news - zero redgem

Recent Advisories

Severity	ID	Title	Vendor	Product	Date	Type
CRITICAL 9.4	CVE-2026-46399	Authenticated Remote Code Execution via File Overwrite_CVE-2026-46399 HAX CMS helps manage microsite universe with PHP or NodeJs backends. The PHP version of HAX CMS prior to version 26.0.0 has an authenticated file o...	haxtheweb	haxcms-nodejs < 26.0.0	Jun 5, 2026	CVE
CRITICAL 9.3	CVE-2026-46396	HAX CMS has a stored XSS via that allows access to sensitive client-side data and account takeover_CVE-2026-46396</span> </h3> <p class="advisory-desc" title="HAX CMS helps manage microsite universe with PHP or NodeJs backends. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 26.0.0 due to improper sanitization of elements. The application allows `javascript:` URIs in the `src` attribute, which are executed when a malicious page is viewed. This enables attackers to execute arbitrary JavaScript in the context of the victim’s browser and access sensitive data exposed to client-side scripts. Version 26.0.0 fixes the issue."> <span class="desc-text">HAX CMS helps manage microsite universe with PHP or NodeJs backends. A stored cross-site scripting (XSS) vulnerability exists in versions prior to ...</span> </p> </a> </td> <td class="col-vendor"> haxtheweb </td> <td class="col-product"> haxcms-nodejs <span class="product-version">< 26.0.0</span> </td> <td class="col-date"> <time class="advisory-date">Jun 5, 2026</time> </td> <td class="col-type"> <span class="advisory-type type-cve">CVE</span> </td> </tr> <tr class="advisory-row" data-post-id="60227"> <td class="col-severity"> <span class="severity-badge severity-critical"> CRITICAL <span class="cvss-score">9.3</span> </span> </td> <td class="col-id"> <span class="advisory-id" title="CVE-2026-46395"> CVE-2026-46395 </span> </td> <td class="col-title"> <a href="https://zero.redgem.net/?p=60227" class="advisory-title-link"> <h3 class="advisory-title" title="HAX CMS Vulnerable to Private Key Disclosure via Broken HMAC Implementation_CVE-2026-46395"> <span class="title-text">HAX CMS Vulnerable to Private Key Disclosure via Broken HMAC Implementation_CVE-2026-46395</span> </h3> <p class="advisory-desc" title="HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0, the `hmacBase64()` function in the HAXcms Node.js backend contains two critical cryptographic implementation errors that together allow any unauthenticated attacker to extract the system’s private signing key and forge arbitrary admin-level JSON Web Tokens (JWTs) allowing them to get full admin access with a single HTTP request. First, the function passes the literal string "0" as the HMAC signing key instead of the key parameter, making every HAXcms instance compute identical HMACs for the same input. Then, after computing the HMAC, the function concatenates the real key parameter which is "this.privateKey + this.salt", the system’s master signing secret is directly onto the output. The combined buffer is base64-encoded and returned as the token. Every base64url token produced has the same structure: 32 bytes HMAC keyed with "0" and N bytes of `privateKey+salt`. An attacker base64-decodes any token, discards the first 32 bytes, and reads the private key directly. The `/system/api/connectionSettings` endpoint is unauthenticated and returns multiple tokens generated by this function. A single GET request to this endpoint exposes the private key. The PHP backend implements this function correctly with the actual key and returns only the hash. The PHP version produces 44-character tokens whereas the broken Node.js version produces 139+ character tokens. Version 26.0.0 fixes the issue."> <span class="desc-text">HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0, the `hmacBase64()` function in the HAXcms Node.js bac...</span> </p> </a> </td> <td class="col-vendor"> haxtheweb </td> <td class="col-product"> haxcms-nodejs <span class="product-version">< 26.0.0</span> </td> <td class="col-date"> <time class="advisory-date">Jun 5, 2026</time> </td> <td class="col-type"> <span class="advisory-type type-cve">CVE</span> </td> </tr> <tr class="advisory-row" data-post-id="60226"> <td class="col-severity"> <span class="severity-badge severity-high"> HIGH <span class="cvss-score">7.7</span> </span> </td> <td class="col-id"> <span class="advisory-id" title="CVE-2026-46394"> CVE-2026-46394 </span> </td> <td class="col-title"> <a href="https://zero.redgem.net/?p=60226" class="advisory-title-link"> <h3 class="advisory-title" title="HAX CMS Vulnerable to Command Injection using Git.php_CVE-2026-46394"> <span class="title-text">HAX CMS Vulnerable to Command Injection using Git.php_CVE-2026-46394</span> </h3> <p class="advisory-desc" title="HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0, an OS command injection vulnerability exists in the Git.php library of the HAXcms PHP backend. The application constructs shell command strings using unsanitized input and executes them via proc_open(). An attacker who can control parameters passed into Git operations can execute arbitrary OS commands with the privileges of the web server. Out of 17 functions that invoke shell commands only 1 function (`commit()`) correctly uses `escapeshellarg()`. When combined with another vulnerability that allows configuration manipulation, this issue can lead to full remote code execution and complete system compromise. Version 26.0.0 patches the issue."> <span class="desc-text">HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0, an OS command injection vulnerability exists in the G...</span> </p> </a> </td> <td class="col-vendor"> haxtheweb </td> <td class="col-product"> haxcms-php <span class="product-version">< 26.0.0</span> </td> <td class="col-date"> <time class="advisory-date">Jun 5, 2026</time> </td> <td class="col-type"> <span class="advisory-type type-cve">CVE</span> </td> </tr> <tr class="advisory-row" data-post-id="60225"> <td class="col-severity"> <span class="severity-badge severity-high"> HIGH <span class="cvss-score">7.1</span> </span> </td> <td class="col-id"> <span class="advisory-id" title="CVE-2026-46393"> CVE-2026-46393 </span> </td> <td class="col-title"> <a href="https://zero.redgem.net/?p=60225" class="advisory-title-link"> <h3 class="advisory-title" title="HAXcms createSite SSRF Enables Arbitrary File Read_CVE-2026-46393"> <span class="title-text">HAXcms createSite SSRF Enables Arbitrary File Read_CVE-2026-46393</span> </h3> <p class="advisory-desc" title="HAX CMS helps manage microsite universe with PHP or NodeJs backends. An authenticated Server-Side Request Forgery (SSRF) vulnerability in versions prior to 26.0.0 allows authenticated users to fetch arbitrary internal or local resources and write the responses to a web-accessible directory, enabling arbitrary file read and internal network access. Version 26.0.0 contains a fix."> <span class="desc-text">HAX CMS helps manage microsite universe with PHP or NodeJs backends. An authenticated Server-Side Request Forgery (SSRF) vulnerability in versions ...</span> </p> </a> </td> <td class="col-vendor"> haxtheweb </td> <td class="col-product"> haxcms-nodejs <span class="product-version">< 26.0.0</span> </td> <td class="col-date"> <time class="advisory-date">Jun 5, 2026</time> </td> <td class="col-type"> <span class="advisory-type type-cve">CVE</span> </td> </tr> <tr class="advisory-row" data-post-id="60224"> <td class="col-severity"> <span class="severity-badge severity-high"> HIGH <span class="cvss-score">8.7</span> </span> </td> <td class="col-id"> <span class="advisory-id" title="CVE-2026-46392"> CVE-2026-46392 </span> </td> <td class="col-title"> <a href="https://zero.redgem.net/?p=60224" class="advisory-title-link"> <h3 class="advisory-title" title="HAX CMS PHP Has a Stored XSS via Case-Sensitivity Mismatch in HTML Upload Validation_CVE-2026-46392"> <span class="title-text">HAX CMS PHP Has a Stored XSS via Case-Sensitivity Mismatch in HTML Upload Validation_CVE-2026-46392</span> </h3> <p class="advisory-desc" title="HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0 of HAX CMS PHP, the `saveFile` endpoint validates upload extensions case-insensitively and writes the filename to disk verbatim, but the `.htaccess` rule that forces `Content-Disposition: attachment` on HTML files is case-sensitive. An HTML file uploaded with an uppercase extension (`.HTML`, `.Html`, `.HTM`) is still served as `text/html` but the forced-download header never applies, so the browser renders it inline and executes any embedded JavaScript in the HAXcms origin. This bypasses the mitigation shipped for CVE-2026-22704. Version 26.0.0 contains a fix."> <span class="desc-text">HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0 of HAX CMS PHP, the `saveFile` endpoint validates uplo...</span> </p> </a> </td> <td class="col-vendor"> haxtheweb </td> <td class="col-product"> haxcms-php <span class="product-version">< 26.0.0</span> </td> <td class="col-date"> <time class="advisory-date">Jun 5, 2026</time> </td> <td class="col-type"> <span class="advisory-type type-cve">CVE</span> </td> </tr> <tr class="advisory-row" data-post-id="60223"> <td class="col-severity"> <span class="severity-badge severity-high"> HIGH <span class="cvss-score">8.7</span> </span> </td> <td class="col-id"> <span class="advisory-id" title="CVE-2026-46391"> CVE-2026-46391 </span> </td> <td class="col-title"> <a href="https://zero.redgem.net/?p=60223" class="advisory-title-link"> <h3 class="advisory-title" title="HAX open-apis: Credential Theft via Server-Side Request Forgery (SSRF) in open-apis_CVE-2026-46391"> <span class="title-text">HAX open-apis: Credential Theft via Server-Side Request Forgery (SSRF) in open-apis_CVE-2026-46391</span> </h3> <p class="advisory-desc" title="HAX CMS helps manage microsite universe with PHP or NodeJs backends. Starting in version 9.0.1 and prior to version 26.0.0 of @haxtheweb/open-apis, multiple functions conduct substring-only matching to validate hostnames to which basic authorization should be sent. An attacker can append the matched substrings to an attacker-controlled endpoint and capture authentication. Version 26.0.0 fixes the issue."> <span class="desc-text">HAX CMS helps manage microsite universe with PHP or NodeJs backends. Starting in version 9.0.1 and prior to version 26.0.0 of @haxtheweb/open-apis,...</span> </p> </a> </td> <td class="col-vendor"> haxtheweb </td> <td class="col-product"> @haxtheweb/open-apis <span class="product-version">>= 9.0.1, < 26.0.0</span> </td> <td class="col-date"> <time class="advisory-date">Jun 5, 2026</time> </td> <td class="col-type"> <span class="advisory-type type-cve">CVE</span> </td> </tr> <tr class="advisory-row" data-post-id="60222"> <td class="col-severity"> <span class="severity-badge severity-medium"> MEDIUM <span class="cvss-score">6.9</span> </span> </td> <td class="col-id"> <span class="advisory-id" title="CVE-2026-46390"> CVE-2026-46390 </span> </td> <td class="col-title"> <a href="https://zero.redgem.net/?p=60222" class="advisory-title-link"> <h3 class="advisory-title" title="HAX CMS has Unauthenticated Git Access via User-Controlled Key_CVE-2026-46390"> <span class="title-text">HAX CMS has Unauthenticated Git Access via User-Controlled Key_CVE-2026-46390</span> </h3> <p class="advisory-desc" title="HAX CMS helps manage microsite universe with PHP or NodeJs backends. Starting in version 2.0.0 and prior to version 26.0.0, the gitlist plugin is exposed to unauthenticated users, allowing unauthenticated browsing of git repositories and git history. Version 26.0.0 patches the issue."> <span class="desc-text">HAX CMS helps manage microsite universe with PHP or NodeJs backends. Starting in version 2.0.0 and prior to version 26.0.0, the gitlist plugin is e...</span> </p> </a> </td> <td class="col-vendor"> haxtheweb </td> <td class="col-product"> haxcms-php <span class="product-version">>= 2.0.0, < 26.0.0</span> </td> <td class="col-date"> <time class="advisory-date">Jun 5, 2026</time> </td> <td class="col-type"> <span class="advisory-type type-cve">CVE</span> </td> </tr> <tr class="advisory-row" data-post-id="60221"> <td class="col-severity"> <span class="severity-badge severity-critical"> CRITICAL <span class="cvss-score">10</span> </span> </td> <td class="col-id"> <span class="advisory-id" title="CVE-2026-46389"> CVE-2026-46389 </span> </td> <td class="col-title"> <a href="https://zero.redgem.net/?p=60221" class="advisory-title-link"> <h3 class="advisory-title" title="UDS Identity Config has a client authentication bypass in `ClientIdAndKubernetesSecretAuthenticator`_CVE-2026-46389"> <span class="title-text">UDS Identity Config has a client authentication bypass in `ClientIdAndKubernetesSecretAuthenticator`_CVE-2026-46389</span> </h3> <p class="advisory-desc" title="UDS Identity Config builds the Keycloak configuration image (realm, plugins, theme, truststore, JARs) consumed by UDS Core's Identity deployment. In versions 0.11.0 through 0.26.0, a logic error in the `client-kubernetes-secret` Keycloak client authenticator (shipped by `uds-identity-config` and consumed by UDS Core) causes the submitted `client_secret` to be overwritten with the mounted Kubernetes secret before comparison. An attacker who can reach the Keycloak token endpoint and knows a `client_id` using this authenticator can authenticate as that client with any `client_secret` value and obtain OAuth2 tokens scoped to the client's service account. In the case of the `uds-operator` client this token can be used to registry/modify other clients. Version 0.26.1 patches the issue."> <span class="desc-text">UDS Identity Config builds the Keycloak configuration image (realm, plugins, theme, truststore, JARs) consumed by UDS Core's Identity deployment. I...</span> </p> </a> </td> <td class="col-vendor"> defenseunicorns </td> <td class="col-product"> uds-identity-config <span class="product-version">>= 0.11.0, < 0.26.1</span> </td> <td class="col-date"> <time class="advisory-date">Jun 5, 2026</time> </td> <td class="col-type"> <span class="advisory-type type-cve">CVE</span> </td> </tr> <tr class="advisory-row" data-post-id="60220"> <td class="col-severity"> <span class="severity-badge severity-critical"> CRITICAL <span class="cvss-score">9.8</span> </span> </td> <td class="col-id"> <span class="advisory-id" title="CVE-2026-10580"> CVE-2026-10580 </span> </td> <td class="col-title"> <a href="https://zero.redgem.net/?p=60220" class="advisory-title-link"> <h3 class="advisory-title" title="Hippoo Mobile App for WooCommerce <= 1.9.4 - Unauthenticated Authentication Bypass to Administrator Account Takeover via REST API_CVE-2026-10580"> <span class="title-text">Hippoo Mobile App for WooCommerce <= 1.9.4 - Unauthenticated Authentication Bypass to Administrator Account Takeover via REST API_CVE-2026-10580</span> </h3> <p class="advisory-desc" title="The Hippoo Mobile App for WooCommerce plugin for WordPress is vulnerable to Authentication Bypass leading to Administrator Account Takeover in all versions up to and including 1.9.4. This is due to a logic conflation in HippooPermissions::get_user_permissions(), which returns the same null sentinel for both administrators and unauthenticated visitors — a value that HippooPermissions::has_role_access() unconditionally interprets as full administrator access — causing override_extension_permission_callback() to assign __return_true as the permission callback for every WordPress and WooCommerce REST route cloned under /wc-hippoo/v1/ext/ by HippooControllerWithAuth::re_register_external_routes(), while the block_unauthorized_access() pre-dispatch guard fails to block unauthenticated users for the same reason. This makes it possible for unauthenticated attackers to invoke any core REST endpoint without credentials — most critically, sending a POST request to /wc-hippoo/v1/ext/wp/v2/users/ with a {"password":""} body to reset the password of any WordPress user, including the site administrator, and gain full administrative control of the site."> <span class="desc-text">The Hippoo Mobile App for WooCommerce plugin for WordPress is vulnerable to Authentication Bypass leading to Administrator Account Takeover in all ...</span> </p> </a> </td> <td class="col-vendor"> hippooo </td> <td class="col-product"> Hippoo Mobile App for WooCommerce </td> <td class="col-date"> <time class="advisory-date">Jun 5, 2026</time> </td> <td class="col-type"> <span class="advisory-type type-cve">CVE</span> </td> </tr> </tbody> </table> </div> <nav class="pagination" role="navigation" aria-label="Posts navigation"> <div class="pagination-links"> <a class="prev page-numbers" href="https://zero.redgem.net/?paged=9&page=15&tag=news">← Prev</a> <a class="page-numbers" href="https://zero.redgem.net/?page=15&tag=news">1</a> <span class="page-numbers dots">…</span> <a class="page-numbers" href="https://zero.redgem.net/?paged=8&page=15&tag=news">8</a> <a class="page-numbers" href="https://zero.redgem.net/?paged=9&page=15&tag=news">9</a> <span aria-current="page" class="page-numbers current">10</span> <a class="page-numbers" href="https://zero.redgem.net/?paged=11&page=15&tag=news">11</a> <a class="page-numbers" href="https://zero.redgem.net/?paged=12&page=15&tag=news">12</a> <span class="page-numbers dots">…</span> <a class="page-numbers" href="https://zero.redgem.net/?paged=5999&page=15&tag=news">5,999</a> <a class="next page-numbers" href="https://zero.redgem.net/?paged=11&page=15&tag=news">Next →</a> </div> </nav> <div class="redgem-banner"> <div class="banner-content"> <div class="banner-icon"> <svg width="32" height="32" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1.5"><path d="M12 22s8-4 8-10V5l-8-3-8 3v7c0 6 8 10 8 10z"/><path d="M9 12l2 2 4-4"/></svg> </div> <div class="banner-text"> <h3>Protect Your Attack Surface with RedGem</h3> <p>AI-powered asset discovery, dark web monitoring, CVE alerting, and vulnerability scanning — all in one platform.</p> </div> <div class="banner-actions"> <a href="https://www.redgem.net" class="btn-primary" target="_blank" rel="noopener">Start Free Trial</a> <a href="https://www.redgem.net/demo" class="btn-secondary" target="_blank" rel="noopener">Request Demo</a> </div> </div> </div> </div> </div> </main><!-- #primary --> </div><!-- #content --> <footer id="colophon" class="site-footer"> <div class="footer-accent"></div> <div class="container"> <div class="footer-top"> <div class="footer-brand"> <div class="footer-logo"> <img src="https://www.redgem.net/logo.png" alt="zero redgem" width="100" height="80" class="footer-logo-img" /> </div> <p class="footer-tagline">Your trusted source for security vulnerabilities, exploits, and CVE intelligence. Part of the RedGem security platform.</p> <div class="footer-social"> <a href="#" aria-label="Twitter" title="Follow us on Twitter"> <svg width="16" height="16" viewBox="0 0 24 24" fill="currentColor"><path d="M18.244 2.25h3.308l-7.227 8.26 8.502 11.24H16.17l-5.214-6.817L4.99 21.75H1.68l7.73-8.835L1.254 2.25H8.08l4.713 6.231zm-1.161 17.52h1.833L7.084 4.126H5.117z"/></svg> </a> <a href="#" aria-label="GitHub" title="View on GitHub"> <svg width="16" height="16" viewBox="0 0 24 24" fill="currentColor"><path d="M12 0c-6.626 0-12 5.373-12 12 0 5.302 3.438 9.8 8.207 11.387.599.111.793-.261.793-.577v-2.234c-3.338.726-4.033-1.416-4.033-1.416-.546-1.387-1.333-1.756-1.333-1.756-1.089-.745.083-.729.083-.729 1.205.084 1.839 1.237 1.839 1.237 1.07 1.834 2.807 1.304 3.492.997.107-.775.418-1.305.762-1.604-2.665-.305-5.467-1.334-5.467-5.931 0-1.311.469-2.381 1.236-3.221-.124-.303-.535-1.524.117-3.176 0 0 1.008-.322 3.301 1.23A11.509 11.509 0 0112 5.803c1.02.005 2.047.138 3.006.404 2.291-1.552 3.297-1.23 3.297-1.23.653 1.653.242 2.874.118 3.176.77.84 1.235 1.911 1.235 3.221 0 4.609-2.807 5.624-5.479 5.921.43.372.823 1.102.823 2.222v3.293c0 .319.192.694.801.576C20.566 21.797 24 17.3 24 12c0-6.627-5.373-12-12-12z"/></svg> </a> <a href="https://zero.redgem.net/?feed=rss2" aria-label="RSS Feed" title="RSS Feed"> <svg width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="M4 11a9 9 0 0 1 9 9"/><path d="M4 4a16 16 0 0 1 16 16"/><circle cx="5" cy="19" r="1"/></svg> </a> </div> </div> <div class="footer-links-grid"> <div class="footer-section"> <h4>Quick Links</h4> <ul> <li><a href="https://zero.redgem.net/">Home</a></li> <li><a href="https://zero.redgem.net/?s=">Search</a></li> </ul> </div> <div class="footer-section"> <h4>RedGem Platform</h4> <ul> <li><a href="https://www.redgem.net" target="_blank" rel="noopener">Main Platform</a></li> <li><a href="https://www.redgem.net" target="_blank" rel="noopener">Asset Discovery</a></li> <li><a href="https://www.redgem.net" target="_blank" rel="noopener">Leakage Detection</a></li> <li><a href="https://www.redgem.net" target="_blank" rel="noopener">Vulnerability Scanners</a></li> </ul> </div> <div class="footer-section"> <h4>Security Resources</h4> <ul> <li><a href="https://cve.mitre.org/" target="_blank" rel="noopener">CVE Database</a></li> <li><a href="https://nvd.nist.gov/" target="_blank" rel="noopener">NVD</a></li> <li><a href="https://www.exploit-db.com/" target="_blank" rel="noopener">Exploit-DB</a></li> <li><a href="https://www.securityfocus.com/" target="_blank" rel="noopener">SecurityFocus</a></li> </ul> </div> </div> </div> <div class="footer-bottom"> <div class="footer-info"> <p>© 2026 zero redgem. All rights reserved.</p> <p>Powered by <a href="https://wordpress.org/" target="_blank" rel="noopener">WordPress</a> · RedGem Security Theme</p> </div> <div class="footer-badges"> <span class="footer-badge"> <svg width="12" height="12" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><path d="M12 22s8-4 8-10V5l-8-3-8 3v7c0 6 8 10 8 10z"/></svg> Secured </span> <span class="footer-badge"> <svg width="12" height="12" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><path d="M22 11.08V12a10 10 0 1 1-5.93-9.14"/><polyline points="22 4 12 14.01 9 11.01"/></svg> Verified Data </span> </div> </div> </div> </footer> </div><!-- #page --> <script id="security-news-script-js-extra"> var securityNewsAjax = {"ajaxurl":"//zero.redgem.net/wp-admin/admin-ajax.php","nonce":"3c802768c6"}; //# sourceURL=security-news-script-js-extra </script> <script src="https://zero.redgem.net/wp-content/themes/security-news/js/theme.js?ver=2.14.0" id="security-news-script-js"></script> <script id="wp-emoji-settings" type="application/json"> {"baseUrl":"https://s.w.org/images/core/emoji/17.0.2/72x72/","ext":".png","svgUrl":"https://s.w.org/images/core/emoji/17.0.2/svg/","svgExt":".svg","source":{"concatemoji":"https://zero.redgem.net/wp-includes/js/wp-emoji-release.min.js?ver=6.9.4"}} </script> <script type="module"> /! This file is auto-generated / const a=JSON.parse(document.getElementById("wp-emoji-settings").textContent),o=(window._wpemojiSettings=a,"wpEmojiSettingsSupports"),s=["flag","emoji"];function i(e){try{var t={supportTests:e,timestamp:(new Date).valueOf()};sessionStorage.setItem(o,JSON.stringify(t))}catch(e){}}function c(e,t,n){e.clearRect(0,0,e.canvas.width,e.canvas.height),e.fillText(t,0,0);t=new Uint32Array(e.getImageData(0,0,e.canvas.width,e.canvas.height).data);e.clearRect(0,0,e.canvas.width,e.canvas.height),e.fillText(n,0,0);const a=new Uint32Array(e.getImageData(0,0,e.canvas.width,e.canvas.height).data);return t.every((e,t)=>e===a[t])}function p(e,t){e.clearRect(0,0,e.canvas.width,e.canvas.height),e.fillText(t,0,0);var n=e.getImageData(16,16,1,1);for(let e=0;e<n.data.length;e++)if(0!==n.data[e])return!1;return!0}function u(e,t,n,a){switch(t){case"flag":return n(e,"\ud83c\udff3\ufe0f\u200d\u26a7\ufe0f","\ud83c\udff3\ufe0f\u200b\u26a7\ufe0f")?!1:!n(e,"\ud83c\udde8\ud83c\uddf6","\ud83c\udde8\u200b\ud83c\uddf6")&&!n(e,"\ud83c\udff4\udb40\udc67\udb40\udc62\udb40\udc65\udb40\udc6e\udb40\udc67\udb40\udc7f","\ud83c\udff4\u200b\udb40\udc67\u200b\udb40\udc62\u200b\udb40\udc65\u200b\udb40\udc6e\u200b\udb40\udc67\u200b\udb40\udc7f");case"emoji":return!a(e,"\ud83e\u1fac8")}return!1}function f(e,t,n,a){let r;const o=(r="undefined"!=typeof WorkerGlobalScope&&self instanceof WorkerGlobalScope?new OffscreenCanvas(300,150):document.createElement("canvas")).getContext("2d",{willReadFrequently:!0}),s=(o.textBaseline="top",o.font="600 32px Arial",{});return e.forEach(e=>{s[e]=t(o,e,n,a)}),s}function r(e){var t=document.createElement("script");t.src=e,t.defer=!0,document.head.appendChild(t)}a.supports={everything:!0,everythingExceptFlag:!0},new Promise(t=>{let n=function(){try{var e=JSON.parse(sessionStorage.getItem(o));if("object"==typeof e&&"number"==typeof e.timestamp&&(new Date).valueOf()<e.timestamp+604800&&"object"==typeof e.supportTests)return e.supportTests}catch(e){}return null}();if(!n){if("undefined"!=typeof Worker&&"undefined"!=typeof OffscreenCanvas&&"undefined"!=typeof URL&&URL.createObjectURL&&"undefined"!=typeof Blob)try{var e="postMessage("+f.toString()+"("+[JSON.stringify(s),u.toString(),c.toString(),p.toString()].join(",")+"));",a=new Blob([e],{type:"text/javascript"});const r=new Worker(URL.createObjectURL(a),{name:"wpTestEmojiSupports"});return void(r.onmessage=e=>{i(n=e.data),r.terminate(),t(n)})}catch(e){}i(n=f(s,u,c,p))}t(n)}).then(e=>{for(const n in e)a.supports[n]=e[n],a.supports.everything=a.supports.everything&&a.supports[n],"flag"!==n&&(a.supports.everythingExceptFlag=a.supports.everythingExceptFlag&&a.supports[n]);var t;a.supports.everythingExceptFlag=a.supports.everythingExceptFlag&&!a.supports.flag,a.supports.everything\|\|((t=a.source\|\|{}).concatemoji?r(t.concatemoji):t.wpemoji&&t.twemoji&&(r(t.twemoji),r(t.wpemoji)))}); //# sourceURL=https://zero.redgem.net/wp-includes/js/wp-emoji-loader.min.js </script> </body> </html>

Recent Advisories

Authenticated Remote Code Execution via File Overwrite_CVE-2026-46399