CVE Vulnerabilities - 28 February 2026
34 vulnerabilities published on 28 February 2026
wpForo: Unauthenticated SQL Injection via Unquoted Identifiers
CVE-2026-28562
wpForo 2.4.14 contains an unauthenticated SQL injection vulnerability in Topics::get_topics() where the ORDER BY clause relies on ineffective esc_sql(...
Severity: 8.8
Vikunja Vulnerable to Account Takeover via Password Reset Token Reuse
CVE-2026-28268
GHSA-rfjg-6m84-crj2
Summary: A critical business logic vulnerability exists in the password reset mechanism of vikunja/api that allows password reset tokens to be reus...
Severity: 9.8
Tenda F453 Router: Remote Code Execution Vulnerability
CVE-2026-3376
A security vulnerability has been detected in Tenda F453 1.0.0.3. Affected by this vulnerability is the function fromSafeMacFilter of the file /goform...
Severity: 7.4
Jackson JSON Parser Can Crash from Extremely Long Numbers
GHSA-72hv-8253-57qq
Summary: The non-blocking (async) JSON parser in `jackson-core` bypasses the `maxNumberLength` constraint (default: 1000 characters) defined in `St...
Severity: 8.7
Fastify Middie Authentication Bypass via Specially Crafted URLs
CVE-2026-2880
GHSA-8p85-9qpw-fwgw
Summary: A path normalization inconsistency in `@fastify/middie` can result in authentication/authorization bypass when using path-scoped middleware...
Severity: 8.2
serialize-javascript allows malicious JavaScript to be injected via RegExp and Date
GHSA-5c6j-r48x-rmvq
Impact: The serialize-javascript npm package (versions <= 7.0.2) contains a code injection vulnerability. It is an incomplete fix for CVE-2020-766...
Severity: 8.1
TimePictra Missing Authentication for Critical Configuration Changes
CVE-2026-2844
Missing Authentication for Critical Function vulnerability in Microchip TimePictra allows Configuration/Environment Manipulation. This issue affects Ti...
Severity: 9.3
Tutor LMS Coupon Code Field Allows Unauthorized Database Access
CVE-2025-13673
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to SQL Injection via the 'coupon_code' parameter in all versio...
Severity: 7.5
WP Mail Logging Plugin for WordPress: Untrusted Input Can Execute Malicious Code
CVE-2026-2471
The WP Mail Logging plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.15.0 via deserialization of unt...
Severity: 7.5
osctrl Software Allows Hackers to Execute Commands on Endpoints
CVE-2026-28279
GHSA-rchw-322g-f7rm
Summary: An OS command injection vulnerability exists in the `osctrl-admin` environment configuration. An authenticated administrator can inject ar...
Severity: 7.4
PMD Designer has Stored XSS in VBHTMLRenderer and YAHTMLRenderer via unescaped violation messages
CVE-2026-28338
GHSA-8rr6-2qw5-pc7r
Summary: PMD's `vbhtml` and `yahtml` report formats insert rule violation messages into HTML output without escaping. When PMD analyzes untrusted s...
Severity: 6.8
wpForo Forum Missing Capability Check Allows User Group Tampering
CVE-2026-28557
wpForo Forum 2.4.14 contains a missing capability check vulnerability that allows authenticated users to trigger bulk wpForo usergroup reassignment vi...
Severity: 7.1
Super Stage WP WordPress plugin allows unauthenticated PHP code execution
CVE-2026-1542
The Super Stage WP WordPress plugin through 1.0.1 unserializes user input via REQUEST, which could allow unauthenticated users to perform PHP Object I...
Severity: 6.5
TimePictra: Malicious Code Can Run on Website
CVE-2026-3010
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Microchip TimePictra allows Query System ...
Severity: 9.3
osctrl: Attacker can inject malicious code into query list
CVE-2026-28280
GHSA-4rv8-5cmm-2r22
Summary: A stored Cross-site Scripting (XSS) vulnerability exists in the `osctrl-admin` on-demand query list. A user with query-level permissions c...
Severity: 6.1
wpForo Forum allows attackers to inject malicious code into profiles
CVE-2026-28558
wpForo Forum 2.4.14 contains a stored cross-site scripting vulnerability that allows authenticated subscribers to upload SVG files as profile avatars ...
Severity: 5.1
wpForo Forum Subscribers Can Move or Merge Any Forum Topic
CVE-2026-28556
wpForo Forum 2.4.14 contains a missing authorization vulnerability that allows authenticated subscribers to move, merge, or split any forum topic via ...
Severity: 5.3
Unauthenticated access to private forum topics in wpForo Forum
CVE-2026-28559
wpForo Forum 2.4.14 contains an information disclosure vulnerability that allows unauthenticated users to retrieve private and unapproved forum topics...
Severity: 6.9
Malcontent Fails to Scan Zip Files with Corrupt Archives
CVE-2026-28407
GHSA-945p-3jhm-6rcp
Previously, malcontent would remove nested archives which failed to extract which could potentially leave malicious content. A better approach is to p...
Severity: 6.9
pypdf: Creating a malicious PDF can crash your system
CVE-2026-28351
GHSA-f2v5-7jq9-h8cg
Impact: An attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing the content stream using ...
Severity: 6.9
wpForo Forum: Malicious JavaScript injected in Forum Descriptions
CVE-2026-28561
wpForo Forum 2.4.14 contains a stored cross-site scripting vulnerability that allows administrators to inject persistent JavaScript via forum descript...
Severity: 4.8
wpForo Forum 2.4.14 Allows Hackers to Inject Malicious Code in Forum URLs
CVE-2026-28560
wpForo Forum 2.4.14 contains a stored cross-site scripting vulnerability that allows script injection via forum URL data output into an inline script ...
Severity: 4.8
wpForo Forum 2.4.14: Subscribers Can Close or Reopen Any Forum Topic
CVE-2026-28555
wpForo Forum 2.4.14 contains a missing authorization vulnerability that allows authenticated subscribers to close or reopen any forum topic via the wp...
Severity: 5.3
wpForo Forum: Subscribers Can Approve or Unapprove Any Forum Post
CVE-2026-28554
wpForo Forum 2.4.14 contains a missing authorization vulnerability that allows authenticated subscribers to approve or unapprove any forum post via th...
Severity: 5.3
SvelteKit form handling can cause Denial of Service
GHSA-fpg4-jhqr-589c
Some relatively small inputs can cause very large files arrays in `form` handlers. If the SvelteKit application code doesn't check `files.length` or i...
Severity: 1.7