🚨 CVE-2026-42004
An attacker can send a crafted EDNS OPT record that will be ignored by DNSdist's filtering rules, but will be rewritten as a valid OPT record when EDNS Client Subnet is inserted, causing the backend to see the EDNS option(s) that DNSdist did not filter.
@cveNotify
🚨 CVE-2026-12755
Improper input validation in the PAM AD discovery endpoints in Devolutions Server 2026.2.4.0 through 2026.2.7.0 allows an authenticated user with the UserGroupsView permission to coerce server-side authentication to an attacker-controlled host, exposing PAM provider credentials as an NTLMv2 challenge-response, via a crafted DomainName parameter.
@cveNotify
Devolutions
advisories
Stay informed with Devolutions' latest security advisories on vulnerabilities, threats, and incident responses to enhance your cybersecurity posture.
🚨 CVE-2026-40012
ECS zero-scoped answers are stored in the packet cache when they should not be. This only affects configurations that have ECS enabled.
@cveNotify
🚨 CVE-2026-42387
A malicious authoritative server can send a crafted zone via the ZoneToCache function that leads to a crash of the Recursor due to insufficient input validation.
@cveNotify
🚨 CVE-2026-42388
Incomplete validation of the SOA record present in a catalog zone might lead to a crash.
@cveNotify
🚨 CVE-2026-42389
This fix provides extra hardening for the 5.4.x branch by doing extra validation of incoming answers from authoritative servers.
@cveNotify
🚨 CVE-2026-42390
An invalid zone might pass ZONEMD validation while it should not. This is only relevant if ZoneToCache is configured with ZONEMD validation.
@cveNotify
🚨 CVE-2026-52690
Spoofing replies to the Recursor might mark an IP of an authoritative server as not supporting EDNS, causing validation of DNSSEC records served by that server to fail.
@cveNotify
🚨 CVE-2026-54822
Subscriber SQL Injection in SALESmanago & Leadoo <= 3.11.2 versions.
@cveNotify
Patchstack
SQL Injection in WordPress SALESmanago & Leadoo Plugin
Patchstack is the leading open source vulnerability research organization. Find information and protection for all WordPress, Drupal and Joomla security issues.
🚨 CVE-2026-54823
Contributor Remote Code Execution (RCE) in Widget Options <= 4.2.3 versions.
@cveNotify
Patchstack
Remote Code Execution (RCE) in WordPress Widget Options Plugin
🚨 CVE-2026-54838
Subscriber SQL Injection in WC Vendors Marketplace <= 2.6.8 versions.
@cveNotify
Patchstack
SQL Injection in WordPress WC Vendors Marketplace Plugin
🚨 CVE-2026-54841
Unauthenticated Sensitive Data Exposure in Vitepos <= 3.4.2 versions.
@cveNotify
Patchstack
Sensitive Data Exposure in WordPress Vitepos Plugin
🚨 CVE-2026-54849
Unauthenticated SQL Injection in Premmerce Wishlist for WooCommerce <= 1.1.11 versions.
@cveNotify
Patchstack
SQL Injection in WordPress Premmerce Wishlist for WooCommerce Plugin
🚨 CVE-2026-56023
Customer Broken Access Control in UPI QR Code Payment Gateway for WooCommerce <= 1.6.2 versions.
@cveNotify
Patchstack
Broken Access Control in WordPress UPI QR Code Payment Gateway for WooCommerce Plugin
🚨 CVE-2026-56042
Customer Cross Site Scripting (XSS) in Advanced Order Export For WooCommerce <= 4.0.9 versions.
@cveNotify
Patchstack
Cross Site Scripting (XSS) in WordPress Advanced Order Export For WooCommerce Plugin
🚨 CVE-2026-56071
Unauthenticated Cross Site Scripting (XSS) in Forminator <= 1.53.1 versions.
@cveNotify
Patchstack
Cross Site Scripting (XSS) in WordPress Forminator Plugin
🚨 CVE-2026-13222
Our payment integration with Oppwa-based payment methods did not properly validate payment status responses. An attacker could use a successful payment status response from one payment and supply it to the system for a different payment, gaining access to multiple valid tickets with only one payment.
@cveNotify
pretix.eu
Security release 2026.5.2 of pretix and multiple plugins
Today, we are releasing pretix 2026.6.1 as well as updates for multiple plugins to fix security-relevant bugs, including ones with high severity.
Please make sure to update your pretix installation as soon as possible.
🚨 CVE-2026-13223
Our payment integration with Computop-based payment methods did not properly validate payment status responses. An attacker could use a successful payment status response from one payment and supply it to the system for a different payment, gaining access to multiple valid tickets with only one payment.
@cveNotify
pretix.eu
Security release 2026.5.2 of pretix and multiple plugins
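The same status-reuse flaw is described for CVE-2026-13222 (Oppwa) and CVE-2026-13223 (Computop): a genuine "approved" response for one payment is presented as proof for a different one. The Python below is an added illustration of the general check, not pretix's code and not either provider's API; the Payment class, the response dictionaries, the "000." success-code convention and the provider lookup table are all constructed for this example. It shows the vulnerable acceptance logic beside a hardened version that binds the response to the stored provider reference, amount and currency, plus a third variant that never accepts a client-supplied document at all and instead queries the provider by the stored reference.

```python
"""Binding a payment-provider status response to the payment it was issued for.

Added illustration, not pretix code: the Payment class, the response documents
and the result-code convention are constructed for this example.
"""
from dataclasses import dataclass
from decimal import Decimal


@dataclass
class Payment:
    payment_id: str      # our own order/payment id (constructed)
    provider_ref: str    # provider transaction id stored when the checkout was created
    amount: Decimal
    currency: str
    state: str = "pending"


def is_success_code(code: str) -> bool:
    # Assumed convention for this example: result codes beginning with "000." mean approved.
    return code.startswith("000.")


def confirm_vulnerable(payment: Payment, status: dict) -> bool:
    """Flaw: any successful-looking status document marks the payment as paid,
    regardless of which transaction the document actually describes."""
    if is_success_code(status["result"]["code"]):
        payment.state = "paid"
        return True
    return False


def confirm_hardened(payment: Payment, status: dict) -> bool:
    """Accept only a document bound to this payment: same provider reference, same
    amount and currency, and an approved result code. A payment that is already paid
    is never re-confirmed, so a replayed document cannot trigger a second fulfilment."""
    if payment.state == "paid":
        return False
    if status.get("id") != payment.provider_ref:
        return False                      # describes some other transaction
    if status.get("currency") != payment.currency:
        return False
    try:
        if Decimal(str(status.get("amount"))) != payment.amount:
            return False
    except ArithmeticError:               # decimal.InvalidOperation on garbage input
        return False
    if not is_success_code(str(status.get("result", {}).get("code", ""))):
        return False
    payment.state = "paid"
    return True


# Constructed stand-in for the provider's status endpoint, keyed by transaction id.
PROVIDER_RECORDS = {
    "tx-1001": {"id": "tx-1001", "result": {"code": "000.100.110"}, "amount": "25.00", "currency": "EUR"},
    "tx-1002": {"id": "tx-1002", "result": {"code": "800.100.100"}, "amount": "25.00", "currency": "EUR"},
}


def confirm_via_lookup(payment: Payment) -> bool:
    """Strongest form: do not take a status document from the client at all; fetch it
    from the provider by the reference we stored, then apply the same binding checks."""
    status = PROVIDER_RECORDS.get(payment.provider_ref)
    return status is not None and confirm_hardened(payment, status)


def demo() -> dict:
    """Attacker paid for order A (tx-1001) and presents that approval for unpaid order B."""
    stolen_doc = PROVIDER_RECORDS["tx-1001"]
    order_b_vuln = Payment("order-B", "tx-1002", Decimal("25.00"), "EUR")
    order_b_hard = Payment("order-B", "tx-1002", Decimal("25.00"), "EUR")
    order_a = Payment("order-A", "tx-1001", Decimal("25.00"), "EUR")
    return {
        "vulnerable_accepts_foreign_doc": confirm_vulnerable(order_b_vuln, stolen_doc),    # True: the bug
        "hardened_accepts_foreign_doc": confirm_hardened(order_b_hard, stolen_doc),        # False
        "hardened_accepts_own_doc": confirm_hardened(order_a, PROVIDER_RECORDS["tx-1001"]),  # True
        "lookup_for_unpaid_order": confirm_via_lookup(order_b_hard),                       # False: tx-1002 not approved
        "replay_after_paid": confirm_hardened(order_a, PROVIDER_RECORDS["tx-1001"]),       # False: already paid
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The binding checks are what the advisory text says was missing: a success response must be tied to the specific payment being confirmed, not merely be a success response. Checking amount and currency as well closes the variant where a cheap payment's approval is presented for an expensive one, and the already-paid guard keeps one genuine approval from being redeemed twice.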
🚨 CVE-2026-13314
Malicious HTML content could be injected into the content rendered by the pretix-digital plugin.
@cveNotify
pretix.eu
Security release 2026.5.2 of pretix and multiple plugins
🚨 CVE-2026-46735
Dell Display and Peripheral Manager (DDPM Mac), versions prior to 2.3, contain an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Command execution.
@cveNotify
🚨 CVE-2026-49319
Remote Keyless Entry System (RKES), using the 433 MHz key fob bearing FCC ID CWTR53R0 manufactured by ALPS ALPINE CO., LTD., is vulnerable to a roll-back attack against its rolling-code authentication.
An attacker within RF range who records two consecutive lock or unlock transmissions from a legitimate key fob can later replay the same pair of transmissions repeatedly. During testing, replaying the first captured transmission caused the RKES to enter a state in which replaying the second captured transmission resulted in a successful lock or unlock operation of the vehicle. Tested and confirmed on a 2024 Suzuki Swift (SWIFT ISG GLS AC 1.2 5P 4x2 TM).
@cveNotify
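A toy model of the replay-a-captured-pair behaviour described above, added here as an illustration and not derived from the ALPS ALPINE firmware or the Suzuki receiver: the packet layout, the HMAC tag standing in for the fob's real cipher, the 16-code acceptance window and the two-packet resynchronisation rule are assumptions chosen so that the model behaves the way the advisory describes. The vulnerable receiver completes a resync on any two consecutive counters, including ones below its current value, so a captured pair works indefinitely; the hardened receiver additionally requires the resynchronised counter to be ahead of the last one it accepted.

```python
"""Toy model of a rolling-code receiver with a counter-resynchronisation path.

Added illustration, not the ALPS ALPINE firmware: packet format, the HMAC-based tag
standing in for the fob's cipher, the window size and the resync rule are assumptions.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional

KEY = b"constructed-fob-secret"   # constructed; stands in for the per-fob secret key
WINDOW = 16                        # counters this far ahead of the last one are accepted (assumed)


def make_packet(counter: int, action: str) -> dict:
    """What the fob transmits: counter, requested action and an authentication tag."""
    tag = hmac.new(KEY, f"{counter}:{action}".encode(), hashlib.sha256).hexdigest()[:16]
    return {"counter": counter, "action": action, "tag": tag}


def tag_valid(pkt: dict) -> bool:
    expected = make_packet(pkt["counter"], pkt["action"])["tag"]
    return hmac.compare_digest(expected, pkt["tag"])


@dataclass
class Receiver:
    last_counter: int
    rollback_resync: bool                  # True models the vulnerable receiver
    pending: Optional[int] = None          # counter of an out-of-window packet seen just before
    actions: list = field(default_factory=list)

    def receive(self, pkt: dict) -> bool:
        if not tag_valid(pkt):
            return False
        c = pkt["counter"]
        # Normal case: counter is ahead of the last accepted one and within the window.
        if self.last_counter < c <= self.last_counter + WINDOW:
            return self._accept(pkt)
        # Resync case: an out-of-window packet immediately followed by the next counter.
        # The vulnerable receiver accepts such a pair even when it moves the counter backwards;
        # the hardened one insists that the new counter still be ahead of the last accepted one.
        if self.pending is not None and c == self.pending + 1:
            if self.rollback_resync or c > self.last_counter:
                return self._accept(pkt)
        self.pending = c          # remember it; a following c+1 may complete a resync
        return False

    def _accept(self, pkt: dict) -> bool:
        self.last_counter = pkt["counter"]
        self.pending = None
        self.actions.append(pkt["action"])
        return True


def run_attack(rollback_resync: bool) -> tuple:
    """Returns (unlocks accepted from the live fob, unlocks gained by replaying the captured pair)."""
    fob = 100
    rx = Receiver(last_counter=99, rollback_resync=rollback_resync)
    # Attacker within RF range records two consecutive legitimate unlock transmissions.
    captured = [make_packet(fob, "unlock"), make_packet(fob + 1, "unlock")]
    live = sum(rx.receive(p) for p in captured)
    fob += 2
    # The owner keeps using the fob, so the receiver's counter moves well past the capture.
    for _ in range(40):
        rx.receive(make_packet(fob, "lock"))
        fob += 1
    # Later the attacker replays the same pair repeatedly: the first replay is rejected but
    # arms the resync path, and the second completes it on the vulnerable receiver.
    gained = 0
    for _ in range(3):
        rx.receive(captured[0])
        if rx.receive(captured[1]):
            gained += 1
    return live, gained


if __name__ == "__main__":
    print("vulnerable receiver:", run_attack(True))    # (2, 3)
    print("hardened receiver:  ", run_attack(False))   # (2, 0)
```

Running the block prints (2, 3) for the vulnerable receiver and (2, 0) for the hardened one: two live unlocks in both cases, and three further unlocks from the replayed pair only where backwards resynchronisation is allowed. One side effect the model makes visible is that after a successful rollback the receiver's counter sits behind the owner's fob, so the next legitimate press also lands outside the window and has to resync.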