|
2561
|
5.4 |
MEDIUM
Network
|
-
|
-
|
A flaw was found in Quay. The filedrop endpoint accepts any mime type without validation, allowing an authenticated user with repository write access to upload a malicious SVG file containing JavaScr…
|
CWE-79
Cross-site Scripting
|
CVE-2026-11569
|
2026-06-8 23:57 |
2026-06-8 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2562
|
- |
|
-
|
-
|
## Summary
The iOS implementation of `cordova-plugin-inappbrowser` passes the `id` field from a `WKScriptMessage` body to `commandDelegate sendPluginResult:callbackId:` with no format validation (`C…
|
CWE-20
Improper Input Validation
|
CVE-2026-47430
|
2026-06-8 23:57 |
2026-06-8 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2563
|
7.4 |
HIGH
Network
|
-
|
-
|
A weakness in the certificate validation logic of the deprecated IKEv1 key exchange may allow an unauthenticated attacker positioned as a man-in-the-middle to bypass certificate validation in VPN sit…
|
CWE-295
Improper Certificate Validation
|
CVE-2026-50752
|
2026-06-8 23:57 |
2026-06-8 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2564
|
3.8 |
LOW
Network
|
-
|
-
|
The Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress is vulnerable to arbitrary directory deletion due to insufficient file path validation in the delete_cancel_staging_si…
|
CWE-73
External Control of File Name or Path
|
CVE-2025-12656
|
2026-06-8 23:57 |
2026-06-6 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2565
|
4.3 |
MEDIUM
Network
|
-
|
-
|
The Alba Board plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.1.3. This is due to the plugin not properly verifying that a user is authorized to pe…
|
CWE-862
Missing Authorization
|
CVE-2026-7523
|
2026-06-8 23:57 |
2026-06-6 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2566
|
7.5 |
HIGH
Network
|
-
|
-
|
The WP User Manager – User Profile Builder & Membership plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.9.17 via the (profile template scope) functi…
|
CWE-22
Path Traversal
|
CVE-2026-9290
|
2026-06-8 23:57 |
2026-06-6 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2567
|
4.3 |
MEDIUM
Network
|
-
|
-
|
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.6.0. This is due to missin…
|
CWE-352
Origin Validation Error
|
CVE-2026-9719
|
2026-06-8 23:57 |
2026-06-6 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2568
|
8.8 |
HIGH
Network
|
-
|
-
|
The Admin Columns plugin for WordPress is vulnerable to PHP Object Injection leading to Remote Code Execution in versions up to and including 7.0.18. This is due to the use of `unserialize()` without…
|
CWE-502
Deserialization of Untrusted Data
|
CVE-2026-7654
|
2026-06-8 23:57 |
2026-06-6 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2569
|
4.3 |
MEDIUM
Network
|
-
|
-
|
The Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More plugin for WordPress is vulnerable to Insecure Direct Object Reference / Authorization Bypass leading to A…
|
CWE-639
Authorization Bypass Through User-Controlled Key
|
CVE-2026-10038
|
2026-06-8 23:57 |
2026-06-6 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2570
|
4.9 |
MEDIUM
Network
|
-
|
-
|
The Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'order' parameter in all versions up to, and including, 11.1…
|
CWE-89
SQL Injection
|
CVE-2026-6448
|
2026-06-8 23:57 |
2026-06-6 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
