Latest Vulnerabilities

CVE ID :CVE-2026-5797 Published : April 17, 2026, 6:16 a.m. | 40 minutes ago Description :The Quiz And Survey Master plugin for WordPress is vulnerable to Arbitrary Shortcode Execution in versions up to and including 11.1.0. This is due to insufficient input sanitization and the execution of do_shortcode() on user-submitted quiz answer text. User-submitted answers pass through sanitize_text_field() and htmlspecialchars(), which only strip HTML tags but do not encode or remove shortcode brackets [ and ]. When quiz results are displayed, the plugin calls do_shortcode() on the entire results page output (including user answers), causing any injected shortcodes to be executed. This makes it possible for unauthenticated attackers to inject arbitrary WordPress shortcodes such as [qsm_result id=X] to access other users’ quiz submissions without authorization, as the qsm_result shortcode lacks any authorization checks. Severity: 5.3 | MEDIUM Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID :CVE-2026-6421 Published : April 17, 2026, 6:16 a.m. | 40 minutes ago Description :A vulnerability has been found in Mobatek MobaXterm Home Edition up to 26.1. This affects an unknown part in the library msimg32.dll. The manipulation leads to uncontrolled search path. An attack has to be approached locally. The attack is considered to have high complexity. It is indicated that the exploitability is difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 26.2 is able to mitigate this issue. It is suggested to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product. Severity: 7.3 | HIGH Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID :CVE-2026-6482 Published : April 17, 2026, 6:16 a.m. | 40 minutes ago Description :The Rapid7 Insight Agent (versions > 4.1.0.2) is vulnerable to a local privilege escalation attack that allows users to gain SYSTEM level control of a Windows host. Upon startup the agent service attempts to load an OpenSSL configuration file from a non-existent directory that is writable by standard users. By planting a crafted openssl.cnf file an attacker can trick the high-privilege service into executing arbitrary commands. This effectively permits an unprivileged user to bypass security controls and achieve a full host compromise under the agent’s SYSTEM level access. Severity: 8.5 | HIGH Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID :CVE-2026-21719 Published : April 17, 2026, 6:16 a.m. | 40 minutes ago Description :An OS command injection vulnerability exists in CubeCart prior to 6.6.0, which may allow a user with an administrative privilege to execute an arbitrary OS command. Severity: 8.6 | HIGH Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID :CVE-2026-34018 Published : April 17, 2026, 6:16 a.m. | 40 minutes ago Description :An SQL injection vulnerability exists in CubeCart prior to 6.6.0, which may allow an attacker to execute an arbitrary SQL statement on the product. Severity: 6.3 | MEDIUM Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID :CVE-2026-35496 Published : April 17, 2026, 6:16 a.m. | 40 minutes ago Description :A path traversal vulnerability exists in CubeCart prior to 6.6.0, which may allow a user with an administrative privilege to access higher-level directories that should not be accessible. Severity: 5.1 | MEDIUM Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID :CVE-2026-5502 Published : April 17, 2026, 5:16 a.m. | 1 hour, 40 minutes ago Description :The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized course content manipulation in versions up to and including 3.9.8. This is due to a missing authorization check in the tutor_update_course_content_order() function. The function only validates the nonce (CSRF protection) but does not verify whether the user has permission to manage course content. The can_user_manage() authorization check only executes when the ‘content_parent’ parameter is present in the request. When this parameter is omitted, the function proceeds directly to save_course_content_order() which manipulates the wp_posts table without any authorization validation. This makes it possible for authenticated attackers with subscriber-level access and above to detach all lessons from any topic, move lessons between topics, and modify the menu_order of course content, effectively allowing them to disrupt the structure of any course on the site. Severity: 5.3 | MEDIUM Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID :CVE-2026-5807 Published : April 17, 2026, 5:16 a.m. | 1 hour, 40 minutes ago Description :Vault is vulnerable to a denial-of-service condition where an unauthenticated attacker can repeatedly initiate or cancel root token generation or rekey operations, occupying the single in-progress operation slot. This prevents legitimate operators from completing these workflows. This vulnerability, CVE-2026-5807, is fixed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0. Severity: 7.5 | HIGH Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID :CVE-2026-6080 Published : April 17, 2026, 5:16 a.m. | 1 hour, 40 minutes ago Description :The Tutor LMS plugin for WordPress is vulnerable to SQL Injection in versions up to and including 3.9.8. This is due to insufficient escaping on the ‘date’ parameter combined with direct interpolation into a SQL fragment before being passed to $wpdb->prepare(). This makes it possible for authenticated attackers with Admin-level access and above to append additional SQL queries and extract sensitive information from the database. Severity: 6.5 | MEDIUM Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID :CVE-2026-4853 Published : April 17, 2026, 5:16 a.m. | 1 hour, 40 minutes ago Description :The JetBackup – Backup, Restore & Migrate plugin for WordPress is vulnerable to Path Traversal leading to Arbitrary Directory Deletion in versions up to and including 3.1.19.8. This is due to insufficient input validation on the fileName parameter in the file upload handler. The plugin sanitizes the fileName parameter using sanitize_text_field(), which removes HTML tags but does not prevent path traversal sequences like ‘../’. The unsanitized filename is then directly concatenated in Upload::getFileLocation() without using basename() or validating the resolved path stays within the intended directory. When an invalid file is uploaded, the cleanup logic calls dirname() on the traversed path and passes it to Util::rm(), which recursively deletes the entire resolved directory. This makes it possible for authenticated attackers with administrator-level access to traverse outside the intended upload directory and trigger deletion of critical WordPress directories such as wp-content/plugins, effectively disabling all installed plugins and causing severe site disruption. Severity: 4.9 | MEDIUM Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID :CVE-2026-5234 Published : April 17, 2026, 5:16 a.m. | 1 hour, 40 minutes ago Description :The LatePoint plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.3.2. The vulnerability exists because the OsStripeConnectController::create_payment_intent_for_transaction action is registered as a public action (no authentication required) and loads invoices by sequential integer invoice_id without any access_key or ownership verification. This is in contrast to other invoice-related actions (view_by_key, payment_form, summary_before_payment) in OsInvoicesController which properly require a cryptographic UUID access_key. This makes it possible for unauthenticated attackers to enumerate valid invoice IDs via an error message oracle, create unauthorized transaction intent records in the database containing sensitive financial data (invoice_id, order_id, customer_id, charge_amount), and on sites with Stripe Connect configured, the response also leaks Stripe payment_intent_client_secret tokens, transaction_intent_key values, and payment amounts for any invoice. Severity: 5.3 | MEDIUM Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID :CVE-2026-5427 Published : April 17, 2026, 5:16 a.m. | 1 hour, 40 minutes ago Description :The Kubio plugin for WordPress is vulnerable to Arbitrary File Upload in versions up to and including 2.7.2. This is due to insufficient capability checks in the kubio_rest_pre_insert_import_assets() function, which is hooked to the rest_pre_insert_{post_type} filter for posts, pages, templates, and template parts. When a post is created or updated via the REST API, Kubio parses block attributes looking for URLs in the ‘kubio’ attribute namespace and automatically imports them via importRemoteFile() without verifying the user has the upload_files capability. This makes it possible for authenticated attackers with Contributor-level access and above to bypass WordPress’s normal media upload restrictions and upload files fetched from external URLs to the media library, creating attachment posts in the database. Severity: 5.3 | MEDIUM Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID :CVE-2026-3330 Published : April 17, 2026, 5:16 a.m. | 1 hour, 40 minutes ago Description :The Form Maker by 10Web plugin for WordPress is vulnerable to SQL Injection via the ‘ip_search’, ‘startdate’, ‘enddate’, ‘username_search’, and ‘useremail_search’ parameters in all versions up to, and including, 1.15.40. This is due to the `WDW_FM_Library::validate_data()` method calling `stripslashes()` on user input (removing WordPress’s `wp_magic_quotes()` protection) and the `FMModelSubmissions_fm::get_labels_parameters()` function directly concatenating user-supplied values into SQL queries without using `$wpdb->prepare()`. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Additionally, the Submissions controller skips nonce verification for the `display` task, which means this vulnerability can be triggered via CSRF by tricking an administrator into clicking a crafted link. Severity: 4.9 | MEDIUM Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID :CVE-2026-5052 Published : April 17, 2026, 4:16 a.m. | 2 hours, 40 minutes ago Description :Vault’s PKI engine’s ACME validation did not reject local targets when issuing http-01 and tls-alpn-01 challenges. This may lead to these requests being sent to local network targets, potentially leading to information disclosure. Fixed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0, 1.21.5, 1.20.10, and 1.19.16. Severity: 5.3 | MEDIUM Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID :CVE-2026-4666 Published : April 17, 2026, 4:16 a.m. | 2 hours, 40 minutes ago Description :The wpForo Forum plugin for WordPress is vulnerable to unauthorized modification of data due to the use of `extract($args, EXTR_OVERWRITE)` on user-controlled input in the `edit()` method of `classes/Posts.php` in all versions up to, and including, 2.4.16. The `post_edit` action handler in `Actions.php` passes `$_REQUEST[‘post’]` directly to `Posts::edit()`, which calls `extract($args, EXTR_OVERWRITE)`. An attacker can inject `post[guestposting]=1` to overwrite the local `$guestposting` variable, causing the entire permission check block to be skipped. The nonce check uses a hardcoded `wpforo_verify_form` action shared across all 8 forum templates, so any user who can view any forum page obtains a valid nonce. This makes it possible for authenticated attackers, with Subscriber-level access and above, to edit the title, body, name, and email fields of any forum post, including posts in private forums, admin posts, and moderator posts. Content passes through `wpforo_kses()` which strips JavaScript but allows rich HTML. Severity: 6.5 | MEDIUM Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID :CVE-2026-4525 Published : April 17, 2026, 4:16 a.m. | 2 hours, 40 minutes ago Description :If a Vault auth mount is configured to pass through the “Authorization” header, and the “Authorization” header is used to authenticate to Vault, Vault forwarded the Vault token to the auth plugin backend. Fixed in 2.0.0, 1.21.5, 1.20.10, and 1.19.16. Severity: 7.5 | HIGH Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID :CVE-2026-3605 Published : April 17, 2026, 4:16 a.m. | 2 hours, 40 minutes ago Description :An authenticated user with access to a kvv2 path through a policy containing a glob may be able to delete secrets they were not authorized to read or write, resulting in denial-of-service. This vulnerability did not allow a malicious user to delete secrets across namespaces, nor read any secret data. Fxed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0, 1.21.5, 1.20.10, and 1.19.16. Severity: 8.1 | HIGH Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID :CVE-2026-5162 Published : April 17, 2026, 2:16 a.m. | 4 hours, 40 minutes ago Description :The Royal Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Instagram Feed widget’s ‘instagram_follow_text’ setting in all versions up to, and including, 1.7.1056 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Severity: 6.4 | MEDIUM Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID :CVE-2026-5231 Published : April 17, 2026, 2:16 a.m. | 4 hours, 40 minutes ago Description :The WP Statistics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘utm_source’ parameter in all versions up to, and including, 14.16.4. This is due to insufficient input sanitization and output escaping. The plugin’s referral parser copies the raw utm_source value into the source_name field when a wildcard channel domain matches, and the chart renderer later inserts this value into legend markup via innerHTML without escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in admin pages that will execute whenever an administrator accesses the Referrals Overview or Social Media analytics pages. Severity: 7.2 | HIGH Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID :CVE-2026-3488 Published : April 17, 2026, 2:16 a.m. | 4 hours, 40 minutes ago Description :The WP Statistics plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 14.16.4. This is due to missing capability checks on multiple AJAX handlers including `wp_statistics_get_filters`, `wp_statistics_getPrivacyStatus`, `wp_statistics_updatePrivacyStatus`, and `wp_statistics_dismiss_notices`. These endpoints only verify a `wp_rest` nonce via `check_ajax_referer()` but do not enforce any capability checks such as `current_user_can()` or the plugin’s own `User::Access()` method. Since the `wp_rest` nonce is available to all authenticated WordPress users, this makes it possible for authenticated attackers, with Subscriber-level access and above, to access sensitive analytics data (user IDs, usernames, emails, visitor tracking data), retrieve and modify privacy audit compliance status, and dismiss administrative notices. Severity: 6.5 | MEDIUM Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID :CVE-2026-4817 Published : April 17, 2026, 2:16 a.m. | 4 hours, 40 minutes ago Description :The MasterStudy LMS WordPress Plugin for Online Courses and Education plugin for WordPress is vulnerable to Time-based Blind SQL Injection via the ‘order’ and ‘orderby’ parameters in the /lms/stm-lms/order/items REST API endpoint in versions up to and including 3.7.25. This is due to insufficient input sanitization combined with a design flaw in the custom Query builder class that allows unquoted SQL injection in ORDER BY clauses. When the Query builder detects parentheses in the sort_by parameter, it treats the value as a SQL function and directly concatenates it into the ORDER BY clause without any quoting. While esc_sql() is applied to escape quotes and backslashes, this cannot prevent ORDER BY injection when the values themselves are not wrapped in quotes in the resulting SQL statement. This makes it possible for authenticated attackers, with subscriber-level access and above, to append arbitrary SQL queries via the ORDER BY clause to extract sensitive information from the database including user credentials, session tokens, and other confidential data through time-based blind SQL injection techniques. Severity: 6.5 | MEDIUM Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID :CVE-2026-40263 Published : April 17, 2026, 1:17 a.m. | 5 hours, 39 minutes ago Description :Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the login endpoint performs bcrypt password verification only when the supplied username exists, returning immediately for nonexistent usernames. This timing discrepancy allows unauthenticated attackers to enumerate valid usernames by measuring response times, enabling targeted credential attacks. This issue has been fixed in version 0.19.2. Severity: 3.7 | LOW Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID :CVE-2026-40265 Published : April 17, 2026, 1:17 a.m. | 5 hours, 39 minutes ago Description :Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the asset download endpoint at /api/notes/{noteID}/assets/{assetID} is registered without authentication middleware, and the backend query does not verify ownership or book visibility. An unauthenticated user who knows a valid note ID and asset ID can retrieve the full contents of private note assets without authentication, regardless of whether the associated book is public or private. This issue has been fixed in version 0.19.2. Severity: 5.9 | MEDIUM Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID :CVE-2026-40922 Published : April 17, 2026, 1:17 a.m. | 5 hours, 39 minutes ago Description :SiYuan is an open-source personal knowledge management system. In versions 3.6.1 through 3.6.3, a prior fix for XSS in bazaar README rendering (incomplete fix for CVE-2026-33066) enabled the Lute HTML sanitizer, but the sanitizer does not block iframe tags, and its URL-prefix blocklist does not effectively filter srcdoc attributes which contain raw HTML rather than URLs. A malicious bazaar package author can include an iframe with a srcdoc attribute containing embedded scripts in their README. When other users view the package in SiYuan’s marketplace UI, the payload executes in the Electron context with full application privileges, enabling arbitrary code execution on the user’s machine. This issue has been fixed in version 3.6.4. Severity: 5.3 | MEDIUM Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID :CVE-2026-40262 Published : April 17, 2026, 1:17 a.m. | 5 hours, 39 minutes ago Description :Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the asset delivery handler serves uploaded files inline and relies on magic-byte detection for content type, which does not identify text-based formats such as HTML, SVG, or XHTML. These files are served with an empty Content-Type, no X-Content-Type-Options: nosniff header, and inline disposition, allowing browsers to sniff and render active content. An authenticated user can upload an HTML or SVG file containing JavaScript as a note asset, and when a victim navigates to the asset URL, the script executes under the application’s origin with access to the victim’s authenticated session and API actions. This issue has been fixed in version 0.19.2. Severity: 8.7 | HIGH Visit the link for more details, such as CVSS details, affected products, timeline, and more…