Contributor Cross Site Scripting (XSS) in BNE Testimonials <= 2.0.8 versions.
Contributor Cross Site Scripting (XSS) in Image Carousel <= 1.0.0.41 versions.
Contributor Local File Inclusion in Goya Core < 1.0.9.4 versions.
Contributor Local File Inclusion in Splash - Sport Club WordPress Theme for Basketball, Football, Hockey <= 4.4.3 versions.
Unauthenticated Cross Site Request Forgery (CSRF) in Eagle Booking <= 1.3.4.3 versions.
Unauthenticated Insecure Direct Object References (IDOR) in BookPro <= 1.1.0 versions.
Unauthenticated Content Injection in Auros Core <= 5.3.1 versions.
Unauthenticated Broken Access Control in Donation Thermometer <= 2.2.7 versions.
Contributor Broken Access Control in Live Copy Paste for Elementor <= 1.5.3 versions.
Subscriber Broken Access Control in Restaurant Menu by MotoPress <= 2.4.11 versions.
Contributor Broken Access Control in Forget About Shortcode Buttons <= 2.1.3 versions.
HTMLy 3.1.1 contains a Server-Side Request Forgery (SSRF) vulnerability in the RSS feed import functionality. The function get_feed() in system/admin/admin.php passes user-supplied $feed_url directly to file_get_contents() without any validation. An authenticated attacker with administrative privile...
In JetBrains YouTrack before 2026.2.16593 the websandbox bridge was vulnerable to a prototype pollution attack
In JetBrains YouTrack before 2026.2.16593 improper access control allowed reading saved queries and tags
In JetBrains YouTrack before 2026.2.16593 default role configuration exposed excessive user profile details
In JetBrains YouTrack before 2026.2.16593 improper authorisation in the app configurations endpoint allowed modifying project settings
In JetBrains YouTrack before 2026.2.16593 project settings disclosure via the MCP was possible
In JetBrains YouTrack before 2026.2.16593 improper access control allowed reading users' private data via the comment templates endpoint
In JetBrains Kotlin before 2.4.20 code execution was possible via unsafe deserialization in the build cache metadata
The Mattermost Go module github.com/mattermost/mattermost/server/public versions < v0.1.22 fail to validate path parameters when constructing API route paths which allows an attacker to redirect API calls to unintended endpoints via crafted IDs containing path traversal components. Mattermost Adv...