5.5
CVE-2025-15491 - Post Slides <= 1.0.1 - Contributor+ Local File Inclusion
The Post Slides WordPress plugin through 1.0.1 does not validate some shortcode attributes before using them to generate paths passed to include function/s, allowing any authenticated users such as with contributor or higher roles to perform LFI attacks
6.4
CVE-2025-12159 - Bold Page Builder <= 5.4.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's bt_bb_raw_content shortcode in all versions up to, and including, 5.4.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authent…
6.4
CVE-2025-13463 - Bold Page Builder <= 5.5.3 - Authenticated (Author+) Stored DOM-based Cross-Site Scripting in Post …
The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Post Grid component in all versions up to, and including, 5.5.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access an…
6.4
CVE-2025-12803 - Bold Builder <= 5.5.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via bt_bb_tabs Sho…
The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin 'bt_bb_tabs' shortcode in all versions up to, and including, 5.5.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated …
6.4
CVE-2025-15267 - Bold Page Builder <= 5.5.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via bt_bb_acc…
The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's bt_bb_accordion_item shortcode in all versions up to, and including, 5.5.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for auth…
5.3
CVE-2026-2075 - yeqifu warehouse Role-Permission Binding RoleController.java saveRolePermission access control
A security flaw has been discovered in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. Affected is the function saveRolePermission of the file dataset\repos\warehouse\src\main\java\com\yeqifu\sys\controller\RoleController.java of the component Role-Permission Binding Handler. The m…
5.3
CVE-2026-2074 - O2OA HTTP POST Request check xml external entity reference
A vulnerability was identified in O2OA up to 9.0.0. This impacts an unknown function of the file /x_program_center/jaxrs/mpweixin/check of the component HTTP POST Request Handler. The manipulation leads to xml external entity reference. It is possible to initiate the attack remotely. The exploit is…
6.9
CVE-2026-2073 - itsourcecode School Management System index.php sql injection
A vulnerability was determined in itsourcecode School Management System 1.0. This affects an unknown function of the file /ramonsys/user/index.php. Executing a manipulation of the argument ID can lead to sql injection. The attack may be performed from remote. The exploit has been publicly disclosed…
6.8
CVE-2025-31990 - HCL DevOps Velocity is susceptible to a Denial of Service vulnerability
Rate limiting for certain API calls is not being enforced, making HCL Velocity vulnerable to Denial of Service (DoS) attacks. An attacker could flood the system with a large number of requests, overwhelming its resources and causing it to become unresponsive to legitimate users. This vulnerabilit…
8.7
CVE-2026-2071 - UTT 进取 520W formP2PLimitConfig strcpy buffer overflow
A vulnerability was found in UTT 进取 520W 1.7.7-180627. The impacted element is the function strcpy of the file /goform/formP2PLimitConfig. Performing a manipulation of the argument except results in buffer overflow. The attack is possible to be carried out remotely. The exploit has been made public…