๐จ CVE-2026-56005
Subscriber Cross Site Scripting (XSS) in WP Activity Log <= 5.6.3.1 versions.
๐@cveNotify
Subscriber Cross Site Scripting (XSS) in WP Activity Log <= 5.6.3.1 versions.
๐@cveNotify
Patchstack
Cross Site Scripting (XSS) in WordPress WP Activity Log Plugin
Patchstack is the leading open source vulnerability research organization. Find information and protection for all WordPress, Drupal and Joomla security issues.
๐จ CVE-2026-56006
Unauthenticated Cross Site Scripting (XSS) in H5P <= 1.17.6 versions.
๐@cveNotify
Unauthenticated Cross Site Scripting (XSS) in H5P <= 1.17.6 versions.
๐@cveNotify
Patchstack
Cross Site Scripting (XSS) in WordPress H5P Plugin
Patchstack is the leading open source vulnerability research organization. Find information and protection for all WordPress, Drupal and Joomla security issues.
๐จ CVE-2026-56013
Unauthenticated Insecure Direct Object References (IDOR) in License Manager for WooCommerce <= 3.0.15 versions.
๐@cveNotify
Unauthenticated Insecure Direct Object References (IDOR) in License Manager for WooCommerce <= 3.0.15 versions.
๐@cveNotify
Patchstack
Insecure Direct Object References (IDOR) in WordPress License Manager for WooCommerce Plugin
Patchstack is the leading open source vulnerability research organization. Find information and protection for all WordPress, Drupal and Joomla security issues.
๐จ CVE-2026-56014
Unauthenticated Cross Site Scripting (XSS) in Master Slider <= 3.11.2 versions.
๐@cveNotify
Unauthenticated Cross Site Scripting (XSS) in Master Slider <= 3.11.2 versions.
๐@cveNotify
Patchstack
Cross Site Scripting (XSS) in WordPress Master Slider Plugin
Patchstack is the leading open source vulnerability research organization. Find information and protection for all WordPress, Drupal and Joomla security issues.
๐จ CVE-2026-56023
Customer Broken Access Control in UPI QR Code Payment Gateway for WooCommerce <= 1.6.2 versions.
๐@cveNotify
Customer Broken Access Control in UPI QR Code Payment Gateway for WooCommerce <= 1.6.2 versions.
๐@cveNotify
Patchstack
Broken Access Control in WordPress UPI QR Code Payment Gateway for WooCommerce Plugin
Patchstack is the leading open source vulnerability research organization. Find information and protection for all WordPress, Drupal and Joomla security issues.
๐จ CVE-2026-56042
Customer Cross Site Scripting (XSS) in Advanced Order Export For WooCommerce <= 4.0.9 versions.
๐@cveNotify
Customer Cross Site Scripting (XSS) in Advanced Order Export For WooCommerce <= 4.0.9 versions.
๐@cveNotify
Patchstack
Cross Site Scripting (XSS) in WordPress Advanced Order Export For WooCommerce Plugin
Patchstack is the leading open source vulnerability research organization. Find information and protection for all WordPress, Drupal and Joomla security issues.
๐จ CVE-2026-56050
Improper Access Control vulnerability in Themeisle PPOM for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels.
This issue affects PPOM for WooCommerce: from n/a through 33.0.18.
๐@cveNotify
Improper Access Control vulnerability in Themeisle PPOM for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels.
This issue affects PPOM for WooCommerce: from n/a through 33.0.18.
๐@cveNotify
Patchstack
Broken Access Control in WordPress PPOM for WooCommerce Plugin
Patchstack is the leading open source vulnerability research organization. Find information and protection for all WordPress, Drupal and Joomla security issues.
๐จ CVE-2026-56051
Unauthenticated Cross Site Scripting (XSS) in TablePress <= 3.3.1 versions.
๐@cveNotify
Unauthenticated Cross Site Scripting (XSS) in TablePress <= 3.3.1 versions.
๐@cveNotify
Patchstack
Cross Site Scripting (XSS) in WordPress TablePress Plugin
Patchstack is the leading open source vulnerability research organization. Find information and protection for all WordPress, Drupal and Joomla security issues.
๐จ CVE-2026-56054
Subscriber Arbitrary File Deletion in JS Help Desk <= 3.1.1 versions.
๐@cveNotify
Subscriber Arbitrary File Deletion in JS Help Desk <= 3.1.1 versions.
๐@cveNotify
Patchstack
Arbitrary File Deletion in WordPress JS Help Desk Plugin
Patchstack is the leading open source vulnerability research organization. Find information and protection for all WordPress, Drupal and Joomla security issues.
๐จ CVE-2026-56071
Unauthenticated Cross Site Scripting (XSS) in Forminator <= 1.53.1 versions.
๐@cveNotify
Unauthenticated Cross Site Scripting (XSS) in Forminator <= 1.53.1 versions.
๐@cveNotify
Patchstack
Cross Site Scripting (XSS) in WordPress Forminator Plugin
Patchstack is the leading open source vulnerability research organization. Find information and protection for all WordPress, Drupal and Joomla security issues.
๐จ CVE-2026-57619
Contributor Sensitive Data Exposure in Elementor Website Builder <= 4.1.3 versions.
๐@cveNotify
Contributor Sensitive Data Exposure in Elementor Website Builder <= 4.1.3 versions.
๐@cveNotify
Patchstack
Sensitive Data Exposure in WordPress Elementor Website Builder Plugin
Patchstack is the leading open source vulnerability research organization. Find information and protection for all WordPress, Drupal and Joomla security issues.
๐จ CVE-2026-53915
In JetBrains GoLand before 2026.1.3 remote code execution was possible via untrusted project configuration
๐@cveNotify
In JetBrains GoLand before 2026.1.3 remote code execution was possible via untrusted project configuration
๐@cveNotify
JetBrains
Fixed security issues
This page contains information about resolved security issues, including description, severity, assigned CVEs, and the product versions in which they were resolved.
๐จ CVE-2026-56208
A heap buffer overflow vulnerability was found in libaom, the reference AV1 codec implementation. A flaw in the AV1 encoder's Look-Ahead Processing (LAP) mode causes the first-pass stats ring buffer wrap-around guard to be bypassed when g_lag_in_frames is set to 1 or higher. This results in a 232-byte out-of-bounds write on every encoded frame after the second, corrupting adjacent heap objects. An attacker who can influence encoder configuration in a transcoding service or WebRTC session could exploit this to cause a denial of service (process crash) or potentially achieve code execution.
๐@cveNotify
A heap buffer overflow vulnerability was found in libaom, the reference AV1 codec implementation. A flaw in the AV1 encoder's Look-Ahead Processing (LAP) mode causes the first-pass stats ring buffer wrap-around guard to be bypassed when g_lag_in_frames is set to 1 or higher. This results in a 232-byte out-of-bounds write on every encoded frame after the second, corrupting adjacent heap objects. An attacker who can influence encoder configuration in a transcoding service or WebRTC session could exploit this to cause a denial of service (process crash) or potentially achieve code execution.
๐@cveNotify
๐จ CVE-2026-56209
An arbitrary address write vulnerability was found in libaom, the reference AV1 codec implementation. A missing bounds check in the SVC (Scalable Video Coding) layer ID control function allows an attacker to inject an arbitrary pointer into the cyclic refresh map field via crafted image pixel values. The encoder then writes approximately 1,200 bytes at the attacker-controlled address. This is fully deterministic and does not require a separate information leak. An attacker who can supply frames to a network-facing libaom encoder with SVC enabled could exploit this for denial of service or potential code execution.
๐@cveNotify
An arbitrary address write vulnerability was found in libaom, the reference AV1 codec implementation. A missing bounds check in the SVC (Scalable Video Coding) layer ID control function allows an attacker to inject an arbitrary pointer into the cyclic refresh map field via crafted image pixel values. The encoder then writes approximately 1,200 bytes at the attacker-controlled address. This is fully deterministic and does not require a separate information leak. An attacker who can supply frames to a network-facing libaom encoder with SVC enabled could exploit this for denial of service or potential code execution.
๐@cveNotify
๐จ CVE-2025-61028
An issue in the time_t_to_dt component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
๐@cveNotify
An issue in the time_t_to_dt component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
๐@cveNotify
GitHub
Fuzzer: Virtuoso 7.2.11 crashed at `time_t_to_dt` ยท Issue #1233 ยท openlink/virtuoso-opensource
The PoC is generated by my DBMS fuzzer. It can also be reproduced in the beta docker image. CREATE TABLE v0 ( v1 DATE NULL ) ; INSERT INTO v0 ( v1 , v1 ) VALUES ( 72057594037927935 , '-675 seco...
๐จ CVE-2026-44726
Deno is a JavaScript, TypeScript, and WebAssembly runtime. From 2.0.0 until 2.7.8, a flaw in Deno's Node.js tls compatibility layer could cause a TLS client to transmit application data in plaintext after a connection retry. When `autoSelectFamily was enabled and the first address-family attempt failed, the socket reinitialization path reused a stale TLS upgrade hook that was bound to the original, failed handle. As a result, the replacement TCP connection was never upgraded to TLS, and any data the application wrote before the secureConnect event travelled over the network unencrypted. A network attacker positioned to cause the initial connection attempt to fail (for example, by dropping IPv6 traffic on a dual-stack host) could deterministically trigger the fallback path and observe or tamper with traffic that the application believed was TLS-protected. This vulnerability is fixed in 2.7.8.
๐@cveNotify
Deno is a JavaScript, TypeScript, and WebAssembly runtime. From 2.0.0 until 2.7.8, a flaw in Deno's Node.js tls compatibility layer could cause a TLS client to transmit application data in plaintext after a connection retry. When `autoSelectFamily was enabled and the first address-family attempt failed, the socket reinitialization path reused a stale TLS upgrade hook that was bound to the original, failed handle. As a result, the replacement TCP connection was never upgraded to TLS, and any data the application wrote before the secureConnect event travelled over the network unencrypted. A network attacker positioned to cause the initial connection attempt to fail (for example, by dropping IPv6 traffic on a dual-stack host) could deterministically trigger the fallback path and observe or tamper with traffic that the application believed was TLS-protected. This vulnerability is fixed in 2.7.8.
๐@cveNotify
GitHub
TLS retry copies stale upgrade hook, risking plaintext traffic
## Summary
A flaw in Deno's Node.js tls compatibility layer could cause a TLS client to transmit application data in plaintext after a connection retry. When `autoSelectFamily was enabled an...
A flaw in Deno's Node.js tls compatibility layer could cause a TLS client to transmit application data in plaintext after a connection retry. When `autoSelectFamily was enabled an...
๐จ CVE-2026-49440
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.8.1, node:crypto.checkPrime(candidate[, options][, callback]) and crypto.checkPrimeSync(candidate[, options]) ran no Miller-Rabin rounds at all when the caller left options.checks at its default of 0. In that mode, the only test applied to the candidate was trial division by the primes up to 17,863. Any composite whose smallest prime factor exceeds that bound โ for example the product of two primes just above it, such as 17,881 ร 17,891 โ was reported as true ("probably prime"). The same divergence affected the lower-level op_node_check_prime / op_node_check_prime_bytes paths that the polyfill calls into. This vulnerability is fixed in 2.8.1.
๐@cveNotify
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.8.1, node:crypto.checkPrime(candidate[, options][, callback]) and crypto.checkPrimeSync(candidate[, options]) ran no Miller-Rabin rounds at all when the caller left options.checks at its default of 0. In that mode, the only test applied to the candidate was trial division by the primes up to 17,863. Any composite whose smallest prime factor exceeds that bound โ for example the product of two primes just above it, such as 17,881 ร 17,891 โ was reported as true ("probably prime"). The same divergence affected the lower-level op_node_check_prime / op_node_check_prime_bytes paths that the polyfill calls into. This vulnerability is fixed in 2.8.1.
๐@cveNotify
GitHub
fix(ext/node): enforce minimum Miller-Rabin rounds in checkPrime by bartlomieju ยท Pull Request #34391 ยท denoland/deno
crypto.checkPrime in Node defaults options.checks to 0, and the Deno
polyfill forwards that value straight into the Rust implementation of
is_probably_prime. The probabilistic loop is bounded by co...
polyfill forwards that value straight into the Rust implementation of
is_probably_prime. The probabilistic loop is bounded by co...
๐จ CVE-2026-13035
Use after free in Bluetooth in Google Chrome on Mac prior to 149.0.7827.197 allowed a remote attacker to execute arbitrary code via a malicious peripheral. (Chromium security severity: High)
๐@cveNotify
Use after free in Bluetooth in Google Chrome on Mac prior to 149.0.7827.197 allowed a remote attacker to execute arbitrary code via a malicious peripheral. (Chromium security severity: High)
๐@cveNotify
Chrome Releases
Stable Channel Update for Desktop
The Stable channel has been updated to 149.0.7827.196/197 for Windows and Mac and 149.0.7827.196 for Linux, which will roll out over the co...
๐จ CVE-2026-13036
Use after free in Blink in Google Chrome prior to 149.0.7827.197 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
๐@cveNotify
Use after free in Blink in Google Chrome prior to 149.0.7827.197 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
๐@cveNotify
Chrome Releases
Stable Channel Update for Desktop
The Stable channel has been updated to 149.0.7827.196/197 for Windows and Mac and 149.0.7827.196 for Linux, which will roll out over the co...