In WooCommerce version 7.1.0 a critical severity vulnerability CVE-2022-50972 was detected. This vulnerability allows an attacker to execute arbitrary PHP code and write malicious PHP files directly to the web root. This occurs due to improper sanitization of the product-type parameter within the class-wc-meta-box-product-images.php endpoint, which permits the injection of shell commands. To address this issue, users should upgrade WooCommerce to a patched version 7.1.1 or higher. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2022-50972.
In OpenVPN versions 2.6.0 through 2.6.19 and 2.7_alpha1 through 2.7.1 a medium severity vulnerability CVE-2026-40215 was detected. This vulnerability allows remote attackers to potentially cause a server crash (Denial of Service) or leak sensitive heap memory. This occurs due to a race condition triggered during TLS session promotion, which leads to a use-after-free vulnerability. To address this issue, users should upgrade OpenVPN to a patched version 2.6.20 or 2.7.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-40215.
In Umbraco CMS versions 14.0.0 to before 17.4.0 a medium severity vulnerability CVE-2026-46609 was detected. This vulnerability allows an authenticated attacker to inject arbitrary HTML or execute malicious JavaScript in the context of another user’s browser (Stored XSS / HTML Injection). This occurs because the Umbraco Backoffice confirmation dialog fails to properly apply output encoding to user-supplied data from an input field before rendering it. If an attacker injects a malicious payload, it will be executed or displayed when an administrator or another user triggers the affected confirmation dialog. To address this issue, users should upgrade Umbraco CMS to version 17.4.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-46609.
In Joomla! Core versions 3.9.0 up to and including 5.4.5 and 6.0.0 up to and including 6.1.0 a critical severity vulnerability CVE-2026-48902 was detected. This vulnerability may allow network attackers to intercept sensitive account recovery tokens. This occurs because the password and username reset features improperly generate plain HTTP links, even for HTTPS connections, if the “Force SSL” configuration flag is not explicitly enabled. As a result, the reset links are transmitted without transport encryption, potentially leading to unauthorized account access. To address this issue, users should upgrade Joomla! Core to version 5.4.6 or 6.1.1 (or later) or explicitly enable the “Force SSL” setting. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-48902.
In OpenVPN versions 2.6.0 through 2.6.19 and 2.7_alpha1 through 2.7.1 a medium severity vulnerability CVE-2026-35058 was detected. This vulnerability allows an authenticated attacker to cause a Denial of Service (DoS) by crashing the application. This occurs due to improper validation of packet length during the tls-crypt-v2 key extraction process. By sending a specially crafted packet, an attacker can trigger a fatal assertion, which leads to the termination of the service. To address this issue, users should upgrade OpenVPN to a patched version 2.6.20 or 2.7.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-35058.
In Joomla! Core versions 4.0.0 through 5.4.5 and 6.0.0 through 6.1.0 a high severity vulnerability CVE-2026-48901 was detected. This vulnerability may allow attackers to bypass intended security filters. This occurs because the InputFilter::getInstance() method improperly omits a security-sensitive parameter when constructing the instance cache key. As a result, an incorrectly configured filter object might be retrieved from the cache and reused in a different context, potentially leading to inadequate content filtering and subsequent security issues. To address this issue, users should upgrade Joomla! Core to version 5.4.6 or 6.1.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-48901.
In Ghost versions 3.24.0 through 6.19.0 a critical severity vulnerability CVE-2026-26980 was detected. This vulnerability allows an unauthenticated attacker to perform arbitrary reads from the database. This occurs due to a SQL Injection flaw within the Content API. A public exploit for this issue is currently available. To address this issue, users should upgrade Ghost to version 6.19.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-26980.
In PrivateTunnel versions prior to 3.0 and OpenVPN Connect versions prior to 3.1 on Windows a medium severity vulnerability CVE-2014-5455 was detected. This vulnerability allows a local user to gain elevated privileges. This occurs due to an unquoted Windows search path vulnerability in the ptservice service, which enables an attacker to execute arbitrary code by placing a specially crafted program.exe file in the %SYSTEMDRIVE% folder. To address this issue, users should upgrade PrivateTunnel to version 3.0 and OpenVPN Connect to version 3.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2014-5455.
In Joomla! Framework versions 1.0.0 through 3.0.5 and versions 4.0.0 through 4.0.1 a medium severity vulnerability CVE-2026-48903 was detected. This vulnerability allows an attacker to execute arbitrary malicious scripts (Cross-Site Scripting, XSS) in the context of the victim’s browser. This occurs due to inadequate content filtering within the checkAttribute methods, which affects various components. To address this issue, users should upgrade Joomla! Framework to version 5.4.6. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-48903.