CVE-2026-49075 — WordPress JetEngine plugin <= 3.8.9.1 - PHP Object Injection vulnerability
Contributor PHP Object Injection in JetEngine <= 3.8.9.1 versions.
Jun 17, 2026
Jun 17, 2026
CVE-2026-49074 — WordPress JetEngine plugin <= 3.8.9.1 - Cross Site Scripting (XSS) vulnerability
Unauthenticated Cross Site Scripting (XSS) in JetEngine <= 3.8.9.1 versions.
Jun 17, 2026
Jun 17, 2026
CVE-2026-49073 — WordPress Directorist Booking plugin <= 3.0.3 - SQL Injection vulnerability
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in wpWax Directorist Booking allows Blind SQL Injection.
This issue affects Directorist Booking: fr…
Remote | Injection
Jun 17, 2026
Jun 17, 2026
CVE-2026-49072 — WordPress WooCommerce Anti-Fraud plugin <= 7.2.6 - Broken Access Control vulnerability
Unauthenticated Broken Access Control in WooCommerce Anti-Fraud <= 7.2.6 versions.
Remote | Authorization
Jun 17, 2026
Jun 17, 2026
CVE-2026-49071 — WordPress WooCommerce Dropshipping plugin <= 5.2.4 - Broken Authentication vulnerability
Unauthenticated Broken Authentication in WooCommerce Dropshipping <= 5.2.4 versions.
Jun 17, 2026
Jun 17, 2026
CVE-2026-49058 — WordPress LoginPress Pro plugin <= 6.2.2 - Privilege Escalation vulnerability
Unauthenticated Privilege Escalation in LoginPress Pro <= 6.2.2 versions.
Remote | Authentication
Jun 17, 2026
Jun 17, 2026
CVE-2026-49057 — WordPress JobSearch plugin <= 3.2.7 - Broken Access Control vulnerability
Unauthenticated Broken Access Control in JobSearch <= 3.2.7 versions.
Jun 17, 2026
Jun 17, 2026
CVE-2026-48967 — WordPress Geo Mashup plugin <= 1.13.19 - SQL Injection vulnerability
Subscriber SQL Injection in Geo Mashup <= 1.13.19 versions.
Jun 17, 2026
Jun 17, 2026
Rocket.Chat in versions <8.5.1, <8.4.4, <8.3.6, <8.2.6, <8.1.6, <8.0.7, <7.13.9, and <7.10.13 is vulnerable to unauthenticated file deletion. The deleteFileMessage Meteor method permanently deletes a…
Jun 17, 2026
Jun 18, 2026
CVE-2026-48875 — WordPress JetSmartFilters plugin <= 3.8.1 - SQL Injection vulnerability
Unauthenticated SQL Injection in JetSmartFilters <= 3.8.1 versions.
Remote | Injection
Jun 17, 2026
Jun 17, 2026
CVE-2026-48869 — WordPress Enfold theme <= 7.1.4 - Reflected Cross Site Scripting (XSS) vulnerability
Unauthenticated Cross Site Scripting (XSS) in Enfold <= 7.1.4 versions.
enfold | Remote | Cross-Site Scripting
Jun 17, 2026
Jun 17, 2026
CVE-2026-48797 — Backpropagate: backprop ui --auth and backprop ui --share do not enforce authentication
Backpropagate is a Python library for fine-tuning large language models on a single GPU. In versions 1.1.0 and 1.1.1, the optional Reflex web UI exposes a training control plane without authenticatio…
Remote | Authentication
Jun 17, 2026
Jun 18, 2026
CVE-2026-48788 — Remark42: Cross-Site Scripting (XSS) on /api/v1/img via content-type spoofing
Remark42 is a self-hosted comment engine for blogs, articles, or any other place where readers can add comments. Versions 1.6.0 through 1.15.0 contain a Cross-Site Scripting (XSS) vulnerability explo…
remark42 | Remote | Cross-Site Scripting
Jun 17, 2026
Jun 17, 2026
CVE-2026-48783 — Postiz has an unauthenticated billing-enforcement bypass via /public/modify-subscription
Postiz is an AI social media scheduling tool. Versions prior to 2.21.8 contained an unauthenticated endpoint that accepted a signed token and applied subscription-enforcement side effects to the orga…
postiz | Remote | Authentication
Jun 17, 2026
Jun 17, 2026
CVE-2026-48782 — pydantic-ai: SSRF blocklist bypass via IPv4-compatible, SIIT/IVI, and local NAT64 IPv6 ad…
Pydantic AI is a Python agent framework for building applications and workflows with Generative AI. In versions 1.56.0 through 1.101.0, 2.0.0b1, and 2.0.0b2, the cloud-metadata blocklist could be byp…
Jun 17, 2026
Jun 17, 2026
CVE-2026-48781 — Postiz has cross-tenant SUPERADMIN takeover via Skool-provider JWT forgery
Postiz is an AI social media scheduling tool. In versions prior to 2.21.8, the Skool integration callback signed an attacker-controlled JSON blob into a session-shape JWT using the application's JWT_…
postiz | Remote | Authentication
Jun 17, 2026
Jun 18, 2026
CVE-2026-48779 — ws: Memory exhaustion DoS from tiny fragments and data chunks
ws is an open source WebSocket client and server for Node.js. All versions from 1.1.0 up to (but not including) 5.2.5, from 6.0.0 up to 6.2.4, from 7.0.0 up to 7.5.11, and from 8.0.0 up to 8.21.0 are…
ws | Remote | Denial of Service
Jun 17, 2026
Jul 02, 2026
CVE-2026-48745 — Traccar Client: silent configuration hijack via unverified deep link redirects all GPS te…
Traccar Client is a GPS tracking mobile app for sending location updates to private servers using the open-source Traccar platform. In versions 9.7.19 and below, a single crafted deep link can silent…
Remote | Misconfiguration
Jun 17, 2026
Jun 17, 2026
Rocket.Chat versions <8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, 7.13.9, 7.10.13 have an access control vulnerability in Livechat files. Protected file downloads at /file-upload/:fileId/:name authorize…
Jun 17, 2026
Jun 18, 2026
CVE-2026-48055 — Streambert: Arbitrary File Write (Zip Slip) via Subtitle Extraction
Streambert is a cross-platform Electron Desktop App to stream and download any video media. In versions 2.4.0 and prior, a high-severity Zip Slip vulnerability was identified in Streambert's subtitle…
Remote | Path Traversal
Jun 17, 2026
Jun 17, 2026