Threat Intelligence Feed

Aggregating 6244 articles from trusted cybersecurity sources

LATEST CVEs
CVE-2026-49416 The CONS_HISTORY ioctl handler did not adequately validate the requested history size. A large value caused an integer
CVE-2026-49414 The ELF image activator cleared per-process ASLR preference flags for setuid binaries after the code that computes the P
CVE-2026-49417 Second, the audio buffer backing a mapping could be freed when the device was closed even though the mapping remained va
CVE-2026-49413 The Linuxulator determined whether a binary was set-user-ID or set-group-ID by checking the P_SUGID process flag. Durin
CVE-2026-49412 The kernel handler for IPV6_MSFILTER dropped a serializing lock in order to copy the source-filter list from userspace,
CVE-2026-45259 sigqueue(2) was marked as permitted in capability mode with the introduction of Capsicum in 2011, but the implementation
CVE-2026-45258 dsp_mmap_single() validated the requested mapping by checking the sum of the user-supplied offset and length against the
MED · CVE-2026-9242 The RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress is vu
MED · CVE-2026-9233 The Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker plugin for WordPress is vulnerable to authorization bypass
MED · CVE-2026-3462 The Frisbii Pay plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks
MED · CVE-2026-13295 The Page Builder by SiteOrigin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via panels_data Paramet
MED · CVE-2026-12471 The Spexo theme for WordPress is vulnerable to unauthorized access due to a missing capability check on the activate_plu
MED · CVE-2026-12432 The WP Full Stripe Free plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 8.
MED · CVE-2026-12399 The Gutenverse – WordPress Blocks, Page Builder & Site Editor plugin for WordPress is vulnerable to Stored Cross-Site Sc
MED · CVE-2026-11987 The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy plugin for WordPr
MED · CVE-2026-11783 The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy plugin for WordPr
MED · CVE-2026-11773 The Masteriyo LMS – LMS Course Builder, Quizzes & Certificates plugin for WordPress is vulnerable to authorization bypas
MED · CVE-2026-11597 The Surbma | Infusionsoft Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'infusions
MED · CVE-2026-11364 The Product Specifications for WooCommerce plugin for WordPress is vulnerable to unauthorized modification, creation, an
CVE-2026-9677 The Shariff for WordPress Shariff for WordPress plugin through 1.0.11 does not sanitize or escape the shariff_infourl se
MED · CVE-2026-13245 The MaxButtons – Create buttons plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'view' para
MED · CVE-2026-12404 The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to authorization bypass in all ve
CVE-2026-10820 The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content WordPress pl
CRIT · CVE-2026-12415 The Invoice Generator plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on th
MED · CVE-2026-13422 The HD Quiz plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions 2.2.0 to 2.2.1. This is due to
MED · CVE-2026-13335 The CodePeople Post Map for Google Maps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'cpm_point
MED · CVE-2026-13333 The Groundhogg — CRM, Newsletters, and Marketing Automation plugin for WordPress is vulnerable to generic SQL Injection
MED · CVE-2026-13331 The Groundhogg — CRM, Newsletters, and Marketing Automation plugin for WordPress is vulnerable to generic SQL Injection
MED · CVE-2026-11356 The Ivory Search – WordPress Search Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'menu_t
MED · CVE-2025-59868 HCL Traveler for Microsoft Outlook (HTMO) is susceptible to a sensitive data exposure vulnerability which could allow an
HIGH · CVE-2023-37524 HCL Traveler for Microsoft Outlook (HTMO) is susceptible to vulnerabilities due to .NET Framework 4.5 being out of servi
HIGH · CVE-2026-56414 A vulnerability exists in H.View IP cameras certificate-related upload interfaces allow authenticated users to store arb
HIGH · CVE-2026-55975 A vulnerability exists in H.View IP cameras that could allow an authenticated user to supply unsanitized XML fields to t
HIGH · CVE-2026-33560 The DMP-5000 file service exposes authenticated arbitrary file upload functionality. There are exposed endpoints which a
HIGH · CVE-2026-31928 The DMP-5000 devices are shipped with a default administrative web account with weak authentication controls, which are
CRIT · CVE-2026-28701 Various versions of Daktronics Controller Firmware could allow authenticated and unauthenticated remote users to escape
HIGH · CVE-2026-55069 Kestra is an open-source, event-driven orchestration platform. Prior to 1.3.24, this vulnerability exists in the BasicAu
MED · CVE-2026-53577 Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, the previewFileFromExecution
CRIT · CVE-2026-53576 Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, the authentication filter for
CVE-2026-50767 A stored cross-site scripting (XSS) vulnerability in the item type administration page of Koha Library Management System

2679 General · 746 Vulnerability Disclosure · 722 CVE · 494 Campaigns · 347 Data Breach · 324 Malware
