📅 Daily Security Bulletin: 23 Mar 2026

🇸🇦 Saudi Security Bulletin

All vulnerabilities, threats and news aggregated today from trusted sources, continuously updated

145 vulnerabilities
17 threats
0 news items
9 critical
6 CISA KEV
🛡 Security Vulnerabilities (CVE)
145 vulnerabilities
CVE-2026-33135
Reflected XSS in WeGIA via the sccs parameter of novo_memorandoo.php
05:45 KSA
Critical CVSS 9.3 CWE-79
A reflected XSS vulnerability in the novo_memorandoo.php endpoint of WeGIA, a web manager for charitable institutions, allows injection of arbitrary JavaScript via the 'sccs' GET parameter. The parameter is returned directly in the HTML response without any sanitization or encoding, enabling attackers to execute malicious code in users' browsers.
CVE-2026-33136
Reflected XSS in WeGIA via the sccd parameter of listar_memorandos_ativos.php
05:45 KSA
Critical CVSS 9.3 CWE-79
WeGIA versions 3.6.6 and below contain a reflected XSS vulnerability in listar_memorandos_ativos.php, where the GET parameter named sccd is reflected directly in the HTML response without any sanitization or encoding. An attacker can use this vulnerability to inject malicious JavaScript code that is executed in the user's browser when they visit a crafted link…
CVE-2026-33502
Unauthenticated SSRF vulnerability in WWBN AVideo in plugin/Live/test.php
11:22 KSA
Critical CVSS 9.3 CWE-918
An SSRF vulnerability in WWBN AVideo allows any unauthenticated remote user to force the AVideo server to send HTTP requests to arbitrary URLs via the plugin/Live/test.php file. This vulnerability can be used to reach internal services, protected resources and sensitive cloud data.
CVE-2025-60949
Unauthenticated configuration file exposure in Census CSWeb 8.0.1
11:22 KSA
Critical CVSS 9.1 CWE-200
A vulnerability in Census CSWeb 8.0.1 allows unauthorized access to sensitive configuration files via an unprotected HTTP endpoint. Unauthenticated remote attackers can obtain sensitive secrets such as API keys and database passwords. This issue was fixed in version 8.1.0 alpha.
CVE-2014-6278
GNU Bash OS Command Injection Vulnerability — GNU Bash contains an OS command injection vulnerability which allows remot
11:01 KSA
Critical CVSS 9.0 ⚠ CISA KEV
GNU Bash OS Command Injection Vulnerability — GNU Bash contains an OS command injection vulnerability which allows remote attackers to execute arbitrary commands via a crafted environment.
CVE-2014-6287
Rejetto HTTP File Server (HFS) Remote Code Execution Vulnerability — The findMacroMarker function in parserLib.pas in Re
11:01 KSA
Critical CVSS 9.0 ⚠ CISA KEV
Rejetto HTTP File Server (HFS) Remote Code Execution Vulnerability — The findMacroMarker function in parserLib.pas in Rejetto HTTP File Server (HFS or HttpFileServer) allows remote attackers to execute arbitrary programs.
CVE-2014-6324
Microsoft Kerberos Key Distribution Center (KDC) Privilege Escalation Vulnerability — The Kerberos Key Distribution Cent
11:01 KSA
Critical CVSS 9.0 ⚠ CISA KEV
Microsoft Kerberos Key Distribution Center (KDC) Privilege Escalation Vulnerability — The Kerberos Key Distribution Center (KDC) in Microsoft allows remote authenticated domain users to obtain domain administrator privileges.
CVE-2014-6332
Microsoft Windows Object Linking & Embedding (OLE) Automation Array Remote Code Execution Vulnerability — OleAut32.dll i
11:01 KSA
Critical CVSS 9.0 ⚠ CISA KEV
Microsoft Windows Object Linking & Embedding (OLE) Automation Array Remote Code Execution Vulnerability — OleAut32.dll in OLE in Microsoft Windows allows remote attackers to remotely execute code via a crafted web site.
CVE-2014-6352
Microsoft Windows Code Injection Vulnerability — Microsoft Windows allows remote attackers to execute arbitrary code via
11:01 KSA
Critical CVSS 9.0 ⚠ CISA KEV
Microsoft Windows Code Injection Vulnerability — Microsoft Windows allows remote attackers to execute arbitrary code via a crafted OLE object.
CVE-2026-23480
Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, there is a privilege escalation vulnerability.
11:22 KSA
High CVSS 8.8 CWE-288
Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, there is a privilege escalation vulnerability. The upsertUser endpoint has 3 issues: it is missing superAdminAuthMiddleware, any logged-in user can call it; the originalPassword is an optional parameter and…
CVE-2026-33046
Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. In vers
11:22 KSA
High CVSS 8.8 CWE-22
Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. In versions prior to 3.3.12, due to vulnerabilities in TeXLive and obscure LaTeX syntax that allowed circumventing Indico's LaTeX sanitizer, it is possible to use spec…
CVE-2026-33634
Trivy is a security scanner. On March 19, 2026, a threat actor used compromised credentials to publish a malicious Trivy
11:22 KSA
High CVSS 8.8 ⚠ CISA KEV CWE-506
Trivy is a security scanner. On March 19, 2026, a threat actor used compromised credentials to publish a malicious Trivy v0.69.4 release, force-push 76 of 77 version tags in `aquasecurity/trivy-action` to credential-stealing malware, and replace all 7 tags in `aquasecurity/setup-…
CVE-2026-4565
A vulnerability was detected in Tenda AC21 16.03.08.16. Impacted is the function formSetQosBand of the file /goform/SetN
11:22 KSA
High CVSS 8.8 CWE-119
A vulnerability was detected in Tenda AC21 16.03.08.16. Impacted is the function formSetQosBand of the file /goform/SetNetControlList. Performing a manipulation of the argument list results in buffer overflow. The attack can be initiated remotely. The exploit is now public and ma…
CVE-2026-4566
A flaw has been found in Belkin F9K1122 1.00.33. The affected element is the function formWISP5G of the file /goform/for
11:22 KSA
High CVSS 8.8 CWE-119
A flaw has been found in Belkin F9K1122 1.00.33. The affected element is the function formWISP5G of the file /goform/formWISP5G. Executing a manipulation of the argument webpage can lead to stack-based buffer overflow. The attack can be launched remotely. The exploit has been pub…
CVE-2026-33480
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `isSSRFSafeURL()` function in AV
11:22 KSA
High CVSS 8.6 CWE-918
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `isSSRFSafeURL()` function in AVideo can be bypassed using IPv4-mapped IPv6 addresses (`::ffff:x.x.x.x`). The unauthenticated `plugin/LiveLinks/proxy.php` endpoint uses this function to valida…
CVE-2026-33513
WWBN AVideo is an open source video platform. In versions up to and including 26.0, an unauthenticated API endpoint (`AP
11:22 KSA
High CVSS 8.6 CWE-22
WWBN AVideo is an open source video platform. In versions up to and including 26.0, an unauthenticated API endpoint (`APIName=locale`) concatenates user input into an `include` path with no canonicalization or whitelist. Path traversal is accepted, so arbitrary PHP files under th…
CVE-2026-32845
cgltf version 1.15 and prior contain an integer overflow vulnerability in the cgltf_validate() function when validating
11:22 KSA
High CVSS 8.4 CWE-190
cgltf version 1.15 and prior contain an integer overflow vulnerability in the cgltf_validate() function when validating sparse accessors that allows attackers to trigger out-of-bounds reads by supplying crafted glTF/GLB input files with attacker-controlled size values. Attackers …
CVE-2026-33649
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `plugin/Permissions/setPermissio
11:22 KSA
High CVSS 8.1 CWE-352
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `plugin/Permissions/setPermission.json.php` endpoint accepts GET parameters for a state-changing operation that modifies user group permissions. The endpoint has no CSRF token validation, and …
CVE-2026-33651
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `remindMe.json.php` endpoint pas
11:22 KSA
High CVSS 8.1 CWE-89
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `remindMe.json.php` endpoint passes `$_REQUEST['live_schedule_id']` through multiple functions without sanitization until it reaches `Scheduler_commands::getAllActiveOrToRepeat()`, which direc…
CVE-2026-23482
Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the file server endpoint does not perform perm
11:22 KSA
High CVSS 7.5 CWE-22
Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the file server endpoint does not perform permission checks on the temp/ path and does not filter path traversal sequences, allowing unauthorized attackers to read arbitrary files on the server. When schedu…
CVE-2026-2580
The WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters plugin for WordPress is vulnera
11:22 KSA
High CVSS 7.5 CWE-89
The WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters plugin for WordPress is vulnerable to time-based SQL Injection via the ‘orderby’ parameter in all versions up to, and including, 4.9.1 due to insufficient escaping on the user supplied parame…
CVE-2026-32969
An unauthenticated remote attacker can exploit a Pre-Auth blind SQL Injection vulnerability in the userinfo endpoint’s a
11:22 KSA
High CVSS 7.5 CWE-89
An unauthenticated remote attacker can exploit a Pre-Auth blind SQL Injection vulnerability in the userinfo endpoint’s authentication method due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.
CVE-2026-4306
The WP Job Portal plugin for WordPress is vulnerable to SQL Injection via the 'radius' parameter in all versions up to,
11:22 KSA
High CVSS 7.5 CWE-89
The WP Job Portal plugin for WordPress is vulnerable to SQL Injection via the 'radius' parameter in all versions up to, and including, 2.4.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it pos…
CVE-2026-4645
A flaw was found in the `github.com/antchfx/xpath` component. A remote attacker could exploit this vulnerability by subm
11:22 KSA
High CVSS 7.5 CWE-835
A flaw was found in the `github.com/antchfx/xpath` component. A remote attacker could exploit this vulnerability by submitting crafted Boolean XPath expressions that evaluate to true. This can cause an infinite loop in the `logicalQuery.Select` function, leading to 100% CPU utili…
CVE-2026-33488
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `createKeys()` function in the L
11:22 KSA
High CVSS 7.4 CWE-326
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `createKeys()` function in the LoginControl plugin's PGP 2FA system generates 512-bit RSA keys, which have been publicly factorable since 1999. An attacker who obtains a target user's public k…
CVE-2025-10679
The ReviewX – WooCommerce Product Reviews with Multi-Criteria, Reminder Emails, Google Reviews, Schema & More plugin for
11:22 KSA
High CVSS 7.3 CWE-94
The ReviewX – WooCommerce Product Reviews with Multi-Criteria, Reminder Emails, Google Reviews, Schema & More plugin for WordPress is vulnerable to arbitrary method calls in all versions up to, and including, 2.2.12. This is due to insufficient input validation in the bulkTenRevi…
CVE-2026-4562
A security flaw has been discovered in MacCMS 2025.1000.4052. This affects an unknown part of the file application/api/c
11:22 KSA
High CVSS 7.3 CWE-287
A security flaw has been discovered in MacCMS 2025.1000.4052. This affects an unknown part of the file application/api/controller/Timming.php of the component Timming API Endpoint. The manipulation results in missing authentication. The attack may be performed from remote. The ex…
CVE-2026-4579
A vulnerability was identified in code-projects Simple Laundry System 1.0. This affects an unknown function of the file
11:22 KSA
High CVSS 7.3 CWE-74
A vulnerability was identified in code-projects Simple Laundry System 1.0. This affects an unknown function of the file /viewdetail.php of the component Parameters Handler. The manipulation of the argument serviceId leads to sql injection. Remote exploitation of the attack is pos…
CVE-2026-4580
A security flaw has been discovered in code-projects Simple Laundry System 1.0. This impacts an unknown function of the
11:22 KSA
High CVSS 7.3 CWE-74
A security flaw has been discovered in code-projects Simple Laundry System 1.0. This impacts an unknown function of the file /checkupdatestatus.php of the component Parameters Handler. The manipulation of the argument serviceId results in sql injection. The attack can be executed…
CVE-2026-4581
A weakness has been identified in code-projects Simple Laundry System 1.0. Affected is an unknown function of the file /
11:22 KSA
High CVSS 7.3 CWE-74
A weakness has been identified in code-projects Simple Laundry System 1.0. Affected is an unknown function of the file /checklogin.php of the component Parameters Handler. This manipulation of the argument Username causes sql injection. The attack is possible to be carried out re…
CVE-2026-4594
A vulnerability has been found in erupts erupt up to 1.13.3. Affected by this issue is the function geneEruptHqlOrderBy
11:22 KSA
High CVSS 7.3 CWE-89
A vulnerability has been found in erupts erupt up to 1.13.3. Affected by this issue is the function geneEruptHqlOrderBy of the file erupt-data/erupt-jpa/src/main/java/xyz/erupt/jpa/dao/EruptJpaUtils.java. Such manipulation of the argument sort.field leads to sql injection hiberna…
CVE-2026-4612
A vulnerability has been found in itsourcecode Free Hotel Reservation System 1.0. This affects an unknown part of the fi
11:22 KSA
High CVSS 7.3 CWE-74
A vulnerability has been found in itsourcecode Free Hotel Reservation System 1.0. This affects an unknown part of the file /hotel/admin/mod_users/index.php?view=edit&id=8 of the component Parameter Handler. The manipulation of the argument account_id leads to sql injection. Remot…
CVE-2026-23882
Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the MCP (Model Context Protocol) server creati
11:22 KSA
High CVSS 7.2 CWE-78
Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the MCP (Model Context Protocol) server creation function allows specifying arbitrary commands and arguments, which are executed when testing the connection. This issue has been patched in version 1.8.4.
CVE-2026-4611
A flaw has been found in TOTOLINK X6000R 9.4.0cu.1360_B20241207/9.4.0cu.1498_B20250826. Affected by this issue is the fu
11:22 KSA
High CVSS 7.2 CWE-77
A flaw has been found in TOTOLINK X6000R 9.4.0cu.1360_B20241207/9.4.0cu.1498_B20250826. Affected by this issue is the function setLanCfg of the file /usr/sbin/shttpd. Executing a manipulation of the argument Hostname can lead to os command injection. The attack may be launched re…
CVE-2026-33493
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `objects/import.json.php` endpoi
11:22 KSA
High CVSS 7.1 CWE-22
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `objects/import.json.php` endpoint accepts a user-controlled `fileURI` POST parameter with only a regex check that the value ends in `.mp4`. Unlike `objects/listFiles.json.php`, which was hard…
CVE-2025-10736
The ReviewX – WooCommerce Product Reviews with Multi-Criteria, Reminder Emails, Google Reviews, Schema & More plugin for
09:54 KSA
Medium CVSS 6.5 CWE-285
The ReviewX – WooCommerce Product Reviews with Multi-Criteria, Reminder Emails, Google Reviews, Schema & More plugin for WordPress is vulnerable to unauthorized access of data due to improper authorization checks on the userAccessibility() function in all versions up to, and incl…
CVE-2026-2290
The Post Affiliate Pro plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and incl
05:45 KSA
Medium CVSS 6.5 CWE-918
The Post Affiliate Pro plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.28.0. This makes it possible for authenticated attackers, with Administrator-level access, to make web requests to initiate arbitrary outbound requests…
CVE-2026-2351
The Task Manager plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 3.0.2 v
05:45 KSA
Medium CVSS 6.5 CWE-73
The Task Manager plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 3.0.2 via the callback_get_text_from_url() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents o…
CVE-2026-2375
The App Builder – Create Native Android & iOS Apps On The Flight plugin for WordPress is vulnerable to Privilege Escalat
05:45 KSA
Medium CVSS 6.5 CWE-269
The App Builder – Create Native Android & iOS Apps On The Flight plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 5.5.10. This is due to the `verify_role()` function in `AuthTrails.php` explicitly whitelisting the `wcfm_vendor` role…
CVE-2026-2421
The ilGhera Carta Docente for WooCommerce plugin for WordPress is vulnerable to Path Traversal in all versions up to, an
05:45 KSA
Medium CVSS 6.5 CWE-22
The ilGhera Carta Docente for WooCommerce plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.5.0 via the 'cert' parameter of the 'wccd-delete-certificate' AJAX action. This is due to insufficient file path validation before performing a f…
CVE-2026-2503
The ElementCamp plugin for WordPress is vulnerable to time-based SQL Injection via the 'meta_query[compare]' parameter i
05:45 KSA
Medium CVSS 6.5 CWE-89
The ElementCamp plugin for WordPress is vulnerable to time-based SQL Injection via the 'meta_query[compare]' parameter in the 'tcg_select2_search_post' AJAX action in all versions up to, and including, 2.3.6. This is due to the user-supplied compare value being placed as an SQL o…
CVE-2026-2720
The Hr Press Lite plugin for WordPress is vulnerable to unauthorized access of sensitive employee data due to a missing
05:45 KSA
Medium CVSS 6.5 CWE-862
The Hr Press Lite plugin for WordPress is vulnerable to unauthorized access of sensitive employee data due to a missing capability check on the `hrp-fetch-employees` AJAX action in all versions up to, and including, 1.0.2. This makes it possible for authenticated attackers, with …
CVE-2026-32043
OpenClaw versions prior to 2026.2.25 contain a time-of-check-time-of-use vulnerability in approval-bound system.run exec
05:45 KSA
Medium CVSS 6.5 CWE-367
OpenClaw versions prior to 2026.2.25 contain a time-of-check-time-of-use vulnerability in approval-bound system.run execution where the cwd parameter is validated at approval time but resolved at execution time. Attackers can retarget a symlinked cwd between approval and executio…
CVE-2026-32053
OpenClaw versions prior to 2026.2.23 contain a vulnerability in Twilio webhook event deduplication where normalized even
05:45 KSA
Medium CVSS 6.5 CWE-294
OpenClaw versions prior to 2026.2.23 contain a vulnerability in Twilio webhook event deduplication where normalized event IDs are randomized per parse, allowing replay events to bypass manager dedupe checks. Attackers can replay Twilio webhook events to trigger duplicate or stale…
CVE-2026-32054
OpenClaw versions prior to 2026.2.25 contain a symlink traversal vulnerability in browser trace and download output path
05:45 KSA
Medium CVSS 6.5 CWE-59
OpenClaw versions prior to 2026.2.25 contain a symlink traversal vulnerability in browser trace and download output path handling that allows local attackers to escape the managed temp root directory. An attacker with local access can create symlinks to route file writes outside …
CVE-2026-4004
The Task Manager plugin for WordPress is vulnerable to arbitrary shortcode execution via the 'search' AJAX action in all
23:36 KSA
Medium CVSS 6.5 CWE-94
The Task Manager plugin for WordPress is vulnerable to arbitrary shortcode execution via the 'search' AJAX action in all versions up to, and including, 3.0.2. This is due to missing capability checks in the callback_search() function and insufficient input validation that allows …
CVE-2026-4087
The Pre* Party Resource Hints plugin for WordPress is vulnerable to SQL Injection via the 'hint_ids' parameter of the pp
23:36 KSA
Medium CVSS 6.5 CWE-89
The Pre* Party Resource Hints plugin for WordPress is vulnerable to SQL Injection via the 'hint_ids' parameter of the pprh_update_hints AJAX action in all versions up to, and including, 1.8.20. This is due to insufficient escaping on the user supplied parameter and lack of suffic…
CVE-2025-6229
The Sina Extension for Elementor (Header Builder, Footer Builter, Theme Builder, Slider, Gallery, Form, Modal, Data Tabl
09:54 KSA
Medium CVSS 6.4 CWE-79
The Sina Extension for Elementor (Header Builder, Footer Builter, Theme Builder, Slider, Gallery, Form, Modal, Data Table Free Elementor Widgets & Elementor Templates) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `Fancy Text Widget` And `Countdown Wid…
CVE-2026-0609
The Logo Slider – Logo Carousel, Logo Showcase & Client Logo Slider Plugin plugin for WordPress is vulnerable to Stored
05:45 KSA
Medium CVSS 6.4 CWE-79
The Logo Slider – Logo Carousel, Logo Showcase & Client Logo Slider Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the image alt text in all versions up to, and including, 4.9.0 due to insufficient input sanitization and output escaping in the 'logo-…
CVE-2026-1093
The WPFAQBlock– FAQ & Accordion Plugin For Gutenberg plugin for WordPress is vulnerable to Stored Cross-Site Scripting v
05:45 KSA
Medium CVSS 6.4 CWE-79
The WPFAQBlock– FAQ & Accordion Plugin For Gutenberg plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class' parameter of the 'wpfaqblock' shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on u…
CVE-2026-1275
The Multi Post Carousel by Category plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'slides' s
05:45 KSA
Medium CVSS 6.4 CWE-79
The Multi Post Carousel by Category plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'slides' shortcode attribute in all versions up to, and including, 1.4. This is due to insufficient input sanitization and output escaping on the user-supplied 'slides' p…
CVE-2026-1397
The PQ Addons – Creative Elementor Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via widget
05:45 KSA
Medium CVSS 6.4 CWE-79
The PQ Addons – Creative Elementor Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via widget attributes in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on the html_tag parameter in the PQ Section Ti…
CVE-2026-1575
The Schema Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `itemscope` shor
05:45 KSA
Medium CVSS 6.4 CWE-79
The Schema Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `itemscope` shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible f…
CVE-2026-1806
The Tour & Activity Operator Plugin for TourCMS plugin for WordPress is vulnerable to Stored Cross-Site Scripting via th
05:45 KSA
Medium CVSS 6.4 CWE-79
The Tour & Activity Operator Plugin for TourCMS plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'target' parameter of the tourcms_doc_link shortcode in all versions up to, and including, 1.7.0 due to insufficient input sanitization and output escaping. T…
CVE-2026-1822
The WP NG Weather plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ng-weather' shortc
05:45 KSA
Medium CVSS 6.4 CWE-79
The WP NG Weather plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ng-weather' shortcode in all versions up to, and including, 1.0.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible f…
CVE-2026-1851
The iVysilani Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'width' shortcode attr
05:45 KSA
Medium CVSS 6.4 CWE-79
The iVysilani Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'width' shortcode attribute in all versions up to, and including, 3.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, …
CVE-2026-1854
The Post Flagger plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'flag' shortcode in
05:45 KSA
Medium CVSS 6.4 CWE-79
The Post Flagger plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'flag' shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authen…
CVE-2026-1886
The Go Night Pro | WordPress Dark Mode Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin'
05:45 KSA
Medium CVSS 6.4 CWE-79
The Go Night Pro | WordPress Dark Mode Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'go-night-pro-shortcode' shortcode in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping on the user-supplied…
CVE-2026-1889
The Outgrow plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' attribute of the 'outgrow' sh
05:45 KSA
Medium CVSS 6.4 CWE-79
The Outgrow plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' attribute of the 'outgrow' shortcode in all versions up to, and including, 2.1. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it…
CVE-2026-1891
The Simple Football Scoreboard plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ytmr_fb_scoreb
05:45 KSA
Medium CVSS 6.4 CWE-79
The Simple Football Scoreboard plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ytmr_fb_scoreboard' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it …
CVE-2026-1899
The Any Post Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's aps_slider shortc
05:45 KSA
Medium CVSS 6.4 CWE-79
The Any Post Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's aps_slider shortcode in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping on the 'post_type' attribute. This makes it possible …
CVE-2026-1908
The Integration with Hubspot Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'hubspotfor
05:45 KSA
Medium CVSS 6.4 CWE-79
The Integration with Hubspot Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'hubspotform' shortcode in all versions up to, and including, 1.2.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it p…
CVE-2026-1911
The Twitter Feeds plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tweet_title' parameter in t
05:45 KSA
Medium CVSS 6.4 CWE-79
The Twitter Feeds plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tweet_title' parameter in the 'TwitterFeeds' shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for a…
CVE-2026-1914
The FuseDesk plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's fusedesk_newcase shortco
05:45 KSA
Medium CVSS 6.4 CWE-79
The FuseDesk plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's fusedesk_newcase shortcode in all versions up to, and including, 6.8 due to insufficient input sanitization and output escaping on the 'emailtext' attribute. This makes it possible for…
CVE-2026-2352
The Autoptimize plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ao_post_preload' meta value i
05:45 KSA
Medium CVSS 6.4 CWE-79
The Autoptimize plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ao_post_preload' meta value in all versions up to, and including, 3.1.14. This is due to insufficient input sanitization in the `ao_metabox_save()` function and missing output escaping when…
CVE-2026-2430
The Autoptimize plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the lazy-loading image processing
05:45 KSA
Medium CVSS 6.4 CWE-79
The Autoptimize plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the lazy-loading image processing in all versions up to, and including, 3.1.14. This is due to the use of an overly permissive regular expression in the `add_lazyload` function that replaces all…
CVE-2026-2496
The Ed's Font Awesome plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `eds_font_aweso
05:45 KSA
Medium CVSS 6.4 CWE-79
The Ed's Font Awesome plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `eds_font_awesome` shortcode in all versions up to, and including, 2.0. This is due to insufficient input sanitization and output escaping on user supplied attributes. This ma…
CVE-2026-2501
The Ed's Social Share plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `social_share`
05:45 KSA
Medium CVSS 6.4 CWE-79
The Ed's Social Share plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `social_share` shortcode in all versions up to, and including, 2.0. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes …
CVE-2026-32052
OpenClaw versions prior to 2026.2.24 contain a command injection vulnerability in the system.run shell-wrapper that allo
05:45 KSA
Medium CVSS 6.4 CWE-436
OpenClaw versions prior to 2026.2.24 contain a command injection vulnerability in the system.run shell-wrapper that allows attackers to execute hidden commands by injecting positional argv carriers after inline shell payloads. Attackers can craft misleading approval text while ex…
CVE-2026-3333
05:45 KSA
Medium CVSS 6.4 CWE-79
The MinhNhut Link Gateway plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'linkgate' shortcode in all versions up to, and including, 3.6.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it poss…
CVE-2026-3350
05:45 KSA
Medium CVSS 6.4 CWE-79
The Image Alt Text Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the post title in all versions up to, and including, 1.8.2. This is due to insufficient input sanitization and output escaping when dynamically generating image alt and title attribut…
CVE-2026-3516
05:45 KSA
Medium CVSS 6.4 CWE-79
The Contact List plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '_cl_map_iframe' parameter in all versions up to, and including, 3.0.18. This is due to insufficient input sanitization and output escaping when handling the Google Maps iframe custom field…
CVE-2026-3554
05:45 KSA
Medium CVSS 6.4 CWE-79
The Sherk Custom Post Type Displays plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' shortcode attribute in all versions up to, and including, 1.2.1. This is due to insufficient input sanitization and output escaping on the 'title' attribute of th…
CVE-2026-3617
05:45 KSA
Medium CVSS 6.4 CWE-79
The Paypal Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'amount' and 'name' shortcode attributes in all versions up to, and including, 0.3. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attribu…
CVE-2026-3619
23:36 KSA
Medium CVSS 6.4 CWE-79
The Sheets2Table plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'titles' shortcode attribute in the [sheets2table-render-table] shortcode in all versions up to and including 0.4.1. This is due to insufficient input sanitization and output escaping. Spec…
CVE-2026-3996
23:36 KSA
Medium CVSS 6.4 CWE-79
The WP Games Embed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the [game] shortcode in all versions up to and including 0.1beta. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes such as 'width', 'he…
CVE-2026-3997
23:36 KSA
Medium CVSS 6.4 CWE-79
The Text Toggle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' shortcode attribute of the [tt_part] and [tt] shortcodes in all versions up to and including 1.1. This is due to insufficient input sanitization and output escaping on user-supplied …
CVE-2026-4022
23:36 KSA
Medium CVSS 6.4 CWE-79
The Show Posts list – Easy designs, filters and more plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'post_type' shortcode attribute in the 'swiftpost-list' shortcode in all versions up to, and including, 1.1.0 due to insufficient input sanitization and …
CVE-2026-4067
23:36 KSA
Medium CVSS 6.4 CWE-79
The Ad Short plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ad' shortcode's 'client' attribute in all versions up to and including 2.0.1. This is due to insufficient input sanitization and output escaping on the 'client' shortcode attribute. The ad_fun…
CVE-2026-4072
23:36 KSA
Medium CVSS 6.4 CWE-79
The WordPress PayPal Donation plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'donate' shortcode in all versions up to, and including, 1.01. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes such as …
CVE-2026-4077
23:36 KSA
Medium CVSS 6.4 CWE-79
The Ecover Builder For Dummies plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter of the 'ecover' shortcode in all versions up to and including 1.0. This is due to insufficient input sanitization and output escaping on the user-supplied 'id' …
CVE-2026-4083
05:45 KSA
Medium CVSS 6.4 CWE-79
The Scoreboard for HTML5 Games Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'scoreboard' shortcode in all versions up to, and including, 1.2. The shortcode function sfhg_shortcode() allows arbitrary HTML attributes to be added to the rendered <if…
CVE-2026-4084
23:36 KSA
Medium CVSS 6.4 CWE-79
The fyyd podcast shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'fyyd-podcast', 'fyyd-episode', and 'fyyd' shortcodes in all versions up to, and including, 0.3.1. This is due to insufficient input sanitization and output escaping on user-supp…
CVE-2026-4086
23:36 KSA
Medium CVSS 6.4 CWE-79
The WP Random Button plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'cat', 'nocat', and 'text' shortcode attributes of the 'wp_random_button' shortcode in all versions up to, and including, 1.0. This is due to insufficient input sanitization and output …
CVE-2026-4472
05:45 KSA
Medium CVSS 6.3 CWE-74
A security vulnerability has been detected in itsourcecode Online Frozen Foods Ordering System 1.0. This vulnerability affects unknown code of the file /admin/admin_edit_supplier.php. The manipulation of the argument Supplier_Name leads to sql injection. The attack can be initiat…
CVE-2026-4476
05:45 KSA
Medium CVSS 6.3 CWE-287
A vulnerability was found in Yi Technology YI Home Camera 2 2.1.1_20171024151200. The impacted element is an unknown function of the file home/web/ipc of the component CGI Endpoint. Performing a manipulation results in missing authentication. Access to the local network is requir…
CVE-2026-4485
05:45 KSA
Medium CVSS 6.3 CWE-74
A vulnerability has been found in itsourcecode College Management System 1.0. The impacted element is an unknown function of the file /admin/search_student.php. The manipulation of the argument Search leads to sql injection. The attack is possible to be carried out remotely. The …
CVE-2026-4500
05:45 KSA
Medium CVSS 6.3 CWE-74
A vulnerability was identified in bagofwords1 bagofwords up to 0.0.297. This impacts the function generate_df of the file backend/app/ai/code_execution/code_execution.py. Such manipulation leads to injection. The attack may be launched remotely. The exploit is publicly available …
CVE-2026-4505
05:45 KSA
Medium CVSS 6.3 CWE-284
A vulnerability has been found in eosphoros-ai DB-GPT up to 0.7.5. This issue affects the function module_plugin.refresh_plugins of the file packages/dbgpt-serve/src/dbgpt_serve/agent/hub/controller.py of the component FastAPI Endpoint. Such manipulation leads to unrestricted upl…
CVE-2026-4506
05:45 KSA
Medium CVSS 6.3 CWE-74
A vulnerability was found in Mindinventory MindSQL up to 0.2.1. Impacted is the function ask_db of the file mindsql/core/mindsql_core.py. Performing a manipulation results in code injection. The attack can be initiated remotely. The exploit has been made public and could be used.…
CVE-2026-4507
05:45 KSA
Medium CVSS 6.3 CWE-74
A vulnerability was determined in Mindinventory MindSQL up to 0.2.1. The affected element is the function ask_db of the file mindsql/core/mindsql_core.py. Executing a manipulation can lead to sql injection. The attack can be launched remotely. The exploit has been publicly disclo…
CVE-2026-4509
23:36 KSA
Medium CVSS 6.3 CWE-183
A security flaw has been discovered in PbootCMS up to 3.2.12. This affects an unknown function of the file core/function/file.php of the component File Upload. The manipulation of the argument black results in incomplete blacklist. The attack may be launched remotely. The exploit…
CVE-2026-4511
23:36 KSA
Medium CVSS 6.3 CWE-74
A security vulnerability has been detected in vanna-ai vanna up to 2.0.2. Affected is the function exec of the file /src/vanna/legacy. Such manipulation leads to injection. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. The vendor wa…
CVE-2026-4568
09:54 KSA
Medium CVSS 6.3 CWE-74
A vulnerability was found in SourceCodester Sales and Inventory System 1.0. This affects an unknown function of the file /update_supplier.php of the component HTTP GET Request Handler. The manipulation of the argument sid results in sql injection. The attack may be launched remot…
CVE-2026-4569
09:54 KSA
Medium CVSS 6.3 CWE-74
A vulnerability was determined in SourceCodester Sales and Inventory System 1.0. This impacts an unknown function of the file /view_category.php of the component HTTP POST Request Handler. This manipulation of the argument searchtxt causes sql injection. Remote exploitation of th…
CVE-2026-4570
09:54 KSA
Medium CVSS 6.3 CWE-74
A vulnerability was identified in SourceCodester Sales and Inventory System 1.0. Affected is an unknown function of the file /view_customers.php of the component HTTP POST Request Handler. Such manipulation of the argument searchtxt leads to sql injection. The attack can be execu…
CVE-2026-4571
09:54 KSA
Medium CVSS 6.3 CWE-74
A security flaw has been discovered in SourceCodester Sales and Inventory System 1.0. Affected by this vulnerability is an unknown functionality of the file /view_payments.php of the component HTTP POST Request Handler. Performing a manipulation of the argument searchtxt results …
CVE-2026-4572
09:54 KSA
Medium CVSS 6.3 CWE-74
A weakness has been identified in SourceCodester Sales and Inventory System 1.0. Affected by this issue is some unknown functionality of the file /view_product.php of the component HTTP POST Request Handler. Executing a manipulation of the argument searchtxt can lead to sql injec…
CVE-2026-4573
09:54 KSA
Medium CVSS 6.3 CWE-74
A security vulnerability has been detected in SourceCodester Simple E-learning System 1.0. This affects an unknown part of the file /includes/form_handlers/delete_post.php of the component HTTP GET Parameter Handler. The manipulation of the argument post_id leads to sql injection…
CVE-2026-4574
09:54 KSA
Medium CVSS 6.3 CWE-74
A vulnerability was detected in SourceCodester Simple E-learning System 1.0. This vulnerability affects unknown code of the component User Profile Update Handler. The manipulation of the argument firstName results in sql injection. It is possible to launch the attack remotely. Th…
CVE-2026-4586
09:54 KSA
Medium CVSS 6.3 CWE-284
A vulnerability was found in CodePhiliaX Chat2DB up to 0.3.7. This affects the function Upload of the file chat2db-server/chat2db-server-web/chat2db-server-web-api/src/main/java/ai/chat2db/server/web/api/controller/driver/JdbcDriverController.java of the component JDBC Driver Upl…
CVE-2026-4589
09:54 KSA
Medium CVSS 6.3 CWE-918
A vulnerability was identified in kalcaddle kodbox 1.64. The affected element is the function PathDriverUrl of the file /workspace/source-code/app/controller/explorer/editor.class.php of the component fileGet Endpoint. Such manipulation of the argument path leads to server-side r…
CVE-2019-25620
09:54 KSA
Medium CVSS 6.2 CWE-168
Tree Studio 2.17 contains a denial of service vulnerability that allows local attackers to crash the application by providing malformed input through the keyboard interface. Attackers can trigger the vulnerability by entering arbitrary characters during application runtime, causi…
CVE-2019-25621
09:54 KSA
Medium CVSS 6.2 CWE-807
Pixel Studio 2.17 contains a denial of service vulnerability that allows local attackers to crash the application by providing malformed input through the keyboard interface. Attackers can trigger the vulnerability by entering arbitrary characters, causing the application to beco…
CVE-2019-25622
09:54 KSA
Medium CVSS 6.2 CWE-1285
Paint Studio 2.17 contains a denial of service vulnerability that allows local attackers to crash the application by providing malformed input through the key entry mechanism. Attackers can create a text file with a large buffer of characters and trigger the application to read i…
CVE-2019-25623
09:54 KSA
Medium CVSS 6.2 CWE-641
Luminance Studio 2.17 contains a denial of service vulnerability that allows local attackers to crash the application by providing malformed input through the keyboard interface. Attackers can create a text file with arbitrary character sequences and trigger the application to pr…
CVE-2019-25624
09:54 KSA
Medium CVSS 6.2 CWE-606
Liquid Studio 2.17 contains a denial of service vulnerability that allows local attackers to crash the application by providing malformed input through the keyboard interface. Attackers can trigger the vulnerability by entering arbitrary characters during application runtime, cau…
CVE-2019-25625
09:54 KSA
Medium CVSS 6.2 CWE-1285
Blob Studio 2.17 contains a denial of service vulnerability that allows local attackers to crash the application by providing malformed input through the key entry mechanism. Attackers can create a text file with a large buffer of repeated characters and trigger the application t…
CVE-2025-13910
05:45 KSA
Medium CVSS 6.1 CWE-79
The WP-WebAuthn plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting via the `wwa_auth` AJAX endpoint in all versions up to, and including, 1.3.4 due to insufficient input sanitization and output escaping on user supplied attributes logged by the plug…
CVE-2026-1647
05:45 KSA
Medium CVSS 6.1 CWE-79
The Comment Genius plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` parameter in all versions up to, and including, 1.2.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated atta…
CVE-2026-2277
05:45 KSA
Medium CVSS 6.1 CWE-79
The rexCrawler plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'url' and 'regex' parameters in the search-pattern tester page in all versions up to, and including, 1.0.15 due to insufficient input sanitization and output escaping. This makes it possib…
CVE-2026-2427
05:45 KSA
Medium CVSS 6.1 CWE-79
The itsukaita plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'day_from' and 'day_to' parameters in all versions up to, and including, 0.1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attacke…
CVE-2026-2723
05:45 KSA
Medium CVSS 6.1 CWE-352
The Post Snippits plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the settings page handlers for saving, adding, and deleting snippets. This makes it possible for unauthenticate…
CVE-2026-32844
05:45 KSA
Medium CVSS 6.1 CWE-79
XinLiangCoder php_api_doc through commit 1ce5bbf contains a reflected cross-site scripting vulnerability in list_method.php that allows remote attackers to execute arbitrary JavaScript in a victim's browser by injecting malicious code through the f parameter. Attackers can craft …
CVE-2026-3572
05:45 KSA
Medium CVSS 6.1 CWE-79
The iTracker360 plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Stored Cross-Site Scripting in all versions up to and including 2.2.0. This is due to missing nonce verification on the settings form submission and insufficient input sanitization combine…
CVE-2026-4069
23:36 KSA
Medium CVSS 6.1 CWE-79
The Alfie – Feed Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'naam' parameter in all versions up to, and including, 1.2.1. This is due to missing nonce validation on the alfie_option_page() function combined with insufficient input sanitizatio…
CVE-2026-32045
05:45 KSA
Medium CVSS 5.9 CWE-290
OpenClaw versions prior to 2026.2.21 incorrectly apply tokenless Tailscale header authentication to HTTP gateway routes, allowing bypass of token and password requirements. Attackers on trusted networks can exploit this misconfiguration to access HTTP gateway routes without prope…
CVE-2026-32057
05:45 KSA
Medium CVSS 5.9 CWE-807
OpenClaw versions prior to 2026.2.25 contain an authentication bypass vulnerability in the trusted-proxy Control UI pairing mechanism that accepts client.id=control-ui without proper device identity verification. An authenticated node role websocket client can exploit this by usi…
CVE-2026-33129
05:45 KSA
Medium CVSS 5.9 CWE-208
H3 is a minimal H(TTP) framework. Versions 2.0.1-beta.0 through 2.0.0-rc.8 contain a Timing Side-Channel vulnerability in the requireBasicAuth function due to the use of unsafe string comparison (!==). This allows an attacker to deduce the valid password character-by-character by…
CVE-2026-4603
09:54 KSA
Medium CVSS 5.9 CWE-369
Versions of the package jsrsasign before 11.1.1 are vulnerable to Division by zero due to the RSASetPublic/KEYUTIL parsing path in ext/rsa.js and the BigInteger.modPowInt reduction logic in ext/jsbn.js. An attacker can force RSA public-key operations (e.g., verify and encryption)…
CVE-2024-13785
05:45 KSA
Medium CVSS 5.6 CWE-94
The The Contact Form, Survey, Quiz & Popup Form Builder – ARForms plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.7.2. This is due to the software allowing users to execute an action that does not properly validate a val…
CVE-2026-32044
05:45 KSA
Medium CVSS 5.5 CWE-409
OpenClaw versions prior to 2026.3.2 contain an archive extraction vulnerability in the tar.bz2 installer path that bypasses safety checks enforced on other archive formats. Attackers can craft malicious tar.bz2 skill archives to bypass special-entry blocking and extracted-size gu…
CVE-2026-3347
05:45 KSA
Medium CVSS 5.5 CWE-79
The Multi Functional Flexi Lightbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `arv_lb[message]` parameter in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This is due to the `arv_lb_options_val()…
CVE-2026-32895
05:45 KSA
Medium CVSS 5.4 CWE-863
OpenClaw versions prior to 2026.2.26 fail to enforce sender authorization in member and message subtype system event handlers, allowing unauthorized events to be enqueued. Attackers can bypass Slack DM allowlists and per-channel user allowlists by sending system events from non-a…
CVE-2026-32898
05:45 KSA
Medium CVSS 5.4 CWE-807
OpenClaw versions prior to 2026.2.23 contain an authorization bypass vulnerability in the ACP client that auto-approves tool calls based on untrusted toolCall.kind metadata and permissive name heuristics. Attackers can bypass interactive approval prompts for read-class operations…
CVE-2026-33051
05:45 KSA
Medium CVSS 5.4 CWE-79
Craft CMS is a content management system (CMS). In versions 5.9.0-beta.1 through 5.9.10, the revision/draft context menu in the element editor renders the creator’s fullName as raw HTML due to the use of Template::raw() combined with Craft::t() string interpolation. A low-privile…
CVE-2025-10731
09:54 KSA
Medium CVSS 5.3 CWE-285
The ReviewX – WooCommerce Product Reviews with Multi-Criteria, Reminder Emails, Google Reviews, Schema & More plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.2.12 via the allReminderSettings function. This makes it poss…
CVE-2025-10734
09:54 KSA
Medium CVSS 5.3 CWE-922
The ReviewX – WooCommerce Product Reviews with Multi-Criteria, Reminder Emails, Google Reviews, Schema & More plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.2.12 via the syncedData function. This makes it possible for …
CVE-2025-13997
09:54 KSA
Medium CVSS 5.3 CWE-200
The King Addons for Elementor – 4,000+ ready Elementor sections, 650+ templates, 70+ FREE widgets for Elementor plugin for WordPress is vulnerable to unauthenticated API key disclosure in all versions up to, and including, 51.1.49 due to the plugin adding the API keys to the HTML…
CVE-2026-1253
05:45 KSA
Medium CVSS 5.3 CWE-862
The Group Chat & Video Chat by AtomChat plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'atomchat_update_auth_ajax' and 'atomchat_update_layout_ajax' functions in all versions up to, and including, 1.1.7. This makes…
CVE-2026-32046
05:45 KSA
Medium CVSS 5.3 CWE-1188
OpenClaw versions prior to 2026.2.21 contain an improper sandbox configuration vulnerability that allows attackers to execute arbitrary code by exploiting renderer-side vulnerabilities without requiring a sandbox escape. Attackers can leverage the disabled OS-level sandbox protec…
CVE-2026-3335
05:45 KSA
Medium CVSS 5.3 CWE-862
The Canto plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.1.1 via the `/wp-content/plugins/canto/includes/lib/copy-media.php` file. This is due to the file being directly accessible without any authentication, authorization, or …
CVE-2026-3460
05:45 KSA
Medium CVSS 5.3 CWE-20
The REST API TO MiniProgram plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.2. This is due to the permission callback (update_user_wechatshop_info_permissions_check) only validating that the supplied 'openid' parame…
CVE-2026-3506
05:45 KSA
Medium CVSS 5.3 CWE-862
The WP-Chatbot for Messenger plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.9. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers…
CVE-2026-3546
05:45 KSA
Medium CVSS 5.3 CWE-202
The e-shot form builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.2. The eshot_form_builder_get_account_data() function is registered as a wp_ajax_ AJAX handler accessible to all authenticated users. The functio…
CVE-2026-3550
05:45 KSA
Medium CVSS 5.3 CWE-862
The RockPress plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.17. This is due to missing capability checks on multiple AJAX actions (rockpress_import, rockpress_import_status, rockpress_last_import, rockpress_reset_import, and…
CVE-2026-3567
05:45 KSA
Medium CVSS 5.3 CWE-862
The RepairBuddy – Repair Shop CRM & Booking Plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 4.1132. The plugin exposes two AJAX handlers that, when combined, allow any authenticated user to modify admin-level plugin settings. First,…
CVE-2026-3570
05:45 KSA
Medium CVSS 5.3 CWE-862
The Smarter Analytics plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 2.0. This is due to missing authentication and capability checks on the configuration reset functionality in the global scope of smarter-analytics.php. This makes…
CVE-2026-3641
23:36 KSA
Medium CVSS 5.3 CWE-20
The Appmax plugin for WordPress is vulnerable to Improper Input Validation in all versions up to, and including, 1.0.3. This is due to the plugin registering a public REST API webhook endpoint at /webhook-system without implementing webhook signature validation, secret verificati…
CVE-2026-3645
23:36 KSA
Medium CVSS 5.3 CWE-862
The Punnel – Landing Page Builder plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.3.1. The save_config() function, which handles the 'punnel_save_config' AJAX action, lacks any capability check (current_user_can()) and nonce ver…
CVE-2026-3651
23:36 KSA
Medium CVSS 5.3 CWE-862
The Build App Online plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 1.0.23. This is due to the plugin registering the 'build-app-online-update-vendor-product' AJAX action via wp_ajax_nopriv_ without proper authentication checks, ca…
CVE-2026-4127
23:36 KSA
Medium CVSS 5.3 CWE-862
The Speedup Optimization plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.5.9. The `speedup01_ajax_enabled()` function, which handles the `wp_ajax_speedup01_enabled` AJAX action, does not perform any capability check via `current_u…
CVE-2026-4496
05:45 KSA
Medium CVSS 5.3 CWE-77
A vulnerability was found in sigmade Git-MCP-Server up to 785aa159f262a02d5791a5d8a8e13c507ac42880. Affected by this vulnerability is the function child_process.exec of the file src/gitUtils.ts of the component show_merge_diff/quick_merge_summary/show_file_diff. The manipulation …
CVE-2026-4582
09:54 KSA
Medium CVSS 5.0 CWE-287
A security vulnerability has been detected in Shenzhen HCC Technology MPOS M6 PLUS 1V.31-N. Affected by this vulnerability is an unknown functionality of the component Bluetooth. Such manipulation leads to missing authentication. The attack must be carried out from within the loc…
CVE-2026-4583
09:54 KSA
Medium CVSS 5.0 CWE-287
A vulnerability was detected in Shenzhen HCC Technology MPOS M6 PLUS 1V.31-N. Affected by this issue is some unknown functionality of the component Bluetooth Handler. Performing a manipulation results in authentication bypass by capture-replay. The attack must originate from the …
⚠️ Threat Intelligence
17 threats
rss:The Hacker News
08:03 KSA
Critical vulnerability
Hackers exploit CVE-2025-32975 (severity score 10.0) to compromise unpatched Quest KACE SMA systems
Cybercriminals are exploiting a critical vulnerability (score 10.0) in the Quest KACE systems management appliance. Arctic Wolf observed malicious activity beginning in March 2026 targeting systems that are not…
rss:The Hacker News
06:58 KSA
Critical supply_chain
Trivy compromise spreads infostealer via Docker and launches a worm and Kubernetes wiper
Researchers uncovered a supply-chain attack on the Trivy security scanner distributed via Docker Hub. The malicious versions (0.69.4, 0.69.5) contain infostealer malware, worm capabilities and Kubernetes wiping functionality,…
rss:The Hacker News
06:58 KSA
High phishing
Microsoft warns of IRS-targeted phishing attack that hits 29,000 users and deploys remote-control malware
Microsoft discovered phishing campaigns exploiting the US tax season that affected 29,000 users. The attackers send fake IRS notices about…
rss:The Hacker News
06:58 KSA
High vulnerability
We found eight attack vectors inside AWS Bedrock. Here is what attackers can do with them
Security researchers discovered eight attack vectors in Amazon's AWS Bedrock platform for building AI applications. The platform's connectivity to enterprise data and systems, while powerful for developers, creates significant security risks that can…
rss:BleepingComputer
06:28 KSA
High data_breach
Crunchyroll investigates breach after hackers claim theft of 6.8 million users' data
The anime streaming platform Crunchyroll is investigating a security breach affecting about 6.8 million users. The hackers claim to have stolen subscribers' personal information, raising concerns about credential theft and possible account compromise…
rss:The Hacker News
06:13 KSA
Medium general
⚡ Weekly recap: CI/CD backdoor, FBI buys location data, WhatsApp ditches numbers and more
A weekly cybersecurity recap covering multiple threats, including supply-chain attacks targeting CI/CD systems and the shutdown of long-exploited IoT devices…
rss:The Hacker News
06:13 KSA
High supply_chain
North Korean hackers abuse VS Code auto-run tasks to deploy StoatWaffle malware
North Korean attackers (WaterPlum / Contagious Interview campaign) abuse the tasks.json auto-run feature in Visual Studio Code to deploy the StoatWaffle malware. This attack targets…
rss:Dark Reading
06:11 KSA
Low general
CISOs debate the human role in AI-powered cybersecurity
Cybersecurity leaders at RSAC 2026 discussed the need for human oversight of AI-powered security systems. The discussion challenges the traditional approach to human intervention as the capabilities of AI evolve…
rss:Dark Reading
06:11 KSA
High phishing
Attackers hide infostealers in copyright infringement notices
A sophisticated phishing campaign targets the healthcare, government, hospitality and education sectors worldwide using fake copyright infringement notices. The attackers deploy information-stealing malware while using techniques…
rss:BleepingComputer
06:10 KSA
Critical malware
TeamPCP deploys wiper malware targeting Iran in Kubernetes attacks
The TeamPCP hacking group targets Kubernetes clusters with destructive wiper malware that activates when it detects systems configured for Iran. The attacks represent geopolitically motivated cyber operations against critical container infrastructure…
rss:Malwarebytes Lab
05:41 KSA
High vulnerability
That is all it takes to stop a train
Simple network vulnerabilities in transit systems in the Gulf region can cause major train outages. The podcast discusses how basic network security problems pose significant risks to critical transportation infrastructure.
rss:Malwarebytes Lab
05:21 KSA
Low general
A week in security (March 16 - March 22)
A weekly cybersecurity roundup covering a range of security topics and incidents from March 16 to 22, 2026. It provides a consolidated overview of recent threats, vulnerabilities and security developments.
rss:Malwarebytes Lab
05:21 KSA
Medium malware
'Advanced flow' feature will make sideloading on Android safer
Google is introducing the 'advanced flow' security feature for Android to improve the safety of sideloading by applying delays that disrupt fraudulent app installations. The measure aims to protect users from apps…
rss:Malwarebytes Lab
05:21 KSA
Medium phishing
A guide to March Madness scams
Cybercriminals exploit major sporting events such as March Madness to launch a variety of scam campaigns targeting fans. The article offers guidance on identifying and avoiding common fraud schemes associated with large-scale sports tournaments.
rss:Mandiant Blog
05:09 KSA
Medium general
M-Trends 2026: Data, insights and strategies from the frontlines
Mandiant's annual M-Trends 2026 report documents the evolution of adversary tactics and techniques observed in 2025. The report highlights a clear divergence in adversary tempo and offers strategic insights for defenders to adapt to…
rss:Malwarebytes Lab
05:09 KSA
Medium phishing
FriendlyDealer mimics official app stores to push unapproved gambling apps
More than 1,500 fake app-store sites impersonate Google Play and the Apple App Store to distribute cloned, unapproved web-based gambling apps. Users believe they are downloading from official sources but…
rss:Krebs on Securit
05:08 KSA
High malware
'CanisterWorm' attack targets Iran with data-wiping attacks
A financially motivated threat group launched a worm targeting Iran through poorly secured cloud services. The malware spreads automatically and wipes data on systems set to Iran's time zone or…
📰 Cybersecurity News
0 articles
📰 No aggregated news yet today

This bulletin is updated automatically every day. Last updated: 23 Mar 2026