CVE-2026-56027: Customer Arbitrary File Upload in Booster for WooCommerce <= 8.0.1 versions.
Customer Arbitrary File Upload in Booster for WooCommerce <= 8.0.1 versions.
● Live advisory feed
Security advisories from 24 sources — CISA, CERT-EU, NCSC-UK, BSI, CERT-FR, NCSC-NL, JPCERT/CC, JVN, HKCERT, the Canadian Cyber Centre, NVD, GitHub, Microsoft, Cisco, Fortinet, Palo Alto Networks and more — normalized, translated to English and flagged against the CISA KEV catalog. One global feed for CSIRTs, SOCs and defenders.
Customer Arbitrary File Upload in Booster for WooCommerce <= 8.0.1 versions.
Subscriber Server Side Request Forgery (SSRF) in utm.codes <= 1.9.0 versions.
Unauthenticated Broken Access Control in Paymob for WooCommerce <= 4.1.2 versions.
Unauthenticated Cross Site Scripting (XSS) in MapPress Maps for WordPress <= 2.97.3 versions.
Subscriber Privilege Escalation in Abandoned Cart Pro for WooCommerce <= 10.4.0 versions.
Contributor Privilege Escalation in Fusion Builder <= 3.15.4 versions.
Unauthenticated Broken Access Control in Stylish Cost Calculator <= 8.3.9 versions.
Unauthenticated Broken Access Control in Syncee Premium Dropshipping & Wholesale <= 1.0.27 versions.
Unauthenticated Broken Access Control in Newsletters <= 4.13 versions.
Unauthenticated Sensitive Data Exposure in Trinity Backup – Backup, Migrate, Restore, Clone & Schedule Backups <= 2.0.9 versions.
Unauthenticated Broken Access Control in Intranet & Private Site – All-In-One Intranet <= 1.8.1 versions.
Unauthenticated Broken Access Control in Five Star Restaurant Menu <= 2.5.2 versions.
Unauthenticated Sensitive Data Exposure in Object Cache 4 everyone <= 2.3.2 versions.
Unauthenticated Backdoor in Enable CORS <= 2.0.3 versions.
Unauthenticated Broken Access Control in Gutenverse Companion <= 2.5.0 versions.
Unauthenticated SQL Injection in GeoDirectory <= 2.8.162 versions.
Unauthenticated SQL Injection in Real Estate 7 <= 3.5.9 versions.
Subscriber Insecure Direct Object References (IDOR) in SupportCandy <= 3.4.6 versions.
Unauthenticated SQL Injection in wpDataTables <= 7.4 versions.
Unauthenticated Sensitive Data Exposure in Ads by WPQuads <= 3.0.3 versions.
Unauthenticated SQL Injection in JetBooking <= 4.0.4.1 versions.
Unauthenticated Broken Access Control in User Registration <= 5.2.2 versions.
Mattermost versions 10.11.x <= 10.11.18, 11.6.x <= 11.6.3, 11.5.x <= 11.5.6 fail to validate attachment URLs against internal or private IP ranges in the Mattermost Agents plugin MCP server which allows an attacker with access to the MCP server in stdio mode to perform server-sid…
The KTLS receive path decrypted each record in place, assuming that the mbufs holding received data were anonymous and safe to modify. This assumption does not hold for data placed on a socket by sendfile(2), which can reference file-backed memory directly through non-anonymous M…
When used to deliver a signal to a specific thread, thr_kill2(2) called p_cansignal() to determine whether the operation was permitted but did not check the result before delivering the signal. The signal was sent even when the permission check failed. The system call returned th…
Mattermost versions 10.11.x <= 10.11.18, 11.6.x <= 11.6.3, 11.5.x <= 11.5.6 fail to properly apply markdown image rendering restrictions to AI bot tool result posts, which allows an authenticated attacker to exfiltrate data to an attacker-controlled server via injecting markdown …
An integer overflow in the PSD parser compnent of FastStone Image Viewer v8.3 allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via supplying a crafted PSD file.
A heap overflow in the FSViewer.exe process of FastStone Image Viewer v8.3 allows attackers to cause a execute arbitrary code in the context of the current process via supplying a crafted JPEG 2000 (JP2) file.
Unauthenticated Broken Access Control in SiteGround Email Marketing <= 1.7.5 versions.
Contributor Cross Site Scripting (XSS) in BNE Testimonials <= 2.0.8 versions.
Contributor Cross Site Scripting (XSS) in Image Carousel <= 1.0.0.41 versions.
Contributor Local File Inclusion in Goya Core < 1.0.9.4 versions.
Contributor Local File Inclusion in Splash - Sport Club WordPress Theme for Basketball, Football, Hockey <= 4.4.3 versions.
Unauthenticated Cross Site Request Forgery (CSRF) in Eagle Booking <= 1.3.4.3 versions.
Unauthenticated Insecure Direct Object References (IDOR) in BookPro <= 1.1.0 versions.
Unauthenticated Content Injection in Auros Core <= 5.3.1 versions.
Unauthenticated Broken Access Control in Donation Thermometer <= 2.2.7 versions.
Contributor Broken Access Control in Live Copy Paste for Elementor <= 1.5.3 versions.
Subscriber Broken Access Control in Restaurant Menu by MotoPress <= 2.4.11 versions.
Contributor Broken Access Control in Forget About Shortcode Buttons <= 2.1.3 versions.
HTMLy 3.1.1 contains a Server-Side Request Forgery (SSRF) vulnerability in the RSS feed import functionality. The function get_feed() in system/admin/admin.php passes user-supplied $feed_url directly to file_get_contents() without any validation. An authenticated attacker with ad…
In JetBrains YouTrack before 2026.2.16593 the websandbox bridge was vulnerable to a prototype pollution attack
In JetBrains YouTrack before 2026.2.16593 improper access control allowed reading saved queries and tags
In JetBrains YouTrack before 2026.2.16593 default role configuration exposed excessive user profile details
In JetBrains YouTrack before 2026.2.16593 improper authorisation in the app configurations endpoint allowed modifying project settings
In JetBrains YouTrack before 2026.2.16593 project settings disclosure via the MCP was possible
In JetBrains YouTrack before 2026.2.16593 improper access control allowed reading users' private data via the comment templates endpoint
In JetBrains Kotlin before 2.4.20 code execution was possible via unsafe deserialization in the build cache metadata
The Mattermost Go module github.com/mattermost/mattermost/server/public versions < v0.1.22 fail to validate path parameters when constructing API route paths which allows an attacker to redirect API calls to unintended endpoints via crafted IDs containing path traversal component…
Peplink InControl 2 through 2.14.2 before 2026-06-03 allows use of a semicolon to bypass access-control rules for certain /rest/o/{orgId} endpoints.