In Dolibarr versions 22.0.4 and prior a medium severity vulnerability CVE-2026-34036 was detected. This vulnerability allows an authenticated user with no specific privileges to read arbitrary non-PHP files on the server (e.g., .env, .htaccess, configuration backups, logs) by exploiting a Local File Inclusion (LFI) flaw in the `/core/ajax/selectobject.php` endpoint via the `objectdesc` parameter and a fail-open logic in the `restrictedArea()` access control function. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-34036.
Read more ERPIn Ghost versions 5.101.6 to 6.19.2 a high severity vulnerability CVE-2026-29784 was detected. This vulnerability allows attackers to exploit incomplete CSRF protections around the /session/verify endpoint, enabling the use of one-time codes (OTCs) in login sessions different from the requesting session. In some scenarios, this could have made it easier for phishers to take over a Ghost site. To address this issue, users should upgrade Ghost to version 6.19.3. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-29784.
Read more CMSIn Dolibarr ERP/CRM version 10.0.1 a high severity vulnerability CVE-2019-25450 was detected. This vulnerability allows authenticated attackers to execute arbitrary SQL queries via POST parameters such as `actioncode`, `demand_reason_id`, and `availability_id` in the `card.php` endpoint, potentially exposing sensitive database information through boolean-based blind, error-based, or time-based blind SQL injection techniques. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2019-25450.
Read more ERPIn FreeScout versions prior to 1.8.206 a critical severity vulnerability CVE-2026-27637 was detected. This vulnerability allows attackers to compute predictable authentication tokens using `MD5(user_id + created_at + APP_KEY)`, enabling full account takeover, including administrative accounts, without requiring a password. To address this issue, users should upgrade FreeScout to version 1.8.206 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-27637.
Read more Customer ServiceIn FreeScout versions prior to 1.8.206 a critical severity vulnerability CVE-2026-27636 was detected. This vulnerability allows authenticated users to upload `.htaccess` files on Apache servers with `AllowOverride All`, bypassing file upload restrictions and enabling remote code execution. To address this issue, users should upgrade FreeScout to version 1.8.206 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-27636.
Read more Customer ServiceIn PrestaShop versions prior to 8.2.4 and 9.0.3 a medium severity vulnerability CVE-2026-25597 was detected. This vulnerability allows attackers to perform time-based user enumeration in the front-office login form by measuring response time differences to determine whether a customer account exists. To address this issue, users should upgrade PrestaShop to versions 8.2.4, 9.0.3 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-25597.
Read more E-commerceIn Code Snippets plugin for WordPress versions up to and including 3.9.4 a medium severity vulnerability CVE-2026-1785 was detected. This vulnerability allows unauthenticated attackers to perform Cross-Site Request Forgery (CSRF) against logged-in administrators, forcing them to download or update cloud snippets without their consent due to missing nonce validation in the `Cloud_Search_List_Table` class. To address this issue, users should upgrade Code Snippets plugin to version 3.9.5 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-1785.
Read more CMSIn WP FOFT Loader plugin for WordPress versions up to and including 2.1.39 a high severity vulnerability CVE-2026-1756 was detected. This vulnerability allows authenticated attackers with Author-level access or higher to upload arbitrary files due to improper file type validation in the `WP_FOFT_Loader_Mimes::file_and_ext` function, potentially enabling remote code execution on the affected site. To address this issue, users should upgrade WP FOFT Loader plugin to version 2.1.40 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-1756.
Read more CMSIn WaveSurfer-WP plugin for WordPress versions up to and including 2.8.3 a high severity vulnerability CVE-2026-1909 was detected. This vulnerability allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts via the plugin’s audio shortcode `src` attribute, potentially executing scripts whenever a user accesses the affected page. To address this issue, users should upgrade WaveSurfer-WP plugin to version 2.8.4 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-1909.
Read more CMS