8.8
CVE-2025-15100 - JAY Login & Register <= 2.6.03 - Authenticated (Subscriber+) Privilege Escalation via jay_panel_ajaβ¦
The JAY Login & Register plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.6.03. This is due to the plugin allowing a user to update arbitrary user meta through the 'jay_panel_ajax_update_profile' function. This makes it possible for authenticated atβ¦
9.8
CVE-2025-15027 - JAY Login & Register <= 2.6.03 - Unauthenticated Privilege Escalation via jay_login_register_ajax_cβ¦
The JAY Login & Register plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.6.03. This is due to the plugin allowing a user to update arbitrary user meta through the 'jay_login_register_ajax_create_final_user' function. This makes it possible for unauβ¦
5.3
CVE-2026-2209 - WeKan Custom Translation translationBody.js setCreateTranslation improper authorization
A vulnerability was detected in WeKan up to 8.18. The affected element is the function setCreateTranslation of the file client/components/settings/translationBody.js of the component Custom Translation Handler. The manipulation results in improper authorization. The attack can be launched remotely.β¦
5.3
CVE-2026-2208 - WeKan Rules rules.js RulesBleed authorization
A security vulnerability has been detected in WeKan up to 8.20. Impacted is an unknown function of the file server/publications/rules.js of the component Rules Handler. The manipulation leads to missing authorization. The attack can be initiated remotely. Upgrading to version 8.21 is recommended toβ¦
6.9
CVE-2026-2207 - WeKan Activity Publication activities.js LinkedBoardActivitiesBleed information disclosure
A weakness has been identified in WeKan up to 8.20. This issue affects some unknown processing of the file server/publications/activities.js of the component Activity Publication Handler. Executing a manipulation can lead to information disclosure. It is possible to launch the attack remotely. Upgrβ¦
5.3
CVE-2026-2206 - WeKan Administrative Repair fixDuplicateLists.js FixDuplicateBleed access control
A security flaw has been discovered in WeKan up to 8.20. This vulnerability affects unknown code of the file server/methods/fixDuplicateLists.js of the component Administrative Repair Handler. Performing a manipulation results in improper access controls. It is possible to initiate the attack remotβ¦
5.3
CVE-2026-2205 - WeKan Meteor Publication cards.js CardPubSubBleed information disclosure
A vulnerability was identified in WeKan up to 8.20. This affects an unknown part of the file server/publications/cards.js of the component Meteor Publication Handler. Such manipulation leads to information disclosure. The attack may be performed from remote. Upgrading to version 8.21 is able to mitβ¦
5.3
CVE-2026-2122 - Xiaopi Panel WAF Firewall demo.php sql injection
A security flaw has been discovered in Xiaopi Panel up to 20260126. This impacts an unknown function of the file /demo.php of the component WAF Firewall. The manipulation of the argument ID results in sql injection. The attack may be launched remotely. The exploit has been released to the public anβ¦
8.6
CVE-2026-2120 - D-Link DIR-823X Configuration Parameter set_server_settings os command injection
A vulnerability was identified in D-Link DIR-823X 250416. This affects an unknown function of the file /goform/set_server_settings of the component Configuration Parameter Handler. The manipulation of the argument terminal_addr/server_ip/server_port leads to os command injection. The attack may be β¦
8.6
CVE-2026-2118 - UTT HiPER 810 rehttpd formReleaseConnect sub_4407D4 command injection
A vulnerability was determined in UTT HiPER 810 1.7.4-141218. The impacted element is the function sub_4407D4 of the file /goform/formReleaseConnect of the component rehttpd. Executing a manipulation of the argument Isp_Name can lead to command injection. The attack can be launched remotely. The exβ¦