🚨 CVE-2026-14800
A weakness has been identified in imhamzaazam ecommerceFlask up to cb7d9e24c30a99379651b7493b32048126ef402b. The affected element is an unknown function. This manipulation causes cross-site request forgery. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The project was informed of the problem early through an issue report but has not responded yet.
🎖@cveNotify
A weakness has been identified in imhamzaazam ecommerceFlask up to cb7d9e24c30a99379651b7493b32048126ef402b. The affected element is an unknown function. This manipulation causes cross-site request forgery. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The project was informed of the problem early through an issue report but has not responded yet.
🎖@cveNotify
GitHub
GitHub - imhamzaazam/ecommerceFlask: My final project is an e-commerce website which is made using flask (python's microframe work)…
My final project is an e-commerce website which is made using flask (python's microframe work) and a bit of Javascript. The database used is sqlite. - imhamzaazam/ecommerceFlask
🚨 CVE-2026-14801
A security vulnerability has been detected in GPAC 26.03-DEV-rev342-g80071f700-master. The impacted element is the function txtin_probe_duration of the file src/filters/load_text.c of the component TeXML File Handler. Such manipulation of the argument txml_timescale leads to divide by zero. An attack has to be approached locally. The name of the patch is 86a5191f2e750c767253e27ed6cfd6d547afebc2. A patch should be applied to remediate this issue.
🎖@cveNotify
A security vulnerability has been detected in GPAC 26.03-DEV-rev342-g80071f700-master. The impacted element is the function txtin_probe_duration of the file src/filters/load_text.c of the component TeXML File Handler. Such manipulation of the argument txml_timescale leads to divide by zero. An attack has to be approached locally. The name of the patch is 86a5191f2e750c767253e27ed6cfd6d547afebc2. A patch should be applied to remediate this issue.
🎖@cveNotify
GitHub
GitHub - gpac/gpac: GPAC Ultramedia OSS for Video Streaming & Next-Gen Multimedia Transcoding, Packaging & Delivery
GPAC Ultramedia OSS for Video Streaming & Next-Gen Multimedia Transcoding, Packaging & Delivery - gpac/gpac
🚨 CVE-2026-14802
A vulnerability was detected in react create-react-app up to 5.0.1 on macOS. This affects the function startBrowserProcess of the file openBrowser.js of the component react-dev-utils. Performing a manipulation results in os command injection. Remote exploitation of the attack is possible. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
🎖@cveNotify
A vulnerability was detected in react create-react-app up to 5.0.1 on macOS. This affects the function startBrowserProcess of the file openBrowser.js of the component react-dev-utils. Performing a manipulation results in os command injection. Remote exploitation of the attack is possible. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
🎖@cveNotify
GitHub
GitHub - react/create-react-app: Set up a modern web app by running one command.
Set up a modern web app by running one command. Contribute to react/create-react-app development by creating an account on GitHub.
🚨 CVE-2026-14807
ERP App developed by PROG MIS has a Use of Hard-coded Credentials vulnerability, allowing unauthenticated remote attackers to log in to view application code and obtain the database account and password.
🎖@cveNotify
ERP App developed by PROG MIS has a Use of Hard-coded Credentials vulnerability, allowing unauthenticated remote attackers to log in to view application code and obtain the database account and password.
🎖@cveNotify
🚨 CVE-2026-14808
Prog
Management System developed by PROG MIS has a Exposure of Sensitive
Information vulnerability, allowing unauthenticated remote attackers to view
a specific page and obtain the database account and password.
🎖@cveNotify
Prog
Management System developed by PROG MIS has a Exposure of Sensitive
Information vulnerability, allowing unauthenticated remote attackers to view
a specific page and obtain the database account and password.
🎖@cveNotify
🚨 CVE-2026-6382
The FileOrganizer WordPress plugin before 1.1.9, Advanced File Manager WordPress plugin before 5.4.12, File Manager Pro WordPress plugin before 2.1.1, File Manager WordPress plugin before 8.0.4 do not properly escape a parameter before passing it to a shell command when processing image operations, allowing authenticated users to perform OS Command Injection. This requires the server to have the ImageMagick convert CLI available without either the PHP imagick or GD extensions.
🎖@cveNotify
The FileOrganizer WordPress plugin before 1.1.9, Advanced File Manager WordPress plugin before 5.4.12, File Manager Pro WordPress plugin before 2.1.1, File Manager WordPress plugin before 8.0.4 do not properly escape a parameter before passing it to a shell command when processing image operations, allowing authenticated users to perform OS Command Injection. This requires the server to have the ImageMagick convert CLI available without either the PHP imagick or GD extensions.
🎖@cveNotify
WPScan
Multiple elFinder Plugins - Authenticated OS Command Injection
See details on Multiple elFinder Plugins - Authenticated OS Command Injection CVE 2026-6382. View the latest Plugin Vulnerabilities on WPScan.
🚨 CVE-2024-6228
The Notifications for Forms & WordPress Actions WordPress plugin before 2.6 does not validate a user-supplied value before using it to build a server-side file inclusion path, allowing authenticated users with subscriber-level access and above to include and execute arbitrary local PHP files on the server.
🎖@cveNotify
The Notifications for Forms & WordPress Actions WordPress plugin before 2.6 does not validate a user-supplied value before using it to build a server-side file inclusion path, allowing authenticated users with subscriber-level access and above to include and execute arbitrary local PHP files on the server.
🎖@cveNotify
WPScan
WANotifier < 2.6 - Subscriber+ LFI
See details on WANotifier < 2.6 - Subscriber+ LFI CVE 2024-6228. View the latest Plugin Vulnerabilities on WPScan.
🚨 CVE-2026-10830
The AllCoach WordPress plugin before 1.0.2 does not verify that an email address submitted to a public account-registration endpoint is not already associated with an existing user before overwriting that user's password, allowing unauthenticated attackers to reset the password of arbitrary accounts, including administrators, and take over the site.
🎖@cveNotify
The AllCoach WordPress plugin before 1.0.2 does not verify that an email address submitted to a public account-registration endpoint is not already associated with an existing user before overwriting that user's password, allowing unauthenticated attackers to reset the password of arbitrary accounts, including administrators, and take over the site.
🎖@cveNotify
WPScan
AllCoach < 1.0.2 - Unauthenticated Account Takeover
See details on AllCoach < 1.0.2 - Unauthenticated Account Takeover CVE 2026-10830. View the latest Plugin Vulnerabilities on WPScan.
🚨 CVE-2026-11766
The Ultimate Member WordPress plugin before 2.12.0 does not properly sanitise and escape the value of custom textarea profile fields before outputting it on user profiles, allowing authenticated users with Subscriber-level access and above to store JavaScript that executes when any user, including an administrator, views the affected profile.
🎖@cveNotify
The Ultimate Member WordPress plugin before 2.12.0 does not properly sanitise and escape the value of custom textarea profile fields before outputting it on user profiles, allowing authenticated users with Subscriber-level access and above to store JavaScript that executes when any user, including an administrator, views the affected profile.
🎖@cveNotify
WPScan
Ultimate Member < 2.12.0 - Subscriber+ Stored XSS via Custom Textarea Profile Fields
See details on Ultimate Member < 2.12.0 - Subscriber+ Stored XSS via Custom Textarea Profile Fields CVE 2026-11766. View the latest Plugin Vulnerabilities on WPScan.
🚨 CVE-2026-11855
The Simple Membership WordPress plugin before 4.7.5 does not verify the authenticity of Stripe webhook requests when no signing secret is configured, nor escape a value taken from them before outputting it in an administrator notice, allowing unauthenticated attackers to inject arbitrary web scripts that execute in the context of a logged-in administrator.
🎖@cveNotify
The Simple Membership WordPress plugin before 4.7.5 does not verify the authenticity of Stripe webhook requests when no signing secret is configured, nor escape a value taken from them before outputting it in an administrator notice, allowing unauthenticated attackers to inject arbitrary web scripts that execute in the context of a logged-in administrator.
🎖@cveNotify
WPScan
Simple Membership < 4.7.5 - Unauthenticated Stored XSS via Stripe Webhook API Version
See details on Simple Membership < 4.7.5 - Unauthenticated Stored XSS via Stripe Webhook API Version CVE 2026-11855. View the latest Plugin Vulnerabilities on WPScan.
🚨 CVE-2026-11962
The FileOrganizer WordPress plugin before 1.2.0 does not validate the file type on several of its file-management operations, allowing authenticated users who have been granted file-manager access — which its premium add-on can extend to sub-administrator roles — to upload arbitrary PHP files and achieve remote code execution. This is an incomplete fix of CVE-2024-7985, which only added file-type validation to the upload operation.
🎖@cveNotify
The FileOrganizer WordPress plugin before 1.2.0 does not validate the file type on several of its file-management operations, allowing authenticated users who have been granted file-manager access — which its premium add-on can extend to sub-administrator roles — to upload arbitrary PHP files and achieve remote code execution. This is an incomplete fix of CVE-2024-7985, which only added file-type validation to the upload operation.
🎖@cveNotify
WPScan
FileOrganizer < 1.2.0 - Authenticated Arbitrary File Upload via elFinder File Operations
See details on FileOrganizer < 1.2.0 - Authenticated Arbitrary File Upload via elFinder File Operations CVE 2026-11962. View the latest Plugin Vulnerabilities on WPScan.
🚨 CVE-2026-12083
The Admin and Site Enhancements (ASE) WordPress plugin before 8.8.4, admin-site-enhancements-pro WordPress plugin before 8.8.4 does not perform authentication, authorization, or nonce checks on a role-restoration request handler, allowing unauthenticated attackers to restore a previously demoted administrator account back to the administrator role. This is an incomplete fix of CVE-2024-43333 / CVE-2025-24648, which closed the issue for only one of the demotion paths the WordPress role API exposes.
🎖@cveNotify
The Admin and Site Enhancements (ASE) WordPress plugin before 8.8.4, admin-site-enhancements-pro WordPress plugin before 8.8.4 does not perform authentication, authorization, or nonce checks on a role-restoration request handler, allowing unauthenticated attackers to restore a previously demoted administrator account back to the administrator role. This is an incomplete fix of CVE-2024-43333 / CVE-2025-24648, which closed the issue for only one of the demotion paths the WordPress role API exposes.
🎖@cveNotify
WPScan
Admin and Site Enhancements < 8.8.4 - Unauthenticated Administrator-Role Restoration via reset-for Parameter
See details on Admin and Site Enhancements < 8.8.4 - Unauthenticated Administrator-Role Restoration via reset-for Parameter CVE 2026-12083. View the latest Plugin Vulnerabilities on WPScan.
🚨 CVE-2026-14800
A weakness has been identified in imhamzaazam ecommerceFlask up to cb7d9e24c30a99379651b7493b32048126ef402b. The affected element is an unknown function. This manipulation causes cross-site request forgery. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The project was informed of the problem early through an issue report but has not responded yet.
🎖@cveNotify
A weakness has been identified in imhamzaazam ecommerceFlask up to cb7d9e24c30a99379651b7493b32048126ef402b. The affected element is an unknown function. This manipulation causes cross-site request forgery. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The project was informed of the problem early through an issue report but has not responded yet.
🎖@cveNotify
GitHub
GitHub - imhamzaazam/ecommerceFlask: My final project is an e-commerce website which is made using flask (python's microframe work)…
My final project is an e-commerce website which is made using flask (python's microframe work) and a bit of Javascript. The database used is sqlite. - imhamzaazam/ecommerceFlask
🚨 CVE-2026-14801
A security vulnerability has been detected in GPAC 26.03-DEV-rev342-g80071f700-master. The impacted element is the function txtin_probe_duration of the file src/filters/load_text.c of the component TeXML File Handler. Such manipulation of the argument txml_timescale leads to divide by zero. An attack has to be approached locally. The name of the patch is 86a5191f2e750c767253e27ed6cfd6d547afebc2. A patch should be applied to remediate this issue.
🎖@cveNotify
A security vulnerability has been detected in GPAC 26.03-DEV-rev342-g80071f700-master. The impacted element is the function txtin_probe_duration of the file src/filters/load_text.c of the component TeXML File Handler. Such manipulation of the argument txml_timescale leads to divide by zero. An attack has to be approached locally. The name of the patch is 86a5191f2e750c767253e27ed6cfd6d547afebc2. A patch should be applied to remediate this issue.
🎖@cveNotify
GitHub
GitHub - gpac/gpac: GPAC Ultramedia OSS for Video Streaming & Next-Gen Multimedia Transcoding, Packaging & Delivery
GPAC Ultramedia OSS for Video Streaming & Next-Gen Multimedia Transcoding, Packaging & Delivery - gpac/gpac
🚨 CVE-2026-14802
A vulnerability was detected in react create-react-app up to 5.0.1 on macOS. This affects the function startBrowserProcess of the file openBrowser.js of the component react-dev-utils. Performing a manipulation results in os command injection. Remote exploitation of the attack is possible. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
🎖@cveNotify
A vulnerability was detected in react create-react-app up to 5.0.1 on macOS. This affects the function startBrowserProcess of the file openBrowser.js of the component react-dev-utils. Performing a manipulation results in os command injection. Remote exploitation of the attack is possible. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
🎖@cveNotify
GitHub
GitHub - react/create-react-app: Set up a modern web app by running one command.
Set up a modern web app by running one command. Contribute to react/create-react-app development by creating an account on GitHub.
🚨 CVE-2026-14807
ERP App developed by PROG MIS has a Use of Hard-coded Credentials vulnerability, allowing unauthenticated remote attackers to log in to view application code and obtain the database account and password.
🎖@cveNotify
ERP App developed by PROG MIS has a Use of Hard-coded Credentials vulnerability, allowing unauthenticated remote attackers to log in to view application code and obtain the database account and password.
🎖@cveNotify
🚨 CVE-2026-14808
Prog
Management System developed by PROG MIS has a Exposure of Sensitive
Information vulnerability, allowing unauthenticated remote attackers to view
a specific page and obtain the database account and password.
🎖@cveNotify
Prog
Management System developed by PROG MIS has a Exposure of Sensitive
Information vulnerability, allowing unauthenticated remote attackers to view
a specific page and obtain the database account and password.
🎖@cveNotify
🚨 CVE-2026-6382
The FileOrganizer WordPress plugin before 1.1.9, Advanced File Manager WordPress plugin before 5.4.12, File Manager Pro WordPress plugin before 2.1.1, File Manager WordPress plugin before 8.0.4 do not properly escape a parameter before passing it to a shell command when processing image operations, allowing authenticated users to perform OS Command Injection. This requires the server to have the ImageMagick convert CLI available without either the PHP imagick or GD extensions.
🎖@cveNotify
The FileOrganizer WordPress plugin before 1.1.9, Advanced File Manager WordPress plugin before 5.4.12, File Manager Pro WordPress plugin before 2.1.1, File Manager WordPress plugin before 8.0.4 do not properly escape a parameter before passing it to a shell command when processing image operations, allowing authenticated users to perform OS Command Injection. This requires the server to have the ImageMagick convert CLI available without either the PHP imagick or GD extensions.
🎖@cveNotify
WPScan
Multiple elFinder Plugins - Authenticated OS Command Injection
See details on Multiple elFinder Plugins - Authenticated OS Command Injection CVE 2026-6382. View the latest Plugin Vulnerabilities on WPScan.
🚨 CVE-2026-14809
Prog Management System developed by PROG MIS has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read database contents.
🎖@cveNotify
Prog Management System developed by PROG MIS has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read database contents.
🎖@cveNotify
🚨 CVE-2026-1433
uniFLOW Universal Login Manager (ULM) Standalone
contains an information disclosure vulnerability that may allow an
authenticated administrator to access sensitive configuration information
through the ULM Remote User Interface (RUI). Exploitation requires
administrative privileges and may disclose configuration data associated with
SMTP or LDAP integrations. ULM deployments connected to uniFLOW Server or
uniFLOW Online are not affected.
🎖@cveNotify
uniFLOW Universal Login Manager (ULM) Standalone
contains an information disclosure vulnerability that may allow an
authenticated administrator to access sensitive configuration information
through the ULM Remote User Interface (RUI). Exploitation requires
administrative privileges and may disclose configuration data associated with
SMTP or LDAP integrations. ULM deployments connected to uniFLOW Server or
uniFLOW Online are not affected.
🎖@cveNotify
🚨 CVE-2026-24012
Uncontrolled Resource Consumption vulnerability in Apache IoTDB.
Some interface fails to impose reasonable
limits on the time span and aggregation interval of the query. An attacker
can construct a request with extreme parameters (e.g., a very large time
range combined with a minimal interval). This forces the DataNode to build
an enormous result set in memory, which exhausts the Java heap and causes
the DataNode process to crash.
This issue affects Apache IoTDB: from 1.3.3 before 2.0.8.
Users are recommended to upgrade to version 2.0.8, which fixes the issue.
🎖@cveNotify
Uncontrolled Resource Consumption vulnerability in Apache IoTDB.
Some interface fails to impose reasonable
limits on the time span and aggregation interval of the query. An attacker
can construct a request with extreme parameters (e.g., a very large time
range combined with a minimal interval). This forces the DataNode to build
an enormous result set in memory, which exhausts the Java heap and causes
the DataNode process to crash.
This issue affects Apache IoTDB: from 1.3.3 before 2.0.8.
Users are recommended to upgrade to version 2.0.8, which fixes the issue.
🎖@cveNotify