6.9
CVE-2025-15515 -
The authentication mechanism for a specific feature in the EasyShare module contains a vulnerability. If specific conditions are met on a local network, it can cause data leakage
6.4
CVE-2025-57849 - Fuse: privilege escalation via excessive /etc/passwd permissions
A container privilege escalation flaw was found in certain Fuse images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker who can execute commands within an affected container, even as a non-root user, can β¦
6.4
CVE-2025-8766 - Noobaa-core: excessive permissions of /etc could lead to escalation of privilege in the noobaa-coreβ¦
A container privilege escalation flaw was found in certain Multi-Cloud Object Gateway Core images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker who can execute commands within an affected container, evβ¦
6.9
CVE-2026-22216 - wpDiscuz before 7.6.47 - No Rate Limiting on Subscription Endpoints with LIKE Wildcard Bypass
wpDiscuz before 7.6.47 contains a missing rate limiting vulnerability that allows unauthenticated attackers to subscribe arbitrary email addresses to post notifications by sending POST requests to the wpdAddSubscription handler in class.WpdiscuzHelperAjax.php. Attackers can exploit LIKE wildcard chβ¦
5.3
CVE-2026-22215 - wpDiscuz before 7.6.47 - Missing CSRF Protection on wpdGetFollowsPage
wpDiscuz before 7.6.47 contains a cross-site request forgery vulnerability in the getFollowsPage() function that allows attackers to trigger unauthorized actions without nonce validation. Attackers can craft malicious requests to enumerate follow relationships and manipulate user follow data by expβ¦
2.1
CVE-2026-22210 - wpDiscuz before 7.6.47 - Cross-Site Scripting via Unescaped Attachment URLs
wpDiscuz before 7.6.47 contains a cross-site scripting vulnerability that allows attackers to inject malicious code through unescaped attachment URLs in HTML output by exploiting the WpdiscuzHelperUpload class. Attackers can craft malicious attachment records or filter hooks to inject arbitrary Javβ¦
5.1
CVE-2026-22209 - wpDiscuz before 7.6.47 - Cross-Site Scripting via Unescaped Custom CSS in Style Tag
wpDiscuz before 7.6.47 contains a cross-site scripting vulnerability in the customCss field that allows administrators to inject malicious scripts by breaking out of style tags. Attackers with admin access can inject payloads like </style><script>alert(1)</script> in the custom CSS setting to execuβ¦
6.3
CVE-2026-22204 - wpDiscuz before 7.6.47 - Unsanitized Cookie Email Used as wp_mail() Recipient
wpDiscuz before 7.6.47 contains an email header injection vulnerability that allows attackers to manipulate mail recipients by injecting malicious data into the comment_author_email cookie. Attackers can craft a malicious cookie value that, when processed through urldecode() and passed to wp_mail()β¦
6.9
CVE-2026-22203 - wpDiscuz before 7.6.47 - Options Export Leaks OAuth Secrets in Plaintext
wpDiscuz before 7.6.47 contains an information disclosure vulnerability that allows administrators to inadvertently expose OAuth secrets by exporting plugin options as JSON. Attackers can obtain exported files containing plaintext API secrets like fbAppSecret, googleClientSecret, twitterAppSecret, β¦
6.1
CVE-2026-22202 - wpDiscuz before 7.6.47 - Destructive GET Action Deletes All Comments by Email
wpDiscuz before 7.6.47 contains a cross-site request forgery vulnerability that allows attackers to delete all comments associated with an email address by crafting a malicious GET request with a valid HMAC key. Attackers can embed the deletecomments action URL in image tags or other resources to tβ¦