oolongeya

•Experience

•Vulnerability Reports

All(12)Open Source(1)Python(3)WordPress(6)KISA(2)

• CVE-2026-40173

  Unauthenticated part discloses admin auth token, enabling unauthorized access to protected Alpha admin endpoints

  Open SourcedgraphGithub Certified

  9.4 Critical+
  An unauthenticated debug endpoint in Dgraph Alpha exposes the full process command line, including the configured admin token

• CVE-2026-40071

  pyLoad WebUI JSON permission mismatch lets ADD/DELETE users invoke MODIFY-only actions

  PythonpyLoadGithub Certified

  5.4 Medium+
  pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the /json/package_order, /json/link_order, and /json/abort_link WebUI JSON endpoints enforce weaker permissions than the core API methods they invoke. This allows authenticated low-privileged users to execute MODIFY operations that should be denied by pyLoad's own permission model.

• CVE-2026-41133

  Stale Session Privilege After Role/Permission Change

  Pythonpyload-ngGithub Certified

  8.8 High+
  already logged-in user can keep old (revoked) privileges until logout/session expiry, enabling continued privileged actions.

• CVE-2026-3589

  Arbitrary Admin User Creation via CSRF

  WordPressWooCommerce200M+ downloads

  7.5 High+
  The plugin does not properly handle batch requests, which could allow unauthenticated users to make a logged in admin call non store/WC REST endpoints, and create arbitrary admin users via a CSRF attack for example.

• CVE-2026-5133

  Missing Authorization in Content AI Bulk Actions

  WordPressRank Math SEO3M+ downloads

  8.1 High+
  A low-privileged user can submit arbitrary post IDs through Content AI bulk actions and trigger unauthorized processing of protected content.

• CVE-2026-44226

  Unauthenticated traceback disclosure via global exception handler in WebUI

  PythonpyLoadGithub Certified

  5.3 Medium+
  unauthenticated user can reliably trigger a server exception.

• CVE-2026-5143

  Authorization Flaw in updateMetaBulk Endpoint

  WordPressRank Math SEO3M+ downloads

  6.5 Medium+
  Insufficient authorization checks in the term path can allow unauthorized post title modification under ID-collision conditions.

• CVE-2026-5151

  Object-Level Authorization Mismatch in updateSchemas

  WordPressRank Math SEO3M+ downloads

  7.7 High+
  A low-privileged user can pass permission checks with their own object ID and overwrite metadata rows of other users by targeting foreign meta IDs.

• CVE-2026-5427

  Contributor SSRF and Upload Restriction Bypass via Block URL Import

  WordPressKubioWordPress Plugin

  8.8 High+
  A low-privileged contributor can inject attacker-controlled URLs into Kubio block attributes to trigger server-side fetches and save responses into public uploads. This enables SSRF-like access to internal resources and unauthorized data exposure despite normal media upload restrictions.

• CVE-2026-8685

  Authenticated (Subscriber+) SQL Injection via 'orderby' Parameter

  WordPressInfility GlobalWordPress Plugin

  ? ?+
  Subscriber can inject SQL (time-based blind confirmed), which can be used to extract sensitive database data and potentially lead to privilege escalation.

• KVE-2026-0321

  Admin Privilege Escalation

  KISAReport SolutionKISA Certified

  Medium₩3,300,000+
  By taking over admin privileges, restricted features can be controlled.

• KVE-2026-0318

  Admin Privilege Escalation

  KISAReport SolutionKISA Certified

  Medium₩3,300,000+
  By taking over admin privileges, restricted features can be controlled.

•Bug Bounty

All(9)HackerOne(6)Wordfence(3)

• Private Program

  Improper Access Control

  HackerOne Certified

  2026|8.7 High$3,000++
  Private

• Private Program

  Improper Access Control

  HackerOne Certified

  2026|7.5 High$800++
  Private

• PayPal

  Open Redirect

  HackerOne Certified

  2026|3.4 Low$800+
  A malicious phishing link under a PayPal domain can be generated and redirect users to a malicious site when clicked.

• Automattic

  Improper Access Control

  HackerOne Certified

  2026|7.5 High$400+
  The plugin does not properly handle batch requests, which could allow unauthenticated users to make a logged in admin call non store/WC REST endpoints, and create arbitrary admin users via a CSRF attack for example.

• Spotify

  Improper Access Control

  HackerOne Certified

  2026|6.8 Medium$200+
  Some paywalled episodes returned media URLs and file IDs without authentication, while other PAYMENT_REQUIRED episodes were properly blocked.

• Automattic

  Cross-Site Request Forgery CSRF

  HackerOne Certified

  2026|3.9 Low$100+
  CSRF is possible via a nonce-bypass request.

• Rank Math SEO

  Missing Authorization

  Wordfence Certified

  2026|8.1 High$20+
  A low-privileged user can queue unauthorized bulk processing on protected posts through Content AI bulk actions.

• Rank Math SEO

  Improper Access Control

  Wordfence Certified

  2026|6.5 Medium$20+
  Authorization weakness in updateMetaBulk can lead to unauthorized post title updates in specific ID-collision scenarios.

• Rank Math SEO

  Improper Access Control

  Wordfence Certified

  2026|7.7 High$20+
  An object-level authorization mismatch in updateSchemas allows unauthorized overwrite of foreign post metadata.