Insufficient session expiration in hexpm. Password reset tokens never expire, enabling persistent account takeover.
Authentication bypass in OpenClaw's Nextcloud Talk plugin versions ≤2026.2.2 allows remote unauthenticated attackers to bypass DM and room allowlists by spoofing display names. Attackers can change their Nextcloud display name to match an allowlisted user ID, gaining unauthorized access to restricted conversations without authentication. EPSS score is low (0.05%, 16th percentile), indicating low observed exploitation probability. No active exploitation confirmed; vulnerability was responsibly disclosed by AISLE Research Team and patched in version 2026.2.6.
Security vulnerability in RustDesk remote desktop client/server. One of 6+ critical CVEs affecting the open-source remote access platform.
SQL injection in WP Attractive Donations System WordPress plugin.
Blind SQL injection in Riode Core (riode-core) WordPress theme/plugin core allows data extraction from the database.
Host header injection in @perfood/couch-auth v0.26.0 for password reset token theft.
Security vulnerability in RustDesk remote desktop client/server. One of 6+ critical CVEs affecting the open-source remote access platform.
Exec allowlist bypass in OpenClaw before 2026.2.2 via argument injection. Patch available.
Arbitrary file read in OpenMQ via configuration parsing. Can lead to full exploitation.
Auth bypass in Login with Salesforce WordPress plugin through 1.0.2.
HTTP request smuggling in Pingora HTTP/1.0 Transfer-Encoding handling.
HTTP request smuggling in Cloudflare Pingora HTTP/1.1 upgrade handling.
Deserialization of untrusted data in WooCommerce License Manager (fs-license-manager) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Arbitrary file upload in AI Engine WordPress plugin.
Insecure session ID generation in Apache::Session::Generate::MD5 through 1.94 for Perl.
Security vulnerability in RustDesk remote desktop client/server. One of 6+ critical CVEs affecting the open-source remote access platform.
Weak PRNG in Net::NSCA::Client through 0.009002 for Perl. Patch available.
Input quantity validation bypass in W3 Total Cache WordPress plugin.
Stored XSS in Chamilo LMS before 1.11.34 via file uploads in Social Networks. Leads to account takeover.
Code injection in Widget Options WordPress plugin.