Threat Intelligence Feed

Aggregating 5582 articles from trusted cybersecurity sources

LATEST CVEs
CVE-2026-56355 GNU Savannah Administration Savane through 3.17 uses untrusted data as part of authorization.
MED · CVE-2026-56347 AVideo TopMenu plugin through version 26.0 contains a stored cross-site scripting vulnerability in menu item rendering d
MED · CVE-2026-56346 AVideo through version 25.0 contains an authentication bypass vulnerability in the decryptMessage.json.php endpoint that
HIGH · CVE-2026-56345 AVideo through 29.0 contains an authorization bypass vulnerability in the Meet plugin's uploadRecordedVideo.json.php end
MED · CVE-2026-56342 AVideo through version 27.0 contains a server-side request forgery vulnerability in plugin/Live/test.php that allows aut
HIGH · CVE-2026-56341 AVideo through version 26.0 contains multiple unauthenticated list.json.php endpoints in payment plugins lacking authori
HIGH · CVE-2026-56340 vLLM versions >= 0.10.2 and < 0.13.0 are missing sparse tensor validation in multimodal embeddings processing. Because P
MED · CVE-2025-71379 vLLM versions >= 0.6.3 and < 0.9.0 contain multiple regular expression denial of service (ReDoS) vulnerabilities. Severa
CVE-2026-5366 Prefect version 3.6.23 is vulnerable to remote code execution due to improper handling of user-controlled input in the `
MED · CVE-2026-56332 Capgo before 12.128.2 contains an open redirect vulnerability in the confirm-signup endpoint that allows attackers to re
CVE-2026-56330 Capgo before 12.128.2 contains an open redirect vulnerability in stripe_portal and stripe_checkout endpoints that accept
CVE-2026-56325 Capgo before 12.128.2 uses ILIKE pattern matching instead of exact matching for app_id lookup in the preview subdomain r
MED · CVE-2026-56319 Capgo before 12.128.2 contains an information disclosure vulnerability in the GET /statistics/app/:app_id endpoint that
CVE-2026-56317 Nuxt before 4.4.7 (and the 3.x branch before 3.21.7) contains a cross-site scripting vulnerability in the NoScript compo
MED · CVE-2026-56307 Cap-go before 12.128.12 contains a broken cursor pagination vulnerability in the /private/devices endpoint on the Cloudf
MED · CVE-2026-56304 picklescan before 1.0.1 contains an unsafe pickle deserialization vulnerability allowing unauthenticated attackers to cr
MED · CVE-2026-56295 Capgo before 12.128.2 contains an authorization bypass vulnerability in webhook management endpoints that allows non-exp
MED · CVE-2026-56294 capacitor-native-biometric before 12.128.2 contains an authentication bypass vulnerability where the onAuthenticationSuc
MED · CVE-2026-56282 Capgo before 12.128.2 contains an information disclosure vulnerability in the unauthenticated /replication endpoint that
CVE-2026-56276 Flowise before 3.1.2 contains a mass assignment vulnerability in the PUT /api/v1/user endpoint that allows authenticated
CVE-2026-56267 Flowise before 3.0.13 contains an information exposure vulnerability in the POST /api/v1/account/forgot-password endpoin
MED · CVE-2026-56235 Cap-go capgo before 12.128.2 contains an authorization bypass in several Supabase PostgREST RPC functions (get_app_metri
MED · CVE-2026-56228 Capgo before 12.128.2 fails to enforce a maximum value on the minimum password length field in its password policy confi
MED · CVE-2026-56227 Capgo before 12.128.2 contains a server-side request forgery vulnerability in webhook URL validation that allows loopbac
MED · CVE-2026-56218 Capgo before 12.128.2 fails to strip EXIF metadata including GPS geolocation data from uploaded images, allowing informa
MED · CVE-2025-71331 Flowise before 3.0.8 contains a cross-site scripting (XSS) vulnerability caused by insufficient input filtering in chat
CRIT · CVE-2024-58351 Flowise before 2.1.4 allows configuration to be injected into the Chainflow during execution via the overrideConfig opti
CVE-2026-12673 Liquidfiles versions before 4.2.12 are affected by a broken access control vulnerability resulting in privilege escalati
CRIT · CVE-2022-50972 WooCommerce 7.1.0 contains a remote code execution vulnerability that allows attackers to execute arbitrary PHP code by
HIGH · CVE-2020-37255 WordPress Time Capsule Plugin 1.21.16 contains an authentication bypass vulnerability that allows unauthenticated attack
CRIT · CVE-2019-25763 WordPress Ultimate Addons for Beaver Builder 1.2.4.1 contains an authentication bypass vulnerability that allows attacke
CVE-2026-48939 A vulnerability in the iCagenda extension for Joomla allows the upload of arbitrary files in the file attachment feature
CVE-2026-48909 SP LMS (com_splms) < 4.1.4 by JoomShaper deserializes user-controlled cookie data without validation, enabling an unauth
CVE-2026-48908 A vulnerability in SP Page Builder for Joomla allows unauthenticated users to upload arbitrary files, ultimately resulti
MED · CVE-2026-12119 The Simple File List plugin for WordPress is vulnerable to unauthorized file operations due to a missing authorization c
HIGH · CVE-2026-11912 The Simple File List plugin for WordPress is vulnerable to arbitrary file modification due to insufficient authorization
HIGH · CVE-2026-11911 The Simple File List plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validat
HIGH · CVE-2026-9843 The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to arbitrary file deletion
CVE-2026-9265 Crypt::OpenSSL::PKCS12 versions before 1.96 for Perl permits a heap OOB read in print_attribute UTF8STRING path. print_
HIGH · CVE-2026-56216 Capgo before 12.128.2 contains a scope escalation vulnerability in the POST /functions/v1/apikey endpoint that allows ap

2370 General · 683 Vulnerability Disclosure · 640 CVE · 437 Campaigns · 315 Data Breach · 294 Malware
