CVSS 4.0 score: 5.3

CVE-2026-1438 - Reflected Cross-Site Scripting (XSS) vulnerability in Graylog Web Interface

Reflected Cross-Site Scripting (XSS) vulnerability in the Graylog Web Interface console, version 2.2.3, caused by a lack of proper sanitization and escaping in HTML output. Several endpoints include segments of the URL directly in the response without applying output encoding, allowing an attacker …

📅 Published: Feb. 18, 2026, 1:13 p.m. 🔄 Last Modified: April 18, 2026, 12:15 p.m.

CVSS 4.0 score: 5.3

CVE-2026-1437 - Reflected Cross-Site Scripting (XSS) vulnerability in Graylog Web Interface

Reflected Cross-Site Scripting (XSS) vulnerability in the Graylog Web Interface console, version 2.2.3, caused by a lack of proper sanitization and escaping in HTML output. Several endpoints include segments of the URL directly in the response without applying output encoding, allowing an attacker …

📅 Published: Feb. 18, 2026, 1:12 p.m. 🔄 Last Modified: April 18, 2026, 12:15 p.m.

CVSS 4.0 score: 7.1

CVE-2026-1436 - Improper Access Control (IDOR) vulnerability in Graylog Web Interface

Improper Access Control (IDOR) in the Graylog API, version 2.2.3, which occurs when modifying the user ID in the URL. An authenticated user can access other users' profiles without proper authorization checks. Exploiting this vulnerability allows valid users of the system to be listed and sensitive…

📅 Published: Feb. 18, 2026, 1:09 p.m. 🔄 Last Modified: April 17, 2026, 7 p.m.

CVSS 4.0 score: 9.3

CVE-2026-1435 - Incorrect management of session invalidation vulnerability in Graylog Web Interface

Improper session invalidation vulnerability in Graylog Web Interface, version 2.2.3, caused by incorrect handling of session invalidation after new logins. The application generates a new 'sessionId' each time a user authenticates, but does not invalidate previously issued session identifiers, wh…

📅 Published: Feb. 18, 2026, 1:08 p.m. 🔄 Last Modified: April 17, 2026, 7 p.m.

CVSS 3.1 score: 6.5

CVE-2026-1317 - WP Import – Ultimate CSV XML Importer for WordPress <= 7.37 - Authenticated (Subscriber+) SQL Injec…

The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 7.37. This is due to insufficient escaping on the `file_name` parameter which is stored in the database during file upload and later used in raw SQL quer…

📅 Published: Feb. 18, 2026, 12:28 p.m. 🔄 Last Modified: April 15, 2026, 5:30 p.m.

CVSS 3.1 score: 3.7

CVE-2026-1582 - WP All Export <= 1.4.14 - Unauthenticated Sensitive Information Exposure via PHP Type Juggling

The WP All Export plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.14 via the export download endpoint. This is due to a PHP type juggling vulnerability in the security token comparison which uses loose comparison (==) instead of strict …

📅 Published: Feb. 18, 2026, 12:28 p.m. 🔄 Last Modified: April 15, 2026, 6:15 p.m.

CVSS 3.1 score: 4.3

CVE-2026-2386 - The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommer…

The The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Incorrect Authorization in all versions up to, and including, 6.4.7. This is due to the tpae_create_page() AJAX handler authorizing users only with current…

📅 Published: Feb. 18, 2026, 12:28 p.m. 🔄 Last Modified: April 15, 2026, 6:15 p.m.

CVSS 3.1 score: 4.9

CVE-2025-8781 - Bookster – WordPress Appointment Booking Plugin <= 2.1.1 - Authenticated (Administrator+) SQL Injec…

The Bookster – WordPress Appointment Booking Plugin plugin for WordPress is vulnerable to SQL Injection via the ‘raw’ parameter in all versions up to, and including, 2.1.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This…

📅 Published: Feb. 18, 2026, 12:28 p.m. 🔄 Last Modified: April 22, 2026, 3:30 p.m.

CVSS 3.1 score: 5.3

CVE-2025-7630 - OTP Password Brute Forcing in DorukNet's Wispotter

Improper Restriction of Excessive Authentication Attempts, Improper Authentication vulnerability in Doruk Communication and Automation Industry and Trade Inc. Wispotter allows Password Brute Forcing, Brute Force. This issue affects Wispotter: from 1.0 before v2025.10.08.1.

📅 Published: Feb. 18, 2026, 12:09 p.m. 🔄 Last Modified: April 15, 2026, 12:35 a.m.

CVSS 3.1 score: 6.5

CVE-2025-14799 - Brevo - Email, SMS, Web Push, Chat, and more. <= 3.3.0 - Unauthenticated Authorization Bypass via T…

The Brevo - Email, SMS, Web Push, Chat, and more. plugin for WordPress is vulnerable to authorization bypass due to type juggling in all versions up to, and including, 3.3.0. This is due to the use of loose comparison (==) instead of strict comparison (===) when validating the installation ID in th…

📅 Published: Feb. 18, 2026, 11:26 a.m. 🔄 Last Modified: April 21, 2026, 12:15 a.m.