| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-11832 | | Cri | 0.59 | 9.1 | 0.00 | | Jun 15, 2026 | Dancer2::Plugin::Auth::OAuth versions before 0.22 for Perl default to a predictable nonce. The default nonce was generated using an MD5 hash of the epoch time, which is predictable. |
| CVE-2026-9691 | | Cri | 0.64 | 9.8 | 0.00 | | Jun 15, 2026 | Unauthenticated PHP Object Injection in Integration for ActiveCampaign and Contact Form 7, WPForms, Elementor, Ninja Forms <= 1.1.1 versions. |
| CVE-2026-52703 | | Cri | 0.62 | 9.6 | 0.00 | | Jun 15, 2026 | Unauthenticated Path Traversal in FastDup <= 2.7.2 versions. |
| CVE-2026-52693 | | Cri | 0.60 | 9.3 | 0.00 | | Jun 15, 2026 | Unauthenticated SQL Injection in eCommerce Product Catalog <= 3.5.5 versions. |
| CVE-2026-49781 | | Cri | 0.64 | 9.8 | 0.00 | | Jun 15, 2026 | Unauthenticated PHP Object Injection in OttoKit <= 1.1.27 versions. |
| CVE-2026-49776 | | Cri | 0.60 | 9.3 | 0.00 | | Jun 15, 2026 | Unauthenticated SQL Injection in GPTranslate – Multilingual AI Translation for WordPress: Automatically Translate Websites <= 2.32.6 versions. |
| CVE-2026-49770 | | Cri | 0.64 | 9.8 | 0.00 | | Jun 15, 2026 | Unauthenticated PHP Object Injection in WP Travel Engine <= 6.7.12 versions. |
| CVE-2026-49769 | | Cri | 0.64 | 9.8 | 0.00 | | Jun 15, 2026 | Unauthenticated PHP Object Injection in wpForo Forum <= 3.1.0 versions. |
| CVE-2026-49768 | | Cri | 0.64 | 9.8 | 0.00 | | Jun 15, 2026 | Unauthenticated PHP Object Injection in Happyforms <= 1.26.13 versions. |
| CVE-2026-49766 | | Cri | 0.64 | 9.9 | 0.01 | | Jun 15, 2026 | Subscriber Arbitrary File Deletion in WP User Manager <= 2.9.16 versions. |
| CVE-2026-49765 | | Cri | 0.64 | 9.8 | 0.00 | | Jun 15, 2026 | Unauthenticated PHP Object Injection in Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms <= 1.1.8 versions. |
| CVE-2026-49764 | | Cri | 0.64 | 9.8 | 0.00 | | Jun 15, 2026 | Unauthenticated Broken Authentication in RegistrationMagic <= 6.0.8.6 versions. |
| CVE-2026-49763 | | Cri | 0.64 | 9.8 | 0.00 | | Jun 15, 2026 | Unauthenticated PHP Object Injection in Integration for Contact Form 7 HubSpot <= 1.3.7 versions. |
| CVE-2026-49109 | | Cri | 0.64 | 9.8 | 0.00 | | Jun 15, 2026 | Unauthenticated PHP Object Injection in Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms <= 1.4.3 versions. |
| CVE-2026-49106 | | Cri | 0.64 | 9.8 | 0.00 | | Jun 15, 2026 | Unauthenticated PHP Object Injection in Integration for Contact Form 7 and Constant Contact <= 1.1.6 versions. |
| CVE-2026-49105 | | Cri | 0.64 | 9.8 | 0.00 | | Jun 15, 2026 | Unauthenticated PHP Object Injection in WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms <= 1.1.4 versions. |
| CVE-2026-49104 | | Cri | 0.64 | 9.8 | 0.00 | | Jun 15, 2026 | Unauthenticated PHP Object Injection in Integration for Keap/infusionsoft and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms <= 1.2.1 versions. |
| CVE-2026-49085 | | Cri | 0.64 | 9.8 | 0.00 | | Jun 15, 2026 | Unauthenticated PHP Object Injection in WP Insightly for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms <= 1.1.4 versions. |
| CVE-2026-49067 | | Cri | 0.60 | 9.3 | 0.00 | | Jun 15, 2026 | Unauthenticated SQL Injection in Advanced 301 and 302 Redirect <= 1.6.9 versions. |
| CVE-2026-48886 | | Cri | 0.60 | 9.3 | 0.00 | | Jun 15, 2026 | Unauthenticated SQL Injection in JS Help Desk <= 3.0.9 versions. |
| CVE-2026-48881 | | Cri | 0.59 | 9.1 | 0.00 | | Jun 15, 2026 | Unauthenticated Broken Access Control in TrueBooker <= 1.1.9 versions. |
| CVE-2026-48836 | | Cri | 0.65 | 10.0 | 0.01 | | Jun 15, 2026 | Unauthenticated Remote Code Execution (RCE) in Easy Invoice <= 2.1.19 versions. |
| CVE-2026-45439 | | Cri | 0.60 | 9.3 | 0.00 | | Jun 15, 2026 | Unauthenticated SQL Injection in Realtyna Organic IDX plugin <= 5.1.0 versions. |
| CVE-2026-42665 | | Cri | 0.60 | 9.3 | 0.00 | | Jun 15, 2026 | Unauthenticated SQL Injection in WP Data Access <= 5.5.70 versions. |
| CVE-2026-42639 | | Cri | 0.60 | 9.3 | 0.00 | | Jun 15, 2026 | Unauthenticated SQL Injection in GD Rating System <= 3.6.2 versions. |
| CVE-2026-42386 | | Cri | 0.60 | 9.3 | 0.00 | | Jun 15, 2026 | Unauthenticated SQL Injection in Order Delivery Date for WooCommerce <= 4.5.1 versions. |
| CVE-2026-42381 | | Cri | 0.60 | 9.3 | 0.00 | | Jun 15, 2026 | Unauthenticated SQL Injection in Funnel Builder by FunnelKit <= 3.15.0.1 versions. |
| CVE-2026-40798 | | Cri | 0.60 | 9.3 | 0.00 | | Jun 15, 2026 | Unauthenticated SQL Injection in wpForo Forum <= 3.0.4 versions. |
| CVE-2026-40772 | | Cri | 0.65 | 10.0 | 0.00 | | Jun 15, 2026 | Unauthenticated Arbitrary File Upload in GeekyBot <= 1.2.2 versions. |
| CVE-2026-40771 | | Cri | 0.60 | 9.3 | 0.00 | | Jun 15, 2026 | Unauthenticated SQL Injection in Contest Gallery <= 28.1.6 versions. |
| CVE-2026-39591 | | Cri | 0.64 | 9.9 | 0.00 | | Jun 15, 2026 | Subscriber Arbitrary File Upload in WP-BusinessDirectory <= 4.0.0 versions. |
| CVE-2026-39583 | | Cri | 0.64 | 9.8 | 0.00 | | Jun 15, 2026 | Unauthenticated Privilege Escalation in Datalogics Ecommerce Delivery <= 2.6.62 versions. |
| CVE-2026-39530 | | Cri | 0.60 | 9.3 | 0.00 | | Jun 15, 2026 | Unauthenticated SQL Injection in SpeakOut! Email Petitions <= 4.6.5 versions. |
| CVE-2026-39519 | | Cri | 0.60 | 9.3 | 0.00 | | Jun 15, 2026 | Unauthenticated SQL Injection in GeekyBot <= 1.2.0 versions. |
| CVE-2026-39512 | | Cri | 0.53 | 9.3 | 0.00 | | Jun 15, 2026 | Unauthenticated SQL Injection in GeoDirectory <= 2.8.152 versions. |
| CVE-2026-39511 | | Cri | 0.60 | 9.3 | 0.00 | | Jun 15, 2026 | Unauthenticated SQL Injection in WP Photo Album Plus <= 9.1.08.001 versions. |
| CVE-2026-39502 | | Cri | 0.60 | 9.3 | 0.00 | | Jun 15, 2026 | Unauthenticated SQL Injection in Form Maker by 10Web <= 1.15.38 versions. |
| CVE-2026-39493 | | Cri | 0.53 | 9.3 | 0.00 | | Jun 15, 2026 | Unauthenticated SQL Injection in Simply Schedule Appointments <= 1.6.9.27 versions. |
| CVE-2026-39492 | | Cri | 0.60 | 9.3 | 0.00 | | Jun 15, 2026 | Unauthenticated SQL Injection in WP Maps <= 4.9.1 versions. |
| CVE-2026-39465 | | Cri | 0.59 | 9.1 | 0.01 | | Jun 15, 2026 | Editor Remote Code Execution (RCE) in Responsive Slider by MetaSlider <= 3.106.0 versions. |
| CVE-2026-39441 | | Cri | 0.53 | 9.3 | 0.00 | | Jun 15, 2026 | Unauthenticated SQL Injection in Feed KuantoKusta for WooCommerce – Free <= 5.3 versions. |
| CVE-2026-34901 | | Cri | 0.64 | 9.8 | 0.00 | | Jun 15, 2026 | Unauthenticated Privilege Escalation in iControlWP <= 5.5.3 versions. |
| CVE-2026-27053 | | Cri | 0.64 | 9.8 | 0.00 | | Jun 15, 2026 | Unauthenticated PHP Object Injection in Broadcast Live Video < 7.1.3 versions. |
| CVE-2026-54257 | | Cri | 0.52 | — | 0.00 | | Jun 15, 2026 | Impact: Most apps will crash and some may perform incorrect buffer allocations in the Node.js `Buffer` API resulting in unexpected truncation or allocation. Workarounds: No workarounds. Do not use these impacted Electron releases. Fixed Versions: `42.3.3`. For… |
| CVE-2026-50890 | | Cri | 0.64 | 9.8 | 0.00 | | Jun 15, 2026 | Bernd Bestel grocy v4.6.0 was discovered to contain a SQL injection vulnerability in the product-group parameter at /stockreports/spendings. This vulnerability allows attackers to access sensitive database information via a crafted SQL statement. |
| CVE-2026-50887 | | Cri | 0.59 | 9.1 | 0.00 | | Jun 15, 2026 | A Server-Side Request Forgery (SSRF) in the automatic short URL title resolution component of shlink v5.0.1 allows attackers to scan internal resources via supplying a crafted longUrl. |
| CVE-2026-50886 | | Cri | 0.59 | 9.1 | 0.00 | | Jun 15, 2026 | Incorrect access control in the webhook management component of Project Firefly III v6.5.9 allows attackers to scan internal resources via a crafted POST request. |
| CVE-2026-50883 | | Cri | 0.62 | 9.6 | 0.00 | | Jun 15, 2026 | An HTML injection vulnerability in the /src/highlight.rs component of matze wastebin v3.4.1 allows attackers to execute arbitrary scripts via a crafted payload. |
| CVE-2026-50880 | | Cri | 0.64 | 9.8 | 0.00 | | Jun 15, 2026 | An issue in the sendmail transport integration component of YouTransfer v1.0.6 allows attackers to execute arbitrary code via supplying a crafted request. |
| CVE-2026-50873 | | Cri | 0.64 | 9.8 | 0.00 | | Jun 15, 2026 | An arbitrary file upload vulnerability in the attachment handling component of flatnotes v5.5.4 allows attackers to execute arbitrary code via uploading a crafted HTML or SVG file. |