cmsmasters CMSMasters Content Composer cmsmasters-content-composer is affected by php remote file inclusion (CVSS 7.5).
Product Table and List Builder for WooCommerce Lite (WordPress plugin) is affected by sql injection (CVSS 7.5).
The Library Management System plugin for WordPress is vulnerable to SQL Injection via the 'bid' parameter in all versions up to, and including, 3.2.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. [CVSS 7.5 HIGH]
OpenClaw's Feishu extension prior to version 2026.2.14 improperly handles `mediaUrl` parameters by treating attacker-controlled values as local filesystem paths, enabling unauthorized file read access. An attacker who can influence tool calls through direct manipulation or prompt injection could exfiltrate sensitive files like `/etc/passwd`. This high-severity path traversal vulnerability (CWE-22) is resolved in version 2026.2.14 and later, which implements proper access controls and routes media loading through hardened helpers.
OpenClaw is a personal AI assistant. [CVSS 7.5 HIGH]
Geth versions prior to 1.16.9 can be remotely crashed by sending a specially crafted message over the network, allowing unauthenticated attackers to cause denial of service against Ethereum nodes. This vulnerability in Go Ethereum's message handling requires no user interaction and affects the availability of affected nodes. Patched versions 1.16.9 and 1.17.0 are available to remediate this issue.
Unauthenticated attackers can bypass access controls in Alfresco Content Services to retrieve sensitive files from protected directories such as WEB-INF through the /share/page/resource/ endpoint. This vulnerability exposes critical configuration data and credentials without requiring authentication or user interaction. No patch is currently available for this remotely exploitable issue affecting Alfresco deployments.
The GDPR Cookie Consent plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'gdpr/v1/settings' REST API endpoint in all versions up to, and including, 4.1.2. [CVSS 7.5 HIGH]
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in OpenText™ XM Fax allows Path Traversal. The vulnerability could allow an attacker to arbitrarily disclose content of files on the local filesystem. [CVSS 7.5 HIGH]
OpenClaw's Telnyx voice-call webhook handler fails to validate webhook signatures when the public key is not configured, allowing unauthenticated attackers to forge arbitrary Telnyx events. This affects only deployments with the Voice Call plugin installed, enabled, and publicly accessible, enabling attackers to inject malicious voice-call events into the system. A patch is available.
Go Ethereum versions up to 1.17.0 is affected by allocation of resources without limits or throttling (CVSS 7.5).
Go Ethereum (Geth) versions prior to 1.16.9 contain a cryptographic implementation flaw in ECIES that allows remote attackers to extract portions of the p2p node key without authentication. This exposure could compromise the confidentiality of node communications and potentially enable impersonation or network-level attacks against affected Ethereum nodes. Administrators should upgrade to version 1.16.9 or later and rotate their node keys by deleting the nodekey file.
strongMan's credential encryption uses a static initialization vector with AES-CTR mode, causing all database fields to be encrypted with identical key streams. An attacker with database access can leverage publicly stored certificates to derive the key stream and decrypt stored private keys and EAP secrets. No patch is currently available for this high-severity vulnerability affecting strongSwan management deployments.
Missing Authorization vulnerability in WPFunnels Mail Mint mail-mint allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Mail Mint: from n/a through <= 1.19.4.
httpsig-hyper versions prior to 0.0.23 fail to properly validate HTTP message digest headers due to improper use of Rust's matches! macro, allowing attackers to forge or modify message bodies without detection. This vulnerability affects applications using the library for HTTP signature verification, enabling attackers to bypass integrity checks on signed requests. A patch is available in version 0.0.23 and later.
OpenClaw prior to version 2026.2.14 fails to properly validate IPv6-formatted addresses in its SSRF protection, allowing attackers to bypass restrictions and access loopback and private network resources that should be blocked. An unauthenticated remote attacker can exploit this by crafting requests using IPv4-mapped IPv6 literals to reach restricted endpoints. The vulnerability has been patched in version 2026.2.14.
MeCODE Informatics and Engineering Services Ltd. Envanty is affected by authorization bypass through user-controlled key (CVSS 7.3).
Authenticated remote code execution affects multiple WSO2 products (API Manager 4.2.0-4.6.0, API Control Plane 4.5.0-4.6.0, Universal Gateway 4.5.0, and Traffic Manager 4.5.0-4.6.0) through an unrestricted file upload exposed via a system REST API. An administrator-level attacker can place an arbitrary file at a user-controlled path and trigger code execution on the host. No public exploit identified at time of analysis, EPSS is low at 0.28%, and a vendor patch is available per WSO2 advisory WSO2-2025-4849.
The CTX Feed - WooCommerce Product Feed Manager plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the woo_feed_plugin_installing() function in all versions up to, and including, 6.6.11. [CVSS 7.2 HIGH]
The WP Customer Reviews plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'wpcr3_fname' parameter in all versions up to, and including, 3.7.5 due to insufficient input sanitization and output escaping. [CVSS 7.2 HIGH]
CartFlows through version 2.1.19 contains an unsafe deserialization vulnerability that enables object injection attacks against WordPress installations using the plugin. An authenticated attacker with high privileges can exploit this flaw to achieve arbitrary code execution with full system access. No patch is currently available for this vulnerability.
YITHEMES YITH WooCommerce Compare yith-woocommerce-compare is affected by deserialization of untrusted data (CVSS 7.2).
The BackWPup - WordPress Backup & Restore Plugin plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the save_site_option() function in all versions up to, and including, 5.6.2. [CVSS 7.2 HIGH]
OpenClaw versions before 2026.2.14 allow attackers with execution privileges to bypass command allowlist controls on node host deployments by exploiting a mismatch between validated and executed commands, potentially enabling execution of unapproved system commands. The vulnerability only affects configurations using node host execution paths with allowlist-based security policies and approval prompting. A patch is available in version 2026.2.14 which enforces consistency validation.
cmsmasters CMSMasters Content Composer cmsmasters-content-composer is affected by missing authorization (CVSS 7.1).
OpenClaw versions prior to 2026.2.14 lack proper Cross-Origin Request Forgery (CSRF) protections on localhost mutation endpoints, allowing malicious websites to trigger unauthorized actions against a victim's local AI assistant instance such as opening tabs, modifying storage, or controlling browser functions. The vulnerability affects the browser control plane through cross-origin requests initiated from the victim's browser context, despite the service's loopback binding. Version 2026.2.14 and later mitigate this by validating Origin/Referer headers and rejecting mutating requests from cross-site origins.