Recent Advisories

Severity ID Title Vendor Product Date Type
MEDIUM 6.5 CVE-2026-11965

User Registration & Membership < 5.2.0 - Unauthenticated Paid Membership Bypass_CVE-2026-11965

The User Registration & Membership WordPress plugin before 5.2.0 does not enforce payment completion before activating a paid membership subscript...

Unknown User Registration & Membership CVE
MEDIUM 6.8 CVE-2026-10077

YOOtheme Pro < 5.0.35 - Author+ Stored XSS via UIkit Data Attributes_CVE-2026-10077

The yootheme WordPress theme before 5.0.35 does not prevent its bundled front-end framework from treating certain HTML attributes, which are permit...

Unknown yootheme CVE
MEDIUM 5.3 CVE-2026-57760

WordPress Sendcloud Shipping plugin <= 1.0.29 - Broken Access Control vulnerability_CVE-2026-57760

Missing Authorization vulnerability in Sendcloud Sendcloud Shipping allows Exploiting Incorrectly Configured Access Control Security Levels. This ...

Sendcloud Sendcloud Shipping n/a CVE
MEDIUM 6.4 CVE-2026-14449

POST-based reflected XSS via the thanks parameter in form components_CVE-2026-14449

u5CMS through v12.8.8 is vulnerable to reflected XSS via the ‘thanks’ parameter in multiple form components

u5CMS u5CMS CVE
MEDIUM 5.3 CVE-2026-58653

PraisonAI – Authorization Bypass via Unvalidated project_id in Issue Create/Update_CVE-2026-58653

PraisonAI before 0.1.7 fails to validate that project_id in issue create and update request bodies belongs to the URL workspace. An attacker can cr...

PraisonAI PraisonAI CVE
MEDIUM 5.4 CVE-2026-4772

Stored XSS in TR7’s WAF-ASP_CVE-2026-4772

Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in TR7 Cyber Defense Inc. WAF-ASP allows Store...

TR7 Cyber Defense Inc. WAF-ASP v1.0.324.900 CVE
MEDIUM 4.6 CVE-2026-4770

DOM-Based XSS in TR7’s WAF-ASP_CVE-2026-4770

Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in TR7 Cyber Defense Inc. Web Application Fire...

TR7 Cyber Defense Inc. WAF-ASP v1.0.42.239 CVE
MEDIUM 5.1 CVE-2026-54431

Improper Data Validation in liboauth2_CVE-2026-54431

In liboauth2 the Demonstrating Proof-of-Possession (DPoP) verifier accepts a proof whose JSON Web Key (jwk) header contains private key material. R...

OpenIDC liboauth2 CVE
MEDIUM 5.1 CVE-2026-54430

Server-Side Request Forgery in liboauth2_CVE-2026-54430

liboauth2 is vulnerable to Server-Side Request Forgery in oauth2_jose_jwks_aws_alb_resolve() function. The AWS ALB verifier reads both signer and k...

OpenIDC liboauth2 CVE
MEDIUM 6.5 CVE-2026-57764

WordPress Surbma | Yoast SEO Breadcrumb Shortcode plugin <= 1.2 - Cross Site Scripting (XSS) vulnerability_CVE-2026-57764

Contributor Cross Site Scripting (XSS) in Surbma | Yoast SEO Breadcrumb Shortcode

Surbma Surbma | Yoast SEO Breadcrumb Shortcode n/a CVE