The The Events Calendar plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to an improper capability check on the 'can_edit' and 'can_delete' function in all versions up to, and including, 6.15.16. This makes it possible for authenticated attackers, with Contributor-level access and above, to update or trash events, organizers and venues via REST API.

CVE Database V5

Detailed information about CVE-2026-2694: CWE-285 Improper Authorization in stellarwp The Events Calendar affecting stellarwp The Events Calendar. Get real-time

CVE-2026-2694: CWE-285 Improper Authorization in stellarwp The Events Calendar - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2026-2694: CWE-285 Improper Authorization in stellarwp The Events Calendar

Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, a reflected HTML injection vulnerability exists in the Projects module where the `filter` URL parameter is rendered into the DOM without output encoding when the user clicks "Filter." While `<script>` and `<iframe>` are blocked, `<svg>`, `<a>`, and formatting tags (`<h1>`, `<b>`, `<u>`) render without restriction — enabling SVG-based phishing buttons, external redirect links, and content spoofing within the trusted application origin. Version 2.0.0 fixes this issue.

Detailed information about CVE-2026-27116: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in go-vikunja vikunja af

CVE-2026-27116: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in go-vikunja vikunja - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2026-27116: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in go-vikunja vikunja

LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. Starting in version 24.0.0 and prior to versions 26.0.5, 27.0.2, and 28.0.0, an authenticated user with the appropriate authorization can read configuration files on the server by exploiting a path traversal vulnerability. Some of these files contain hard-coded credentials. The vulnerability allows an attacker to read configuration files containing hard-coded credentials. The attacker could then authenticate to the database or other services if those credentials are reused. The attacker must be authenticated and have the required permissions. However, the vulnerability is easy to exploit and the application source code is public. This problem is fixed in LORIS v26.0.5 and v27.0.2 and above, and v28.0.0 and above. As a workaround, the electrophysiogy_browser in LORIS can be disabled by an administrator using the module manager.

Detailed information about CVE-2026-26985: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in aces Loris affecting aces L

CVE-2026-26985: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in aces Loris - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2026-26985: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in aces Loris

Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, the restoreConfig function in vikunja/pkg/modules/dump/restore.go of the go-vikunja/vikunja repository fails to sanitize file paths within the provided ZIP archive. A maliciously crafted ZIP can bypass the intended extraction directory to overwrite arbitrary files on the host system. Additionally, we’ve discovered that a malformed archive triggers a runtime panic, crashing the process immediately after the database has been wiped permanently. The application trusts the metadata in the ZIP archive. It uses the Name attribute of the zip.File struct directly in os.OpenFile calls without validation, allowing files to be written outside the intended directory. The restoration logic assumes a specific directory structure within the ZIP. When provided with a "minimalist" malicious ZIP, the application fails to validate the length of slices derived from the archive contents. Specifically, at line 154, the code attempts to access an index of len(ms)-2 on an insufficiently populated slice, triggering a panic. Version 2.0.0 fixes the issue.

Detailed information about CVE-2026-27819: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in go-vikunja vikunja affectin

CVE-2026-27819: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in go-vikunja vikunja - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2026-27819: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in go-vikunja vikunja

Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, the application allows users to upload SVG files as task attachments. SVG is an XML-based format that supports JavaScript execution through elements such as <script> tags or event handlers like onload. The application does not sanitize SVG content before storing it. When the uploaded SVG file is accessed via its direct URL, it is rendered inline in the browser under the application's origin. As a result, embedded JavaScript executes in the context of the authenticated user. Because the authentication token is stored in localStorage, it is accessible via JavaScript and can be retrieved by a malicious payload. Version 2.0.0 patches this issue.

Detailed information about CVE-2026-27616: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in go-vikunja vikunja af

CVE-2026-27616: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in go-vikunja vikunja - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2026-27616: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in go-vikunja vikunja

Detailed information about CVE-2024-30733. Get real-time updates, technical details, and mitigation strategies.

CVE-2024-30733

CVE-2024-30733

Technical Details

Community Reviews

Related Threats

CVE-2026-2694: CWE-285 Improper Authorization in stellarwp The Events Calendar

CVE-2026-27116: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in go-vikunja vikunja

CVE-2026-26985: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in aces Loris

CVE-2026-27819: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in go-vikunja vikunja

CVE-2026-27616: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in go-vikunja vikunja

Actions

External Links

Need more coverage?

Latest Threats

Keyboard Shortcuts

Navigation

Search & Filters

UI Controls

Accessibility