| CVE | Vendors | Products | Updated | CVSS v3.1 |
| Unauthenticated Sensitive Data Exposure in GetGenie <= 4.4.1 versions. |
| Unauthenticated Cross Site Scripting (XSS) in Pods <= 3.3.8 versions. |
| Unauthenticated Broken Access Control in Envira Photo Gallery <= 1.12.5 versions. |
| Unauthenticated SQL Injection in GEO my WordPress <= 4.5.5 versions. |
| Unauthenticated Broken Access Control in SEO Plugin by Squirrly SEO <= 12.4.16 versions. |
| Subscriber SQL Injection in Attendance Manager <= 0.6.2 versions. |
| Unauthenticated Broken Access Control in WooCommerce POS <= 1.8.14 versions. |
| Subscriber SQL Injection in WP Sessions Time Monitoring Full Automatic <= 1.1.4 versions. |
| Unauthenticated SQL Injection in InPost Gallery <= 2.1.4.6 versions. |
| Unauthenticated Cross Site Scripting (XSS) in Min Max Step Quantity Limits Manager for WooCommerce <= 5.2.2 versions. |
| Unauthenticated Broken Access Control in WP Event Solution <= 4.1.12 versions. |
| telnetd in GNU Inetutils through 2.7 allows remote authentication bypass via a "-f root" value for the USER environment variable. |
| Mattermost Desktop App versions <=6.1 5.5.13.0 fail to restrict the allow list of domains to which NTLM credentials were forwarded in the Mattermost Desktop App, which allows any user on a server without the image proxy enabled to intercept other users' credentials by embedding an image that routes to an external web server. Mattermost Advisory ID: MMSA-2026-00651 |
| Wasmtime is a runtime for WebAssembly. In versions prior to 24.0.9, 36.0.10, and 44.0.2, when a filesystem preopen is given DirPerms::all() and FilePerms::READ without FilePerms::WRITE, this access control mechanism can be bypassed via the wasip2 descriptor.open-at or wasip1 path_open interfaces by opening a file with only the OpenFlags::TRUNCATE oflag. The root cause is that the clause handling OpenFlags::TRUNCATE in crates/wasi/src/filesystem.rs (Dir::open_at, lines 967–969) did not set open_mode |= OpenMode::WRITE;, which is later used for the access control check against FilePerms to determine whether opening the file is permitted; the single-line fix adds that missing assignment, after which the affected calls correctly fail with error-code.not-permitted and ERRNO_PERM respectively. Only wasmtime-wasi embeddings that combine DirPerms::MUTATE with FilePerms::READ are affected by this bug. In particular, the Wasmtime project's wasmtime-cli's use of wasmtime-wasi is not affected, because it always sets FilePerms::all() for all preopens. This issue has been fixed in versions 24.0.9, 36.0.10 and 44.0.2. |
| Editor Remote Code Execution (RCE) in Responsive Slider by MetaSlider <= 3.106.0 versions. |
| Shop manager PHP Object Injection in WooCommerce PDF Invoices & Packing Slips < 5.9.0 versions. |
| Unauthenticated Broken Access Control in Easy Appointments <= 3.12.21 versions. |
| Unauthenticated SQL Injection in WPGraphQL < 2.11.1 versions. |
| Subscriber Sensitive Data Exposure in WP SMS <= 7.2.1 versions. |
| Subscriber Broken Access Control in Classified Listing <= 5.3.9 versions. |