CVE Notify
19.3K subscribers
4 photos
204K links
Alert on the latest CVEs

Partner channel: @malwr
Download Telegram
🚨 CVE-2026-4298
The DSGVO All in one for WP plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 4.9. This is due to the dsgvo_reset_policy_service_func() function lacking both capability checks and nonce verification while processing user-supplied parameters to reset plugin options. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset all customized privacy policy content including cookie notices, Google Analytics policies, Facebook policies, and YouTube policies to their default values.

πŸŽ–@cveNotify
🚨 CVE-2026-50644
SOPlanning is vulnerable to SQL injection in the audit retention configuration. An attacker holding parameters_all rights can inject SQL commands into the audit configuration form which is then saved. The execution is triggered when the audit functionality is accessed (by the attacker or another user).

This issue was fixed in version 1.56.01.

πŸŽ–@cveNotify
🚨 CVE-2026-56288
GNU patch is vulnerable to a NULL pointer dereference when processing a specially crafted unified-diff patch file. Improper handling of consecutive end-of-file newline markers can corrupt internal hunk (single block of changes in diff) data structures, causing the application to pass a NULL pointer to fwrite() during patch processing.
An attacker can trigger this condition with a malicious patch file, causing the utility to crash and resulting in a denial of service.



This issue has been fixed in the commit e6d6a4e021660679d7fc9150f981d4920f722313

πŸŽ–@cveNotify
🚨 CVE-2026-56289
GNU patch is vulnerable to a denial of service (DoS) due to improper validation of hunk (single block of changes in diff) line offsets in unified-diff input. A specially crafted patch can specify an extremely large line number, causing the application to enter an effectively infinite processing loop while attempting to locate the requested position.
This results in excessive CPU consumption and prevents the process from completing.
An attacker can trigger this behavior by supplying a malicious patch file, causing the utility to become unresponsive and require manual termination.



This issue has been fixed in the commit faba04ef4f2b410257f76c1b9dc85e350929c4b9

πŸŽ–@cveNotify
🚨 CVE-2026-58303
Stack-based buffer overflow vulnerability in Samsung Open Source Escargot allows Overflow Buffers.

This issue affects Escargot: before b30b63fc63b403907d8137da1c65aaa4521fe74e.

πŸŽ–@cveNotify
🚨 CVE-2026-58305
Access of resource using incompatible type ('type confusion') vulnerability in Samsung Open Source Escargot allows Pointer Manipulation.

This issue affects Escargot: before 779f6bedf58f334dec64b0a51ebb724b4708b84a.

πŸŽ–@cveNotify
🚨 CVE-2026-58307
Out-of-bounds read, Reachable assertion vulnerability in Samsung Open Source Escargot allows Overread Buffers, Input Data Manipulation.

This issue affects Escargot: before 2dee22f5c7b8bf31cb7252d7731fae8c07f2842c.

πŸŽ–@cveNotify
🚨 CVE-2026-59691
A heap buffer overflow vulnerability was found in GStreamer's rfbsrc plugin. When a client connects to a malicious RFB/VNC server that advertises a 16bpp framebuffer and sends Hextile-encoded updates, the Hextile background fill path writes 32-bit pixel values into a buffer allocated for 16-bit pixels. This type mismatch causes an out-of-bounds heap write that can lead to denial of service (process crash) and potential memory corruption.

πŸŽ–@cveNotify
🚨 CVE-2026-59692
A stack buffer overflow vulnerability was found in GStreamer's DTLS plugin. During a DTLS handshake, the peer certificate Subject Distinguished Name is printed into a fixed-size 2048-byte stack buffer without bounds checking. A remote unauthenticated attacker can send a certificate with an oversized Subject DN that exceeds the buffer, causing a stack buffer overflow and process crash, resulting in denial of service.

πŸŽ–@cveNotify
🚨 CVE-2026-9021
The Easy Invoice plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.1.19. This is due to the plugin registering the easy_invoice_accept_quote and easy_invoice_decline_quote AJAX actions via wp_ajax_nopriv_ hooks and relying solely on a quote-scoped nonce that is rendered into the publicly accessible single quote template, combined with an ownership check that is gated behind an off-by-default Pro option (easy_invoice_pro_restrict_quote_to_client). This makes it possible for unauthenticated attackers to accept or decline arbitrary published quotes β€” and, depending on the configured accept action, automatically convert them into invoices (and even email them to the client) β€” by harvesting the per-quote nonce from the public quote page and submitting it to admin-ajax.

πŸŽ–@cveNotify
🚨 CVE-2026-9027
The CorvusPay WooCommerce Payment Gateway plugin for WordPress is vulnerable to Payment Bypass via Improper Verification of Cryptographic Signature in all versions up to, and including, 2.7.4. The `corvuspay_success_handler` function registers the REST endpoint `POST /wp-json/corvuspay/success/` with `'permission_callback' => '__return_true'`, and while it calls `$this->client->validate->signature()` and stores the boolean result in `$res`, the result is never evaluated in a conditional β€” it is only written to the debug log β€” causing execution to unconditionally reach `$order->payment_complete()` regardless of whether the cryptographic signature is valid. This makes it possible for unauthenticated attackers to mark any pending WooCommerce order as fully paid by sending a POST request to the success endpoint containing an arbitrary or forged signature value, allowing them to obtain goods or services without payment. Because WooCommerce order IDs are sequential integers, target orders are trivially enumerable via the `order_number` POST parameter, requiring no prior knowledge of the victim order.

πŸŽ–@cveNotify
🚨 CVE-2026-9235
The DHL eCommerce (Benelux) for WooCommerce plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check and missing nonce verification on the create_label() and delete_label() functions in versions up to, and including, 2.2.3. These functions are wired to the wp_ajax_dhlpwc_label_create and wp_ajax_dhlpwc_label_delete hooks and act on an attacker-supplied post_id (WooCommerce order ID). This makes it possible for authenticated attackers, with Subscriber-level access and above, to create or delete DHL shipping labels associated with any WooCommerce order on the site.

πŸŽ–@cveNotify
🚨 CVE-2026-9237
The Employee, Leave and Recruitment Management System – Crew HRM plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.2.2. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete, archive, unarchive, and duplicate arbitrary job listings β€” along with their associated stages, meta, addresses, and applications β€” by supplying an arbitrary integer job_id. The nonce verified by Dispatcher::dispatch() is exposed to all authenticated front-end visitors via wp_head script localization, meaning subscribers can trivially obtain it and satisfy the nonce check without possessing any elevated privilege.

πŸŽ–@cveNotify
🚨 CVE-2026-9240
The Colissimo Officiel : MΓ©thodes de livraison pour WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the updateShippingMethod() function (registered to the wp_ajax_lpc_order_affect AJAX action) in versions up to, and including, 2.9.0. This is due to the handler performing no current_user_can() capability check and no nonce verification before reading an attacker-supplied order_id and modifying that order's shipping method, pickup-point meta, and shipping address. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create or modify the shipment information (shipping method, pickup relay data, and shipping address) of arbitrary WooCommerce orders, including orders placed by other users.

πŸŽ–@cveNotify
🚨 CVE-2026-57256
When the application opens a PDF and executes JavaScript, it performs abnormal operations on the list box field, and this operation is repeated after the form is reset. During this process, the application failed to adequately verify the validity of the form objects and their internal dictionary pointers, resulting in accessing internal members of invalid or improperly initialized fields. This led to an illegal pointer read, ultimately causing the application to crash.

πŸŽ–@cveNotify
🚨 CVE-2026-57260
The application opened a PDF file containing an abnormal Unity 3D object. During parsing, the application incorrectly resolved a portion of the abnormal object as a pointer and used it as a valid address, ultimately causing the application to crash.

πŸŽ–@cveNotify
🚨 CVE-2026-57248
When the application opens a PDF file and JavaScript writes annotation attributes, there is a lack of sufficient object type and argument checks. As a result, due to the damage to the internal structure of the annotations, it causes the application to crash during subsequent release.

πŸŽ–@cveNotify
🚨 CVE-2026-57249
After the application opened the PDF file, the script first reset the annotation status, then triggered the reset form event by additional action. During the re-entry process, the application access invalid objects and crashed.

πŸŽ–@cveNotify