Threat Intelligence Feed

Aggregating 3775 articles from trusted cybersecurity sources

LATEST CVEs
CVE-2026-6056 Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
CVE-2026-41242 protobufjs compiles protobuf definitions into JavaScript (JS) functions. In versions prior to 8.0.1 and 7.5.5, attackers
CVE-2026-40948 The Keycloak authentication manager in `apache-airflow-providers-keycloak` did not generate or validate the OAuth 2.0 `s
CVE-2026-2986 The Contextual Related Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'other_attributes
CVE-2026-2505 The Categories Images plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including
CVE-2026-0894 The Content Blocks (Custom Post Widget) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin
CVE-2026-41254 Little CMS (lcms2) through 2.18 has an integer overflow in CubeSize in cmslut.c because the overflow check is performed
CVE-2026-32690 Secrets in Variables saved as JSON dictionaries were not properly redacted - in case the variables were retrieved by th
CVE-2026-32228 UI / API User with asset materialize permission could trigger dags they had no access to. Users are advised to migrate t
CVE-2026-30912 In case of SQL errors, exception/stack trace of errors was exposed in API even if "api/expose_stack_traces" was set to f
CVE-2026-30898 An example of BashOperator in Airflow documentation suggested a way of passing dag_run.conf in the way that could cause
CVE-2026-25917 Dag Authors, who normally should not be able to execute code in the webserver context could craft XCom payload causing t
CVE-2026-41253 In iTerm2 through 3.6.9, displaying a .txt file can cause code execution via DCS 2000p and OSC 135 data, if the working
CVE-2026-6518 The CMP – Coming Soon & Maintenance Plugin by NiteoThemes plugin for WordPress is vulnerable to arbitrary file upload an
CVE-2026-6048 The Flipbox Addon for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Flipbox widget
CVE-2026-4801 The Page Builder Gutenberg Blocks – CoBlocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via exter
CVE-2026-40494 SAIL is a cross-platform library for loading and saving images with support for animation, metadata, and ICC profiles. P
CVE-2026-40493 SAIL is a cross-platform library for loading and saving images with support for animation, metadata, and ICC profiles. P
CVE-2026-40492 SAIL is a cross-platform library for loading and saving images with support for animation, metadata, and ICC profiles. P
CVE-2026-40491 gdown is a Google Drive public file/folder downloader. Versions prior to 5.2.2 are vulnerable to a Path Traversal attack
CVE-2026-40490 The AsyncHttpClient (AHC) library allows Java applications to easily execute HTTP requests and asynchronously process HT
CVE-2026-40489 editorconfig-core-c is an EditorConfig core library for use by plugins supporting EditorConfig parsing. Versions up to
CVE-2026-40487 Postiz is an AI social media scheduling tool. Prior to version 2.21.6, a file upload validation bypass allows any authen
CVE-2026-35582 Emissary is a P2P based data-driven workflow engine. In versions 8.42.0 and below, Executrix.getCommand() is vulnerable
CVE-2026-1838 The Hostel plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'shortcode_id' parameter in all
CVE-2026-1559 The Youzify plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'checkin_place_id' parameter in al
CVE-2026-40572 NovumOS is a custom 32-bit operating system written in Zig and x86 Assembly. In versions prior to 0.24, Syscall 15 (Memo
CVE-2026-40350 Movary is a self hosted web app to track and rate a user's watched movies. Prior to version 0.71.1, an ordinary authenti
CVE-2026-40317 NovumOS is a custom 32-bit operating system written in Zig and x86 Assembly. In versions prior to 0.24, Syscall 12 (Jump
CVE-2026-35465 SecureDrop Client is a desktop app for journalists to securely communicate with sources and handle submissions on the Se
CVE-2026-40593 ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the User Editor (UserEditor.php) rende
CVE-2026-40582 ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the /api/public/user/login endpoint va
CVE-2026-40581 ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the family record deletion endpoint (S
CVE-2026-40485 ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the public API login endpoint (/api/pu
CVE-2026-40484 ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the database backup restore functional
CVE-2026-40483 ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the Pledge Editor renders donation com
CVE-2026-40482 ChurchCRM is an open-source church management system. Versions prior to 7.2.0 have SQL injection in FinancialService::ge
CVE-2026-40480 ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the GET /api/person/{personId} endpoin
CVE-2026-40349 Movary is a self hosted web app to track and rate a user's watched movies. Prior to version 0.71.1, an ordinary authenti
CVE-2026-40348 Movary is a self hosted web app to track and rate a user's watched movies. Prior to version 0.71.1, an ordinary authenti

1592 General
450 CVE
449 Vulnerability Disclosure
307 Campaigns
206 Data Breach
203 Malware

Trending Vendors

Latest News

No articles found.

Data Breaches