CVE Notify
19.3K subscribers
4 photos
206K links
Alert on the latest CVEs

Partner channel: @malwr
Download Telegram
🚨 CVE-2026-57997
Strapi users-permissions plugin fails to restrict JWT algorithms when plugin::users-permissions.jwt.algorithm is not explicitly configured, allowing acceptance of HS384 and HS512 tokens alongside HS256. Attackers possessing the jwtSecret can mint tokens with non-standard HMAC variants to bypass algorithm restrictions and weaken authentication controls.

πŸŽ–@cveNotify
❀1
🚨 CVE-2026-51218
A heap buffer overflow in the TS7Worker::PerformFunctionWrite() function (/core/s7_server.cpp) of snap7 v1.4.3 allows attackers to cause a Denial of Service (DoS) via a crafted packet.

πŸŽ–@cveNotify
🚨 CVE-2026-51219
A heap buffer overflow in the HighPriorityASDUQueue_hasUnconfirmedIMessages function of lib60870 v2.3.3 to v2.3.6 allows attackers to cause a Denial of Service (DoS) via a crafted payload.

πŸŽ–@cveNotify
🚨 CVE-2026-12243
NLTK version 3.9.4 is vulnerable to a path traversal attack due to an incomplete fix for GitHub Issue #3504. The `_UNSAFE_NO_PROTOCOL_RE` regex in `nltk/data.py` checks for literal `../` sequences but fails to account for percent-encoded traversal sequences such as `..%2f`. The `url2pathname()` function decodes these sequences after the validation step, allowing an attacker to bypass the protection. This vulnerability enables an attacker to read arbitrary files accessible to the Python process by controlling the resource name parameter passed to `nltk.data.load()` or `nltk.data.find()`. The issue affects applications that rely on NLTK for resource loading, including NLP web applications, Jupyter notebooks, and CLI tools. The default `pathsec.ENFORCE=False` setting exacerbates the impact by not blocking the file read at the `open()` stage.

πŸŽ–@cveNotify
🚨 CVE-2026-58302
rtapi_app in linuxcnc-uspace in LinuxCNC before 2.9.9 allows privilege escalation. It is installed SUID root and loads shared library modules via dlopen() by using a user-supplied module name. Insufficient validation of the module name allows path traversal, enabling an unprivileged local user to load an arbitrary shared library. Because the process retains elevated privileges during module loading, this results in local privilege escalation to root.

πŸŽ–@cveNotify
🚨 CVE-2026-12114
The Team Members – Multi Language Supported Team Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 8.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

πŸŽ–@cveNotify
🚨 CVE-2026-14160
Time-of-check time-of-use (TOCTOU) race condition vulnerability in Samsung Open Source Escargot allows Leveraging Race Conditions.

This issue affects Escargot: bab3a5797557014ce3c2e28419a6310cfba90d0d.

πŸŽ–@cveNotify
🚨 CVE-2026-11367
The PixMagix – WordPress Image Editor plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.7.2 via the move_image_on_server function. This makes it possible for authenticated attackers, with author-level access and above, to write files with attacker-controlled content to arbitrary locations on the server. The unsanitized 'layers[].id' parameter is concatenated into a filesystem path and passed to PHP's copy() function, allowing traversal sequences (e.g. '../../') to escape the intended upload directory and write attacker-supplied file contents to arbitrary paths accessible by the web server process. The save_template REST endpoint is gated by the create_projects permission (edit_pixmagix + upload_files), which Author-level users hold by default after plugin activation, making this exploitable by any Author on sites running PixMagix.

πŸŽ–@cveNotify
🚨 CVE-2026-12073
The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 5.9.9.5. This is due to the plugin not validating a `user_login` on registration forms that don't contain this parameter, and not properly handling the error messages. This makes it possible for unauthenticated attackers to change email address of user account with ID=1 (usually an administrator), and leverage that to reset the user's password and gain access to their account.

πŸŽ–@cveNotify
🚨 CVE-2026-12560
The Editorial Rating – Product Review & Rating System plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'Link URL' Field in all versions up to, and including, 4.0.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The WordPress unfiltered_html capability exemption does not apply here because the payload is stored in post meta (_wpas_er_options via update_post_meta) rather than in post_content or post_excerpt, meaning the restriction affects all administrators regardless of their unfiltered_html status.

πŸŽ–@cveNotify
🚨 CVE-2026-8944
The Plugin for Google Analytics by IO technologies plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1. This is due to missing or incorrect nonce validation on the Google Analytics settings page (ga.php). This makes it possible for unauthenticated attackers to update the plugin's stored Google Analytics tracking ID option (io-ga-id) via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

πŸŽ–@cveNotify
🚨 CVE-2026-11581
The Kali Forms β€” Contact Form & Drag-and-Drop Builder WordPress plugin before 2.4.13 does not sanitise a form field's caption before outputting it as a column header on the administrator form-entries screen, allowing users with Contributor-level access or above to store JavaScript that executes in an administrator's session. A missing capability check in the Kali Forms β€” Contact Form & Drag-and-Drop Builder WordPress plugin before 2.4.13's post-duplication action additionally lets the Contributor publish the malicious form so an administrator renders it.

πŸŽ–@cveNotify
🚨 CVE-2026-11589
The WP Support Plus Responsive Ticket System WordPress plugin through 9.1.2 does not properly validate uploaded files, allowing unauthenticated users to upload files containing malicious JavaScript (such as HTML or SVG) to a publicly accessible location, leading to Stored Cross-Site Scripting attacks against site users and administrators.

πŸŽ–@cveNotify
🚨 CVE-2026-11590
The WP Support Plus Responsive Ticket System WordPress plugin through 9.1.2 does not sanitize user-supplied array keys before using them in a SQL statement, allowing unauthenticated users to perform SQL injection attacks.

πŸŽ–@cveNotify
🚨 CVE-2026-12240
The Export User Data plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the unserialize function in all versions up to, and including, 2.2.6. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). Successful exploitation requires an administrator to trigger a user data export while a subscriber-level (or higher) user has stored a crafted serialized XLSXWriter object payload as their display name.

πŸŽ–@cveNotify
🚨 CVE-2026-12818
Delta Electronics DVP12SE PLCs are susceptible to a resource allocation vulnerability without limits or throttling (CWE-770) within their Modbus TCP service.

πŸŽ–@cveNotify
🚨 CVE-2026-12819
Delta Electronics DVP12SE PLC exposes a Modbus TCP service over a specified port without authentication or access control, permitting unauthenticated interaction with security-sensitive PLC functions.

πŸŽ–@cveNotify
🚨 CVE-2026-14164
A double free issue has been identified in libarchive's RAR5 reader. During parsing of a specially crafted RAR5 archive, the filtered_buf pointer may remain stale after being freed during unpacking state reinitialization. Subsequent processing of another archive entry can trigger a second free of the same memory region, resulting in a double-free condition. Successful exploitation may cause applications using the vulnerable libarchive API to terminate unexpectedly, leading to a denial of service.

πŸŽ–@cveNotify
🚨 CVE-2026-56137
RPG MAKER MV and MZ provided by Gotcha Gotcha Games Inc. contain an OS command injection vulnerability. If a user loads a specially crafted save-file, arbitrary OS command may be executed.

πŸŽ–@cveNotify
🚨 CVE-2026-56808
DGM3103SCT provided by AVTECH Security Corporation contains an OS command injection vulnerability, which may lead to arbitrary command execution with the root privilege by a user who can log in to the web management console of the affected product.

πŸŽ–@cveNotify