Unofficial account to notify you about new CVE IDs
CVE is a program that identifies, defines, and catalogs publicly disclosed cybersecurity vulnerabilities.
check out @infosec.skyfleet.blue
🆘 @skyfleet.blue
CVE Alerts
CVE-2026-10736 - Tutor LMS
CVE ID : CVE-2026-10736
Published : June 18, 2026, 5:34 a.m. | 2 hours, 8 minutes ago
Description : The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to generic SQL Injection via the 'data' parameter in all...
CVE-2026-28573 - Android Persistent Denial of Service
CVE ID : CVE-2026-28573
Published : June 18, 2026, 6:29 a.m. | 1 hour, 13 minutes ago
Description : In AndroidManifest.xml, there is a possible persistent denial of service due to a missing permission check. This coul...
CVE-2026-55740 - SQL Injection in Nur-Alam39 bus-ticket bus_info.php via busid parameter
CVE ID : CVE-2026-55740
Published : June 18, 2026, 5:48 a.m. | 1 hour, 54 minutes ago
Description : Nur-Alam39 bus-ticket (no released versions; latest commit 459cabdbeb99c00225b26e4...
CVE-2026-55744 - Cotonti CSRF in PFS allows forced arbitrary file upload
CVE ID : CVE-2026-55744
Published : June 18, 2026, 6:06 a.m. | 1 hour, 35 minutes ago
Description : Cotonti 1.0.0 (master branch, commit f43f1fc3) is vulnerable to Cross-Site Request Forgery in the ...
CVE-2026-55746 - Cotonti stored XSS via PFS folder title
CVE ID : CVE-2026-55746
Published : June 18, 2026, 6:46 a.m. | 55 minutes ago
Description : Cotonti 1.0.0 (master branch, commit f43f1fc3) is vulnerable to stored Cross-Site Scripting in the Personal File Storage (...
CVE-2026-12137 - SysBasics Customize My Account for WooCommerce
CVE ID : CVE-2026-12137
Published : June 18, 2026, 6:50 a.m. | 52 minutes ago
Description : The SysBasics Customize My Account for WooCommerce – Dashboard, Endpoints, Avatar & Menu Manager plugin for Wor...
CVE-2026-55741 - Cotonti CSRF in admin.config.php allows unauthorized configuration changes
CVE ID : CVE-2026-55741
Published : June 18, 2026, 6:04 a.m. | 1 hour, 38 minutes ago
Description : Cotonti 1.0.0 (master branch, commit f43f1fc3) is vulnerable to Cross-Site Requ...
CVE-2026-55745 - Cotonti CSRF in PFS folder edit allows unauthorized folder modification
CVE ID : CVE-2026-55745
Published : June 18, 2026, 6:07 a.m. | 1 hour, 35 minutes ago
Description : Cotonti 1.0.0 (master branch, commit f43f1fc3) is vulnerable to Cross-Site Request...
CVE-2026-11358 - Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More
CVE ID : CVE-2026-11358
Published : June 18, 2026, 5:34 a.m. | 2 hours, 8 minutes ago
Description : The Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Noti...
CVE-2026-12098 - PowerPress Podcasting plugin by Blubrry
CVE ID : CVE-2026-12098
Published : June 18, 2026, 6:50 a.m. | 52 minutes ago
Description : The PowerPress Podcasting plugin by Blubrry plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'embed' ...
In AndroidManifest.xml, there is a possible persistent denial of service due to a missing permission check. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to generic SQL Injection via the 'data' parameter in all versions up to, and including, 3.9.11 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This …
The PowerPress Podcasting plugin by Blubrry plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'embed' Episode Meta Field in all versions up to, and including, 11.16.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject …
Nur-Alam39 bus-ticket (no released versions; latest commit 459cabdbeb99c00225b26e46e3c2c30ae1de7bad) contains an unauthenticated SQL injection vulnerability in bus_info.php. The busid parameter received via HTTP POST is concatenated directly into a MySQL query (select * from bus_info where id=$busid) without sanitization, escaping, or parameterization, and in a numeric (unquoted) context. A remote, unauthenticated …
Cotonti 1.0.0 (master branch, commit f43f1fc3) is vulnerable to Cross-Site Request Forgery in the Personal File Storage (PFS) module. In modules/pfs/inc/pfs.main.php, the file upload action ('a=upload') processes uploaded files without calling cot_check_xg() to validate the anti-CSRF token, even though sibling actions such as 'delete' (line 272) do. A remote attacker …
Cotonti 1.0.0 (master branch, commit f43f1fc3) is vulnerable to Cross-Site Request Forgery in the administration configuration handler. In system/admin/admin.config.php, the configuration update action ('a=update') processes POST data via cot_config_update_options() without calling cot_check_xg() to validate the anti-CSRF token (the 'x' parameter), unlike other admin handlers (e.g. admin.structure.php, admin.cache.php). A remote attacker …
Cotonti 1.0.0 (master branch, commit f43f1fc3) is vulnerable to stored Cross-Site Scripting in the Personal File Storage (PFS) module. A folder title (pff_title) is imported with the 'TXT' filter, which does not strip or encode HTML (the tag check in cot_import is disabled), so an authenticated user can store HTML/JavaScript …
cvefeed.io
The SysBasics Customize My Account for WooCommerce – Dashboard, Endpoints, Avatar & Menu Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'tab' parameter in all versions up to, and including, 4.3.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers …
The Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.0.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, …
Cotonti 1.0.0 (master branch, commit f43f1fc3) is vulnerable to Cross-Site Request Forgery in the Personal File Storage (PFS) module. In modules/pfs/inc/pfs.editfolder.php, the folder update action ('a=update') updates folder metadata (title, description, public/gallery flags) without calling cot_check_xg() to validate the anti-CSRF token. A remote attacker who lures an authenticated user into …