Skip to content

File tree

Lines changed: 36 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,36 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-4mxr-9xw9-9cr4",
4+
"modified": "2026-06-30T09:31:35Z",
5+
"published": "2026-06-30T09:31:35Z",
6+
"aliases": [
7+
"CVE-2026-12818"
8+
],
9+
"details": "Delta Electronics DVP12SE PLCs are susceptible to a resource allocation vulnerability without limits or throttling (CWE-770) within their Modbus TCP service.",
10+
"severity": [
11+
{
12+
"type": "CVSS_V4",
13+
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
14+
}
15+
],
16+
"affected": [],
17+
"references": [
18+
{
19+
"type": "ADVISORY",
20+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-12818"
21+
},
22+
{
23+
"type": "WEB",
24+
"url": "https://filecenter.deltaww.com/news/download/doc/Delta-PCSA-2026-00011_DVP12SE%20Multiple%20Vulnerabilities%20(CVE-2026-12818,%20CVE-2026-12819)_v1.0.pdf"
25+
}
26+
],
27+
"database_specific": {
28+
"cwe_ids": [
29+
"CWE-770"
30+
],
31+
"severity": "CRITICAL",
32+
"github_reviewed": false,
33+
"github_reviewed_at": null,
34+
"nvd_published_at": "2026-06-30T07:16:31Z"
35+
}
36+
}
Lines changed: 29 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,29 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-6gcj-mc56-7jf5",
4+
"modified": "2026-06-30T09:31:35Z",
5+
"published": "2026-06-30T09:31:35Z",
6+
"aliases": [
7+
"CVE-2026-11581"
8+
],
9+
"details": "The Kali Forms — Contact Form & Drag-and-Drop Builder WordPress plugin before 2.4.13 does not sanitise a form field's caption before outputting it as a column header on the administrator form-entries screen, allowing users with Contributor-level access or above to store JavaScript that executes in an administrator's session. A missing capability check in the Kali Forms — Contact Form & Drag-and-Drop Builder WordPress plugin before 2.4.13's post-duplication action additionally lets the Contributor publish the malicious form so an administrator renders it.",
10+
"severity": [],
11+
"affected": [],
12+
"references": [
13+
{
14+
"type": "ADVISORY",
15+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-11581"
16+
},
17+
{
18+
"type": "WEB",
19+
"url": "https://wpscan.com/vulnerability/a9282260-a0f2-4fe2-9acf-3191f4043910"
20+
}
21+
],
22+
"database_specific": {
23+
"cwe_ids": [],
24+
"severity": null,
25+
"github_reviewed": false,
26+
"github_reviewed_at": null,
27+
"nvd_published_at": "2026-06-30T07:16:31Z"
28+
}
29+
}
Lines changed: 48 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,48 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-f7jr-jmf8-58m2",
4+
"modified": "2026-06-30T09:31:35Z",
5+
"published": "2026-06-30T09:31:35Z",
6+
"aliases": [
7+
"CVE-2026-56137"
8+
],
9+
"details": "RPG MAKER MV and MZ provided by Gotcha Gotcha Games Inc. contain an OS command injection vulnerability. If a user loads a specially crafted save-file, arbitrary OS command may be executed.",
10+
"severity": [
11+
{
12+
"type": "CVSS_V3",
13+
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
14+
},
15+
{
16+
"type": "CVSS_V4",
17+
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
18+
}
19+
],
20+
"affected": [],
21+
"references": [
22+
{
23+
"type": "ADVISORY",
24+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-56137"
25+
},
26+
{
27+
"type": "WEB",
28+
"url": "https://jvn.jp/en/jp/JVN69681784"
29+
},
30+
{
31+
"type": "WEB",
32+
"url": "https://rpgmakerofficial.com/en/news/4188"
33+
},
34+
{
35+
"type": "WEB",
36+
"url": "https://rpgmakerofficial.com/news/4183"
37+
}
38+
],
39+
"database_specific": {
40+
"cwe_ids": [
41+
"CWE-78"
42+
],
43+
"severity": "HIGH",
44+
"github_reviewed": false,
45+
"github_reviewed_at": null,
46+
"nvd_published_at": "2026-06-30T07:16:32Z"
47+
}
48+
}
Lines changed: 29 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,29 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-fjmg-grxw-25vg",
4+
"modified": "2026-06-30T09:31:35Z",
5+
"published": "2026-06-30T09:31:35Z",
6+
"aliases": [
7+
"CVE-2026-11590"
8+
],
9+
"details": "The WP Support Plus Responsive Ticket System WordPress plugin through 9.1.2 does not sanitize user-supplied array keys before using them in a SQL statement, allowing unauthenticated users to perform SQL injection attacks.",
10+
"severity": [],
11+
"affected": [],
12+
"references": [
13+
{
14+
"type": "ADVISORY",
15+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-11590"
16+
},
17+
{
18+
"type": "WEB",
19+
"url": "https://wpscan.com/vulnerability/117853ca-0fd3-4bfa-ad60-799eb5c77bdf"
20+
}
21+
],
22+
"database_specific": {
23+
"cwe_ids": [],
24+
"severity": null,
25+
"github_reviewed": false,
26+
"github_reviewed_at": null,
27+
"nvd_published_at": "2026-06-30T07:16:31Z"
28+
}
29+
}
Lines changed: 29 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,29 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-fvjp-rchx-7wr5",
4+
"modified": "2026-06-30T09:31:35Z",
5+
"published": "2026-06-30T09:31:35Z",
6+
"aliases": [
7+
"CVE-2026-9576"
8+
],
9+
"details": "The Fluent Booking WordPress plugin before 2.1.2 does not verify ownership of the requested group_id before exporting attendee data via the export endpoint, allowing users with at least the Calendar Manager role to retrieve attendees' PII (name, email, phone, address, payment information) from calendar groups they do not own.",
10+
"severity": [],
11+
"affected": [],
12+
"references": [
13+
{
14+
"type": "ADVISORY",
15+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9576"
16+
},
17+
{
18+
"type": "WEB",
19+
"url": "https://wpscan.com/vulnerability/f28759e0-f15e-4014-b0d1-8b58bf412b49"
20+
}
21+
],
22+
"database_specific": {
23+
"cwe_ids": [],
24+
"severity": null,
25+
"github_reviewed": false,
26+
"github_reviewed_at": null,
27+
"nvd_published_at": "2026-06-30T07:16:32Z"
28+
}
29+
}
Lines changed: 36 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,36 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-qrm2-gj4m-7475",
4+
"modified": "2026-06-30T09:31:35Z",
5+
"published": "2026-06-30T09:31:35Z",
6+
"aliases": [
7+
"CVE-2026-12578"
8+
],
9+
"details": "The affected product is vulnerable to a deserialization of untrusted data, which may allow an attacker to execute arbitrary code.",
10+
"severity": [
11+
{
12+
"type": "CVSS_V4",
13+
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
14+
}
15+
],
16+
"affected": [],
17+
"references": [
18+
{
19+
"type": "ADVISORY",
20+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-12578"
21+
},
22+
{
23+
"type": "WEB",
24+
"url": "https://filecenter.deltaww.com/news/download/doc/Delta-PCSA-2026-00010_DTMSoft%20Project%20File%20Parsing%20Deserialization%20of%20Untrusted%20Data%20Remote%20Code%20(CVE-2026-12578)_v1.0.pdf"
25+
}
26+
],
27+
"database_specific": {
28+
"cwe_ids": [
29+
"CWE-502"
30+
],
31+
"severity": "HIGH",
32+
"github_reviewed": false,
33+
"github_reviewed_at": null,
34+
"nvd_published_at": "2026-06-30T09:16:24Z"
35+
}
36+
}
Lines changed: 29 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,29 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-w4vj-qmqh-q69w",
4+
"modified": "2026-06-30T09:31:35Z",
5+
"published": "2026-06-30T09:31:35Z",
6+
"aliases": [
7+
"CVE-2026-11589"
8+
],
9+
"details": "The WP Support Plus Responsive Ticket System WordPress plugin through 9.1.2 does not properly validate uploaded files, allowing unauthenticated users to upload files containing malicious JavaScript (such as HTML or SVG) to a publicly accessible location, leading to Stored Cross-Site Scripting attacks against site users and administrators.",
10+
"severity": [],
11+
"affected": [],
12+
"references": [
13+
{
14+
"type": "ADVISORY",
15+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-11589"
16+
},
17+
{
18+
"type": "WEB",
19+
"url": "https://wpscan.com/vulnerability/c46479c2-4eef-485f-ae98-1f487efa4263"
20+
}
21+
],
22+
"database_specific": {
23+
"cwe_ids": [],
24+
"severity": null,
25+
"github_reviewed": false,
26+
"github_reviewed_at": null,
27+
"nvd_published_at": "2026-06-30T07:16:31Z"
28+
}
29+
}
Lines changed: 48 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,48 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-wvcg-328f-hx5j",
4+
"modified": "2026-06-30T09:31:35Z",
5+
"published": "2026-06-30T09:31:35Z",
6+
"aliases": [
7+
"CVE-2026-56809"
8+
],
9+
"details": "Multiple laser printers and MFPs (multifunction printers) which implement Ricoh Web Image Monitor contain a reflected cross-site scripting vulnerability. An arbitrary script may be executed on the web browser of the user who accesses Web Image Monitor.",
10+
"severity": [
11+
{
12+
"type": "CVSS_V3",
13+
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
14+
},
15+
{
16+
"type": "CVSS_V4",
17+
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
18+
}
19+
],
20+
"affected": [],
21+
"references": [
22+
{
23+
"type": "ADVISORY",
24+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-56809"
25+
},
26+
{
27+
"type": "WEB",
28+
"url": "https://jp.ricoh.com/security/products/vulnerabilities/vul?id=ricoh-2026-000005"
29+
},
30+
{
31+
"type": "WEB",
32+
"url": "https://jvn.jp/en/jp/JVN48718197"
33+
},
34+
{
35+
"type": "WEB",
36+
"url": "https://www.ricoh.com/products/security/vulnerabilities/vul?id=ricoh-2026-000005"
37+
}
38+
],
39+
"database_specific": {
40+
"cwe_ids": [
41+
"CWE-79"
42+
],
43+
"severity": "MODERATE",
44+
"github_reviewed": false,
45+
"github_reviewed_at": null,
46+
"nvd_published_at": "2026-06-30T07:16:32Z"
47+
}
48+
}
Lines changed: 40 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,40 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-ww5c-p3qw-8xxf",
4+
"modified": "2026-06-30T09:31:35Z",
5+
"published": "2026-06-30T09:31:35Z",
6+
"aliases": [
7+
"CVE-2026-12240"
8+
],
9+
"details": "The Export User Data plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the unserialize function in all versions up to, and including, 2.2.6. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). Successful exploitation requires an administrator to trigger a user data export while a subscriber-level (or higher) user has stored a crafted serialized XLSXWriter object payload as their display name.",
10+
"severity": [
11+
{
12+
"type": "CVSS_V3",
13+
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"
14+
}
15+
],
16+
"affected": [],
17+
"references": [
18+
{
19+
"type": "ADVISORY",
20+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-12240"
21+
},
22+
{
23+
"type": "WEB",
24+
"url": "https://plugins.trac.wordpress.org/browser/export-user-data/tags/2.2.6/library/core/helper.php#L171"
25+
},
26+
{
27+
"type": "WEB",
28+
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/39f12ff1-63ee-4131-a708-49633f22ccd4?source=cve"
29+
}
30+
],
31+
"database_specific": {
32+
"cwe_ids": [
33+
"CWE-502"
34+
],
35+
"severity": "HIGH",
36+
"github_reviewed": false,
37+
"github_reviewed_at": null,
38+
"nvd_published_at": "2026-06-30T07:16:31Z"
39+
}
40+
}
Lines changed: 36 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,36 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-xpw2-pg2w-j67h",
4+
"modified": "2026-06-30T09:31:35Z",
5+
"published": "2026-06-30T09:31:35Z",
6+
"aliases": [
7+
"CVE-2026-12819"
8+
],
9+
"details": "Delta Electronics DVP12SE PLC exposes a Modbus TCP service over a specified port without authentication or access control, permitting unauthenticated interaction with security-sensitive PLC functions.",
10+
"severity": [
11+
{
12+
"type": "CVSS_V4",
13+
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
14+
}
15+
],
16+
"affected": [],
17+
"references": [
18+
{
19+
"type": "ADVISORY",
20+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-12819"
21+
},
22+
{
23+
"type": "WEB",
24+
"url": "https://filecenter.deltaww.com/news/download/doc/Delta-PCSA-2026-00011_DVP12SE%20Multiple%20Vulnerabilities%20(CVE-2026-12818,%20CVE-2026-12819)_v1.0.pdf"
25+
}
26+
],
27+
"database_specific": {
28+
"cwe_ids": [
29+
"CWE-306"
30+
],
31+
"severity": "CRITICAL",
32+
"github_reviewed": false,
33+
"github_reviewed_at": null,
34+
"nvd_published_at": "2026-06-30T07:16:32Z"
35+
}
36+
}

0 commit comments

Comments
 (0)