Unauthenticated Broken Access Control in User Registration Stripe <= 1.3.12 versions.
Unauthenticated SQL Injection in wpDataTables <= 7.3.6 versions.
Unauthenticated SQL Injection in JetSearch <= 3.5.17 versions.
Unauthenticated SQL Injection in JetEngine <= 3.8.9.1 versions.
Contributor PHP Object Injection in JetEngine <= 3.8.9.1 versions.
Unauthenticated Cross Site Scripting (XSS) in JetEngine <= 3.8.9.1 versions.
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in wpWax Directorist Booking allows Blind SQL Injection. This issue affects Directorist Booking: from n/a through 3.0.3.
Unauthenticated Broken Access Control in WooCommerce Anti-Fraud <= 7.2.6 versions.
Unauthenticated Broken Authentication in WooCommerce Dropshipping <= 5.2.4 versions.
Unauthenticated Privilege Escalation in LoginPress Pro <= 6.2.2 versions.
Unauthenticated Broken Access Control in JobSearch <= 3.2.7 versions.
Subscriber SQL Injection in Geo Mashup <= 1.13.19 versions.
Rocket.Chat in versions <8.5.1, <8.4.4, <8.3.6, <8.2.6, <8.1.6, <8.0.7, <7.13.9, and <7.10.13 is vulnerable to unauthenticated file deletion. The deleteFileMessage Meteor method permanently deletes any uploaded file by ID without requiring authentication. When called via an u...
Unauthenticated SQL Injection in JetSmartFilters <= 3.8.1 versions.
Unauthenticated Cross Site Scripting (XSS) in Enfold <= 7.1.4 versions.
Backpropagate is a Python library for fine-tuning large language models on a single GPU. In versions 1.1.0 and 1.1.1, the optional Reflex web UI exposes a training control plane without authentication: dataset upload, model load, training start/stop, multi-run orchestration, GGUF export, and Hugging...
Remark42 is a self-hosted comment engine for blogs, articles, or any other place where readers can add comments. Versions 1.6.0 through 1.15.0 contain a Cross-Site Scripting (XSS) vulnerability exploitable through content-type spoofing. The Remark42 image proxy fetches an arbitrary remote URL and re...
Postiz is an AI social media scheduling tool. Versions prior to 2.21.8 contained an unauthenticated endpoint that accepted a signed token and applied subscription-enforcement side effects to the organization referenced in that token's claims, without verifying the token's intended purpose....
Pydantic AI is a Python agent framework for building applications and workflows with Generative AI. In versions 1.56.0 through 1.101.0, 2.0.0b1, and 2.0.0b2, the cloud-metadata blocklist could be bypassed by encoding the metadata IP in an IPv6 transition form that the previous fix, CVE-2026-46678, d...
Postiz is an AI social media scheduling tool. In versions prior to 2.21.8, the Skool integration callback signed an attacker-controlled JSON blob into a session-shape JWT using the application's JWT_SECRET, and the auth middleware trusted every claim in that JWT without re-resolving the user fr...