0.0
CVE-2026-31987 - Apache Airflow: JWT token appearing in logs
JWT Tokens used by tasks were exposed in logs. This could allow UI users to act as Dag Authors. Users are advised to upgrade to Airflow version that contains fix. Users are recommended to upgrade to version 3.2.0, which fixes this issue.
5.3
CVE-2026-6410 - @fastify/static vulnerable to path traversal in directory listing
@fastify/static versions 8.0.0 through 9.1.0 allow path traversal when directory listing is enabled via the list option. The dirList.path() function resolves directories outside the configured static root using path.join() without a containment check. A remote unauthenticated attacker can obtain diβ¦
5.3
CVE-2026-4160 - Fluent Forms β Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder <= 6.1.21 - β¦
The Fluent Forms β Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference via the 'submission_id' parameter in versions up to, and including, 6.1.21. This is due to missing authorization and ownership validationβ¦
5.9
CVE-2026-6414 - @fastify/static vulnerable to route guard bypass via encoded path separators
@fastify/static versions 8.0.0 through 9.1.0 decode percent-encoded path separators (%2F) before filesystem resolution, while Fastify's router treats them as literal characters. This mismatch allows attackers to bypass route-based middleware or guards that protect files served by @fastify/static. Fβ¦
10
CVE-2026-31843 -
The goodoneuz/pay-uz Laravel package (<= 2.2.24) contains a critical vulnerability in the /payment/api/editable/update endpoint that allows unauthenticated attackers to overwrite existing PHP payment hook files. The endpoint is exposed via Route::any() without authentication middleware, enabling reβ¦
5.7
CVE-2025-15621 - Sparx Enterprise Architect Client does not verify the receiver of OAuth2 credentials during OpenID β¦
Insufficiently Protected Credentials in Sparx Systems Pty Ltd. Sparx Enterprise Architect. Client does not verify the receiver of OAuth2 credentials during OpenID authentication
3.1
CVE-2026-3155 - OneSignal β Web Push Notifications <= 3.8.0 - Missing Authorization to Authenticated (Subscriber+) β¦
The OneSignal β Web Push Notifications plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 3.8.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscrβ¦
5.4
CVE-2026-3369 - Better Find and Replace β AI-Powered Suggestions <= 1.7.9 - Authenticated (Author+) Stored Cross-Siβ¦
The Better Find and Replace β AI-Powered Suggestions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via uploaded image title in versions up to, and including, 1.7.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, witβ¦
7.5
CVE-2026-3489 - DirectoryPress β Business Directory And Classified Ad Listing <= 3.6.26 - Unauthenticated SQL Injecβ¦
The DirectoryPress β Business Directory And Classified Ad Listing plugin for WordPress is vulnerable to SQL Injection via the 'packages' parameter in versions up to, and including, 3.6.26 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing β¦
6
CVE-2025-12624 - Improper Token Invalidation in WSO2 Identity Server Allows Access After Account Lock
Active access tokens are not revoked or invalidated when a user account is locked within WSO2 Identity Server. This failure to enforce revocation allows previously issued, valid tokens to remain usable, enabling continued access to protected resources by locked user accounts. The security consequeβ¦