CVE Database

Contributor PHP Object Injection in Post Duplicator <= 3.0.10 versions.

Shop manager PHP Object Injection in WooCommerce PDF Invoices & Packing Slips < 5.9.0 versions.

Author PHP Object Injection in ShortPixel Image Optimizer <= 6.4.3 versions.

Shop manager Privilege Escalation in WooCommerce Cart Abandonment Recovery < 2.1.0 versions.

Contributor Arbitrary File Deletion in Meta Box – WordPress Custom Fields Framework <= 5.11.1 versions.

Editor Remote Code Execution (RCE) in Responsive Slider by MetaSlider <= 3.106.0 versions.

Unauthenticated Cross Site Scripting (XSS) in ManageWP Worker <= 4.9.31 versions.

Unauthenticated Cross Site Scripting (XSS) in WP Google Review Slider <= 18.0 versions.

Subscriber Broken Authentication in FunnelKit Automations <= 3.7.3 versions.

Unauthenticated Cross Site Scripting (XSS) in Contact Form to Any API <= 3.0.3 versions.

Unauthenticated Cross Site Scripting (XSS) in Simply Schedule Appointments <= 1.6.10.6 versions.

Unauthenticated SQL Injection in Feed KuantoKusta for WooCommerce – Free <= 5.3 versions.

Unauthenticated Cross Site Scripting (XSS) in CformsII <= 15.1.3 versions.

Shop manager PHP Object Injection in CTX Feed <= 6.6.26 versions.

Unauthenticated Cross Site Scripting (XSS) in WooCommerce Product Table Lite <= 4.6.3 versions.

Unauthenticated Privilege Escalation in iControlWP <= 5.5.3 versions.

Unauthenticated Cross Site Scripting (XSS) in GiveWP <= 4.14.2 versions.

Unauthenticated Broken Access Control in Event Tickets Manager for WooCommerce <= 1.5.3 versions.

Subscriber Broken Access Control in Rank Math SEO <= 1.0.271 versions.

Unauthenticated Sensitive Data Exposure in IDPay Payment Gateway for Woocommerce <= 2.2.5 versions.

Unauthenticated Broken Access Control in Simple Membership <= 4.7.1 versions.

Editor Privilege Escalation in AI Engine <= 3.4.9 versions.

Unauthenticated Deserialization of untrusted data in Paid Videochat Turnkey Site <= 7.3.23 versions.

Unauthenticated Bypass Vulnerability in WpTravelly <= 2.1.7 versions.

Unauthenticated PHP Object Injection in Broadcast Live Video < 7.1.3 versions.

Unauthenticated Broken Access Control in Essential Addons for Elementor < 6.6.0 versions.

Unauthenticated Broken Access Control in User Registration <= 5.1.2 versions.

Contributor SQL Injection in PowerPress Podcasting <= 11.15.10 versions.

Unauthenticated Cross Site Scripting (XSS) in Redirection for Contact Form 7 <= 3.2.8 versions.

Subscriber Broken Access Control in Bookify <= 1.1.1 versions.

Unauthenticated Cross Site Scripting (XSS) in Eli&#039;s WordCents adSense Widget with Analytics <= 1.3.03.27 versions.

Unauthenticated Cross Site Scripting (XSS) in Okay Toolkit <= 2.3 versions.

Unauthenticated Cross Site Scripting (XSS) in iRobots.txt SEO <= 1.1.2 versions.

Subscriber Broken Access Control in bunny.net <= 2.3.6 versions.

Administrator Server Side Request Forgery (SSRF) in PopAd <= 1.0.4 versions.

Custom role Insecure Direct Object References (IDOR) in Projectopia <= 5.1.25.2 versions.

Rejected reason: ]** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2026-49489. Reason: This candidate is a duplicate of CVE-2026-49489. Notes: All CVE users should reference CVE-2026-49489 instead of this candidate.

Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2026-12075. Reason: This candidate is a duplicate of CVE-2026-12075. Notes: All CVE users should reference CVE-2026-12075 instead of this candidate.

Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2026-12061. Reason: This candidate is a duplicate of CVE-2026-12061. Notes: All CVE users should reference CVE-2026-12061 instead of this candidate.

Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2026-12072. Reason: This candidate is a duplicate of CVE-2026-12072. Notes: All CVE users should reference CVE-2026-12072 instead of this candidate.

Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2026-12074. Reason: This candidate is a duplicate of CVE-2026-12074. Notes: All CVE users should reference CVE-2026-12074 instead of this candidate.

A flaw was found in GStreamer's WavPack audio decoder in gst-plugins-good. When processing a specially crafted WavPack file, an integer overflow in the buffer size calculation (4 * block_samples * channels) in gst_wavpack_dec_handle_frame() causes a very small heap allocation. The WavPack library then writes decoded audio samples far beyond the allocated buffer, resulting in heap memory corruption. This affects both 32-bit and 64-bit systems since the arithmetic is performed in 32-bit integers before promotion to the allocation size type. A remote attacker could use this flaw to crash an application or potentially execute arbitrary code by convincing a user to open a malicious WavPack audio file.

A flaw was found in GStreamer's RealMedia demuxer in the gst-plugins-ugly package. When processing a RealMedia file containing a specially crafted FILEINFO metadata section, the demuxer parses variable-name and variable-value pairs using re_skip_pascal_string() without validating that offsets remain within the mapped buffer. Additionally, the element count controlling the parsing loop is read from attacker-controlled data without validation, which can cause an infinite loop. A crafted RealMedia file can cause the application to crash, hang, or potentially read limited adjacent memory contents.

A vulnerability was found in the GStreamer RealMedia demuxer (gst-plugins-ugly). When processing a RealMedia (.rm) file, the demuxer parses MDPR (media properties) chunks to configure audio streams. For audio stream header versions 4 and 5, the parser reads fields such as codec type, packet size, sample rate, channel count, and extra codec data length from fixed offsets within the chunk without first checking that the chunk contains enough data. If a malicious file provides an MDPR chunk that is too small to contain a complete audio stream header, the parser reads beyond the end of the buffer. This can cause the application to crash. In some cases, bytes read past the buffer boundary may be incorporated into stream metadata, which could result in limited information disclosure.

A signed integer overflow vulnerability was found in GStreamer's VMnc decoder. A crafted VMnc stream with large cursor dimensions can overflow signed integer payload-size arithmetic, bypassing a length check and leading to out-of-bounds reads. A remote attacker could trick a user into opening a specially crafted VMnc file, potentially causing a crash or information disclosure.

Multiple out-of-bounds read vulnerabilities were found in GStreamer's pcapparse element. Malformed PCAP records can trigger reads beyond buffer boundaries during IPv4/TCP header parsing. This element is primarily used in debugging pipelines, limiting real-world exposure. A local attacker could trick a user into processing a specially crafted PCAP file, potentially leading to a crash or information disclosure.

A heap buffer overflow vulnerability was found in GStreamer's librfb (RFB/VNC client). The rectangle bounds check incorrectly validates area rather than individual dimensions, allowing a malicious VNC server to send a rectangle that extends beyond the framebuffer. A remote attacker could set up a malicious VNC server and trick a user into connecting, resulting in an out-of-bounds heap write that could lead to code execution or a crash.

An out-of-bounds read vulnerability was found in the VA JPEG decoder in GStreamer's gst-plugins-bad. The JPEG parser reads a segment length value from the bitstream without validating it against available data. A remote attacker could trick a user into opening a specially crafted JPEG file, causing downstream parsing to read beyond the provided input buffer, leading to a crash or potential information disclosure.

A denial of service vulnerability was found in GStreamer's AV1 codec parser in gst-plugins-bad. The gst_av1_parser_parse_tile_list_obu() function passes a byte count to a bit-reader API that expects a bit count, causing parser desynchronization. A remote attacker could trick a user into opening a specially crafted AV1 media file, triggering an assertion abort and causing the application to crash.

Incorrect access control in the "Let's Encrypt" certificate download endpoint of Nginx Proxy Manager v2.14.0 allows authenticated attackers to obtain the TLS private key material via a crafted GET request.