🚨 CVE-2026-58587
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal Canvas allows Cross-Site Scripting (XSS). This issue affects Drupal Canvas versions: from 0.0.0 to 1.4.2, from 1.5.0 to 1.5.2, from 1.6.0 to 1.6.1, from 1.7.0 to 1.7.1.
🎖@cveNotify
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal Canvas allows Cross-Site Scripting (XSS). This issue affects Drupal Canvas versions: from 0.0.0 to 1.4.2, from 1.5.0 to 1.5.2, from 1.6.0 to 1.6.1, from 1.7.0 to 1.7.1.
🎖@cveNotify
Drupal.org
Drupal Canvas - Moderately critical - Improper validation - SA-CONTRIB-2026-065
The Canvas AI submodule allows you to upload image files via a custom API to use within the AI web chat. These file uploads are insufficiently validated before being written to Drupal's temporary directory. In some cases, this may lead to cross-site scripting…
🚨 CVE-2026-58588
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal Canvas allows Cross-Site Scripting (XSS). This issue affects Drupal Canvas versions: from 0.0.0 to 1.4.2, from 1.5.0 to 1.5.2, from 1.6.0 to 1.6.1, from 1.7.0 to 1.7.1.
🎖@cveNotify
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal Canvas allows Cross-Site Scripting (XSS). This issue affects Drupal Canvas versions: from 0.0.0 to 1.4.2, from 1.5.0 to 1.5.2, from 1.6.0 to 1.6.1, from 1.7.0 to 1.7.1.
🎖@cveNotify
Drupal.org
Drupal Canvas - Moderately critical - Improper validation - SA-CONTRIB-2026-066
The Canvas module allow you to upload image files via a custom API. The validation rules check the file extension of the uploaded file but not the file MIME type. This may allow a malicious user to upload a file that is not an image. Certain web-server configurations…
🚨 CVE-2026-58589
Missing Authorization vulnerability in Drupal FlowDrop allows Forceful Browsing. This issue affects FlowDrop versions: from 0.0.0 to 1.6.0.
🎖@cveNotify
Missing Authorization vulnerability in Drupal FlowDrop allows Forceful Browsing. This issue affects FlowDrop versions: from 0.0.0 to 1.6.0.
🎖@cveNotify
Drupal.org
FlowDrop - Moderately critical - Access bypass - SA-CONTRIB-2026-067
This module enables you to test and run AI-driven workflows interactively through a chat interface. The module doesn't sufficiently enforce permissions on certain endpoints. Attackers may be able to trigger workflow execution (incurring LLM spend and tool…
🚨 CVE-2026-58590
Missing Authorization vulnerability in Drupal FlowDrop allows Forceful Browsing. This issue affects FlowDrop versions: from 0.0.0 to 1.6.0.
🎖@cveNotify
Missing Authorization vulnerability in Drupal FlowDrop allows Forceful Browsing. This issue affects FlowDrop versions: from 0.0.0 to 1.6.0.
🎖@cveNotify
Drupal.org
FlowDrop - Moderately critical - Access bypass - SA-CONTRIB-2026-068
This module enables you to test and run AI-driven workflows interactively through a chat interface. The module doesn't sufficiently re-evaluate a human-in-the-loop approval gate where the workflow iterates more than once. This may result in execution of workflows…
🚨 CVE-2026-58591
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Colorbox allows Cross-Site Scripting (XSS). This issue affects Colorbox versions: from 0.0.0 to 2.1.5, from 0.0.0 to 2.2.0.
🎖@cveNotify
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Colorbox allows Cross-Site Scripting (XSS). This issue affects Colorbox versions: from 0.0.0 to 2.1.5, from 0.0.0 to 2.2.0.
🎖@cveNotify
Drupal.org
Colorbox - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-069
The Colorbox module integrates with the Colorbox JavaScript library to display content in an overlay above the page. The module doesn't sufficiently protect against injection of malicious JavaScript under certain scenarios. This vulnerability is mitigated…
🚨 CVE-2026-59155
Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. Prior to 2.2.5, the GET /api/v1/ddns and GET /api/v1/notification endpoints return full resource objects including plaintext third-party API credentials, including Cloudflare API tokens, TencentCloud SecretKeys, Slack, Discord, and Telegram webhook URLs with embedded bot tokens, and Authorization header values, without any field-level redaction. Any authenticated admin or PAT with nezha:ddns:read or nezha:notification:read scope can receive stored credentials through the listDDNS and listNotification handlers in a single API response. This issue is fixed in version 2.2.5.
🎖@cveNotify
Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. Prior to 2.2.5, the GET /api/v1/ddns and GET /api/v1/notification endpoints return full resource objects including plaintext third-party API credentials, including Cloudflare API tokens, TencentCloud SecretKeys, Slack, Discord, and Telegram webhook URLs with embedded bot tokens, and Authorization header values, without any field-level redaction. Any authenticated admin or PAT with nezha:ddns:read or nezha:notification:read scope can receive stored credentials through the listDDNS and listNotification handlers in a single API response. This issue is fixed in version 2.2.5.
🎖@cveNotify
GitHub
fix(api): redact third-party credentials in ddns/notification list · nezhahq/nezha@39d3980
GET /api/v1/ddns and /api/v1/notification returned full objects with
plaintext credentials (Cloudflare/TencentCloud secrets, webhook URLs
with embedded bot tokens, Authorization headers). Redact th...
plaintext credentials (Cloudflare/TencentCloud secrets, webhook URLs
with embedded bot tokens, Authorization headers). Redact th...
🚨 CVE-2026-31927
Anviz CX7 Firmware is vulnerable to an authenticated CSV upload which allows path traversal to overwrite arbitrary files (e.g., /etc/shadow), enabling unauthorized SSH access when combined with debug‑setting changes.
🎖@cveNotify
Anviz CX7 Firmware is vulnerable to an authenticated CSV upload which allows path traversal to overwrite arbitrary files (e.g., /etc/shadow), enabling unauthorized SSH access when combined with debug‑setting changes.
🎖@cveNotify
GitHub
CSAF/csaf_files/OT/white/2026/icsa-26-106-03.json at develop · cisagov/CSAF
CISA CSAF Security Advisories. Contribute to cisagov/CSAF development by creating an account on GitHub.
🚨 CVE-2026-40066
Anviz CX2 Lite and CX7 are vulnerable to unverified update packages that can be uploaded. The device unpacks and executes a script resulting in unauthenticated remote code execution.
🎖@cveNotify
Anviz CX2 Lite and CX7 are vulnerable to unverified update packages that can be uploaded. The device unpacks and executes a script resulting in unauthenticated remote code execution.
🎖@cveNotify
GitHub
CSAF/csaf_files/OT/white/2026/icsa-26-106-03.json at develop · cisagov/CSAF
CISA CSAF Security Advisories. Contribute to cisagov/CSAF development by creating an account on GitHub.
🚨 CVE-2026-11913
vulnerability in Drupal Mother May I allows . This issue affects Mother May I versions: *.*.
🎖@cveNotify
vulnerability in Drupal Mother May I allows . This issue affects Mother May I versions: *.*.
🎖@cveNotify
Drupal.org
Mother May I - Critical - Unsupported - SA-CONTRIB-2026-045
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner…
🚨 CVE-2026-11914
vulnerability in Drupal Composer allows . This issue affects Composer versions: *.*.
🎖@cveNotify
vulnerability in Drupal Composer allows . This issue affects Composer versions: *.*.
🎖@cveNotify
Drupal.org
Composer - Critical - Unsupported - SA-CONTRIB-2026-046
The security team is marking the Composer module for Drupal project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s…
🚨 CVE-2026-11915
vulnerability in Drupal Brute force attack protection allows . This issue affects Brute force attack protection versions: *.*.
🎖@cveNotify
vulnerability in Drupal Brute force attack protection allows . This issue affects Brute force attack protection versions: *.*.
🎖@cveNotify
Drupal.org
Brute force attack protection - Critical - Unsupported - SA-CONTRIB-2026-047
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner…
🚨 CVE-2026-14480
OpenPLC Runtime v3 contains an authenticated arbitrary file write
vulnerability in the legacy web UI program‑upload workflow. The
application stores an attacker‑supplied filename (prog_file) directly
into the Programs.File database field and later uses this value as the
destination path for an uploaded file without validating or restricting
the path. Because Python os.path.join() honors attacker‑controlled
absolute paths, an authenticated user can write arbitrary files anywhere
writable by the OpenPLC webserver process. In the default build
pipeline, all C++ source files within the OpenPLC runtime core directory
are automatically compiled into the executable runtime binary. By
writing a malicious .cpp file into this directory, an authenticated
attacker can escalate the arbitrary file write into arbitrary native
code execution when the operator triggers a normal program compilation
and runtime start.
🎖@cveNotify
OpenPLC Runtime v3 contains an authenticated arbitrary file write
vulnerability in the legacy web UI program‑upload workflow. The
application stores an attacker‑supplied filename (prog_file) directly
into the Programs.File database field and later uses this value as the
destination path for an uploaded file without validating or restricting
the path. Because Python os.path.join() honors attacker‑controlled
absolute paths, an authenticated user can write arbitrary files anywhere
writable by the OpenPLC webserver process. In the default build
pipeline, all C++ source files within the OpenPLC runtime core directory
are automatically compiled into the executable runtime binary. By
writing a malicious .cpp file into this directory, an authenticated
attacker can escalate the arbitrary file write into arbitrary native
code execution when the operator triggers a normal program compilation
and runtime start.
🎖@cveNotify
🚨 CVE-2026-15086
vulnerability in Drupal Raw Formatter [Meta Tag Formatter] allows . This issue affects Raw Formatter [Meta Tag Formatter] versions: *.*.
🎖@cveNotify
vulnerability in Drupal Raw Formatter [Meta Tag Formatter] allows . This issue affects Raw Formatter [Meta Tag Formatter] versions: *.*.
🎖@cveNotify
Drupal.org
Raw Formatter [Meta Tag Formatter] - Critical - Unsupported - SA-CONTRIB-2026-077
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner…
🚨 CVE-2026-15087
vulnerability in Drupal Clean RESTful allows . This issue affects Clean RESTful versions: *.*.
🎖@cveNotify
vulnerability in Drupal Clean RESTful allows . This issue affects Clean RESTful versions: *.*.
🎖@cveNotify
Drupal.org
Clean RESTful - Critical - Unsupported - SA-CONTRIB-2026-078
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner…
🚨 CVE-2026-15089
vulnerability in Drupal Commerce guest registration allows . This issue affects Commerce guest registration versions: *.*.
🎖@cveNotify
vulnerability in Drupal Commerce guest registration allows . This issue affects Commerce guest registration versions: *.*.
🎖@cveNotify
Drupal.org
Commerce guest registration - Critical - Unsupported - SA-CONTRIB-2026-079
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner…
🚨 CVE-2026-20744
The charging station websocket endpoint accepts connections without
proper authentication, which could lead to privilege escalation.
🎖@cveNotify
The charging station websocket endpoint accepts connections without
proper authentication, which could lead to privilege escalation.
🎖@cveNotify
GitHub
CSAF/csaf_files/OT/white/2026/icsa-26-188-01.json at develop · cisagov/CSAF
CISA CSAF Security Advisories. Contribute to cisagov/CSAF development by creating an account on GitHub.
🚨 CVE-2026-42952
Previously, there was no throttling on repeated authentication attempts
to the charging station backend, which could allow an attacker to
execute a denial-of-service attack.
🎖@cveNotify
Previously, there was no throttling on repeated authentication attempts
to the charging station backend, which could allow an attacker to
execute a denial-of-service attack.
🎖@cveNotify
GitHub
CSAF/csaf_files/OT/white/2026/icsa-26-188-01.json at develop · cisagov/CSAF
CISA CSAF Security Advisories. Contribute to cisagov/CSAF development by creating an account on GitHub.
🚨 CVE-2026-44383
Multiple connections to the backend using the same charging station ID
are allowed, which could allow an attacker to deploy multiple instances
of malicious OCPP clients to overwhelm the backend.
🎖@cveNotify
Multiple connections to the backend using the same charging station ID
are allowed, which could allow an attacker to deploy multiple instances
of malicious OCPP clients to overwhelm the backend.
🎖@cveNotify
GitHub
CSAF/csaf_files/OT/white/2026/icsa-26-188-01.json at develop · cisagov/CSAF
CISA CSAF Security Advisories. Contribute to cisagov/CSAF development by creating an account on GitHub.
🚨 CVE-2026-55175
Spinnaker is an open source, multi-cloud continuous delivery platform. Prior to versions 2026.1.1, 2026.0.3, 2025.4.4, and 2025.3.4 on their respective release lines, Kustomize bake operations allow unsafe YAML tag processing in rosco manifests. This can lead to remote code execution on rosco pods when performing Kustomize bakes. This issue is fixed in versions 2026.1.1, 2026.0.3, 2025.4.4, and 2025.3.4.
🎖@cveNotify
Spinnaker is an open source, multi-cloud continuous delivery platform. Prior to versions 2026.1.1, 2026.0.3, 2025.4.4, and 2025.3.4 on their respective release lines, Kustomize bake operations allow unsafe YAML tag processing in rosco manifests. This can lead to remote code execution on rosco pods when performing Kustomize bakes. This issue is fixed in versions 2026.1.1, 2026.0.3, 2025.4.4, and 2025.3.4.
🎖@cveNotify
GitHub
Merge commit from fork (#7713) · spinnaker/spinnaker@2d75818
Co-authored-by: Christos Arvanitis <c_christos.arvanitis@harness.io>
🚨 CVE-2026-11426
The UnderConstructionPage PRO plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 5.76. This is due to the plugin accepting arbitrary local file paths in the template_thumbnail parameter and copying their contents into a publicly accessible uploads file. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read arbitrary files on the server, which can contain sensitive information.
🎖@cveNotify
The UnderConstructionPage PRO plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 5.76. This is due to the plugin accepting arbitrary local file paths in the template_thumbnail parameter and copying their contents into a publicly accessible uploads file. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read arbitrary files on the server, which can contain sensitive information.
🎖@cveNotify
UnderConstructionPage
Changelog - UnderConstructionPage
The log (record) of notable changes created on Under Construction Page Pro plugin.
🚨 CVE-2026-13756
The WP Grid Builder plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.3.3. This is due to missing authorization and meta key validation in the `update()` handler for the `/wp-json/wpgb/v2/metadata` REST endpoint. This makes it possible for authenticated attackers, with Subscriber-level access and above, to elevate their privileges to Administrator by updating their own `wp_capabilities` user meta with a crafted nested array payload.
🎖@cveNotify
The WP Grid Builder plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.3.3. This is due to missing authorization and meta key validation in the `update()` handler for the `/wp-json/wpgb/v2/metadata` REST endpoint. This makes it possible for authenticated attackers, with Subscriber-level access and above, to elevate their privileges to Administrator by updating their own `wp_capabilities` user meta with a crafted nested array payload.
🎖@cveNotify
WP Grid Builder
Changelog - WP Grid Builder
The latest updates to the Gridbuilder ᵂᴾ plugin