🚨 CVE-2026-13006
ACE vulnerability in conditional configuration file processing by QOS.CH logback-core up to and including version 1.5.34 in Java applications, allows an attacker to execute arbitrary code circumventing existing protections against CVE-2025-11226 by compromising an existing logback configuration file or by injecting an environment variable before program execution.



A successful attack requires the presence of Janino library to be present on the user's class path. In addition, the attacker must  have write access to a
configuration file. Alternatively, the attacker could inject a malicious
environment variable pointing to a malicious configuration file. In both
cases, the attack requires existing privilege.

🎖@cveNotify

🚨 CVE-2026-6292
The MP Customize Login Page plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to and including 1.0. This is due to a completely broken nonce validation in the enter_mpclp_login_options() function, which contains an inverted check (if wp_verify_nonce(...) { return false; }) and is missing the required action parameter for wp_verify_nonce(). As a result, the nonce check is effectively dead code: it never blocks malicious requests because a CSRF-supplied empty/invalid nonce always returns false, satisfying the inverted condition to continue execution. Furthermore, the settings-update handler is hooked on init without any capability check. This makes it possible for unauthenticated attackers to modify all plugin setting, including login page background, logo URL, image dimensions, button colors, and login message, by tricking a logged-in administrator into submitting a crafted request.

🎖@cveNotify

🚨 CVE-2026-8614
The Assistio plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check and missing nonce verification on the assistio_plugin_delete_assistio_settings() function in versions up to, and including, 1.1.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete the plugin's options including the critical 'assistiobot_oauth_settings' option, which disrupts the plugin's integration with the Assistio bot service.

🎖@cveNotify

🚨 CVE-2026-8688
The Advance Nav Menu Manager plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.3. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to duplicate, copy, move, or publish nav_menu_item posts via wp_insert_post(), modifying the site's navigation menus without authorization.

🎖@cveNotify

🚨 CVE-2026-9172
The Devs Accounting – Simple Accounting and Invoicing Solution plugin for WordPress is vulnerable to unauthorized modification/deletion of data due to a missing capability check on the delete_single_account() function in versions up to, and including, 1.2.0. The REST route 'devs-accounting/v1/delete-account/(?P<id>\d+)' is registered without any permission_callback, which causes WordPress to expose the endpoint to public, unauthenticated access. This makes it possible for unauthenticated attackers to soft-delete arbitrary accounting account records (wp_dac_accounts) by issuing a simple GET request to the endpoint with any account ID.

🎖@cveNotify

🚨 CVE-2026-9178
The WP Forms Connector plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.8. The plugin registers the REST route wp/v3/user/list/<id> (callback userDetail()) with permission_callback set to '__return_true', and the function's home-grown authentication only verifies that the supplied 'Username' HTTP header maps to an administrator account and that a 'Password' HTTP header is non-empty. It never validates the password with wp_check_password() (unlike the sibling delete_wc_user() function which does). This makes it possible for unauthenticated attackers to retrieve sensitive information for any registered user ID — including the WordPress password hash (user_pass) and email address — by sending a request with a valid administrator login name (commonly the default 'admin') and any arbitrary password value.

🎖@cveNotify

🚨 CVE-2026-9612
The WhatsOrder – Instant Checkout for WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.1 via the yapacdev_generate_order_pdf. This makes it possible for unauthenticated attackers to extract sensitive customer PII and order details — including full name, email address, phone number, billing address, ordered items with quantities and prices, applied coupons, shipping method, and order total — from any customer's invoice by enumerating sequential order IDs. Invoice HTML files are written to the publicly accessible wp-content/uploads/whatsorder_invoices/ directory, which is created without an .htaccess deny rule or index.php guard, making every invoice directly downloadable over HTTP with no authentication check.

🎖@cveNotify

🚨 CVE-2026-9619
The Reviews and Rating – Docplanner plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.1.4. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to trigger outbound scraping of external websites and write scraped review data into the wp_dp_reviews database table, as well as send feature-request emails from the site administrator's email address.

🎖@cveNotify

🚨 CVE-2026-9709
The Cornerstone WordPress plugin before 7.8.9 does not enforce capability checks on one of its REST API routes, allowing any authenticated user to disclose the metadata of any other user, including roles, session token previews and stored billing/shipping fields. This affects the premium co Cornerstone page builder distributed bundled with the X , not the unrelated free `cornerstone` Cornerstone WordPress plugin before 7.8.9 (v0.8.x) on the .org repository.

🎖@cveNotify

🚨 CVE-2026-9710
The Cornerstone WordPress plugin before 7.8.8 does not enforce capability checks on one of its CSS-preview request handlers, and exposes the nonce needed to call it to every logged-in user on any wp-admin page, allowing any authenticated user to evaluate dynamic content tokens against arbitrary users and disclose their sensitive metadata including raw password hashes. This affects the premium co Cornerstone page builder distributed bundled with the X , not the unrelated free `cornerstone` Cornerstone WordPress plugin before 7.8.8 (v0.8.x) on the .org repository.

🎖@cveNotify

🚨 CVE-2026-9724
The MotorDesk plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.2. This is due to missing or incorrect nonce validation on the motordesk_admin_home function. This makes it possible for unauthenticated attackers to update the plugin's configuration settings, including the search page URI and custom template directory path via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

🎖@cveNotify

🚨 CVE-2026-56052
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in FunnelKit Funnel Builder by FunnelKit allows Blind SQL Injection.

This issue affects Funnel Builder by FunnelKit: from n/a through 3.15.0.5.

🎖@cveNotify

🚨 CVE-2026-10745
Improper output neutralization for logs vulnerability in upKeeper Solutions upKeeper Instant Privilege Access on Windows allows Log Injection-Tampering-Forging.

This issue affects upKeeper Instant Privilege Access: through 1.6.1.

🎖@cveNotify

🚨 CVE-2026-11968
Argument Injection in TortoiseGitBlame via Malicious Git History Filenames Leads to Arbitrary File Write in TortoiseGit

🎖@cveNotify

🚨 CVE-2026-13150
Server-Side Request Forgery (SSRF) (CWE-918) in the PDF generation endpoint GET /api/reports/{id}/pdf (backend/main.py) in ccyl13 Pentestify 1.0.0 and lower allows remote attackers to make the server issue requests to arbitrary internal or external URLs, including cloud metadata services, and return the rendered content in the resulting PDF via a crafted Host header, because the target URL is built from request.base_url without validation.

🎖@cveNotify

🚨 CVE-2025-71332
Flowise through 2.2.7 contains a SQL injection vulnerability in the importChatflows API. Due to insufficient validation of the chatflow.id value, an authenticated user can supply a crafted JSON import file whose id field is concatenated unsanitized into a SQL IN clause, allowing arbitrary SQL to be executed, including blind and error-based extraction of data from the credential table.

🎖@cveNotify

🚨 CVE-2025-71354
picklescan before 0.0.29 fails to detect malicious pickle files that exploit idlelib.debugobj.ObjectTreeItem.SetText function in reduce methods. Attackers can craft pickle files with embedded code that bypasses picklescan detection and executes arbitrary commands when pickle.load() is called.

🎖@cveNotify

🚨 CVE-2025-71361
picklescan before 0.0.29 fails to detect malicious idlelib.calltip.Calltip.fetch_tip calls in pickle files, allowing remote code execution. Attackers can embed undetected payloads in pickle files that execute arbitrary code when loaded via pickle.load().

🎖@cveNotify

🚨 CVE-2026-12242
The AdRotate Banner Manager plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 5.17.7 via the 'banner' attribute of the adrotate shortcode. This is due to insufficient input validation and sanitization of the banner shortcode attribute before concatenation into a PHP code string wrapped in W3 Total Cache mfunc or Borlabs Cache fragment markers. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute arbitrary PHP code on the server. This vulnerability requires W3 Total Cache or Borlabs Cache support to be enabled in AdRotate settings.

🎖@cveNotify

🚨 CVE-2026-13140
Stored Cross-Site Scripting in the exposed AWS API key store of Thinkst Applied Research Canarytokens.




Anonymous exploitation requires knowledge of a random identifier.




This issue affects Canarytokens: from Docker tag sha-4116b92cb before sha-f5aa5c4e, from Git commit 4116b92cb before f5aa5c4e.

🎖@cveNotify

🚨 CVE-2026-13163
Open redirect vulnerability (CWE-601) in the _safe_redirect function of the click-tracking endpoint (/c/<token>/) in Mailerup <1.0.0 on all platforms allows remote unauthenticated attackers to redirect victims to arbitrary external sites and conduct phishing attacks via a crafted u query parameter, because the URL scheme is validated (blocking javascript: and data:) but the destination host is not restricted to an allowlist, and a signing.BadSignature exception is silently caught so a valid signed token is not required.

🎖@cveNotify