A heap buffer over-read in iccDEV versions prior to 2.3.1.2 allows local attackers with user interaction to leak sensitive heap memory contents or crash the application when processing specially crafted ICC color profiles. The vulnerability stems from unsafe handling of non-null-terminated buffers in the strlen() function during ICC profile processing. Users of the iccDEV library should upgrade to version 2.3.1.2 to remediate this issue.
Jirafeau's MIME type validation can be bypassed by sending crafted HTTP requests with invalid MIME types, allowing attackers to trigger browser-based MIME sniffing that may execute malicious JavaScript embedded in SVG or HTML files. An unauthenticated remote attacker can exploit this through a simple network request requiring user interaction to view a malicious preview. A patch is available and the vulnerability affects Jirafeau and related products.
libsoup's HTTP redirect handling fails to strip Proxy-Authorization headers when requests are forwarded to different hosts, allowing proxy credentials to be exposed to unintended third-party servers. Applications relying on libsoup for HTTP communication are vulnerable to disclosure of sensitive proxy authentication data. No patch is currently available.
NVIDIA HD Audio Driver for Windows contains a vulnerability where an attacker could exploit a NULL pointer dereference issue. A successful exploit of this vulnerability might lead to a denial of service. [CVSS 5.5 MEDIUM]
The issue was addressed with improved bounds checks. This issue is fixed in macOS Tahoe 26, Keynote 15.1, iOS 26 and iPadOS 26. [CVSS 5.5 MEDIUM]
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Tagify allows Cross-Site Scripting (XSS).This issue affects Tagify: from 0.0.0 before 1.2.44. [CVSS 5.4 MEDIUM]
Discourse is an open source discussion platform. A privilege escalation vulnerability in versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 allows a non-admin moderator to bypass email-change restrictions, allowing a takeover of non-staff accounts. [CVSS 5.4 MEDIUM]
Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18 contain a persistent authenticated Cross-Site Scripting (XSS) vulnerability. [CVSS 5.4 MEDIUM]
Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18 contain a persistent authenticated Cross-Site Scripting (XSS) vulnerability. [CVSS 5.4 MEDIUM]
Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18 contain a persistent authenticated Cross-Site Scripting (XSS) vulnerability. [CVSS 5.4 MEDIUM]
Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18 contain a persistent authenticated Cross-Site Scripting (XSS) vulnerability. [CVSS 5.4 MEDIUM]
Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18 contain a persistent authenticated Cross-Site Scripting (XSS) vulnerability. [CVSS 5.4 MEDIUM]
Privilege Defined With Unsafe Actions vulnerability in Drupal Mini site allows Stored XSS.This issue affects Mini site: from 0.0.0 before 3.0.2. [CVSS 5.4 MEDIUM]
Discourse is an open source discussion platform. [CVSS 5.4 MEDIUM]
The Vzaar Media Management WordPress plugin through version 1.2 contains a reflected cross-site scripting vulnerability in the PHP_SELF variable that lacks proper input sanitization, allowing unauthenticated attackers to inject malicious scripts. An attacker can exploit this by crafting a malicious link and tricking users into clicking it, leading to arbitrary script execution in their browsers. No patch is currently available for this vulnerability.
The Rupantorpay plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the handle_webhook() function in all versions up to, and including, 2.0.0. [CVSS 5.3 MEDIUM]
Unauthenticated attackers can delete arbitrary calendar entries in the Simple Calendar for Elementor WordPress plugin through versions 1.6.6 due to missing authorization checks on an AJAX function that accepts both authenticated and unauthenticated requests. An attacker only needs a valid nonce and the target calendar entry ID to perform the deletion. No patch is currently available for this vulnerability.
RegistrationMagic (WordPress plugin) versions up to 6.0.7.4. is affected by missing authorization (CVSS 5.3).
Unauthenticated attackers can bypass authorization checks in WordPress form plugins (Database for Contact Form 7, WPforms, Elementor forms) through version 1.4.5 to download CSV exports of all form submissions containing sensitive personally identifiable information. The vulnerability exists because the CSV export endpoint lacks proper capability verification and exports complete datasets regardless of user permissions, while an export key is exposed in publicly accessible page source code. This allows attackers to retrieve sensitive data without authentication or proper authorization.
A sensitive information disclosure in HCL BigFix Compliance allows a remote attacker to access files under the WEB-INF directory, which may contain Java class files and configuration information, leading to unauthorized access to application internals. [CVSS 5.3 MEDIUM]
Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal CKEditor 5 Premium Features allows Functionality Bypass.This issue affects CKEditor 5 Premium Features: from 0.0.0 before 1.2.10, from 1.3.0 before 1.3.6, from 1.4.0 before 1.4.3, from 1.5.0 before 1.5.1, from 1.6.0 before 1.6.4. [CVSS 5.3 MEDIUM]
WP Adminify (WordPress plugin) versions up to 4.0.7.7 is affected by information exposure (CVSS 5.3).
Incorrect Authorization vulnerability in Drupal Entity Share allows Forceful Browsing.This issue affects Entity Share: from 0.0.0 before 3.13.0. [CVSS 5.3 MEDIUM]
Arithmetic overflow in Soroban SDK versions up to 25.0.2 allows contracts using user-controlled range bounds in Bytes::slice, Vec::slice, or Prng::gen_range methods to operate on incorrect data ranges or generate unintended random numbers, potentially corrupting contract state. Developers who do not enable overflow-checks in their Rust configuration are vulnerable to this silent data corruption. A patch is available and should be applied immediately to affected Soroban contracts.
The User Activity Log WordPress plugin through 2.2 does not properly handle failed login attempts in some cases, allowing unauthenticated users to set arbitrary options to 1 (for example to enable User Registration when it has been turned off) [CVSS 5.3 MEDIUM]
The RustCrypto ml-dsa crate versions 0.0.4 through 0.1.0-rc.3 incorrectly validate ML-DSA digital signatures by accepting duplicate hint indices that should be strictly increasing per the FIPS 204 specification, allowing attackers to forge valid signatures that should be rejected. This regression was introduced by a comparison operator change in version 0.0.4 and affects any application relying on this crate for signature verification. A patch is available in version 0.1.0-rc.4.
During the TLS 1.3 handshake if multiple messages are sent in records that span encryption level boundaries (for instance the Client Hello and Encrypted Extensions messages), the subsequent messages may be processed before the encryption level changes. [CVSS 5.3 MEDIUM]
A Stored cross-site scripting (XSS) vulnerability in 'Create New Live Item' in PodcastGenerator 3.2.9 allows remote attackers to inject arbitrary script or HTML via the 'TITLE', 'SHORT DESCRIPTION' and 'LONG DESCRIPTION' parameters. [CVSS 4.8 MEDIUM]
Discourse is an open source discussion platform. A vulnerability present in versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 affects anyone who uses S3 for uploads. [CVSS 4.6 MEDIUM]
Discourse is an open source discussion platform. Versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 have a content-security-policy-mitigated cross-site scriptinv vulnerability on the Discourse Math plugin when using its KaTeX variant. [CVSS 4.6 MEDIUM]
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal AI (Artificial Intelligence) allows Cross-Site Scripting (XSS).This issue affects AI (Artificial Intelligence): from 0.0.0 before 1.0.7, from 1.1.0 before 1.1.7, from 1.2.0 before 1.2.4. [CVSS 4.4 MEDIUM]
Stored XSS in WP Google Ad Manager Plugin up to version 1.1.0 allows administrators to inject malicious scripts into WordPress pages through insufficiently sanitized admin settings, affecting multi-site installations and configurations with disabled unfiltered_html. Authenticated attackers with administrator privileges can exploit this to execute arbitrary JavaScript that persists and runs for all users visiting affected pages. No patch is currently available.
The Appointment Hour Booking plugin for WordPress through version 1.5.60 allows administrators to inject persistent JavaScript into the form builder interface through inadequately sanitized field configuration parameters. Exploitation requires high-level authenticated access and affects only multisite installations or those with unfiltered HTML disabled. Injected scripts execute in the context of other users accessing the form builder, enabling credential theft or unauthorized actions.
Stored XSS in Ivory Search WordPress plugin up to version 5.5.13 allows administrators to inject malicious scripts into admin settings due to inadequate input sanitization, affecting multi-site installations and those with unfiltered_html disabled. Attackers with admin privileges can execute arbitrary JavaScript that persists and runs for all users accessing affected pages. A patch is not currently available.
Order Minimum/Maximum Amount Limits for WooCommerce (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 4.4).
Symantec Endpoint Protection, prior to 14.3 RU10 Patch 1, RU9 Patch 2, and RU8 Patch 3, may be susceptible to a COM Hijacking vulnerability, which is a type of issue whereby an attacker attempts to establish persistence and evade detection by hijacking COM references in the Windows Registry. [CVSS 4.4 MEDIUM]
Discourse is an open source discussion platform. Versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 have an application level denial of service vulnerabilityin the username change functionality at try.discourse.org. The vulnerability allows attackers to cause noticeable server delays and resource exhaustion by sending large JSON payloads to the username preference endpoint PUT /u//preferences/username, resulting in degraded performance for other users and endpoints. This issue is pat...
Authenticated attackers with Author-level permissions can read, modify, and delete document library entries belonging to other users in the Document Embedder plugin for WordPress through improper access control checks in multiple AJAX handlers. The vulnerability affects all versions up to 2.0.4 and requires no additional user interaction, allowing privilege escalation within the plugin's document management system. No patch is currently available.
An out-of-bounds read was addressed with improved input validation. This issue is fixed in iOS 26.1 and iPadOS 26.1, Pages 15.1, macOS Tahoe 26.1. [CVSS 4.3 MEDIUM]
The Change WP URL plugin for WordPress through version 1.0 lacks proper nonce validation, allowing unauthenticated attackers to modify the WordPress login URL through cross-site request forgery if they can socially engineer a site administrator into clicking a malicious link. This vulnerability affects all WordPress installations using the vulnerable plugin and enables attackers to redirect administrator access to attacker-controlled pages. No patch is currently available.
The Recooty - Job Widget (Old Dashboard) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.6. This is due to missing nonce validation on the recooty_save_maybe() function. [CVSS 4.3 MEDIUM]
Bitcoin Donate Button (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).
Unauthenticated attackers can modify WordPress imwptip plugin settings through cross-site request forgery attacks by exploiting missing nonce validation in versions up to 1.1. An attacker can trick site administrators into clicking a malicious link to alter plugin configurations without authentication. No patch is currently available for this vulnerability.
The Easy Replace Image plugin for WordPress up to version 3.5.2 lacks proper authorization checks on its AJAX image replacement function, allowing authenticated users with Contributor-level privileges to replace arbitrary image attachments with external URLs. This enables attackers to deface sites, conduct phishing attacks, or manipulate content without administrative oversight. No patch is currently available for this medium-severity vulnerability.
Stop Spammers Classic (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).
Thunderbird's inline OpenPGP message decryption can leak secret email contents through CSS style injection when remote content loading is enabled, allowing attackers to extract decrypted plaintext via crafted email formatting. This affects Thunderbird versions before 147.0.1 and 140.7.1, requiring user interaction to trigger the vulnerability. No patch is currently available.
Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Disable Login Page allows Functionality Bypass.This issue affects Disable Login Page: from 0.0.0 before 1.1.3. [CVSS 4.2 MEDIUM]