0.0
CVE-2026-40737 - WordPress COMPE plugin <= 1.1.4 - Insecure Direct Object References (IDOR) vulnerability
Authorization Bypass Through User-Controlled Key vulnerability in VillaTheme COMPE compe-woo-compare-products allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects COMPE: from n/a through <= 1.1.4.
0.0
CVE-2026-40734 - WordPress Categories Images plugin <= 3.3.1 - Cross Site Scripting (XSS) vulnerability
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Zahlan Categories Images categories-images allows DOM-Based XSS.This issue affects Categories Images: from n/a through <= 3.3.1.
0.0
CVE-2026-40730 - WordPress ThemeGrill Demo Importer plugin <= 2.0.0.6 - Broken Access Control vulnerability
Missing Authorization vulnerability in ThemeGrill ThemeGrill Demo Importer themegrill-demo-importer allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ThemeGrill Demo Importer: from n/a through <= 2.0.0.6.
0.0
CVE-2026-40729 - WordPress 3D viewer โ Embed 3D Models plugin <= 1.8.5 - Broken Access Control vulnerability
Missing Authorization vulnerability in bPlugins 3D viewer โ Embed 3D Models 3d-viewer allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects 3D viewer โ Embed 3D Models: from n/a through <= 1.8.5.
0.0
CVE-2026-40728 - WordPress Magazine Blocks plugin <= 1.8.3 - Broken Access Control vulnerability
Missing Authorization vulnerability in BlockArt Magazine Blocks magazine-blocks allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Magazine Blocks: from n/a through <= 1.8.3.
6.8
CVE-2026-28741 - CSRF Protection Bypass Allows Updating a User's Authentication Method
Mattermost versions 10.11.x <= 10.11.12, 11.5.x <= 11.5.0, 11.4.x <= 11.4.2, 11.3.x <= 11.3.2 fail to validate CSRF tokens on an authentication endpoint which allows an attacker to update a user's authentication method via a CSRF attack by tricking a user into visiting a malicious page. Mattermost โฆ
9
CVE-2026-33805 - @fastify/reply-from vulnerable to connection header abuse enabling stripping of proxy-added headers
@fastify/reply-from v12.6.1 and earlier and @fastify/http-proxy v11.4.3 and earlier process the client's Connection header after the proxy has added its own headers via rewriteRequestHeaders. This allows attackers to retroactively strip proxy-added headers from upstream requests by listing them in โฆ
2.7
CVE-2026-27769 - Connected Workspaces: Malicious remote server can manipulate arbitrary user's status
Mattermost versions 10.11.x <= 10.11.12 fail to validate whether users were correctly owned by the correct Connected Workspace which allows a malicious remote server connected using the Conntexted Workspaces feature to change the displayed status of local users via the Connected Workspaces API.. Maโฆ
9.1
CVE-2026-33807 - @fastify/express vulnerable to middleware path doubling causing authentication bypass in child plugโฆ
@fastify/express v4.0.4 and earlier contains a path handling bug in the onRegister function that causes middleware paths to be doubled when inherited by child plugins. When a child plugin is registered with a prefix that matches a middleware path, the middleware path is prefixed a second time, causโฆ
7.5
CVE-2024-33618 -
Uncontrolled Resource Consumption in Bosch VMS Central Server in Bosch VMS 12.0.1 allows attackers to consume excessive amounts of disk space via network interface.