Common Vulnerabilities and Exposures (CVE)

CVE-2026-54090

Jun 26, 2026 15:32:50 UTC

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.33.8, when a shell interpreter is configured (e.g. /bin/sh -c), the command allowlist can be...

CVE-2026-57627

Jun 26, 2026 15:32:40 UTC

Subscriber Server Side Request Forgery (SSRF) in Kirki <= 6.0.11 versions.

CVE-2026-57633

Jun 26, 2026 15:32:27 UTC

Unauthenticated Sensitive Data Exposure in WCBoost – Products Compare <= 1.1.0 versions.

CVE-2026-57640

Jun 26, 2026 15:32:14 UTC

Subscriber Broken Access Control in MasterStudy LMS <= 3.7.30 versions.

CVE-2026-57646

Jun 26, 2026 15:32:00 UTC

Subscriber Insecure Direct Object References (IDOR) in Majestic Support <= 1.1.7 versions.

CVE-2026-57652

Jun 26, 2026 15:31:47 UTC

Unauthenticated Insecure Direct Object References (IDOR) in JS Help Desk <= 3.1.0 versions.

CVE-2026-57658

Jun 26, 2026 15:31:34 UTC

Administrator Arbitrary File Upload in TemplateSpare <= 4.2.0 versions.

CVE-2026-57664

Jun 26, 2026 15:31:21 UTC

Unauthenticated Sensitive Data Exposure in Bopo – WooCommerce Product Bundle Builder <= 1.1.6 versions.

CVE-2026-57874

Jun 26, 2026 15:30:08 UTC

An unauthenticated buffer overflow vulnerability exists in IEEE8021x_upload.cgi in GeoVision GV-LPC2011 and GV-LPC2211 V1.12 and earlier. The vulnerability is caused by insufficient bounds checking when parsing filename values in multipart ...

CVE-2026-45256

Jun 26, 2026 15:30:02 UTC

When used to deliver a signal to a specific thread, thr_kill2(2) called p_cansignal() to determine whether the operation was permitted but did not check the result before delivering the signal. The signal was sent even when the permission ...

CVE-2026-57873

Jun 26, 2026 15:29:14 UTC

An unauthenticated NULL pointer dereference vulnerability exists in IEEE8021x_upload.cgi in GeoVision GV-LPC2011 and GV-LPC2211 V1.12 and earlier. The vulnerability is caused by improper validation of multipart upload headers when processin...

CVE-2026-57872

Jun 26, 2026 15:27:13 UTC

An unauthenticated directory traversal vulnerability exists in get_fcont.cgi in GeoVision GV-LPC2011 and GV-LPC2211 V1.12 and earlier. The vulnerability is caused by insufficient validation of user-supplied file path input before the reques...

CVE-2026-45257

Jun 26, 2026 15:26:41 UTC

The KTLS receive path decrypted each record in place, assuming that the mbufs holding received data were anonymous and safe to modify. This assumption does not hold for data placed on a socket by sendfile(2), which can reference file-backe...

CVE-2026-8380

Jun 26, 2026 15:25:11 UTC

The Frontend File Manager Plugin WordPress plugin through 23.6 does not properly verify ownership of every targeted post before permanent deletion, allowing authenticated users with author-level access and above to permanently delete arbitr...

CVE-2026-4600

Jun 26, 2026 15:25:07 UTC

Versions of the package jsrsasign before 11.1.1 are vulnerable to Improper Verification of Cryptographic Signature via the DSA domain-parameter validation in KJUR.crypto.DSA.setPublic (and the related DSA/X509 verification flow in src/dsa-2...