Frappe versions prior to 14.100.1 and 15.100.0 contain a SQL injection vulnerability in an endpoint that allows authenticated attackers to extract sensitive information from the database. An attacker with valid credentials can craft malicious requests to bypass query protections and access confidential data without modifying or disrupting system availability. No patch is currently available for affected deployments.
kamleshyadav WP Bakery Autoresponder Addon vc-autoresponder-addon is affected by missing authorization (CVSS 6.5).
WebCodingPlace WooCommerce Coming Soon Product with Countdown woo-coming-soon-product is affected by cross-site scripting (xss) (CVSS 6.5).
RadiusTheme Classified Listing plugin through version 5.3.4 exposes sensitive data in sent communications due to improper information handling. An authenticated attacker can retrieve embedded sensitive information from network traffic without modifying data or disrupting service. No patch is currently available for this vulnerability.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jeroen Schmit Theater for WordPress theatre allows Stored XSS.This issue affects Theater for WordPress: from n/a through <= 0.19. [CVSS 6.5 MEDIUM]
OpenClaw versions 2026.1.30 and earlier leak authentication bearer tokens to untrusted domains when the optional MS Teams attachment downloader extension is enabled, due to overly permissive suffix-based domain allowlisting during download retries. An attacker could harvest these tokens from allowed domains to compromise authenticated sessions. No patch is currently available, affecting users of the vulnerable versions.
SQL injection in WordPress Page and Post Clone plugin up to version 6.3 allows authenticated contributors and above to extract sensitive database information through a second-order injection via the meta_key parameter. The vulnerability stems from insufficient input escaping and query preparation in the content_clone() function, with malicious payloads stored as post metadata and executed during the clone operation. No patch is currently available.
Brainstorm_Force Ultimate Addons for WPBakery Page Builder ultimate_vc_addons is affected by missing authorization (CVSS 6.5).
Themeum Tutor LMS through version 3.9.5 contains an authorization bypass that allows authenticated users to modify content they should not have access to due to improper access control validation. An attacker with valid credentials can exploit this vulnerability to alter course materials and settings without proper permission checks. No patch is currently available for this medium-severity issue.
Out-of-bounds write vulnerability in the IMS module. Impact: Successful exploitation of this vulnerability may affect availability. [CVSS 6.5 MEDIUM]
A denial-of-service (DoS) vulnerability was identified in Omada EAP610 v3. An attacker with adjacent network access can send crafted requests to cause the device’s HTTP service to crash. [CVSS 6.5 MEDIUM]
CKEditor 5 versions before 47.6.0 contain a stored XSS vulnerability in the General HTML Support feature that allows attackers to execute arbitrary JavaScript by injecting malicious markup into documents processed by vulnerable editor instances. This vulnerability affects users relying on unsafe General HTML Support configurations, potentially enabling session hijacking, credential theft, or malware distribution. No patch is currently available for affected deployments.
OoohBoi Steroids for Elementor (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).
Stored Cross-Site Scripting in the Greenshift page builder plugin for WordPress (versions up to 12.8.5) allows authenticated users with Contributor privileges or higher to inject malicious scripts through the `_gspb_post_css` post meta and `dynamicAttributes` block attributes due to inadequate input sanitization. When other users access affected pages, the injected scripts execute in their browsers, potentially compromising their sessions or stealing sensitive data. No patch is currently available.
SkatDesign Ratatouille versions up to 1.2.6 contain a server-side request forgery vulnerability that allows authenticated attackers to make arbitrary HTTP requests from the affected system. An attacker with valid credentials can leverage this flaw to access internal services, retrieve sensitive information, or perform actions on behalf of the server across different security domains. No patch is currently available for this medium-severity vulnerability.
OpenClaw Chrome extension relay server versions prior to 2026.2.12 improperly bind to all network interfaces when wildcard cdpUrl values are configured, enabling remote attackers to discover service endpoints and port information. An attacker can exploit this exposure to conduct denial-of-service attacks and brute-force attempts against the relay token authentication mechanism without requiring local access.
OpenClaw versions before 2026.2.14 fail to validate base URLs in the Tlon Urbit extension, allowing attackers to trigger server-side request forgery attacks that direct the gateway to arbitrary hosts, including internal systems. This network-accessible vulnerability requires no authentication and can result in information disclosure and service disruption. No patch is currently available.
Unauthorized access in PixFort Core through version 3.2.22 allows authenticated attackers to bypass access control restrictions and modify system data due to improper authorization checks. An attacker with valid credentials could exploit this vulnerability to access or modify resources they should not have permission to interact with. No patch is currently available for this vulnerability.
Race condition vulnerability in the printing module. Impact: Successful exploitation of this vulnerability may affect availability. [CVSS 6.2 MEDIUM]
Data processing vulnerability in the certificate management module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. [CVSS 6.2 MEDIUM]
Stored XSS in Wagtail's TableBlock allows authenticated users with page editing permissions to inject malicious class attributes that execute arbitrary JavaScript when pages are viewed by other users. An attacker could exploit this to perform administrative actions or steal credentials from higher-privileged users viewing the compromised content. The vulnerability affects Wagtail versions prior to 6.3.8, 7.0.6, 7.2.3, and 7.3.1, with patches now available.
Stored XSS in Wagtail's simple_translation module allows authenticated admin users to inject malicious JavaScript through specially-crafted page titles that executes when other admins perform translation actions, potentially compromising their credentials. The vulnerability affects Wagtail versions prior to 6.3.8, 7.0.6, 7.2.3, and 7.3.1, and requires admin-level access to exploit, limiting exposure to internal threats. Patches are available for all affected versions.
HumHub Calendar module versions prior to 1.8.11 contain a stored XSS vulnerability in Event Types that allows attackers to inject malicious scripts viewed by users accessing events created by administrative accounts. An attacker with event creation privileges can execute arbitrary JavaScript in the browsers of users viewing affected events, potentially compromising session tokens or sensitive information. No patch is currently available for affected installations.
Stored cross-site scripting in Gogs prior to version 0.14.2 allows unauthenticated attackers to inject malicious scripts through template rendering of user-controlled data, potentially affecting all users viewing compromised content. The vulnerability exploits unsafe handling of data URLs combined with permissive sanitization, enabling attackers to steal session cookies, deface pages, or perform actions on behalf of victims. A patch is available in version 0.14.2 and later.
Allauth versions up to 65.14.1 is affected by url redirection to untrusted site (open redirect) (CVSS 6.1).
OpenClaw versions 2026.1.16 through 2026.2.13 allow local attackers to write arbitrary files outside intended directories by supplying malicious archives to the skills, hooks, plugins, or signal installation commands. Successful exploitation enables attackers to achieve code execution or establish persistence on affected systems. A patch is available for affected users.
OpenClaw versions before 2026.2.14 allow local attackers to write arbitrary files outside the sandbox directory through path traversal sequences in crafted skill package names when sandbox skill mirroring is enabled. An attacker can exploit this by providing a malicious skill package with traversal patterns like ../ or absolute paths in the frontmatter name parameter, potentially compromising system integrity. A patch is available to remediate this vulnerability.
OpenClaw versions before 2026.2.12 are vulnerable to timing-based token extraction attacks due to non-constant-time string comparison in hook authentication. A network-based attacker can exploit this side-channel vulnerability to gradually recover the hook validation token through repeated timing measurements across multiple requests. The vulnerability requires repeated probing but poses a confidentiality risk to systems using vulnerable versions.
OpenClaw voice-call plugin versions before 2026.2.3 allow remote attackers to forge webhook events by exploiting improper authentication in reverse-proxy environments where forwarded headers are implicitly trusted. An unauthenticated attacker can manipulate Forwarded or X-Forwarded-* headers to bypass webhook verification and spoof legitimate events. A patch is available to address this authentication bypass vulnerability.
Openclaw versions up to 2026.2.12 is affected by missing authentication for critical function (CVSS 5.9).
Inseri Core versions up to 1.0.5 contain an authorization bypass vulnerability that allows unauthenticated remote attackers to modify data through improperly configured access controls. The vulnerability has a CVSS score of 5.3 and currently lacks a patch, putting deployments at risk until remediation is available.
Buffer overflow vulnerability in the scanning module. Impact: Successful exploitation of this vulnerability may affect availability. [CVSS 5.9 MEDIUM]
Race condition vulnerability in the printing module. Impact: Successful exploitation of this vulnerability may affect availability. [CVSS 5.9 MEDIUM]
Path traversal vulnerability in the certificate management module. Impact: Successful exploitation of this vulnerability may affect availability. [CVSS 5.9 MEDIUM]
Fonoster 0.5.5 before 0.6.1 allows ../ directory traversal to read arbitrary files via the /sounds/:file or /tts/:file VoiceServer endpoint. This occurs in serveFiles in mods/voice/src/utils.ts. [CVSS 5.8 MEDIUM]
Insertion of Sensitive Information Into Sent Data vulnerability in Roland Murg WP Booking System wp-booking-system allows Retrieve Embedded Sensitive Data.This issue affects WP Booking System: from n/a through <= 2.0.19.12. [CVSS 5.8 MEDIUM]
Authentication bypass in RustDesk Client through 1.4.5 across Windows, macOS, Linux, iOS, and Android allows remote attackers to replay captured session IDs and login proofs to impersonate legitimate peers without knowing the original credentials. The flaw stems from insufficient computational effort in the hash_password() routine combined with reusable session identifiers in the login proof construction, enabling capture-replay attacks against the peer authentication module. No public exploit identified at time of analysis, and EPSS exploitation probability is very low at 0.04% (12th percentile).
Openclaw versions up to 2026.2.14 is affected by allocation of resources without limits or throttling (CVSS 5.5).
Openclaw versions up to 2026.2.14 is affected by allocation of resources without limits or throttling (CVSS 5.5).
The SiteGuard WP Plugin for WordPress through version 1.7.9 contains a guessable CAPTCHA implementation that allows attackers to bypass security protections without authentication. This vulnerability enables attackers to circumvent the plugin's functionality controls and potentially gain unauthorized access to protected resources or perform actions that should be restricted.
Mercurius is a GraphQL adapter for Fastify. Prior to version 16.4.0, a cross-site request forgery (CSRF) vulnerability was identified. The issue arises from incorrect parsing of the Content-Type header in requests. Specifically, requests with Content-Type values such as application/x-www-form-urlencoded, multipart/form-data, or text/plain could be misinterpreted as application/json. This misint...
OpenClaw versions 2026.1.14-1 through 2026.2.1 with the Matrix plugin enabled fail to validate homeserver identity when checking direct message allowlists, allowing remote attackers to impersonate authorized users by spoofing display names or local identifiers from different homeservers. This bypass enables unauthorized access to routing and agent pipelines for authenticated Matrix users on remote servers. A patch is available in version 2026.2.2 and later.
Gogs versions prior to 0.14.2 expose authentication tokens in URL parameters, allowing credentials to be captured through server logs, browser history, and HTTP referrer headers. This information disclosure vulnerability affects self-hosted Gogs instances and could enable attackers to gain unauthorized API access if tokens are leaked through these channels. A patch is available in version 0.14.2 and later.
Products.isurlinportal is a replacement for isURLInPortal method in Plone. versions up to 2.1.0 is affected by url redirection to untrusted site (open redirect) (CVSS 5.3).
Double free vulnerability in the window module. Impact: Successful exploitation of this vulnerability may affect availability. [CVSS 5.1 MEDIUM]
Twenty CRM versions prior to 1.18 allow authenticated users to bypass SSRF protections by exploiting unvalidated HTTP redirect targets, enabling access to private IP addresses through attacker-controlled intermediaries. An attacker with control over webhook endpoints or image URLs can leverage this vulnerability to reach restricted internal resources that would normally be blocked.
SQL injection in the Apocalypse Meow WordPress plugin up to version 22.1.0 allows authenticated administrators to execute arbitrary SQL queries due to a flawed validation check combined with improper quote escaping. An authenticated attacker with administrator privileges can exploit this via the 'type' parameter to extract sensitive database information. No patch is currently available.
Stylemix uListing versions 2.2.0 and earlier contain a path traversal vulnerability that allows authenticated users with high privileges to access files outside the intended directory structure and read sensitive information. The vulnerability requires valid credentials and does not enable file modification or system disruption, limiting its impact to unauthorized information disclosure.
Privilege escalation in RustDesk Client through version 1.4.5 on Windows, macOS, Linux, iOS, and Android allows unauthenticated remote attackers to abuse API sync and configuration management functions. The vulnerability in the rendezvous mediator and HTTP sync modules enables attackers to gain elevated privileges without user interaction. No patch is currently available for affected users.
OpenClaw versions before 2026.2.13 are vulnerable to timing side-channel attacks on hook token validation due to use of non-constant-time string comparison. Remote attackers can exploit this weakness by measuring response times across multiple requests to gradually recover authentication tokens for the hooks endpoint. This affects confidentiality and integrity of OpenClaw deployments accessible over the network.