CVE-2026-40208
An attacker might be able to delay the processing of DoH3 queries by sending DoH3 GET queries with an invalid DATA frame.
@cveNotify
CVE-2026-40210
An out-of-bounds read might happen when SetMacAddrAction is used, potentially resulting in uninitialized memory being sent over the network or a crash.
@cveNotify
CVE-2026-40211
An attacker can send crafted DNS over HTTP/3 queries, triggering an exception that prevents some buffer from being freed right away. The buffer will be freed at the end of the QUIC connection, but on some setups it might be possible to open enough concurrent DoH3 streams to trigger an out-of-memory condition, resulting in a denial of service.
@cveNotify
CVE-2026-42004
An attacker can send a crafted EDNS OPT record that will be ignored by DNSdist's filtering rules, but will be rewritten as a valid OPT record when EDNS Client Subnet is inserted, causing the backend to see the EDNS option(s) that DNSdist did not filter.
@cveNotify
CVE-2026-12755
Improper input validation in the PAM AD discovery endpoints in Devolutions Server 2026.2.4.0 through 2026.2.7.0 allows an authenticated user with the UserGroupsView permission to coerce server-side authentication to an attacker-controlled host, exposing PAM provider credentials as an NTLMv2 challenge-response, via a crafted DomainName parameter.
@cveNotify
Devolutions advisories
CVE-2026-40012
ECS zero scoped answers are stored in the packet cache while they should not. This impacts only configurations that have ECS enabled;
@cveNotify
CVE-2026-42387
A malicious authoritative server can send a crafted zone via the ZoneToCache function that leads to a crash of the Recursor due to insufficient input validation.
@cveNotify
CVE-2026-42388
Incomplete validation of the SOA record present in a catalog zone might lead to a crash.
@cveNotify
CVE-2026-42389
This fix provides extra hardening for the 5.4.x branch by doing extra validation of incoming answers from authoritative servers.
@cveNotify
CVE-2026-42390
An invalid zone might pass ZONEMD validation while it should not. This is only relevant if ZoneToCache is configured with ZONEMD validation.
@cveNotify
CVE-2026-52690
Spoofing replies to Recursor might mark an IP of an authoritative server as not supporting EDNS, causing validation of DNSSEC records served by that server to fail.
@cveNotify
CVE-2026-54822
Subscriber SQL Injection in SALESmanago & Leadoo <= 3.11.2 versions.
@cveNotify
Patchstack
SQL Injection in WordPress SALESmanago & Leadoo Plugin
Patchstack is the leading open source vulnerability research organization. Find information and protection for all WordPress, Drupal and Joomla security issues.
CVE-2026-54823
Contributor Remote Code Execution (RCE) in Widget Options <= 4.2.3 versions.
@cveNotify
Patchstack
Remote Code Execution (RCE) in WordPress Widget Options Plugin
CVE-2026-54838
Subscriber SQL Injection in WC Vendors Marketplace <= 2.6.8 versions.
@cveNotify
Patchstack
SQL Injection in WordPress WC Vendors Marketplace Plugin
CVE-2026-54841
Unauthenticated Sensitive Data Exposure in Vitepos <= 3.4.2 versions.
@cveNotify
Patchstack
Sensitive Data Exposure in WordPress Vitepos Plugin
CVE-2026-54849
Unauthenticated SQL Injection in Premmerce Wishlist for WooCommerce <= 1.1.11 versions.
@cveNotify
Patchstack
SQL Injection in WordPress Premmerce Wishlist for WooCommerce Plugin
CVE-2026-56023
Customer Broken Access Control in UPI QR Code Payment Gateway for WooCommerce <= 1.6.2 versions.
@cveNotify
Patchstack
Broken Access Control in WordPress UPI QR Code Payment Gateway for WooCommerce Plugin
CVE-2026-56042
Customer Cross Site Scripting (XSS) in Advanced Order Export For WooCommerce <= 4.0.9 versions.
@cveNotify
Patchstack
Cross Site Scripting (XSS) in WordPress Advanced Order Export For WooCommerce Plugin
CVE-2026-56071
Unauthenticated Cross Site Scripting (XSS) in Forminator <= 1.53.1 versions.
@cveNotify
Patchstack
Cross Site Scripting (XSS) in WordPress Forminator Plugin
CVE-2026-13222
Our payment integration with Oppwa-based payment methods did not properly validate payment status responses. An attacker could use a successful payment status response from one payment and supply it to the system for a different payment, gaining access to multiple valid tickets with only one payment.
@cveNotify
pretix.eu
Security release 2026.5.2 of pretix and multiple plugins
Today, we are releasing pretix 2026.6.1 as well as updates for multiple plugins to fix security-relevant bugs, including ones with high severity.
Please make sure to update your pretix installation as soon as possible.
CVE-2026-13223
Our payment integration with Computop-based payment methods did not properly validate payment status responses. An attacker could use a successful payment status response from one payment and supply it to the system for a different payment, gaining access to multiple valid tickets with only one payment.
@cveNotify
pretix.eu
Security release 2026.5.2 of pretix and multiple plugins