Common Vulnerabilities and Exposures (CVE)

CVE-2026-35080

Jul 3, 2026 08:51:44 UTC

The ugw-restoreinfo method allows a remote attacker with user privileges to delete arbitrary local files due to insufficient validation of user-controlled input.

CVE-2026-35079

Jul 3, 2026 08:51:26 UTC

The ugw-restore method allows a remote attacker with user privileges to delete arbitrary local files due to insufficient validation of user-controlled input.

CVE-2026-35078

Jul 3, 2026 08:51:10 UTC

The ugw-logstop method allows a remote attacker with user privileges to delete arbitrary local files due to insufficient validation of user-controlled input.

CVE-2026-35077

Jul 3, 2026 08:50:46 UTC

The ugw-delete-file method allows a remote attacker with user privileges to delete arbitrary local files due to insufficient validation of user-controlled input.

CVE-2026-35076

Jul 3, 2026 08:50:25 UTC

The bac-scanresult method allows a remote attacker with user privileges to delete arbitrary local files due to insufficient validation of user-controlled input.

CVE-2026-35075

Jul 3, 2026 08:49:03 UTC

An unauthenticated remote attacker can recover a default, hard-coded password from a firmware image and thus gain full access to all affected devices.

CVE-2026-11398

Jul 3, 2026 07:53:10 UTC

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.6.1. This is due to the plugin not properly verifying that a user is auth...

CVE-2026-4804

Jul 3, 2026 07:53:09 UTC

The Zakra theme for WordPress is vulnerable to Stored Cross-Site Scripting via post meta values in all versions up to, and including, 4.2.0. This is due to the theme registering three post meta fields (zakra_menu_item_color, zakra_menu_item...

CVE-2026-9756

Jul 3, 2026 07:53:09 UTC

The GenerateBlocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Headline Block 'linkMetaFieldType' Dynamic Link Attribute in all versions up to, and including, 2.2.1 due to insufficient input sanitization and output...

CVE-2026-11778

Jul 3, 2026 07:53:08 UTC

The CURCY – Multi Currency for WooCommerce – Smoothly on WooCommerce 9.x plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.2.14. This is due to the software allowing users to exe...

CVE-2026-11900

Jul 3, 2026 07:53:08 UTC

The Ad Inserter – Ad Manager & AdSense Ads plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to and including 2.8.16 via the 'data' attribute of the [adinserter] shortcode. This is due to the replace_ai_t...

CVE-2026-8804

Jul 3, 2026 07:43:05 UTC

Puppet resource_api (shipped in Puppet Core 8.x and Puppet Enterprise 2023.8.x and 2025.x) does not preserve the sensitive flag on parameters defined via the resource-api, causing values such as passwords to be stored in cleartext in the ag...

CVE-2026-14544

Jul 3, 2026 07:39:33 UTC

A flaw was found in HPLIP (HP Linux Imaging and Printing Software). This vulnerability, an incomplete fix for CVE-2026-8631, may allow a remote attacker to escalate privileges or achieve arbitrary code execution. This can occur through an i...

CVE-2026-9148

Jul 3, 2026 06:50:12 UTC

The Comments – wpDiscuz plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the guest commenter 'Website' field in versions up to, and including, 7.6.56. This is due to insufficient output escaping in the getCommentAuthor()...

CVE-2026-9230

Jul 3, 2026 06:50:11 UTC

The Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 11.1.4. This is due to the plugin not properly verifying that a user is authorize...