CVE-2026-48745 — Traccar Client: silent configuration hijack via unverified deep link redirects all GPS te…
Traccar Client is a GPS tracking mobile app for sending location updates to private servers using the open-source Traccar platform. In versions 9.7.19 and below, a single crafted deep link can silent…
Misconfiguration
Jun 16, 2026
CVE-2026-47277 — Runtipi: Unauthenticated arbitrary file read through app-store logo symlinks
Runtipi is a personal homeserver orchestrator. In versions 4.9.1 through 4.9.3, Runtipi serves marketplace app logos from files inside cloned app-store repositories through an unauthenticated endpoin…
Path Traversal
Jun 16, 2026
CVE-2026-48783 — Postiz has an unauthenticated billing-enforcement bypass via /public/modify-subscription
Postiz is an AI social media scheduling tool. Versions prior to 2.21.8 contained an unauthenticated endpoint that accepted a signed token and applied subscription-enforcement side effects to the orga…
Authentication
Jun 16, 2026
CVE-2026-2604 — Evolution-data-server: evolution data server: arbitrary file deletion via inconsistent ur…
A flaw was found in evolution-data-server. Inconsistent comparison logic in the addressbook file backend allows a Flatpak application with D-Bus access to craft a malicious URI containing directory t…
Jun 16, 2026
CVE-2026-48781 — Postiz has cross-tenant SUPERADMIN takeover via Skool-provider JWT forgery
Postiz is an AI social media scheduling tool. In versions prior to 2.21.8, the Skool integration callback signed an attacker-controlled JSON blob into a session-shape JWT using the application's JWT_…
Authentication
Jun 16, 2026
CVE-2026-48779 — ws: Memory exhaustion DoS from tiny fragments and data chunks
ws is an open source WebSocket client and server for Node.js. All versions from 1.1.0 up to (but not including) 5.2.5, from 6.0.0 up to 6.2.4, from 7.0.0 up to 7.5.11, and from 8.0.0 up to 8.21.0 are…
Denial of Service
Jun 16, 2026
CVE-2026-25470 — WordPress ACPT (Pro) - Custom Post Types plugin for WordPress plugin <= 2.0.47 - Remote C…
Improper Control of Generation of Code ('Code Injection') vulnerability in ACPT ACPT (Pro) - Custom Post Types Plugin for WordPress allows Remote Code Inclusion. This issue affects ACPT (Pro) - Cust…
Remote | Injection
Jun 16, 2026
CVE-2026-39598 — WordPress Academy LMS Pro plugin < 3.5.2 - Arbitrary File Upload vulnerability
Unrestricted Upload of File with Dangerous Type vulnerability in Kodezen LLC Academy LMS Pro allows Upload a Web Shell to a Web Server. This issue affects Academy LMS Pro: from n/a before 3.5.2.
Remote | Misconfiguration
Jun 16, 2026
CVE-2026-49073 — WordPress Directorist Booking plugin <= 3.0.3 - SQL Injection vulnerability
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in wpWax Directorist Booking allows Blind SQL Injection. This issue affects Directorist Booking: fr…
Remote | Injection
Jun 16, 2026
CVE-2026-48055 — Streambert: Arbitrary File Write (Zip Slip) via Subtitle Extraction
Streambert is a cross-platform Electron Desktop App to stream and download any video media. In versions 2.4.0 and prior, a high-severity Zip Slip vulnerability was identified in Streambert's subtitle…
Path Traversal
Jun 16, 2026
CVE-2026-11409 — OS Command Injection in IPv6 PPPoE Configuration in TP-Link TL-WR940N
An authenticated OS command injection vulnerability exists in the IPv6 PPPoE configuration handler in TL-WR940N v6 due to improper sanitization of user input. An attacker with administrative access m…
Jun 16, 2026
CVE-2026-11410 — OS Command Injection in BigPond Cable (BPA) Configuration in TP-Link TL-WR940N
An authenticated OS command injection vulnerability exists in the BigPond Cable (BPA) WAN configuration module in TL-WR940N v6 due to improper sanitization of user input. An attacker with administrat…
Jun 16, 2026
CVE-2026-49113 — WordPress Cornerstone plugin < 7.8.8 - Arbitrary Code Execution vulnerability
Subscriber Arbitrary Code Execution in Cornerstone < 7.8.8 versions.
Remote | Memory Corruption
Jun 16, 2026
CVE-2026-49080 — WordPress wpDataTables plugin <= 7.3.6 - SQL Injection vulnerability
Unauthenticated SQL Injection in wpDataTables <= 7.3.6 versions.
Remote | Injection
Jun 16, 2026
CVE-2026-49057 — WordPress JobSearch plugin <= 3.2.7 - Broken Access Control vulnerability
Unauthenticated Broken Access Control in JobSearch <= 3.2.7 versions.
Jun 16, 2026
CVE-2026-48869 — WordPress Enfold theme <= 7.1.4 - Reflected Cross Site Scripting (XSS) vulnerability
Unauthenticated Cross Site Scripting (XSS) in Enfold <= 7.1.4 versions.
enfold | Remote | Cross-Site Scripting
Jun 16, 2026
CVE-2026-40761 — WordPress Valeska theme <= 1.2.2 - PHP Object Injection vulnerability
Unauthenticated PHP Object Injection in Valeska <= 1.2.2 versions.
Remote | Injection
Jun 16, 2026
CVE-2026-40760 — WordPress Behold theme <= 1.5 - PHP Object Injection vulnerability
Unauthenticated PHP Object Injection in Behold <= 1.5 versions.
Remote | Injection
Jun 16, 2026
CVE-2026-40759 — WordPress Esmée theme <= 1.4 - PHP Object Injection vulnerability
Unauthenticated PHP Object Injection in Esmée <= 1.4 versions.
Remote | Injection
Jun 16, 2026
CVE-2026-40758 — WordPress Léonie theme <= 1.2.1 - PHP Object Injection vulnerability
Unauthenticated PHP Object Injection in Léonie <= 1.2.1 versions.
Remote | Injection
Jun 16, 2026