4.3
CVE-2026-1981 - Winston AI <= 0.0.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Settingβ¦
The HUMN-1 AI Website Scanner & Human Certification by Winston AI plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the winston_disconnect() function in all versions up to, and including, 0.0.3. This makes it possible for authenticated attaβ¦
4.3
CVE-2026-1644 - WP Frontend Profile <= 1.3.8 - Cross-Site Request Forgery to Unauthorized User Account Approval or β¦
The WP Frontend Profile plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.8. This is due to missing nonce validation on the 'update_action' function. This makes it possible for unauthenticated attackers to approve or reject user account regisβ¦
5.3
CVE-2026-2371 - Greenshift <= 12.8.3 - Missing Authorization to Unauthenticated Private Reusable Block Disclosure vβ¦
The Greenshift β animation and page builder blocks plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 12.8.3. This is due to missing authorization and post status validation in the `gspb_el_reusable_load()` AJAX handler. The handler accepts β¦
6.1
CVE-2026-27142 - URLs in meta content attribute actions are not escaped in html/template
Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escaping URLs in actionsβ¦
7.5
CVE-2026-25679 - Incorrect parsing of IPv6 host literals in net/url
url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.
5.9
CVE-2026-27138 - Panic in name constraint checking for malformed certificates in crypto/x509
Certificate verification can panic when a certificate in the chain has an empty DNS name and another certificate in the chain has excluded name constraints. This can crash programs that are either directly verifying X.509 certificate chains, or those that use TLS.
2.5
CVE-2026-27139 - FileInfo can escape from a Root in os
On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened. The impact of this escape is limited to reading metadata provided by lstat from arbitrary locations on the fiβ¦
7.5
CVE-2026-27137 - Incorrect enforcement of email constraints in crypto/x509
When verifying a certificate chain which contains a certificate containing multiple email address constraints which share common local portions but different domain portions, these constraints will not be properly applied, and only the last constraint will be considered.
8.5
CVE-2026-30242 - Plane: SSRF via Incomplete IP Validation in Webhook URL Serializer
Plane is an an open-source project management tool. Prior to version 1.2.3, the webhook URL validation in plane/app/serializers/webhook.py only checks ip.is_loopback, allowing attackers with workspace ADMIN role to create webhooks pointing to private/internal network addresses (10.x.x.x, 172.16.x.xβ¦
7.5
CVE-2026-30244 - Plane: Unauthenticated Workspace Member Information Disclosure
Plane is an an open-source project management tool. Prior to version 1.2.2, unauthenticated attackers can enumerate workspace members and extract sensitive information including email addresses, user roles, and internal identifiers. The vulnerability stems from Django REST Framework permission clasβ¦