๐จ CVE-2026-49049
The Helix3 plugin for Joomla exposes an ajax handler task, that allows unauthenticated attackers to delete arbitrary files, write arbitrary JSON files and update template parameters.
๐@cveNotify
The Helix3 plugin for Joomla exposes an ajax handler task, that allows unauthenticated attackers to delete arbitrary files, write arbitrary JSON files and update template parameters.
๐@cveNotify
JoomShaper
Responsive Joomla 6 Templates & Free Joomla Extensions - JoomShaper
JoomShaper is a premium Joomla templates club with more than 150+ premium responsive Joomla templates and extensions.
๐จ CVE-2026-55607
Claude Code is an agentic coding tool. From 2.1.38 until 2.1.163, Claude Code's worktree handling allowed creation of worktrees named ".git" and navigation to worktrees outside the sandbox context, enabling git directory confusion attacks. By exploiting symlink manipulation and git fsmonitor execution during worktree operations, an attacker could overwrite files in the user's home directory (such as .zshenv), leading to code execution outside of seatbelt sandbox restrictions. Reliably exploiting this required the user to clone a malicious repository containing prompt injection content and run Claude Code against it. This vulnerability is fixed in 2.1.163.
๐@cveNotify
Claude Code is an agentic coding tool. From 2.1.38 until 2.1.163, Claude Code's worktree handling allowed creation of worktrees named ".git" and navigation to worktrees outside the sandbox context, enabling git directory confusion attacks. By exploiting symlink manipulation and git fsmonitor execution during worktree operations, an attacker could overwrite files in the user's home directory (such as .zshenv), leading to code execution outside of seatbelt sandbox restrictions. Reliably exploiting this required the user to clone a malicious repository containing prompt injection content and run Claude Code against it. This vulnerability is fixed in 2.1.163.
๐@cveNotify
GitHub
Sandbox Escape via Git Worktree Path Confusion Allows Unsandboxed Code Execution
Claude Code's worktree handling allowed creation of worktrees named ".git" and navigation to worktrees outside the sandbox context, enabling git directory confusion attacks. By exploi...
๐จ CVE-2026-56124
phpUploader before 2.0.2 contains an unauthenticated information disclosure vulnerability that allows remote attackers to access the full contents of the uploaded-files database table by visiting any page of the application. The index model executes an unbounded SELECT query and embeds the complete JSON-encoded result set in an inline script block, exposing uploader IP addresses, Argon2ID key hashes, internal filenames, and SHA-256 fingerprints.
๐@cveNotify
phpUploader before 2.0.2 contains an unauthenticated information disclosure vulnerability that allows remote attackers to access the full contents of the uploaded-files database table by visiting any page of the application. The index model executes an unbounded SELECT query and embeds the complete JSON-encoded result set in an inline script block, exposing uploader IP addresses, Argon2ID key hashes, internal filenames, and SHA-256 fingerprints.
๐@cveNotify
GitHub
Fix uploaded metadata disclosure ยท shimosyan/phpUploader@45dc4f1
Limit public file list data to display-safe columns, strengthen inline JSON escaping, and bump release version to 2.0.2.
๐จ CVE-2026-57320
Unauthenticated Cross Site Scripting (XSS) in BEAR <= 1.1.8 versions.
๐@cveNotify
Unauthenticated Cross Site Scripting (XSS) in BEAR <= 1.1.8 versions.
๐@cveNotify
Patchstack
Cross Site Scripting (XSS) in WordPress BEAR Plugin
Patchstack is the leading open source vulnerability research organization. Find information and protection for all WordPress, Drupal and Joomla security issues.
๐จ CVE-2026-57326
Unauthenticated Cross Site Scripting (XSS) in Business Directory <= 6.4.22 versions.
๐@cveNotify
Unauthenticated Cross Site Scripting (XSS) in Business Directory <= 6.4.22 versions.
๐@cveNotify
Patchstack
Cross Site Scripting (XSS) in WordPress Business Directory Plugin
Patchstack is the leading open source vulnerability research organization. Find information and protection for all WordPress, Drupal and Joomla security issues.
๐จ CVE-2026-57328
Subscriber Cross Site Scripting (XSS) in Business Directory <= 6.4.22 versions.
๐@cveNotify
Subscriber Cross Site Scripting (XSS) in Business Directory <= 6.4.22 versions.
๐@cveNotify
Patchstack
Cross Site Scripting (XSS) in WordPress Business Directory Plugin
Patchstack is the leading open source vulnerability research organization. Find information and protection for all WordPress, Drupal and Joomla security issues.
๐จ CVE-2026-57330
Subscriber Cross Site Scripting (XSS) in MasterStudy LMS <= 3.7.27 versions.
๐@cveNotify
Subscriber Cross Site Scripting (XSS) in MasterStudy LMS <= 3.7.27 versions.
๐@cveNotify
Patchstack
Cross Site Scripting (XSS) in WordPress MasterStudy LMS Plugin
Patchstack is the leading open source vulnerability research organization. Find information and protection for all WordPress, Drupal and Joomla security issues.
๐จ CVE-2026-57331
Performer Arbitrary File Deletion in Paid Videochat Turnkey Site <= 7.4.8 versions.
๐@cveNotify
Performer Arbitrary File Deletion in Paid Videochat Turnkey Site <= 7.4.8 versions.
๐@cveNotify
Patchstack
Arbitrary File Deletion in WordPress Paid Videochat Turnkey Site Plugin
Patchstack is the leading open source vulnerability research organization. Find information and protection for all WordPress, Drupal and Joomla security issues.
๐จ CVE-2026-57332
Subscriber Broken Access Control in Wallet System for WooCommerce <= 2.7.6 versions.
๐@cveNotify
Subscriber Broken Access Control in Wallet System for WooCommerce <= 2.7.6 versions.
๐@cveNotify
Patchstack
Broken Access Control in WordPress Wallet System for WooCommerce Plugin
Patchstack is the leading open source vulnerability research organization. Find information and protection for all WordPress, Drupal and Joomla security issues.
๐จ CVE-2026-57333
Unauthenticated Cross Site Scripting (XSS) in Link Whisper Free <= 0.9.4 versions.
๐@cveNotify
Unauthenticated Cross Site Scripting (XSS) in Link Whisper Free <= 0.9.4 versions.
๐@cveNotify
Patchstack
Cross Site Scripting (XSS) in WordPress Link Whisper Free Plugin
Patchstack is the leading open source vulnerability research organization. Find information and protection for all WordPress, Drupal and Joomla security issues.
๐จ CVE-2026-57334
Unauthenticated Broken Access Control in WP User Frontend <= 4.3.7 versions.
๐@cveNotify
Unauthenticated Broken Access Control in WP User Frontend <= 4.3.7 versions.
๐@cveNotify
Patchstack
Broken Access Control in WordPress WP User Frontend Plugin
Patchstack is the leading open source vulnerability research organization. Find information and protection for all WordPress, Drupal and Joomla security issues.
๐จ CVE-2026-57336
Unauthenticated Cross Site Scripting (XSS) in Jobify <= 4.3.2 versions.
๐@cveNotify
Unauthenticated Cross Site Scripting (XSS) in Jobify <= 4.3.2 versions.
๐@cveNotify
Patchstack
Cross Site Scripting (XSS) in WordPress Jobify Theme
Patchstack is the leading open source vulnerability research organization. Find information and protection for all WordPress, Drupal and Joomla security issues.
๐จ CVE-2026-57337
Unauthenticated Cross Site Scripting (XSS) in Landing Page Builder <= 1.5.3.5 versions.
๐@cveNotify
Unauthenticated Cross Site Scripting (XSS) in Landing Page Builder <= 1.5.3.5 versions.
๐@cveNotify
Patchstack
Cross Site Scripting (XSS) in WordPress Landing Page Builder Plugin
Patchstack is the leading open source vulnerability research organization. Find information and protection for all WordPress, Drupal and Joomla security issues.
๐จ CVE-2026-57338
Unauthenticated Cross Site Scripting (XSS) in ARForms <= 7.1.2 versions.
๐@cveNotify
Unauthenticated Cross Site Scripting (XSS) in ARForms <= 7.1.2 versions.
๐@cveNotify
Patchstack
Cross Site Scripting (XSS) in WordPress ARForms Plugin
Patchstack is the leading open source vulnerability research organization. Find information and protection for all WordPress, Drupal and Joomla security issues.
๐จ CVE-2026-57339
Unauthenticated Broken Access Control in Business Directory <= 6.4.23 versions.
๐@cveNotify
Unauthenticated Broken Access Control in Business Directory <= 6.4.23 versions.
๐@cveNotify
Patchstack
Broken Access Control in WordPress Business Directory Plugin
Patchstack is the leading open source vulnerability research organization. Find information and protection for all WordPress, Drupal and Joomla security issues.
๐จ CVE-2026-57340
Unauthenticated Broken Access Control in Japanized For WooCommerce <= 2.9.12 versions.
๐@cveNotify
Unauthenticated Broken Access Control in Japanized For WooCommerce <= 2.9.12 versions.
๐@cveNotify
Patchstack
Broken Access Control in WordPress Japanized For WooCommerce Plugin
Patchstack is the leading open source vulnerability research organization. Find information and protection for all WordPress, Drupal and Joomla security issues.
๐จ CVE-2026-13437
Insertion of sensitive information into sent data in the AI Agent job API in Devolutions PowerShell Universal 2026.2.0 allows an authenticated user with AI Agent read access to obtain reusable, potentially higher-privileged authentication tokens via App Tokens serialized in plaintext in job API responses.
๐@cveNotify
Insertion of sensitive information into sent data in the AI Agent job API in Devolutions PowerShell Universal 2026.2.0 allows an authenticated user with AI Agent read access to obtain reusable, potentially higher-privileged authentication tokens via App Tokens serialized in plaintext in job API responses.
๐@cveNotify
Devolutions
advisories
Stay informed with Devolutions' latest security advisories on vulnerabilities, threats, and incident responses to enhance your cybersecurity posture.
๐จ CVE-2026-13580
A security vulnerability has been detected in Edimax EW-7478APC 1.04. This affects the function formQoS of the file /goform/formQoS of the component POST Request Handler. The manipulation of the argument selSSID leads to buffer overflow. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
๐@cveNotify
A security vulnerability has been detected in Edimax EW-7478APC 1.04. This affects the function formQoS of the file /goform/formQoS of the component POST Request Handler. The manipulation of the argument selSSID leads to buffer overflow. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
๐@cveNotify
lavender-bicycle-a5a on Notion
EDIMAX-EW-7478APC-formQoS | Notion
Overview
๐จ CVE-2026-13581
A vulnerability was detected in Edimax EW-7478APC 1.04. This vulnerability affects the function formStaDrvSetup of the file /goform/formStaDrvSetup of the component POST Request Handler. The manipulation of the argument rootAPmac results in os command injection. The attack can be executed remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
๐@cveNotify
A vulnerability was detected in Edimax EW-7478APC 1.04. This vulnerability affects the function formStaDrvSetup of the file /goform/formStaDrvSetup of the component POST Request Handler. The manipulation of the argument rootAPmac results in os command injection. The attack can be executed remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
๐@cveNotify
lavender-bicycle-a5a on Notion
EDIMAX-EW-7478APC-formStaDrvSetup | Notion
Overview
๐จ CVE-2026-13582
A flaw has been found in Edimax EW-7478APC 1.04. This issue affects the function formUSBAccount of the file /goform/formUSBAccount of the component POST Request Handler. This manipulation of the argument UserName/Password causes buffer overflow. The attack is possible to be carried out remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
๐@cveNotify
A flaw has been found in Edimax EW-7478APC 1.04. This issue affects the function formUSBAccount of the file /goform/formUSBAccount of the component POST Request Handler. This manipulation of the argument UserName/Password causes buffer overflow. The attack is possible to be carried out remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
๐@cveNotify
lavender-bicycle-a5a on Notion
EDIMAX-EW-7478APC-formUSBAccount | Notion
Overview