Command injection in Raynet rvia version 12.6 Update 8 and previous versions allows adversaries to execute arbitrary code via a crafted path that matches the improperly terminated search criteria of rvia’s Java search using...

A stored cross-site scripting (XSS) vulnerability in the /admin/config-module.php component of creatorsofcode simplephp GitHub commit 5184cff (Latest as of 2026-02-27) via injecting a crafted payload. More information : http://creatorsofcode.com

OpenRapid RapidCMS v1.3.1 was discovered to contain an authentication bypass in the /template/default/menu.php component. This vulnerability is exploited via injecting a crafted SQL payload into the name cookie parameter. More information : http://openrapid.com

When creating an export through the pretix API, API clients are returned an UUID value for their export job (a long, random string like 35742818-c375-4d15-839f-d49aecce94d6). Using this UUID, the API client can then request...

A cross-site request forgery (CSRF) vulnerability in Jenkins Multijob Plugin 662.vd2e0001f6b_b_d and earlier allows attackers to resume failed Multijob builds. More information : https://www.jenkins.io/security/advisory/2026-05-27/#SECURITY-3781

Mattermost Plugins versions

Webmin before 2.640 does not safely construct a filename for saving of an attachment within the mailboxes component. This occurs in mailboxes/detachall.cgi. More information : https://github.com/webmin/webmin/commit/cf432879a14568c4bb44cd2f9e5a9bd0e168edc1

Webmin before 2.640 allows mailboxes/detach.cgi XSS via an SVG document attachment that is viewed in the mailboxes component, because image/svg+xml is used instead of a safe type (e.g., text/plain). More information : https://github.com/webmin/webmin/commit/cf432879a14568c4bb44cd2f9e5a9bd0e168edc1

URL Redirection to Untrusted Site (‘Open Redirect’) vulnerability in Facebook Facebook for WooCommerce allows Phishing. This issue affects Facebook for WooCommerce: from n/a through 3.7.0. More information : https://patchstack.com/database/wordpress/plugin/facebook-for-woocommerce/vulnerability/wordpress-facebook-for-woocommerce-plugin-3-7-0-open-redirection-vulnerability?_s_id=cve

Missing Authorization vulnerability in Wpmet ElementsKit Elementor addons Lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ElementsKit Elementor addons Lite: from n/a through 3.9.6. More information : https://patchstack.com/database/wordpress/plugin/elementskit-lite/vulnerability/wordpress-elementskit-elementor-addons-lite-plugin-3-9-6-broken-access-control-vulnerability-2?_s_id=cve

Missing Authorization vulnerability in Wpmet ElementsKit Elementor addons Lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ElementsKit Elementor addons Lite: from n/a through 3.9.6. More information : https://patchstack.com/database/wordpress/plugin/elementskit-lite/vulnerability/wordpress-elementskit-elementor-addons-lite-plugin-3-9-6-broken-access-control-vulnerability?_s_id=cve

Missing Authorization vulnerability in Prasad Kirpekar WP Meta and Date Remover allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Meta and Date Remover: from n/a through 2.3.6. More information :...

Missing Authorization vulnerability in DearHive DearFlip allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects DearFlip: from n/a through 2.4.27. More information : https://patchstack.com/database/wordpress/plugin/3d-flipbook-dflip-lite/vulnerability/wordpress-dearflip-plugin-2-4-27-broken-access-control-vulnerability?_s_id=cve

Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in Arjun Thakur Duplicate Page and Post allows Blind SQL Injection. This issue affects Duplicate Page and Post: from n/a through...