🚨 CVE-2026-57920
Peplink InControl 2 through 2.14.2 before 2026-06-03 allows use of a semicolon to bypass access-control rules for certain /rest/o/{orgId} endpoints.
@cveNotify
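The advisory gives no internals, but the bug class behind "a semicolon bypasses the ACL" is well known: the access-control layer matches the raw request path while the router first strips servlet-style path parameters (`segment;key=value`), so a path the ACL does not recognise is routed to the handler the ACL was supposed to guard. The following is an added illustration of that class, not Peplink's code; the route table, ACL rules, handler names and the `{orgId}` regex are all hypothetical.

```python
"""Path-parameter (';') mismatch between an ACL layer and a router.

Added illustration of the bug class only. Routes, ACL rules, handler names and
the {orgId} pattern are hypothetical, not Peplink InControl 2's code.
"""
import re

# Hypothetical org-scoped endpoints under /rest/o/{orgId}.
ROUTES = {
    "/rest/o/{orgId}/info": "org_info",
    "/rest/o/{orgId}/admin": "org_admin",
}

# Hypothetical ACL: the minimum role each endpoint needs.
ACL = {
    "/rest/o/{orgId}/info": "member",
    "/rest/o/{orgId}/admin": "admin",
}

ROLE_RANK = {"member": 1, "admin": 2}


def compile_template(template):
    """'/rest/o/{orgId}/admin' -> regex with a decimal orgId group (assumption)."""
    head, tail = template.split("{orgId}")
    return re.compile("^" + re.escape(head) + r"(?P<orgId>[0-9]+)" + re.escape(tail) + "$")


def strip_path_params(path):
    """Servlet-style path parameters: 'seg;k=v' is routed as 'seg'."""
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))


def route(path):
    """The router canonicalises before matching, as servlet containers do."""
    canonical = strip_path_params(path)
    for template, handler in ROUTES.items():
        m = compile_template(template).match(canonical)
        if m:
            return handler, m.group("orgId")
    return None, None


def acl_allows(path, role, default=True):
    """True if some ACL rule matches `path` and `role` satisfies it.

    `default` is what happens when no rule matches. Default-allow is the
    second half of the bug: an unrecognised path falls straight through.
    """
    for template, needed in ACL.items():
        if compile_template(template).match(path):
            return ROLE_RANK[role] >= ROLE_RANK[needed]
    return default


def vulnerable_dispatch(path, role):
    """ACL sees the raw path, router sees the canonical one."""
    if not acl_allows(path, role):           # '/rest/o/1;x/admin' matches no rule
        return "denied"
    handler, _ = route(path)                  # ...but routes to org_admin
    return handler or "404"


def fixed_dispatch(path, role):
    """Canonicalise once, up front, and feed the same string to both layers;
    also default-deny anything the ACL has no rule for."""
    canonical = strip_path_params(path)
    if not acl_allows(canonical, role, default=False):
        return "denied"
    handler, _ = route(canonical)
    return handler or "404"


if __name__ == "__main__":
    for p in ("/rest/o/1/admin", "/rest/o/1;x/admin", "/rest/o/1/admin;x"):
        print(p, "member ->", vulnerable_dispatch(p, "member"), "/", fixed_dispatch(p, "member"))
```

The two fixes are independent and both are worth having: canonicalising before the ACL removes the parser differential, and default-deny means a future differential (URL-encoding, trailing dots, case folding) fails closed instead of open. When testing a real deployment, try the semicolon in every segment, including the last one (`/admin;x`), since some routers only strip parameters on the final segment.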
🚨 CVE-2026-57940
HTMLy 3.1.1 contains a Server-Side Request Forgery (SSRF) vulnerability in the RSS feed import functionality. The function get_feed() in system/admin/admin.php passes user-supplied $feed_url directly to file_get_contents() without any validation. An authenticated attacker with administrative privileges can exploit this by entering a crafted URL (e.g., http://dnslog.example.com, file:///etc/passwd, or http://169.254.169.254 in cloud contexts) via Tools -> Import RSS. The server will then make a request to the attacker-controlled target.
@cveNotify
GitHub
htmly/system/admin/admin.php at c8b7ed9af39a266b256759becf26dba6a59e11e6 · danpros/htmly
Simple and fast databaseless PHP blogging platform, and Flat-File CMS - danpros/htmly
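What a fetch-this-URL feature should do before the fetch, as an added example that is not HTMLy's code: restrict the scheme (so file://, php://, gopher:// never reach the fetcher), refuse userinfo and odd ports, resolve the host and reject anything that is not a globally routable address, including the bare-integer and IPv4-mapped-IPv6 spellings, and return the address that was checked so the caller can pin the connection to it. The resolver is injected so the check runs offline; the hostname-to-IP table is constructed test data.

```python
"""Outbound-URL policy for an RSS/feed importer (SSRF defence).

Added example, not HTMLy's code. `resolve` is injected so this runs offline;
FAKE_DNS is constructed test data, not real records.
"""
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}

# Constructed DNS table (assumption) standing in for socket.getaddrinfo().
FAKE_DNS = {
    "feeds.example.net": ["8.8.8.8"],
    "dnslog.example.com": ["1.1.1.1"],
    "localhost": ["127.0.0.1"],
    "metadata.example.com": ["169.254.169.254"],   # record aimed at cloud metadata
    "v6mapped.example.com": ["::ffff:10.0.0.5"],   # IPv4-mapped IPv6 spelling
}


def fake_resolve(host):
    """Stand-in resolver; raises OSError like a real NXDOMAIN."""
    if host not in FAKE_DNS:
        raise OSError(f"NXDOMAIN {host}")
    return FAKE_DNS[host]


def _literal_ip(host):
    """Parse dotted/colon literals plus the bare-integer form inet_aton accepts."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    if host.isdigit():                      # http://2130706433/ == http://127.0.0.1/
        try:
            return ipaddress.IPv4Address(int(host))
        except ValueError:
            pass
    return None


def _is_public(ip):
    """Globally routable and in none of the special-purpose ranges."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped                 # judge ::ffff:a.b.c.d by its IPv4 part
    return ip.is_global and not (
        ip.is_private or ip.is_loopback or ip.is_link_local
        or ip.is_multicast or ip.is_reserved or ip.is_unspecified
    )


def check_feed_url(url, resolve=fake_resolve):
    """Return (ok, reason, pinned_ip). pinned_ip is the address that passed the
    check; the caller should connect to exactly that address (Host header set
    to the original name) so a DNS rebind between check and fetch cannot help."""
    try:
        parts = urlsplit(url)
        port = parts.port                   # raises ValueError on junk ports
    except ValueError as exc:
        return False, f"unparseable URL: {exc}", None
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {scheme!r} not allowed", None
    host = parts.hostname
    if not host:
        return False, "missing host", None
    if parts.username is not None or parts.password is not None:
        return False, "userinfo not allowed", None
    if port is None:
        port = 443 if scheme == "https" else 80
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed", None
    literal = _literal_ip(host)
    if literal is not None:
        addrs = [literal]
    else:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolve(host)]
        except (OSError, ValueError) as exc:
            return False, f"resolution failed: {exc}", None
    if not addrs:
        return False, "host resolved to nothing", None
    for ip in addrs:                        # every A/AAAA record must pass
        if not _is_public(ip):
            return False, f"{ip} is not a public address", None
    return True, "ok", str(addrs[0])


if __name__ == "__main__":
    for u in ("https://feeds.example.net/rss.xml", "file:///etc/passwd",
              "http://169.254.169.254/latest/meta-data/", "http://2130706433/",
              "http://[::1]/", "http://v6mapped.example.com/"):
        print(u, "->", check_feed_url(u))
```

Two caveats a reviewer would raise. First, the check must be repeated on every redirect hop (or redirects disabled), since a public host can 302 to an internal one; file_get_contents() follows HTTP redirects on its own, which is one reason to prefer a client you can configure. Second, this policy deliberately lets http://dnslog.example.com through: an RSS importer exists to fetch arbitrary public URLs, so the out-of-band callback in the advisory is not what the policy prevents; it blocks the pivot to the metadata service and the internal network. If outbound reach to arbitrary hosts is itself unacceptable, add a domain allowlist on top.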
🚨 CVE-2026-30040
A heap overflow in the FSViewer.exe process of FastStone Image Viewer v8.3 allows attackers to execute arbitrary code in the context of the current process via a crafted JPEG 2000 (JP2) file.
@cveNotify
kb.cert.org
CERT/CC Vulnerability Note VU#936962
Multiple file parsing vulnerabilities in FastStone Image Viewer 8.3.0.0
🚨 CVE-2026-30041
An integer overflow in the PSD parser component of FastStone Image Viewer v8.3 allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via a crafted PSD file.
@cveNotify
kb.cert.org
CERT/CC Vulnerability Note VU#936962
Multiple file parsing vulnerabilities in FastStone Image Viewer 8.3.0.0
🚨 CVE-2026-8636
IBM Datacap 9.1.7, 9.1.8, and 9.1.9 and IBM Datacap Navigator 9.1.7, 9.1.8, and 9.1.9 allow an attacker to retrieve user passwords and cryptographic keys from memory. An attacker can use the same keys to decrypt passwords, gain access to the application and access sensitive data in the database.
@cveNotify
IBM
Security Bulletin: Multiple Vulnerabilities in IBM Datacap
Multiple vulnerabilities were addressed in IBM Datacap version 9.1.9 Interim Fix 008.
🚨 CVE-2026-9610
IBM Datacap 9.1.7, 9.1.8, and 9.1.9 and IBM Datacap Navigator 9.1.7, 9.1.8, and 9.1.9 expose resources or functionality that is not linked in the UI but is accessible by directly requesting the URL, bypassing intended access controls.
@cveNotify
IBM
Security Bulletin: Multiple Vulnerabilities in IBM Datacap
🚨 CVE-2026-57620
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tim Strifler Exclusive Addons Elementor allows Stored XSS.
This issue affects Exclusive Addons Elementor: from n/a through 2.7.9.8.
@cveNotify
Patchstack
Cross Site Scripting (XSS) in WordPress Exclusive Addons Elementor Plugin
Patchstack is the leading open source vulnerability research organization. Find information and protection for all WordPress, Drupal and Joomla security issues.
🚨 CVE-2025-66123
Unauthenticated Insecure Direct Object References (IDOR) in BookPro <= 1.1.0 versions.
@cveNotify
Patchstack
Insecure Direct Object References (IDOR) in WordPress BookPro Plugin
🚨 CVE-2026-24547
Unauthenticated Broken Access Control in SiteGround Email Marketing <= 1.7.5 versions.
@cveNotify
Patchstack
Broken Access Control in WordPress SiteGround Email Marketing Plugin
🚨 CVE-2026-54837
Unauthenticated Broken Access Control in Intranet & Private Site – All-In-One Intranet <= 1.8.1 versions.
@cveNotify
Patchstack
Broken Access Control in WordPress Intranet & Private Site – All-In-One Intranet Plugin
🚨 CVE-2026-56010
Subscriber Privilege Escalation in Abandoned Cart Pro for WooCommerce <= 10.4.0 versions.
@cveNotify
Patchstack
Privilege Escalation in WordPress Abandoned Cart Pro for WooCommerce Plugin
🚨 CVE-2026-56029
Unauthenticated Broken Authentication in CorvusPay WooCommerce Payment Gateway <= 2.7.4 versions.
@cveNotify
Patchstack
Broken Authentication in WordPress CorvusPay WooCommerce Payment Gateway Plugin
🚨 CVE-2026-56035
Unauthenticated Multiple Vulnerabilities in BitFire Security <= 5.0.3 versions.
@cveNotify
Patchstack
Multiple Vulnerabilities in WordPress BitFire Security Plugin
🚨 CVE-2026-56043
Unauthenticated Cross Site Scripting (XSS) in Customer Reviews for WooCommerce <= 5.110.1 versions.
@cveNotify
Patchstack
Cross Site Scripting (XSS) in WordPress Customer Reviews for WooCommerce Plugin
🚨 CVE-2026-56069
Unauthenticated Insecure Direct Object References (IDOR) in Toolset Forms <= 2.6.24 versions.
@cveNotify
Patchstack
Insecure Direct Object References (IDOR) in WordPress Toolset Forms Plugin
🚨 CVE-2026-57315
Contributor Remote Code Execution (RCE) in Blocksy Companion Pro <= 2.1.45 versions.
@cveNotify
Patchstack
Remote Code Execution (RCE) in WordPress Blocksy Companion Pro Plugin
🚨 CVE-2026-57322
Unauthenticated Cross Site Scripting (XSS) in weMail <= 2.1.2 versions.
@cveNotify
Patchstack
Cross Site Scripting (XSS) in WordPress weMail Plugin
🚨 CVE-2026-57617
Contributor Cross Site Scripting (XSS) in SeedProd Pro < 6.19.5 versions.
@cveNotify
Patchstack
Cross Site Scripting (XSS) in WordPress SeedProd Pro Plugin