24h | 7d | 30d

CVE-2026-2505

Overview

  • elzahlan
  • Categories Images
18 Apr 2026
Published
18 Apr 2026
Updated
CVSS v3.1
MEDIUM (5.4)
EPSS
0.03%
KEV

Description

The Categories Images plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.3.1, via the 'z_taxonomy_image' shortcode. This is due to the shortcode rendering path passing attacker-controlled class input into a fallback image builder that concatenates HTML attributes without proper escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts that execute when users interact with the injected frontend page via the 'class' shortcode attribute.

Statistics

  • 1 Post
Last activity: 10 hours ago

Fediverse

Profile picture fallback
OffSequence @offseq

🛡️ CVE-2026-2505: MEDIUM severity stored XSS in Categories Images plugin (≤3.3.1) lets Contributor+ users inject scripts via the 'class' attribute. Restrict access & watch for a patch. radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 10h ago

CVE-2026-6042

Overview

  • musl
  • libc
10 Apr 2026
Published
10 Apr 2026
Updated
CVSS v4.0
MEDIUM (4.8)
EPSS
0.01%
KEV

Description

A security flaw has been discovered in musl libc up to 1.2.6. Affected is the function iconv of the file src/locale/iconv.c of the component GB18030 4-byte Decoder. Performing a manipulation results in inefficient algorithmic complexity. The attack must be initiated from a local position. To fix this issue, it is recommended to deploy a patch.

Statistics

  • 1 Post
Last activity: 1 hour ago

Fediverse

Profile picture fallback
Fiona @airtower

Does anyone know how to report errors to https://db.gcve.eu/? Just their info@ mail? I looked up CVE-2026-6042 and CVE-2026-40200 there because I was annoyed that the NVD database (which #Buildroot uses for automated vulnerability checks) still didn't have them correctly labeled with the CPE (so automated tools can't identify the package is vulnerable).

Result: CVE-2026-40200 is correctly labeled (good!), while CVE-2026-6042 is not (different vendor/product). Mistakes happen, an organization that's trying to run as serious vulnerability DB really needs to provide an obvious "report errors here" mail address (or other means, but really… mail). ​:neocat_glare:​ #CVE #GCVE

  • 0
  • 0
  • 0
  • 1h ago

CVE-2026-40200

Overview

  • musl-libc
  • musl
10 Apr 2026
Published
14 Apr 2026
Updated
CVSS v3.1
HIGH (8.1)
EPSS
0.02%
KEV

Description

An issue was discovered in musl libc 0.7.10 through 1.2.6. Stack-based memory corruption can occur during qsort of very large arrays, due to incorrectly implemented double-word primitives. The number of elements must exceed about seven million, i.e., the 32nd Leonardo number on 32-bit platforms (or the 64th Leonardo number on 64-bit platforms, which is not practical).

Statistics

  • 1 Post
Last activity: 1 hour ago

Fediverse

Profile picture fallback
Fiona @airtower

Does anyone know how to report errors to https://db.gcve.eu/? Just their info@ mail? I looked up CVE-2026-6042 and CVE-2026-40200 there because I was annoyed that the NVD database (which #Buildroot uses for automated vulnerability checks) still didn't have them correctly labeled with the CPE (so automated tools can't identify the package is vulnerable).

Result: CVE-2026-40200 is correctly labeled (good!), while CVE-2026-6042 is not (different vendor/product). Mistakes happen, an organization that's trying to run as serious vulnerability DB really needs to provide an obvious "report errors here" mail address (or other means, but really… mail). ​:neocat_glare:​ #CVE #GCVE

  • 0
  • 0
  • 0
  • 1h ago
Showing 31 to 33 of 33 CVEs