2026-04-09 Daily Vulns
NEW:
| CVE | vendor - product | description | metric | reference links | SSVC | title | GithubURL |
|---|---|---|---|---|---|---|---|
| CVE-2025-14243 | Red Hat - mirror registry for Red Hat OpenShift; Red Hat - mirror registry for Red Hat OpenShift 2 | A flaw was found in the OpenShift Mirror Registry. This vulnerability allows an unauthenticated, remote attacker to enumerate valid usernames and email addresses via different error messages during authentication failures and account creation. | CVSS3.1: 5.3 - MEDIUM | 0 1 | Exploitation: none; Automatable: yes; Technical Impact: partial | Mirror-registry: openshift mirror registry: user enumeration via authentication error messages | github |
| CVE-2025-14732 | elemntor - Elementor Website Builder – more than just a page builder | The Elementor Website Builder – More Than Just a Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several widget parameters in all versions up to, and including, 3.35.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | CVSS3.1: 6.4 - MEDIUM | 0 1 2 | Exploitation: none; Automatable: no; Technical Impact: partial | Elementor Website Builder <= 3.35.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via REST API | github |
| CVE-2021-4473 | Beijing Topsec Network Security Technology Co., Ltd. - Tianxin Internet Behavior Management System | Tianxin Internet Behavior Management System contains a command injection vulnerability in the Reporter component endpoint that allows unauthenticated attackers to execute arbitrary commands by supplying a crafted objClass parameter containing shell metacharacters and output redirection. Attackers can exploit this vulnerability to write malicious PHP files into the web root and achieve remote code execution with the privileges of the web server process. This vulnerability has been fixed in version NACFirmware_4.0.0.7_20210716.180815_topsec_0_basic.bin. Exploitation evidence was first observed by the Shadowserver Foundation on 2024-06-01 (UTC). | CVSS4.0: 9.3 - CRITICAL; CVSS3.1: 9.8 - CRITICAL | 0 1 2 3 4 | Exploitation: none; Automatable: yes; Technical Impact: total | Tianxin Internet Behavior Management System Command Injection via toQuery.php | github |
| CVE-2026-1673 | realmag777 - BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net | The BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.5. This is due to missing nonce validation on the woobe_delete_tax_term() function. This makes it possible for unauthenticated attackers to delete WooCommerce taxonomy terms (categories, tags, etc.) via a forged request, granted they can trick a site administrator or shop manager into performing an action such as clicking on a link. | CVSS3.1: 4.3 - MEDIUM | 0 1 2 3 | Exploitation: none; Automatable: no; Technical Impact: partial | BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net <= 1.1.5 - Cross-Site Request Forgery to Taxonomy Term Deletion | github |
This post is licensed under CC BY 4.0 by the author.