Cybersecurity & Regolamentazione UE

News & Sicurezza

Aggiornamenti da ENISA, NVD e le principali fonti di cybersecurity europee. Tutto quello che un Responsabile Tecnico deve sapere.

25436 risultati

VulnerabilitàAlta
CVE-2026-46331 - net/sched: fix pedit partial COW leading to page cache corruption

CVE ID :CVE-2026-46331 Published : June 16, 2026, 8:16 a.m. | 1 hour, 25 minutes ago Description :In the Linux kernel, the following vulnerability has been resolved: net/sched: fix pedit partial COW leading to page cache corruption tcf_pedit_act() computes the COW range for skb_ensure_writable() once before the key loop using tcfp_off_max_hint, but the hint does not account for the runtime header offset added by typed keys. This can leave part of the write region un-COW'd. Fix by moving skb_ensure_writable() inside the per-key loop where the actual write offset is known, and add overflow checking on the offset arithmetic. For negative offsets (e.g. Ethernet header edits at ingress), use skb_cow() to COW the headroom instead. Guard offset_valid() against INT_MIN, where negation is undefined. Severity: 0.0 | NA Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVEfeed CVE16 giu 2026
VulnerabilitàAlta
CVE-2026-10093 - File Sharing & Download Manager <= 2.1.6 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'fldr_ttl' Parameter

CVE ID :CVE-2026-10093 Published : June 16, 2026, 8:16 a.m. | 1 hour, 25 minutes ago Description :The File Sharing & Download Manager – User Private Files plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'fldr_ttl' parameter in all versions up to, and including, 2.1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Severity: 6.4 | MEDIUM Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVEfeed CVE16 giu 2026
VulnerabilitàAlta
CVE-2025-9912 - A local privilege escalation vulnerability in Nokia SR Linux

CVE ID :CVE-2025-9912 Published : June 16, 2026, 8:16 a.m. | 1 hour, 25 minutes ago Description :Nokia SR Linux is vulnerable to a local privilege escalation vulnerability. Successful exploitation of this vulnerability may allow an authenticated user to execute arbitrary commands with superuser privilege. Severity: 0.0 | NA Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVEfeed CVE16 giu 2026
News
Cisco dicht actief misbruikt Catalyst SD-WAN-lek dat aanvaller root maakt

Cisco dicht actief misbruikt Catalyst SD-WAN-lek dat aanvaller root maakt Cisco is met een beveiligingsupdate gekomen voor een actief misbruikte kwetsbaarheid in de Catalyst SD-WAN Manager waardoor een geauthenticeerde aanvaller root kan worden. Het probleem (CVE-2026-20262 ... Read more Published Date: Jun 16, 2026 (3 days, 2 hours ago) Vulnerabilities has been mentioned in this article. CVE-2026-20262

CVEfeed Newsroom16 giu 2026
News
Critical SearchLeak Flaw in Microsoft 365 Copilot Exposed Sensitive Enterprise Data

Critical SearchLeak Flaw in Microsoft 365 Copilot Exposed Sensitive Enterprise Data A newly disclosed SearchLeak vulnerability in Microsoft 365 Copilot Enterprise exposed a critical pathway for attackers to steal sensitive organizational data through a specially crafted URL. The flaw ... Read more Published Date: Jun 16, 2026 (3 days ago) Vulnerabilities has been mentioned in this article. CVE-2026-20253 CVE-2026-42824

CVEfeed Newsroom16 giu 2026
VulnerabilitàAlta
CVE-2026-8443 (CVSS 8.8)

The WP Review Slider Pro plugin for WordPress is vulnerable to SQL Injection via the 'stypes' and 'slocations' parameters of the wppro_get_overall_chart_data AJAX action in versions up to, and including, 12.6.8. This is due to the use of stripslashes() on user-supplied JSON strings prior to json_decode(), which removes the escaping applied by WordPress's wp_magic_quotes; the resulting decoded array values are then concatenated directly into SQL WHERE clauses without parameterization, and the constructed query is executed via $wpdb->get_results() without $wpdb->prepare(). This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The handler also returns the executed SQL string in its JSON response, which simplifies oracle construction for blind exploitation.

NVD (NIST)16 giu 2026
VulnerabilitàAlta
CVE-2026-6933 (CVSS 8.8)

The Premmerce Dev Tools plugin for WordPress is vulnerable to Remote Code Execution via missing authorization in versions up to and including 2.0. This is due to the 'generatePluginHandler' function lacking any authorization check before processing user-supplied POST data, combined with the 'createFromStub' function performing unsanitized string substitution of the 'premmerce_plugin_namespace' parameter directly into PHP stub files written to the wp-content/plugins/ directory. An attacker can inject a semicolon followed by arbitrary PHP code into the namespace parameter, causing the generated plugin file to contain and execute that code when accessed via HTTP. This makes it possible for authenticated attackers with Subscriber-level access and above to create arbitrary PHP files on the server and achieve remote code execution.

NVD (NIST)16 giu 2026
VulnerabilitàAlta
CVE-2026-9187 - Abandoned Contact Form 7 <= 2.2 - Missing Authorization to Unauthenticated Arbitrary Post Deletion via 'recover_id' Parameter

CVE ID :CVE-2026-9187 Published : June 16, 2026, 6:16 a.m. | 3 hours, 25 minutes ago Description :The Abandoned Contact Form 7 plugin for WordPress is vulnerable to unauthorized arbitrary post deletion in versions up to, and including, 2.2. This is due to a missing capability check and missing nonce validation in the action__remove_abandoned() function, which is registered to both the wp_ajax_remove_abandoned and wp_ajax_nopriv_remove_abandoned hooks. The handler takes a user-supplied recover_id parameter from $_POST and passes it directly to wp_delete_post() with the force-delete flag set to true, without verifying that the ID belongs to the plugin's own cf7af_data post type. This makes it possible for unauthenticated attackers to permanently delete arbitrary posts, pages, or other content on the affected site by sending a single admin-ajax. Severity: 5.3 | MEDIUM Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVEfeed CVE16 giu 2026
VulnerabilitàAlta
CVE-2026-5149 - RTMKit <= 2.0.7 - Authenticated (Contributor+) Missing Authorization to Arbitrary Form Submission Access via 'entries_id' Parameter

CVE ID :CVE-2026-5149 Published : June 16, 2026, 6:16 a.m. | 3 hours, 25 minutes ago Description :The RTMKit plugin for WordPress is vulnerable to Incorrect Authorization in all versions up to, and including, 2.0.7 This is due to the get_submission_content AJAX endpoint lacking a capability check to verify that a user has permission to access the requested form submission data. This makes it possible for authenticated attackers, with Contributor-level access and above, to view arbitrary form submissions from other users by iterating the entries_id parameter. Severity: 6.5 | MEDIUM Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVEfeed CVE16 giu 2026
VulnerabilitàAlta
CVE-2026-50255 - Optical Disc Archive Software Privilege Escalation

CVE ID :CVE-2026-50255 Published : June 16, 2026, 6:16 a.m. | 3 hours, 25 minutes ago Description :Incorrect default permissions issue exists in Optical Disc Archive Software for Windows 5.5.3 and earlier. If this vulnerability is exploited, arbitrary code may be executed with SYSTEM privileges. Severity: 6.7 | MEDIUM Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVEfeed CVE16 giu 2026
VulnerabilitàAlta
CVE-2026-8443 - WP Review Slider Pro <= 12.6.8 - Authenticated (Subscriber+) SQL Injection via 'stypes' Parameter

CVE ID :CVE-2026-8443 Published : June 16, 2026, 6:16 a.m. | 3 hours, 25 minutes ago Description :The WP Review Slider Pro plugin for WordPress is vulnerable to SQL Injection via the 'stypes' and 'slocations' parameters of the wppro_get_overall_chart_data AJAX action in versions up to, and including, 12.6.8. This is due to the use of stripslashes() on user-supplied JSON strings prior to json_decode(), which removes the escaping applied by WordPress's wp_magic_quotes; the resulting decoded array values are then concatenated directly into SQL WHERE clauses without parameterization, and the constructed query is executed via $wpdb->get_results() without $wpdb->prepare(). This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The handler also returns the executed SQL string in its JSON response, which simplifies oracle construction for blind exploitation. Severity: 8.8 | HIGH Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVEfeed CVE16 giu 2026
VulnerabilitàAlta
CVE-2026-10780 - Static Block <= 2.2 - Insecure Direct Object Reference to Authenticated (Contributor+) Sensitive Information Disclosure via Shortcode 'id' Attribute

CVE ID :CVE-2026-10780 Published : June 16, 2026, 6:16 a.m. | 3 hours, 25 minutes ago Description :The Static Block plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2. This is due to the static_block_content() shortcode handler retrieving a post via get_post() using an attacker-supplied 'id' attribute and outputting its post_content without verifying the post's status (private, draft, pending) or the requesting user's capability to view it. This makes it possible for authenticated attackers, with contributor-level access and above, to read the contents of arbitrary posts, including private and draft static blocks (and any other post type) created by administrators, by embedding the [static_block_content id="X"] shortcode in their own content and previewing it. Severity: 4.3 | MEDIUM Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVEfeed CVE16 giu 2026

Pagina 293 di 2120

Resta aggiornato sulla cybersecurity

Iscriviti a CodersRegistry per ricevere gli aggiornamenti più importanti su regolamentazione EU e vulnerabilità critiche.