7.5
CVE-2026-3045 - Appointment Booking Calendar <= 1.6.9.29 - Missing Authorization to Unauthenticated Sensitive Infor…
The Appointment Booking Calendar – Simply Schedule Appointments plugin for WordPress is vulnerable to unauthorized access of sensitive data in all versions up to and including 1.6.9.29. This is due to two compounding weaknesses: (1) a non-user-bound `public_nonce` is exposed to unauthenticated user…
9.8
CVE-2026-3891 - Pix for WooCommerce <= 1.5.0 - Unauthenticated Arbitrary File Upload
The Pix for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing capability check and missing file type validation in the 'lkn_pix_for_woocommerce_c6_save_settings' function in all versions up to, and including, 1.5.0. This makes it possible for unauthenticated at…
6.9
CVE-2025-15515 -
The authentication mechanism for a specific feature in the EasyShare module contains a vulnerability. If specific conditions are met on a local network, it can cause data leakage.
6.4
CVE-2025-57849 - Fuse: privilege escalation via excessive /etc/passwd permissions
A container privilege escalation flaw was found in certain Fuse images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker who can execute commands within an affected container, even as a non-root user, can …
6.4
CVE-2025-8766 - Noobaa-core: excessive permissions of /etc could lead to escalation of privilege in the noobaa-core…
A container privilege escalation flaw was found in certain Multi-Cloud Object Gateway Core images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker who can execute commands within an affected container, ev…
6.9
CVE-2026-22216 - wpDiscuz before 7.6.47 - No Rate Limiting on Subscription Endpoints with LIKE Wildcard Bypass
wpDiscuz before 7.6.47 contains a missing rate limiting vulnerability that allows unauthenticated attackers to subscribe arbitrary email addresses to post notifications by sending POST requests to the wpdAddSubscription handler in class.WpdiscuzHelperAjax.php. Attackers can exploit LIKE wildcard ch…
5.3
CVE-2026-22215 - wpDiscuz before 7.6.47 - Missing CSRF Protection on wpdGetFollowsPage
wpDiscuz before 7.6.47 contains a cross-site request forgery vulnerability in the getFollowsPage() function that allows attackers to trigger unauthorized actions without nonce validation. Attackers can craft malicious requests to enumerate follow relationships and manipulate user follow data by exp…
2.1
CVE-2026-22210 - wpDiscuz before 7.6.47 - Cross-Site Scripting via Unescaped Attachment URLs
wpDiscuz before 7.6.47 contains a cross-site scripting vulnerability that allows attackers to inject malicious code through unescaped attachment URLs in HTML output by exploiting the WpdiscuzHelperUpload class. Attackers can craft malicious attachment records or filter hooks to inject arbitrary Jav…
5.1
CVE-2026-22209 - wpDiscuz before 7.6.47 - Cross-Site Scripting via Unescaped Custom CSS in Style Tag
wpDiscuz before 7.6.47 contains a cross-site scripting vulnerability in the customCss field that allows administrators to inject malicious scripts by breaking out of style tags. Attackers with admin access can inject payloads like </style><script>alert(1)</script> in the custom CSS setting to execu…
6.3
CVE-2026-22204 - wpDiscuz before 7.6.47 - Unsanitized Cookie Email Used as wp_mail() Recipient
wpDiscuz before 7.6.47 contains an email header injection vulnerability that allows attackers to manipulate mail recipients by injecting malicious data into the comment_author_email cookie. Attackers can craft a malicious cookie value that, when processed through urldecode() and passed to wp_mail()…