<?xml version="1.0" encoding="utf-8"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Recipes on security-recipes.ai</title><link>https://security-recipes.ai/recipes/</link><description>Recent content in Recipes on security-recipes.ai</description><language>en-us</language><atom:link href="https://security-recipes.ai/recipes/index.xml" rel="self" type="application/rss+xml"/><item><title>CVE-2025-6784 - The Code Engine plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and includi</title><link>https://security-recipes.ai/prompt-library/cve/cve-2025-6784-the-code-engine-plugin-for-wordpress-is-vulnerable-to-remote-code-execution-in-all-versions-up-to-and-includi/</link><guid>https://security-recipes.ai/prompt-library/cve/cve-2025-6784-the-code-engine-plugin-for-wordpress-is-vulnerable-to-remote-code-execution-in-all-versions-up-to-and-includi/</guid><pubDate>Sat, 11 Jul 2026 00:00:00 GMT</pubDate><description>High remediation recipe for The Code Engine plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and includi. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable authz pattern.</description></item><item><title>CVE-2026-13114 - The Motors – Car Dealership &amp; Classified Listings Plugin plugin for WordPress is vulnerable to Stored Cross-Si</title><link>https://security-recipes.ai/prompt-library/cve/cve-2026-13114-the-motors-car-dealership-classified-listings-plugin-plugin-for-wordpress-is-vulnerable-to-stored-cross-si/</link><guid>https://security-recipes.ai/prompt-library/cve/cve-2026-13114-the-motors-car-dealership-classified-listings-plugin-plugin-for-wordpress-is-vulnerable-to-stored-cross-si/</guid><pubDate>Sat, 11 Jul 2026 00:00:00 GMT</pubDate><description>High remediation recipe for The Motors – Car Dealership &amp; Classified Listings Plugin plugin for WordPress is vulnerable to Stored Cross-Si. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable xss pattern.</description></item><item><title>CVE-2026-13353 - The WP Ultimate CSV Importer – WordPress Import &amp; Export for CSV, XML &amp; Excel plugin for WordPress is vulnerab</title><link>https://security-recipes.ai/prompt-library/cve/cve-2026-13353-the-wp-ultimate-csv-importer-wordpress-import-export-for-csv-xml-excel-plugin-for-wordpress-is-vulnerab/</link><guid>https://security-recipes.ai/prompt-library/cve/cve-2026-13353-the-wp-ultimate-csv-importer-wordpress-import-export-for-csv-xml-excel-plugin-for-wordpress-is-vulnerab/</guid><pubDate>Sat, 11 Jul 2026 00:00:00 GMT</pubDate><description>High remediation recipe for The WP Ultimate CSV Importer – WordPress Import &amp; Export for CSV, XML &amp; Excel plugin for WordPress is vulnerab. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable authz pattern.</description></item><item><title>CVE-2026-13378 - The Form Vibes – Database Manager for Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting</title><link>https://security-recipes.ai/prompt-library/cve/cve-2026-13378-the-form-vibes-database-manager-for-forms-plugin-for-wordpress-is-vulnerable-to-stored-cross-site-scripting/</link><guid>https://security-recipes.ai/prompt-library/cve/cve-2026-13378-the-form-vibes-database-manager-for-forms-plugin-for-wordpress-is-vulnerable-to-stored-cross-site-scripting/</guid><pubDate>Sat, 11 Jul 2026 00:00:00 GMT</pubDate><description>High remediation recipe for The Form Vibes – Database Manager for Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable xss pattern.</description></item><item><title>CVE-2026-13756 - The WP Grid Builder plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and incl</title><link>https://security-recipes.ai/prompt-library/cve/cve-2026-13756-the-wp-grid-builder-plugin-for-wordpress-is-vulnerable-to-privilege-escalation-in-all-versions-up-to-and-incl/</link><guid>https://security-recipes.ai/prompt-library/cve/cve-2026-13756-the-wp-grid-builder-plugin-for-wordpress-is-vulnerable-to-privilege-escalation-in-all-versions-up-to-and-incl/</guid><pubDate>Sat, 11 Jul 2026 00:00:00 GMT</pubDate><description>High remediation recipe for The WP Grid Builder plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and incl. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable authz pattern.</description></item><item><title>CVE-2026-14262 - The Simple JWT Login – Allows you to use JWT on REST endpoints</title><link>https://security-recipes.ai/prompt-library/cve/cve-2026-14262-the-simple-jwt-login-allows-you-to-use-jwt-on-rest-endpoints/</link><guid>https://security-recipes.ai/prompt-library/cve/cve-2026-14262-the-simple-jwt-login-allows-you-to-use-jwt-on-rest-endpoints/</guid><pubDate>Sat, 11 Jul 2026 00:00:00 GMT</pubDate><description>High remediation recipe for The Simple JWT Login – Allows you to use JWT on REST endpoints. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable authz pattern.</description></item><item><title>CVE-2026-15155 - The Essential Addons for Elementor – Popular Elementor Templates &amp; Widgets plugin for WordPress is vulnerable</title><link>https://security-recipes.ai/prompt-library/cve/cve-2026-15155-the-essential-addons-for-elementor-popular-elementor-templates-widgets-plugin-for-wordpress-is-vulnerable/</link><guid>https://security-recipes.ai/prompt-library/cve/cve-2026-15155-the-essential-addons-for-elementor-popular-elementor-templates-widgets-plugin-for-wordpress-is-vulnerable/</guid><pubDate>Sat, 11 Jul 2026 00:00:00 GMT</pubDate><description>High remediation recipe for The Essential Addons for Elementor – Popular Elementor Templates &amp; Widgets plugin for WordPress is vulnerable. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable authz pattern.</description></item><item><title>CVE-2026-15335 - The Booking Package plugin for WordPress is vulnerable to generic SQL Injection via &#39;email&#39; Form Parameter (fo</title><link>https://security-recipes.ai/prompt-library/cve/cve-2026-15335-the-booking-package-plugin-for-wordpress-is-vulnerable-to-generic-sql-injection-via-email-form-parameter-fo/</link><guid>https://security-recipes.ai/prompt-library/cve/cve-2026-15335-the-booking-package-plugin-for-wordpress-is-vulnerable-to-generic-sql-injection-via-email-form-parameter-fo/</guid><pubDate>Sat, 11 Jul 2026 00:00:00 GMT</pubDate><description>High remediation recipe for The Booking Package plugin for WordPress is vulnerable to generic SQL Injection via &#39;email&#39; Form Parameter (fo. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable sql-injection pattern.</description></item><item><title>CVE-2026-15338 - The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all vers</title><link>https://security-recipes.ai/prompt-library/cve/cve-2026-15338-the-la-studio-element-kit-for-elementor-plugin-for-wordpress-is-vulnerable-to-local-file-inclusion-in-all-vers/</link><guid>https://security-recipes.ai/prompt-library/cve/cve-2026-15338-the-la-studio-element-kit-for-elementor-plugin-for-wordpress-is-vulnerable-to-local-file-inclusion-in-all-vers/</guid><pubDate>Sat, 11 Jul 2026 00:00:00 GMT</pubDate><description>High remediation recipe for The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all vers. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable authz pattern.</description></item><item><title>CVE-2026-2354 - The Swiss Toolkit For WP plugin for WordPress is vulnerable to arbitrary file upload due to a flawed file type</title><link>https://security-recipes.ai/prompt-library/cve/cve-2026-2354-the-swiss-toolkit-for-wp-plugin-for-wordpress-is-vulnerable-to-arbitrary-file-upload-due-to-a-flawed-file-type/</link><guid>https://security-recipes.ai/prompt-library/cve/cve-2026-2354-the-swiss-toolkit-for-wp-plugin-for-wordpress-is-vulnerable-to-arbitrary-file-upload-due-to-a-flawed-file-type/</guid><pubDate>Sat, 11 Jul 2026 00:00:00 GMT</pubDate><description>High remediation recipe for The Swiss Toolkit For WP plugin for WordPress is vulnerable to arbitrary file upload due to a flawed file type. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable unsafe-upload pattern.</description></item><item><title>CVE-2026-3576 - The Planyo Online Reservation System plugin for WordPress is vulnerable to Server-Side Request Forgery leading</title><link>https://security-recipes.ai/prompt-library/cve/cve-2026-3576-the-planyo-online-reservation-system-plugin-for-wordpress-is-vulnerable-to-server-side-request-forgery-leading/</link><guid>https://security-recipes.ai/prompt-library/cve/cve-2026-3576-the-planyo-online-reservation-system-plugin-for-wordpress-is-vulnerable-to-server-side-request-forgery-leading/</guid><pubDate>Sat, 11 Jul 2026 00:00:00 GMT</pubDate><description>High remediation recipe for The Planyo Online Reservation System plugin for WordPress is vulnerable to Server-Side Request Forgery leading. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable ssrf pattern.</description></item><item><title>CVE-2026-4661 - The WP CTA – Sticky CTA Builder, Generate Leads, Promote Sales plugin for WordPress is vulnerable to time-base</title><link>https://security-recipes.ai/prompt-library/cve/cve-2026-4661-the-wp-cta-sticky-cta-builder-generate-leads-promote-sales-plugin-for-wordpress-is-vulnerable-to-time-base/</link><guid>https://security-recipes.ai/prompt-library/cve/cve-2026-4661-the-wp-cta-sticky-cta-builder-generate-leads-promote-sales-plugin-for-wordpress-is-vulnerable-to-time-base/</guid><pubDate>Sat, 11 Jul 2026 00:00:00 GMT</pubDate><description>High remediation recipe for The WP CTA – Sticky CTA Builder, Generate Leads, Promote Sales plugin for WordPress is vulnerable to time-base. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable sql-injection pattern.</description></item><item><title>CVE-2026-6939 - The CorvusPay WooCommerce Payment Gateway plugin for WordPress is vulnerable to Stored Cross-Site Scripting vi</title><link>https://security-recipes.ai/prompt-library/cve/cve-2026-6939-the-corvuspay-woocommerce-payment-gateway-plugin-for-wordpress-is-vulnerable-to-stored-cross-site-scripting-vi/</link><guid>https://security-recipes.ai/prompt-library/cve/cve-2026-6939-the-corvuspay-woocommerce-payment-gateway-plugin-for-wordpress-is-vulnerable-to-stored-cross-site-scripting-vi/</guid><pubDate>Sat, 11 Jul 2026 00:00:00 GMT</pubDate><description>High remediation recipe for The CorvusPay WooCommerce Payment Gateway plugin for WordPress is vulnerable to Stored Cross-Site Scripting vi. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable command-injection pattern.</description></item><item><title>CVE-2026-7655 - The SureCart plugin for WordPress is vulnerable to privilege escalation via account takeover in versions up to</title><link>https://security-recipes.ai/prompt-library/cve/cve-2026-7655-the-surecart-plugin-for-wordpress-is-vulnerable-to-privilege-escalation-via-account-takeover-in-versions-up-to/</link><guid>https://security-recipes.ai/prompt-library/cve/cve-2026-7655-the-surecart-plugin-for-wordpress-is-vulnerable-to-privilege-escalation-via-account-takeover-in-versions-up-to/</guid><pubDate>Sat, 11 Jul 2026 00:00:00 GMT</pubDate><description>High remediation recipe for The SureCart plugin for WordPress is vulnerable to privilege escalation via account takeover in versions up to. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable authz pattern.</description></item><item><title>CVE-2025-30007 - HestiaCP before 1.9.5 contains an authenticated OS command injection vulnerability that allows low-privilege a</title><link>https://security-recipes.ai/prompt-library/cve/cve-2025-30007-hestiacp-before-1-9-5-contains-an-authenticated-os-command-injection-vulnerability-that-allows-low-privilege-a/</link><guid>https://security-recipes.ai/prompt-library/cve/cve-2025-30007-hestiacp-before-1-9-5-contains-an-authenticated-os-command-injection-vulnerability-that-allows-low-privilege-a/</guid><pubDate>Fri, 10 Jul 2026 00:00:00 GMT</pubDate><description>High remediation recipe for HestiaCP before 1.9.5 contains an authenticated OS command injection vulnerability that allows low-privilege a. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable command-injection pattern.</description></item><item><title>CVE-2025-70796 - An unauthenticated path traversal vulnerability exists in the web management interface of WTI (Wireless Techno</title><link>https://security-recipes.ai/prompt-library/cve/cve-2025-70796-an-unauthenticated-path-traversal-vulnerability-exists-in-the-web-management-interface-of-wti-wireless-techno/</link><guid>https://security-recipes.ai/prompt-library/cve/cve-2025-70796-an-unauthenticated-path-traversal-vulnerability-exists-in-the-web-management-interface-of-wti-wireless-techno/</guid><pubDate>Fri, 10 Jul 2026 00:00:00 GMT</pubDate><description>High remediation recipe for An unauthenticated path traversal vulnerability exists in the web management interface of WTI (Wireless Techno. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable path-traversal pattern.</description></item><item><title>CVE-2026-11321 - The DataInjection plugin for GLPI 2.15.6 (GLPI 11 builds) concatenates user-supplied CSV field values directly</title><link>https://security-recipes.ai/prompt-library/cve/cve-2026-11321-the-datainjection-plugin-for-glpi-2-15-6-glpi-11-builds-concatenates-user-supplied-csv-field-values-directly/</link><guid>https://security-recipes.ai/prompt-library/cve/cve-2026-11321-the-datainjection-plugin-for-glpi-2-15-6-glpi-11-builds-concatenates-user-supplied-csv-field-values-directly/</guid><pubDate>Fri, 10 Jul 2026 00:00:00 GMT</pubDate><description>High remediation recipe for The DataInjection plugin for GLPI 2.15.6 (GLPI 11 builds) concatenates user-supplied CSV field values directly. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable sql-injection pattern.</description></item><item><title>CVE-2026-12685 - The EscortWP escortwp WordPress theme through 3.6.2 was distributed with a vendor-authored, obfuscated backdoo</title><link>https://security-recipes.ai/prompt-library/cve/cve-2026-12685-the-escortwp-escortwp-wordpress-theme-through-3-6-2-was-distributed-with-a-vendor-authored-obfuscated-backdoo/</link><guid>https://security-recipes.ai/prompt-library/cve/cve-2026-12685-the-escortwp-escortwp-wordpress-theme-through-3-6-2-was-distributed-with-a-vendor-authored-obfuscated-backdoo/</guid><pubDate>Fri, 10 Jul 2026 00:00:00 GMT</pubDate><description>High remediation recipe for The EscortWP escortwp WordPress theme through 3.6.2 was distributed with a vendor-authored, obfuscated backdoo. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable authz pattern.</description></item><item><title>CVE-2026-12761 - The miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn) plugin for WordPress is vulnerab</title><link>https://security-recipes.ai/prompt-library/cve/cve-2026-12761-the-miniorange-social-login-and-register-discord-google-twitter-linkedin-plugin-for-wordpress-is-vulnerab/</link><guid>https://security-recipes.ai/prompt-library/cve/cve-2026-12761-the-miniorange-social-login-and-register-discord-google-twitter-linkedin-plugin-for-wordpress-is-vulnerab/</guid><pubDate>Fri, 10 Jul 2026 00:00:00 GMT</pubDate><description>Critical remediation recipe for The miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn) plugin for WordPress is vulnerab. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable auth-bypass pattern.</description></item><item><title>CVE-2026-13347 - The Hide My WP Lite plugin for WordPress is vulnerable to Arbitrary File Read in versions up to and including</title><link>https://security-recipes.ai/prompt-library/cve/cve-2026-13347-the-hide-my-wp-lite-plugin-for-wordpress-is-vulnerable-to-arbitrary-file-read-in-versions-up-to-and-including/</link><guid>https://security-recipes.ai/prompt-library/cve/cve-2026-13347-the-hide-my-wp-lite-plugin-for-wordpress-is-vulnerable-to-arbitrary-file-read-in-versions-up-to-and-including/</guid><pubDate>Fri, 10 Jul 2026 00:00:00 GMT</pubDate><description>High remediation recipe for The Hide My WP Lite plugin for WordPress is vulnerable to Arbitrary File Read in versions up to and including. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable path-traversal pattern.</description></item><item><title>CVE-2026-13430 - The Post Export Import with Media plugin for WordPress is vulnerable to Arbitrary File Upload in all versions</title><link>https://security-recipes.ai/prompt-library/cve/cve-2026-13430-the-post-export-import-with-media-plugin-for-wordpress-is-vulnerable-to-arbitrary-file-upload-in-all-versions/</link><guid>https://security-recipes.ai/prompt-library/cve/cve-2026-13430-the-post-export-import-with-media-plugin-for-wordpress-is-vulnerable-to-arbitrary-file-upload-in-all-versions/</guid><pubDate>Fri, 10 Jul 2026 00:00:00 GMT</pubDate><description>High remediation recipe for The Post Export Import with Media plugin for WordPress is vulnerable to Arbitrary File Upload in all versions. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable unsafe-upload pattern.</description></item><item><title>CVE-2026-14480 - OpenPLC Runtime v3 contains an authenticated arbitrary file write vulnerability in the legacy web UI program‑u</title><link>https://security-recipes.ai/prompt-library/cve/cve-2026-14480-openplc-runtime-v3-contains-an-authenticated-arbitrary-file-write-vulnerability-in-the-legacy-web-ui-program-u/</link><guid>https://security-recipes.ai/prompt-library/cve/cve-2026-14480-openplc-runtime-v3-contains-an-authenticated-arbitrary-file-write-vulnerability-in-the-legacy-web-ui-program-u/</guid><pubDate>Fri, 10 Jul 2026 00:00:00 GMT</pubDate><description>Critical remediation recipe for OpenPLC Runtime v3 contains an authenticated arbitrary file write vulnerability in the legacy web UI program‑u. Upgrade to v4 and remove the vulnerable path-traversal pattern.</description></item><item><title>CVE-2026-14894 - The Super Forms – Drag &amp; Drop Form Builder plugin for WordPress is vulnerable to Arbitrary File Upload in all</title><link>https://security-recipes.ai/prompt-library/cve/cve-2026-14894-the-super-forms-drag-drop-form-builder-plugin-for-wordpress-is-vulnerable-to-arbitrary-file-upload-in-all/</link><guid>https://security-recipes.ai/prompt-library/cve/cve-2026-14894-the-super-forms-drag-drop-form-builder-plugin-for-wordpress-is-vulnerable-to-arbitrary-file-upload-in-all/</guid><pubDate>Fri, 10 Jul 2026 00:00:00 GMT</pubDate><description>Critical remediation recipe for The Super Forms – Drag &amp; Drop Form Builder plugin for WordPress is vulnerable to Arbitrary File Upload in all. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable unsafe-upload pattern.</description></item><item><title>CVE-2026-15070 - The Salon Booking System – Free Version plugin for WordPress is vulnerable to Cross-Site Request Forgery in al</title><link>https://security-recipes.ai/prompt-library/cve/cve-2026-15070-the-salon-booking-system-free-version-plugin-for-wordpress-is-vulnerable-to-cross-site-request-forgery-in-al/</link><guid>https://security-recipes.ai/prompt-library/cve/cve-2026-15070-the-salon-booking-system-free-version-plugin-for-wordpress-is-vulnerable-to-cross-site-request-forgery-in-al/</guid><pubDate>Fri, 10 Jul 2026 00:00:00 GMT</pubDate><description>High remediation recipe for The Salon Booking System – Free Version plugin for WordPress is vulnerable to Cross-Site Request Forgery in al. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable authz pattern.</description></item><item><title>CVE-2026-15143 - A flaw was found in the file_type content detector of guardrails-detectors</title><link>https://security-recipes.ai/prompt-library/cve/cve-2026-15143-a-flaw-was-found-in-the-file-type-content-detector-of-guardrails-detectors/</link><guid>https://security-recipes.ai/prompt-library/cve/cve-2026-15143-a-flaw-was-found-in-the-file-type-content-detector-of-guardrails-detectors/</guid><pubDate>Fri, 10 Jul 2026 00:00:00 GMT</pubDate><description>Critical remediation recipe for A flaw was found in the file_type content detector of guardrails-detectors. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable authz pattern.</description></item><item><title>CVE-2026-15282 - The Instant Appointment plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type</title><link>https://security-recipes.ai/prompt-library/cve/cve-2026-15282-the-instant-appointment-plugin-for-wordpress-is-vulnerable-to-arbitrary-file-uploads-due-to-missing-file-type/</link><guid>https://security-recipes.ai/prompt-library/cve/cve-2026-15282-the-instant-appointment-plugin-for-wordpress-is-vulnerable-to-arbitrary-file-uploads-due-to-missing-file-type/</guid><pubDate>Fri, 10 Jul 2026 00:00:00 GMT</pubDate><description>Critical remediation recipe for The Instant Appointment plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable unsafe-upload pattern.</description></item><item><title>CVE-2026-15288 - The SureForms – Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to Improper Input</title><link>https://security-recipes.ai/prompt-library/cve/cve-2026-15288-the-sureforms-drag-and-drop-form-builder-for-wordpress-plugin-for-wordpress-is-vulnerable-to-improper-input/</link><guid>https://security-recipes.ai/prompt-library/cve/cve-2026-15288-the-sureforms-drag-and-drop-form-builder-for-wordpress-plugin-for-wordpress-is-vulnerable-to-improper-input/</guid><pubDate>Fri, 10 Jul 2026 00:00:00 GMT</pubDate><description>High remediation recipe for The SureForms – Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to Improper Input. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable authz pattern.</description></item><item><title>CVE-2026-15290 - The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction &amp; Membership Pl</title><link>https://security-recipes.ai/prompt-library/cve/cve-2026-15290-the-ultimate-member-user-profile-registration-login-member-directory-content-restriction-membership-pl/</link><guid>https://security-recipes.ai/prompt-library/cve/cve-2026-15290-the-ultimate-member-user-profile-registration-login-member-directory-content-restriction-membership-pl/</guid><pubDate>Fri, 10 Jul 2026 00:00:00 GMT</pubDate><description>High remediation recipe for The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction &amp; Membership Pl. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable sql-injection pattern.</description></item><item><title>CVE-2026-15291 - The Chat Help – Click to Chat Button &amp; Form plugin for WordPress is vulnerable to Sensitive Information Exposu</title><link>https://security-recipes.ai/prompt-library/cve/cve-2026-15291-the-chat-help-click-to-chat-button-form-plugin-for-wordpress-is-vulnerable-to-sensitive-information-exposu/</link><guid>https://security-recipes.ai/prompt-library/cve/cve-2026-15291-the-chat-help-click-to-chat-button-form-plugin-for-wordpress-is-vulnerable-to-sensitive-information-exposu/</guid><pubDate>Fri, 10 Jul 2026 00:00:00 GMT</pubDate><description>High remediation recipe for The Chat Help – Click to Chat Button &amp; Form plugin for WordPress is vulnerable to Sensitive Information Exposu. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable authz pattern.</description></item><item><title>CVE-2026-15293 - The WP Business Intelligence Lite plugin for WordPress is vulnerable to authorization bypass in all versions u</title><link>https://security-recipes.ai/prompt-library/cve/cve-2026-15293-the-wp-business-intelligence-lite-plugin-for-wordpress-is-vulnerable-to-authorization-bypass-in-all-versions-u/</link><guid>https://security-recipes.ai/prompt-library/cve/cve-2026-15293-the-wp-business-intelligence-lite-plugin-for-wordpress-is-vulnerable-to-authorization-bypass-in-all-versions-u/</guid><pubDate>Fri, 10 Jul 2026 00:00:00 GMT</pubDate><description>High remediation recipe for The WP Business Intelligence Lite plugin for WordPress is vulnerable to authorization bypass in all versions u. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable authz pattern.</description></item><item><title>CVE-2026-15298 - The TelSender plugin for WordPress is vulnerable to DOM-Based Cross-Site Scripting in all versions up to, and</title><link>https://security-recipes.ai/prompt-library/cve/cve-2026-15298-the-telsender-plugin-for-wordpress-is-vulnerable-to-dom-based-cross-site-scripting-in-all-versions-up-to-and/</link><guid>https://security-recipes.ai/prompt-library/cve/cve-2026-15298-the-telsender-plugin-for-wordpress-is-vulnerable-to-dom-based-cross-site-scripting-in-all-versions-up-to-and/</guid><pubDate>Fri, 10 Jul 2026 00:00:00 GMT</pubDate><description>High remediation recipe for The TelSender plugin for WordPress is vulnerable to DOM-Based Cross-Site Scripting in all versions up to, and. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable xss pattern.</description></item><item><title>CVE-2026-15300 - The GEO my WP plugin for WordPress was vulnerable to SQL Injection via the &#39;distance&#39;, &#39;lat&#39;, and &#39;lng&#39; parame</title><link>https://security-recipes.ai/prompt-library/cve/cve-2026-15300-the-geo-my-wp-plugin-for-wordpress-was-vulnerable-to-sql-injection-via-the-distance-lat-and-lng-parame/</link><guid>https://security-recipes.ai/prompt-library/cve/cve-2026-15300-the-geo-my-wp-plugin-for-wordpress-was-vulnerable-to-sql-injection-via-the-distance-lat-and-lng-parame/</guid><pubDate>Fri, 10 Jul 2026 00:00:00 GMT</pubDate><description>Critical remediation recipe for The GEO my WP plugin for WordPress was vulnerable to SQL Injection via the &#39;distance&#39;, &#39;lat&#39;, and &#39;lng&#39; parame. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable sql-injection pattern.</description></item><item><title>CVE-2026-15378 - A flaw was found in the guardrails-detectors component</title><link>https://security-recipes.ai/prompt-library/cve/cve-2026-15378-a-flaw-was-found-in-the-guardrails-detectors-component/</link><guid>https://security-recipes.ai/prompt-library/cve/cve-2026-15378-a-flaw-was-found-in-the-guardrails-detectors-component/</guid><pubDate>Fri, 10 Jul 2026 00:00:00 GMT</pubDate><description>Critical remediation recipe for A flaw was found in the guardrails-detectors component. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable authz pattern.</description></item><item><title>CVE-2026-1667 - The SEO Plugin by Squirrly SEO plugin for WordPress is vulnerable to Arbitrary Post Creation and Stored Cross-</title><link>https://security-recipes.ai/prompt-library/cve/cve-2026-1667-the-seo-plugin-by-squirrly-seo-plugin-for-wordpress-is-vulnerable-to-arbitrary-post-creation-and-stored-cross/</link><guid>https://security-recipes.ai/prompt-library/cve/cve-2026-1667-the-seo-plugin-by-squirrly-seo-plugin-for-wordpress-is-vulnerable-to-arbitrary-post-creation-and-stored-cross/</guid><pubDate>Fri, 10 Jul 2026 00:00:00 GMT</pubDate><description>High remediation recipe for The SEO Plugin by Squirrly SEO plugin for WordPress is vulnerable to Arbitrary Post Creation and Stored Cross-. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable xss pattern.</description></item><item><title>CVE-2026-20744 - The charging station websocket endpoint accepts connections without proper authentication, which could lead to</title><link>https://security-recipes.ai/prompt-library/cve/cve-2026-20744-the-charging-station-websocket-endpoint-accepts-connections-without-proper-authentication-which-could-lead-to/</link><guid>https://security-recipes.ai/prompt-library/cve/cve-2026-20744-the-charging-station-websocket-endpoint-accepts-connections-without-proper-authentication-which-could-lead-to/</guid><pubDate>Fri, 10 Jul 2026 00:00:00 GMT</pubDate><description>Critical remediation recipe for The charging station websocket endpoint accepts connections without proper authentication, which could lead to. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable authz pattern.</description></item><item><title>CVE-2026-21042 - Out-of-bounds write in libsavsac.so prior to SMR Jul-2026 Release 1 allows local attackers to execute arbitrar</title><link>https://security-recipes.ai/prompt-library/cve/cve-2026-21042-out-of-bounds-write-in-libsavsac-so-prior-to-smr-jul-2026-release-1-allows-local-attackers-to-execute-arbitrar/</link><guid>https://security-recipes.ai/prompt-library/cve/cve-2026-21042-out-of-bounds-write-in-libsavsac-so-prior-to-smr-jul-2026-release-1-allows-local-attackers-to-execute-arbitrar/</guid><pubDate>Fri, 10 Jul 2026 00:00:00 GMT</pubDate><description>High remediation recipe for Out-of-bounds write in libsavsac.so prior to SMR Jul-2026 Release 1 allows local attackers to execute arbitrar. Upgrade to SMR Jul-2026 Release in Android 14, 15, 16 and remove the vulnerable memory-corruption pattern.</description></item><item><title>CVE-2026-21045 - Out-of-bounds write in parsing TIFF format in libimagecodec.media.quram.so prior to SMR Jul-2026 Release 1 all</title><link>https://security-recipes.ai/prompt-library/cve/cve-2026-21045-out-of-bounds-write-in-parsing-tiff-format-in-libimagecodec-media-quram-so-prior-to-smr-jul-2026-release-1-all/</link><guid>https://security-recipes.ai/prompt-library/cve/cve-2026-21045-out-of-bounds-write-in-parsing-tiff-format-in-libimagecodec-media-quram-so-prior-to-smr-jul-2026-release-1-all/</guid><pubDate>Fri, 10 Jul 2026 00:00:00 GMT</pubDate><description>High remediation recipe for Out-of-bounds write in parsing TIFF format in libimagecodec.media.quram.so prior to SMR Jul-2026 Release 1 all. Upgrade to SMR Jul-2026 Release in Android 14, 15, 16 and remove the vulnerable memory-corruption pattern.</description></item><item><title>CVE-2026-21046 - Time-of-check time-of-use race condition in fabricKeymaster trustlet prior to SMR Jul-2026 Release 1 allows lo</title><link>https://security-recipes.ai/prompt-library/cve/cve-2026-21046-time-of-check-time-of-use-race-condition-in-fabrickeymaster-trustlet-prior-to-smr-jul-2026-release-1-allows-lo/</link><guid>https://security-recipes.ai/prompt-library/cve/cve-2026-21046-time-of-check-time-of-use-race-condition-in-fabrickeymaster-trustlet-prior-to-smr-jul-2026-release-1-allows-lo/</guid><pubDate>Fri, 10 Jul 2026 00:00:00 GMT</pubDate><description>High remediation recipe for Time-of-check time-of-use race condition in fabricKeymaster trustlet prior to SMR Jul-2026 Release 1 allows lo. Upgrade to SMR Jul-2026 Release in Android 14, 15, 16 and remove the vulnerable authz pattern.</description></item><item><title>CVE-2026-21048 - Out-of-bounds write in parsing DNG format in libimagecodec.media.quram.so prior to SMR Jul-2026 Release 1 allo</title><link>https://security-recipes.ai/prompt-library/cve/cve-2026-21048-out-of-bounds-write-in-parsing-dng-format-in-libimagecodec-media-quram-so-prior-to-smr-jul-2026-release-1-allo/</link><guid>https://security-recipes.ai/prompt-library/cve/cve-2026-21048-out-of-bounds-write-in-parsing-dng-format-in-libimagecodec-media-quram-so-prior-to-smr-jul-2026-release-1-allo/</guid><pubDate>Fri, 10 Jul 2026 00:00:00 GMT</pubDate><description>High remediation recipe for Out-of-bounds write in parsing DNG format in libimagecodec.media.quram.so prior to SMR Jul-2026 Release 1 allo. Upgrade to SMR Jul-2026 Release in Android 14, 15, 16 and remove the vulnerable memory-corruption pattern.</description></item><item><title>CVE-2026-21049 - Out-of-bounds write in libpadm.so library prior to SMR Jul-2026 Release 1 allows local attackers to execute ar</title><link>https://security-recipes.ai/prompt-library/cve/cve-2026-21049-out-of-bounds-write-in-libpadm-so-library-prior-to-smr-jul-2026-release-1-allows-local-attackers-to-execute-ar/</link><guid>https://security-recipes.ai/prompt-library/cve/cve-2026-21049-out-of-bounds-write-in-libpadm-so-library-prior-to-smr-jul-2026-release-1-allows-local-attackers-to-execute-ar/</guid><pubDate>Fri, 10 Jul 2026 00:00:00 GMT</pubDate><description>High remediation recipe for Out-of-bounds write in libpadm.so library prior to SMR Jul-2026 Release 1 allows local attackers to execute ar. Upgrade to SMR Jul-2026 Release in Android 14, 15, 16 and remove the vulnerable memory-corruption pattern.</description></item><item><title>CVE-2026-21055 - Improper export of android application components in Bixby prior to version 4.0.70.8 allows local attackers to</title><link>https://security-recipes.ai/prompt-library/cve/cve-2026-21055-improper-export-of-android-application-components-in-bixby-prior-to-version-4-0-70-8-allows-local-attackers-to/</link><guid>https://security-recipes.ai/prompt-library/cve/cve-2026-21055-improper-export-of-android-application-components-in-bixby-prior-to-version-4-0-70-8-allows-local-attackers-to/</guid><pubDate>Fri, 10 Jul 2026 00:00:00 GMT</pubDate><description>High remediation recipe for Improper export of android application components in Bixby prior to version 4.0.70.8 allows local attackers to. Upgrade to 4.0.70.8 and remove the vulnerable authz pattern.</description></item><item><title>CVE-2026-22659 - FlaskBB through 2.2.0, fixed in commit acc88cf, contains an authorization bypass vulnerability that allows aut</title><link>https://security-recipes.ai/prompt-library/cve/cve-2026-22659-flaskbb-through-2-2-0-fixed-in-commit-acc88cf-contains-an-authorization-bypass-vulnerability-that-allows-aut/</link><guid>https://security-recipes.ai/prompt-library/cve/cve-2026-22659-flaskbb-through-2-2-0-fixed-in-commit-acc88cf-contains-an-authorization-bypass-vulnerability-that-allows-aut/</guid><pubDate>Fri, 10 Jul 2026 00:00:00 GMT</pubDate><description>High remediation recipe for FlaskBB through 2.2.0, fixed in commit acc88cf, contains an authorization bypass vulnerability that allows aut. Upgrade to fixed in commit acc88cf and remove the vulnerable authz pattern.</description></item><item><title>CVE-2026-22660 - FlaskBB through 2.2.0, fixed in commit a5da9a5, contains a logic flaw vulnerability that allows authenticated</title><link>https://security-recipes.ai/prompt-library/cve/cve-2026-22660-flaskbb-through-2-2-0-fixed-in-commit-a5da9a5-contains-a-logic-flaw-vulnerability-that-allows-authenticated/</link><guid>https://security-recipes.ai/prompt-library/cve/cve-2026-22660-flaskbb-through-2-2-0-fixed-in-commit-a5da9a5-contains-a-logic-flaw-vulnerability-that-allows-authenticated/</guid><pubDate>Fri, 10 Jul 2026 00:00:00 GMT</pubDate><description>High remediation recipe for FlaskBB through 2.2.0, fixed in commit a5da9a5, contains a logic flaw vulnerability that allows authenticated. Upgrade to https://github.com/flaskbb/flaskbb/commit/a5da9a52 and remove the vulnerable authz pattern.</description></item><item><title>CVE-2026-2397 - Improper neutralization of special elements used in an SQL command (&#39;SQL injection&#39;) vulnerability in Adam Ret</title><link>https://security-recipes.ai/prompt-library/cve/cve-2026-2397-improper-neutralization-of-special-elements-used-in-an-sql-command-sql-injection-vulnerability-in-adam-ret/</link><guid>https://security-recipes.ai/prompt-library/cve/cve-2026-2397-improper-neutralization-of-special-elements-used-in-an-sql-command-sql-injection-vulnerability-in-adam-ret/</guid><pubDate>Fri, 10 Jul 2026 00:00:00 GMT</pubDate><description>Critical remediation recipe for Improper neutralization of special elements used in an SQL command (&#39;SQL injection&#39;) vulnerability in Adam Ret. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable sql-injection pattern.</description></item><item><title>CVE-2026-2398 - Authorization bypass through User-Controlled key vulnerability in Adam Retail Automation Ltd</title><link>https://security-recipes.ai/prompt-library/cve/cve-2026-2398-authorization-bypass-through-user-controlled-key-vulnerability-in-adam-retail-automation-ltd/</link><guid>https://security-recipes.ai/prompt-library/cve/cve-2026-2398-authorization-bypass-through-user-controlled-key-vulnerability-in-adam-retail-automation-ltd/</guid><pubDate>Fri, 10 Jul 2026 00:00:00 GMT</pubDate><description>High remediation recipe for Authorization bypass through User-Controlled key vulnerability in Adam Retail Automation Ltd. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable authz pattern.</description></item><item><title>CVE-2026-28564 - Insufficient Session Expiration, Authentication Bypass by Capture-replay vulnerability in Apache IoTDB</title><link>https://security-recipes.ai/prompt-library/cve/cve-2026-28564-insufficient-session-expiration-authentication-bypass-by-capture-replay-vulnerability-in-apache-iotdb/</link><guid>https://security-recipes.ai/prompt-library/cve/cve-2026-28564-insufficient-session-expiration-authentication-bypass-by-capture-replay-vulnerability-in-apache-iotdb/</guid><pubDate>Fri, 10 Jul 2026 00:00:00 GMT</pubDate><description>Critical remediation recipe for Insufficient Session Expiration, Authentication Bypass by Capture-replay vulnerability in Apache IoTDB. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable auth-bypass pattern.</description></item><item><title>CVE-2026-33382 - Several Grafana API endpoints, some of them unauthenticated, do not limit the size of the request body before</title><link>https://security-recipes.ai/prompt-library/cve/cve-2026-33382-several-grafana-api-endpoints-some-of-them-unauthenticated-do-not-limit-the-size-of-the-request-body-before/</link><guid>https://security-recipes.ai/prompt-library/cve/cve-2026-33382-several-grafana-api-endpoints-some-of-them-unauthenticated-do-not-limit-the-size-of-the-request-body-before/</guid><pubDate>Fri, 10 Jul 2026 00:00:00 GMT</pubDate><description>High remediation recipe for Several Grafana API endpoints, some of them unauthenticated, do not limit the size of the request body before. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable authz pattern.</description></item><item><title>CVE-2026-38057 - The iDirect iQ200 does not validate CSRF tokens on state-changing API endpoints after authentication</title><link>https://security-recipes.ai/prompt-library/cve/cve-2026-38057-the-idirect-iq200-does-not-validate-csrf-tokens-on-state-changing-api-endpoints-after-authentication/</link><guid>https://security-recipes.ai/prompt-library/cve/cve-2026-38057-the-idirect-iq200-does-not-validate-csrf-tokens-on-state-changing-api-endpoints-after-authentication/</guid><pubDate>Fri, 10 Jul 2026 00:00:00 GMT</pubDate><description>High remediation recipe for The iDirect iQ200 does not validate CSRF tokens on state-changing API endpoints after authentication. Upgrade to 4.5.2.2 and remove the vulnerable authz pattern.</description></item><item><title>CVE-2026-38059 - The iDirect iQ200 exposes the /api/identity and /api/ REST API endpoints without authentication</title><link>https://security-recipes.ai/prompt-library/cve/cve-2026-38059-the-idirect-iq200-exposes-the-api-identity-and-api-rest-api-endpoints-without-authentication/</link><guid>https://security-recipes.ai/prompt-library/cve/cve-2026-38059-the-idirect-iq200-exposes-the-api-identity-and-api-rest-api-endpoints-without-authentication/</guid><pubDate>Fri, 10 Jul 2026 00:00:00 GMT</pubDate><description>High remediation recipe for The iDirect iQ200 exposes the /api/identity and /api/ REST API endpoints without authentication. Upgrade to 4.5.2.2 and remove the vulnerable authz pattern.</description></item><item><title>CVE-2026-39244 - adm-zip before 0.5.18 is vulnerable to denial of service via a crafted ZIP file with a manipulated uncompresse</title><link>https://security-recipes.ai/prompt-library/cve/cve-2026-39244-adm-zip-before-0-5-18-is-vulnerable-to-denial-of-service-via-a-crafted-zip-file-with-a-manipulated-uncompresse/</link><guid>https://security-recipes.ai/prompt-library/cve/cve-2026-39244-adm-zip-before-0-5-18-is-vulnerable-to-denial-of-service-via-a-crafted-zip-file-with-a-manipulated-uncompresse/</guid><pubDate>Fri, 10 Jul 2026 00:00:00 GMT</pubDate><description>High remediation recipe for adm-zip before 0.5.18 is vulnerable to denial of service via a crafted ZIP file with a manipulated uncompresse. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable dos pattern.</description></item><item><title>CVE-2026-39903 - Simple Machines Forum 2.1 prior to 2.1.8 and 3.0 prior to 3.0 Alpha 5 contains an authorization bypass vulnera</title><link>https://security-recipes.ai/prompt-library/cve/cve-2026-39903-simple-machines-forum-2-1-prior-to-2-1-8-and-3-0-prior-to-3-0-alpha-5-contains-an-authorization-bypass-vulnera/</link><guid>https://security-recipes.ai/prompt-library/cve/cve-2026-39903-simple-machines-forum-2-1-prior-to-2-1-8-and-3-0-prior-to-3-0-alpha-5-contains-an-authorization-bypass-vulnera/</guid><pubDate>Fri, 10 Jul 2026 00:00:00 GMT</pubDate><description>High remediation recipe for Simple Machines Forum 2.1 prior to 2.1.8 and 3.0 prior to 3.0 Alpha 5 contains an authorization bypass vulnera. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable command-injection pattern.</description></item><item><title>CVE-2026-40005 - Improper Limitation of a Pathname to a Restricted Directory (&#39;Path Traversal&#39;) vulnerability in Apache IoTDB</title><link>https://security-recipes.ai/prompt-library/cve/cve-2026-40005-improper-limitation-of-a-pathname-to-a-restricted-directory-path-traversal-vulnerability-in-apache-iotdb/</link><guid>https://security-recipes.ai/prompt-library/cve/cve-2026-40005-improper-limitation-of-a-pathname-to-a-restricted-directory-path-traversal-vulnerability-in-apache-iotdb/</guid><pubDate>Fri, 10 Jul 2026 00:00:00 GMT</pubDate><description>Critical remediation recipe for Improper Limitation of a Pathname to a Restricted Directory (&#39;Path Traversal&#39;) vulnerability in Apache IoTDB. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable path-traversal pattern.</description></item><item><title>CVE-2026-40006 - Memory Allocation with Excessive Size Value, Allocation of Resources Without Limits or Throttling, Missing Aut</title><link>https://security-recipes.ai/prompt-library/cve/cve-2026-40006-memory-allocation-with-excessive-size-value-allocation-of-resources-without-limits-or-throttling-missing-aut/</link><guid>https://security-recipes.ai/prompt-library/cve/cve-2026-40006-memory-allocation-with-excessive-size-value-allocation-of-resources-without-limits-or-throttling-missing-aut/</guid><pubDate>Fri, 10 Jul 2026 00:00:00 GMT</pubDate><description>High remediation recipe for Memory Allocation with Excessive Size Value, Allocation of Resources Without Limits or Throttling, Missing Aut. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable command-injection pattern.</description></item><item><title>CVE-2026-40007 - Uncontrolled Recursion, Uncontrolled Resource Consumption vulnerability in Apache IoTDB</title><link>https://security-recipes.ai/prompt-library/cve/cve-2026-40007-uncontrolled-recursion-uncontrolled-resource-consumption-vulnerability-in-apache-iotdb/</link><guid>https://security-recipes.ai/prompt-library/cve/cve-2026-40007-uncontrolled-recursion-uncontrolled-resource-consumption-vulnerability-in-apache-iotdb/</guid><pubDate>Fri, 10 Jul 2026 00:00:00 GMT</pubDate><description>High remediation recipe for Uncontrolled Recursion, Uncontrolled Resource Consumption vulnerability in Apache IoTDB. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable command-injection pattern.</description></item><item><title>CVE-2026-40008 - Use of Externally-Controlled Input to Select Classes or Code (&#39;Unsafe Reflection&#39;) vulnerability in Apache IoT</title><link>https://security-recipes.ai/prompt-library/cve/cve-2026-40008-use-of-externally-controlled-input-to-select-classes-or-code-unsafe-reflection-vulnerability-in-apache-iot/</link><guid>https://security-recipes.ai/prompt-library/cve/cve-2026-40008-use-of-externally-controlled-input-to-select-classes-or-code-unsafe-reflection-vulnerability-in-apache-iot/</guid><pubDate>Fri, 10 Jul 2026 00:00:00 GMT</pubDate><description>Critical remediation recipe for Use of Externally-Controlled Input to Select Classes or Code (&#39;Unsafe Reflection&#39;) vulnerability in Apache IoT. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable authz pattern.</description></item><item><title>CVE-2026-40452 - Incorrect Authorization, Improper Access Control vulnerability in Apache IoTDB</title><link>https://security-recipes.ai/prompt-library/cve/cve-2026-40452-incorrect-authorization-improper-access-control-vulnerability-in-apache-iotdb/</link><guid>https://security-recipes.ai/prompt-library/cve/cve-2026-40452-incorrect-authorization-improper-access-control-vulnerability-in-apache-iotdb/</guid><pubDate>Fri, 10 Jul 2026 00:00:00 GMT</pubDate><description>High remediation recipe for Incorrect Authorization, Improper Access Control vulnerability in Apache IoTDB. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable authz pattern.</description></item><item><title>CVE-2026-40454 - Out-of-bounds Read, Improper Input Validation vulnerability in Apache IoTDB C++ client</title><link>https://security-recipes.ai/prompt-library/cve/cve-2026-40454-out-of-bounds-read-improper-input-validation-vulnerability-in-apache-iotdb-c-client/</link><guid>https://security-recipes.ai/prompt-library/cve/cve-2026-40454-out-of-bounds-read-improper-input-validation-vulnerability-in-apache-iotdb-c-client/</guid><pubDate>Fri, 10 Jul 2026 00:00:00 GMT</pubDate><description>High remediation recipe for Out-of-bounds Read, Improper Input Validation vulnerability in Apache IoTDB C++ client. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable memory-corruption pattern.</description></item><item><title>CVE-2026-41482 - Frappe is a full-stack web application framework</title><link>https://security-recipes.ai/prompt-library/cve/cve-2026-41482-frappe-is-a-full-stack-web-application-framework/</link><guid>https://security-recipes.ai/prompt-library/cve/cve-2026-41482-frappe-is-a-full-stack-web-application-framework/</guid><pubDate>Fri, 10 Jul 2026 00:00:00 GMT</pubDate><description>High remediation recipe for Frappe is a full-stack web application framework. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable authz pattern.</description></item><item><title>CVE-2026-41876 - R-SOFT DMS is vulnerable to OS Command Injection in konwertujAction() function</title><link>https://security-recipes.ai/prompt-library/cve/cve-2026-41876-r-soft-dms-is-vulnerable-to-os-command-injection-in-konwertujaction-function/</link><guid>https://security-recipes.ai/prompt-library/cve/cve-2026-41876-r-soft-dms-is-vulnerable-to-os-command-injection-in-konwertujaction-function/</guid><pubDate>Fri, 10 Jul 2026 00:00:00 GMT</pubDate><description>High remediation recipe for R-SOFT DMS is vulnerable to OS Command Injection in konwertujAction() function. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable command-injection pattern.</description></item><item><title>CVE-2026-41878 - R-SOFT DMS is vulnerable to Insecure Direct Object Reference (IDOR) attack in multiple file download endpoints</title><link>https://security-recipes.ai/prompt-library/cve/cve-2026-41878-r-soft-dms-is-vulnerable-to-insecure-direct-object-reference-idor-attack-in-multiple-file-download-endpoints/</link><guid>https://security-recipes.ai/prompt-library/cve/cve-2026-41878-r-soft-dms-is-vulnerable-to-insecure-direct-object-reference-idor-attack-in-multiple-file-download-endpoints/</guid><pubDate>Fri, 10 Jul 2026 00:00:00 GMT</pubDate><description>High remediation recipe for R-SOFT DMS is vulnerable to Insecure Direct Object Reference (IDOR) attack in multiple file download endpoints. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable authz pattern.</description></item><item><title>CVE-2026-41879 - R-SOFT DMS stores superadmin credentials using a non-salted nested MD5 hash</title><link>https://security-recipes.ai/prompt-library/cve/cve-2026-41879-r-soft-dms-stores-superadmin-credentials-using-a-non-salted-nested-md5-hash/</link><guid>https://security-recipes.ai/prompt-library/cve/cve-2026-41879-r-soft-dms-stores-superadmin-credentials-using-a-non-salted-nested-md5-hash/</guid><pubDate>Fri, 10 Jul 2026 00:00:00 GMT</pubDate><description>High remediation recipe for R-SOFT DMS stores superadmin credentials using a non-salted nested MD5 hash. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable credential-leak pattern.</description></item><item><title>CVE-2026-41880 - R-SOFT DMS is vulnerable to OS Command Injection in the Optical Character Recognition (OCR) module</title><link>https://security-recipes.ai/prompt-library/cve/cve-2026-41880-r-soft-dms-is-vulnerable-to-os-command-injection-in-the-optical-character-recognition-ocr-module/</link><guid>https://security-recipes.ai/prompt-library/cve/cve-2026-41880-r-soft-dms-is-vulnerable-to-os-command-injection-in-the-optical-character-recognition-ocr-module/</guid><pubDate>Fri, 10 Jul 2026 00:00:00 GMT</pubDate><description>Critical remediation recipe for R-SOFT DMS is vulnerable to OS Command Injection in the Optical Character Recognition (OCR) module. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable command-injection pattern.</description></item><item><title>CVE-2026-42952 - Previously, there was no throttling on repeated authentication attempts to the charging station backend, which</title><link>https://security-recipes.ai/prompt-library/cve/cve-2026-42952-previously-there-was-no-throttling-on-repeated-authentication-attempts-to-the-charging-station-backend-which/</link><guid>https://security-recipes.ai/prompt-library/cve/cve-2026-42952-previously-there-was-no-throttling-on-repeated-authentication-attempts-to-the-charging-station-backend-which/</guid><pubDate>Fri, 10 Jul 2026 00:00:00 GMT</pubDate><description>High remediation recipe for Previously, there was no throttling on repeated authentication attempts to the charging station backend, which. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable authz pattern.</description></item><item><title>CVE-2026-44383 - Multiple connections to the backend using the same charging station ID are allowed, which could allow an attac</title><link>https://security-recipes.ai/prompt-library/cve/cve-2026-44383-multiple-connections-to-the-backend-using-the-same-charging-station-id-are-allowed-which-could-allow-an-attac/</link><guid>https://security-recipes.ai/prompt-library/cve/cve-2026-44383-multiple-connections-to-the-backend-using-the-same-charging-station-id-are-allowed-which-could-allow-an-attac/</guid><pubDate>Fri, 10 Jul 2026 00:00:00 GMT</pubDate><description>High remediation recipe for Multiple connections to the backend using the same charging station ID are allowed, which could allow an attac. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable authz pattern.</description></item><item><title>CVE-2026-44795 - Spinnaker is an open source, multi-cloud continuous delivery platform</title><link>https://security-recipes.ai/prompt-library/cve/cve-2026-44795-spinnaker-is-an-open-source-multi-cloud-continuous-delivery-platform/</link><guid>https://security-recipes.ai/prompt-library/cve/cve-2026-44795-spinnaker-is-an-open-source-multi-cloud-continuous-delivery-platform/</guid><pubDate>Fri, 10 Jul 2026 00:00:00 GMT</pubDate><description>High remediation recipe for Spinnaker is an open source, multi-cloud continuous delivery platform. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable command-injection pattern.</description></item><item><title>CVE-2026-49213 - TypeBot is a chatbot builder tool. Prior to 3.17.2, Typebot&#39;s shared SSRF validator in packages/lib/src/ssrf/v</title><link>https://security-recipes.ai/prompt-library/cve/cve-2026-49213-typebot-is-a-chatbot-builder-tool-prior-to-3-17-2-typebot-s-shared-ssrf-validator-in-packages-lib-src-ssrf-v/</link><guid>https://security-recipes.ai/prompt-library/cve/cve-2026-49213-typebot-is-a-chatbot-builder-tool-prior-to-3-17-2-typebot-s-shared-ssrf-validator-in-packages-lib-src-ssrf-v/</guid><pubDate>Fri, 10 Jul 2026 00:00:00 GMT</pubDate><description>High remediation recipe for TypeBot is a chatbot builder tool. Prior to 3.17.2, Typebot&#39;s shared SSRF validator in packages/lib/src/ssrf/v. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable ssrf pattern.</description></item><item><title>CVE-2026-49394 - Frappe is a full-stack web application framework</title><link>https://security-recipes.ai/prompt-library/cve/cve-2026-49394-frappe-is-a-full-stack-web-application-framework/</link><guid>https://security-recipes.ai/prompt-library/cve/cve-2026-49394-frappe-is-a-full-stack-web-application-framework/</guid><pubDate>Fri, 10 Jul 2026 00:00:00 GMT</pubDate><description>High remediation recipe for Frappe is a full-stack web application framework. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable authz pattern.</description></item><item><title>CVE-2026-49866 - libp2p: CPU DoS via oversized IHAVE and IWANT control message arrays</title><link>https://security-recipes.ai/prompt-library/cve/cve-2026-49866-libp2p-cpu-dos-via-oversized-ihave-and-iwant-control-message-arrays/</link><guid>https://security-recipes.ai/prompt-library/cve/cve-2026-49866-libp2p-cpu-dos-via-oversized-ihave-and-iwant-control-message-arrays/</guid><pubDate>Fri, 10 Jul 2026 00:00:00 GMT</pubDate><description>High remediation recipe for libp2p: CPU DoS via oversized IHAVE and IWANT control message arrays. Upgrade to 16.0.0 and remove the vulnerable authz pattern.</description></item><item><title>CVE-2026-50551 - SiYuan: Stored XSS to RCE via Unsanitized Attribute View Asset Cell Content</title><link>https://security-recipes.ai/prompt-library/cve/cve-2026-50551-siyuan-stored-xss-to-rce-via-unsanitized-attribute-view-asset-cell-content/</link><guid>https://security-recipes.ai/prompt-library/cve/cve-2026-50551-siyuan-stored-xss-to-rce-via-unsanitized-attribute-view-asset-cell-content/</guid><pubDate>Fri, 10 Jul 2026 00:00:00 GMT</pubDate><description>Critical remediation recipe for SiYuan: Stored XSS to RCE via Unsanitized Attribute View Asset Cell Content. Upgrade to 0.0.0-20260628153353-2d5d72223df4 and remove the vulnerable command-injection pattern.</description></item><item><title>CVE-2026-51119 - An issue in Invixium IXM WEB v.2.3.85.25 allows an attacker to escalate privileges via the /SystemUsers/Create</title><link>https://security-recipes.ai/prompt-library/cve/cve-2026-51119-an-issue-in-invixium-ixm-web-v-2-3-85-25-allows-an-attacker-to-escalate-privileges-via-the-systemusers-create/</link><guid>https://security-recipes.ai/prompt-library/cve/cve-2026-51119-an-issue-in-invixium-ixm-web-v-2-3-85-25-allows-an-attacker-to-escalate-privileges-via-the-systemusers-create/</guid><pubDate>Fri, 10 Jul 2026 00:00:00 GMT</pubDate><description>Critical remediation recipe for An issue in Invixium IXM WEB v.2.3.85.25 allows an attacker to escalate privileges via the /SystemUsers/Create. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable authz pattern.</description></item><item><title>CVE-2026-52747 - ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx</title><link>https://security-recipes.ai/prompt-library/cve/cve-2026-52747-modsecurity-is-an-open-source-cross-platform-web-application-firewall-waf-engine-for-apache-iis-and-nginx/</link><guid>https://security-recipes.ai/prompt-library/cve/cve-2026-52747-modsecurity-is-an-open-source-cross-platform-web-application-firewall-waf-engine-for-apache-iis-and-nginx/</guid><pubDate>Fri, 10 Jul 2026 00:00:00 GMT</pubDate><description>High remediation recipe for ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable command-injection pattern.</description></item><item><title>CVE-2026-53448 - Coturn is a free open source implementation of TURN and STUN Server</title><link>https://security-recipes.ai/prompt-library/cve/cve-2026-53448-coturn-is-a-free-open-source-implementation-of-turn-and-stun-server/</link><guid>https://security-recipes.ai/prompt-library/cve/cve-2026-53448-coturn-is-a-free-open-source-implementation-of-turn-and-stun-server/</guid><pubDate>Fri, 10 Jul 2026 00:00:00 GMT</pubDate><description>High remediation recipe for Coturn is a free open source implementation of TURN and STUN Server. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable command-injection pattern.</description></item><item><title>CVE-2026-53450 - Coturn is a free open source implementation of TURN and STUN Server</title><link>https://security-recipes.ai/prompt-library/cve/cve-2026-53450-coturn-is-a-free-open-source-implementation-of-turn-and-stun-server/</link><guid>https://security-recipes.ai/prompt-library/cve/cve-2026-53450-coturn-is-a-free-open-source-implementation-of-turn-and-stun-server/</guid><pubDate>Fri, 10 Jul 2026 00:00:00 GMT</pubDate><description>High remediation recipe for Coturn is a free open source implementation of TURN and STUN Server. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable command-injection pattern.</description></item><item><title>CVE-2026-53653 - Grav is a file-based Web platform. Prior to 1.7.53 and 2.0.0-rc.8, Grav allows an unauthenticated visitor to e</title><link>https://security-recipes.ai/prompt-library/cve/cve-2026-53653-grav-is-a-file-based-web-platform-prior-to-1-7-53-and-2-0-0-rc-8-grav-allows-an-unauthenticated-visitor-to-e/</link><guid>https://security-recipes.ai/prompt-library/cve/cve-2026-53653-grav-is-a-file-based-web-platform-prior-to-1-7-53-and-2-0-0-rc-8-grav-allows-an-unauthenticated-visitor-to-e/</guid><pubDate>Fri, 10 Jul 2026 00:00:00 GMT</pubDate><description>High remediation recipe for Grav is a file-based Web platform. Prior to 1.7.53 and 2.0.0-rc.8, Grav allows an unauthenticated visitor to e. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable command-injection pattern.</description></item><item><title>CVE-2026-53657 - Lima launches Linux virtual machines, typically on macOS, for running containerd</title><link>https://security-recipes.ai/prompt-library/cve/cve-2026-53657-lima-launches-linux-virtual-machines-typically-on-macos-for-running-containerd/</link><guid>https://security-recipes.ai/prompt-library/cve/cve-2026-53657-lima-launches-linux-virtual-machines-typically-on-macos-for-running-containerd/</guid><pubDate>Fri, 10 Jul 2026 00:00:00 GMT</pubDate><description>High remediation recipe for Lima launches Linux virtual machines, typically on macOS, for running containerd. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable authz pattern.</description></item><item><title>CVE-2026-54000 - osquery is a SQL powered operating system instrumentation, monitoring, and analytics framework</title><link>https://security-recipes.ai/prompt-library/cve/cve-2026-54000-osquery-is-a-sql-powered-operating-system-instrumentation-monitoring-and-analytics-framework/</link><guid>https://security-recipes.ai/prompt-library/cve/cve-2026-54000-osquery-is-a-sql-powered-operating-system-instrumentation-monitoring-and-analytics-framework/</guid><pubDate>Fri, 10 Jul 2026 00:00:00 GMT</pubDate><description>High remediation recipe for osquery is a SQL powered operating system instrumentation, monitoring, and analytics framework. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable authz pattern.</description></item><item><title>CVE-2026-54001 - osquery is a SQL powered operating system instrumentation, monitoring, and analytics framework</title><link>https://security-recipes.ai/prompt-library/cve/cve-2026-54001-osquery-is-a-sql-powered-operating-system-instrumentation-monitoring-and-analytics-framework/</link><guid>https://security-recipes.ai/prompt-library/cve/cve-2026-54001-osquery-is-a-sql-powered-operating-system-instrumentation-monitoring-and-analytics-framework/</guid><pubDate>Fri, 10 Jul 2026 00:00:00 GMT</pubDate><description>High remediation recipe for osquery is a SQL powered operating system instrumentation, monitoring, and analytics framework. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable authz pattern.</description></item><item><title>CVE-2026-54063 - Excelize: Unbounded Row Index Allocation in Worksheet Parser (checkSheet OOM/Panic DoS)</title><link>https://security-recipes.ai/prompt-library/cve/cve-2026-54063-excelize-unbounded-row-index-allocation-in-worksheet-parser-checksheet-oom-panic-dos/</link><guid>https://security-recipes.ai/prompt-library/cve/cve-2026-54063-excelize-unbounded-row-index-allocation-in-worksheet-parser-checksheet-oom-panic-dos/</guid><pubDate>Fri, 10 Jul 2026 00:00:00 GMT</pubDate><description>High remediation recipe for Excelize: Unbounded Row Index Allocation in Worksheet Parser (checkSheet OOM/Panic DoS). Upgrade to 2.11.0 and remove the vulnerable dos pattern.</description></item><item><title>CVE-2026-54066 - SiYuan: Path Traversal via Double URL Encoding in /assets/*path (publish mode arbitrary file─read), Incomplete fix of CV</title><link>https://security-recipes.ai/prompt-library/cve/cve-2026-54066-siyuan-path-traversal-via-double-url-encoding-in-assets-path-publish-mode-arbitrary-file-read-incomplete-fix-o/</link><guid>https://security-recipes.ai/prompt-library/cve/cve-2026-54066-siyuan-path-traversal-via-double-url-encoding-in-assets-path-publish-mode-arbitrary-file-read-incomplete-fix-o/</guid><pubDate>Fri, 10 Jul 2026 00:00:00 GMT</pubDate><description>High remediation recipe for SiYuan: Path Traversal via Double URL Encoding in /assets/*path (publish mode arbitrary file─read), Incomplete fix of CV. Upgrade to 0.0.0-20260628153353-2d5d72223df4 and remove the vulnerable path-traversal pattern.</description></item><item><title>CVE-2026-54067 - SiYuan: Stored XSS to RCE via CSS-snippet &lt;style&gt; breakout in renderSnippet()</title><link>https://security-recipes.ai/prompt-library/cve/cve-2026-54067-siyuan-stored-xss-to-rce-via-css-snippet-style-breakout-in-rendersnippet/</link><guid>https://security-recipes.ai/prompt-library/cve/cve-2026-54067-siyuan-stored-xss-to-rce-via-css-snippet-style-breakout-in-rendersnippet/</guid><pubDate>Fri, 10 Jul 2026 00:00:00 GMT</pubDate><description>Critical remediation recipe for SiYuan: Stored XSS to RCE via CSS-snippet &lt;style&gt; breakout in renderSnippet(). Upgrade to 0.0.0-20260628153353-2d5d72223df4 and remove the vulnerable command-injection pattern.</description></item><item><title>CVE-2026-54069 - SiYuan: Unauthenticated Admin API Access via Blanket chrome-extension:// Origin Allowlist</title><link>https://security-recipes.ai/prompt-library/cve/cve-2026-54069-siyuan-unauthenticated-admin-api-access-via-blanket-chrome-extension-origin-allowlist/</link><guid>https://security-recipes.ai/prompt-library/cve/cve-2026-54069-siyuan-unauthenticated-admin-api-access-via-blanket-chrome-extension-origin-allowlist/</guid><pubDate>Fri, 10 Jul 2026 00:00:00 GMT</pubDate><description>Critical remediation recipe for SiYuan: Unauthenticated Admin API Access via Blanket chrome-extension:// Origin Allowlist. Upgrade to 0.0.0-20260628153353-2d5d72223df4 and remove the vulnerable authz pattern.</description></item><item><title>CVE-2026-54070 - SiYuan: Stored XSS in Bazaar marketplace via package README event handlers</title><link>https://security-recipes.ai/prompt-library/cve/cve-2026-54070-siyuan-stored-xss-in-bazaar-marketplace-via-package-readme-event-handlers/</link><guid>https://security-recipes.ai/prompt-library/cve/cve-2026-54070-siyuan-stored-xss-in-bazaar-marketplace-via-package-readme-event-handlers/</guid><pubDate>Fri, 10 Jul 2026 00:00:00 GMT</pubDate><description>High remediation recipe for SiYuan: Stored XSS in Bazaar marketplace via package README event handlers. Upgrade to 0.0.0-20260628153353-2d5d72223df4 and remove the vulnerable xss pattern.</description></item><item><title>CVE-2026-54071 - BabelDOC: Arbitrary Code Execution via CMap Pickle Deserialization in babeldoc/pdfminer/cmapdb.py</title><link>https://security-recipes.ai/prompt-library/cve/cve-2026-54071-babeldoc-arbitrary-code-execution-via-cmap-pickle-deserialization-in-babeldoc-pdfminer-cmapdb-py/</link><guid>https://security-recipes.ai/prompt-library/cve/cve-2026-54071-babeldoc-arbitrary-code-execution-via-cmap-pickle-deserialization-in-babeldoc-pdfminer-cmapdb-py/</guid><pubDate>Fri, 10 Jul 2026 00:00:00 GMT</pubDate><description>High remediation recipe for BabelDOC: Arbitrary Code Execution via CMap Pickle Deserialization in babeldoc/pdfminer/cmapdb.py. Upgrade to 0.6.3 and remove the vulnerable deserialization pattern.</description></item><item><title>CVE-2026-54072 - Authorizer: Unvalidated redirect_uri in /authorize leaks OAuth2 tokens to attacker-controlled URL</title><link>https://security-recipes.ai/prompt-library/cve/cve-2026-54072-authorizer-unvalidated-redirect-uri-in-authorize-leaks-oauth2-tokens-to-attacker-controlled-url/</link><guid>https://security-recipes.ai/prompt-library/cve/cve-2026-54072-authorizer-unvalidated-redirect-uri-in-authorize-leaks-oauth2-tokens-to-attacker-controlled-url/</guid><pubDate>Fri, 10 Jul 2026 00:00:00 GMT</pubDate><description>Critical remediation recipe for Authorizer: Unvalidated redirect_uri in /authorize leaks OAuth2 tokens to attacker-controlled URL. Upgrade to 0.0.0-20260409051328-bd3f5baf6d3d and remove the vulnerable mcp-auth pattern.</description></item><item><title>CVE-2026-54088 - File Browser: Command Injection via Authentication Hook Shell Substitution (Pre-Authentication RCE)</title><link>https://security-recipes.ai/prompt-library/cve/cve-2026-54088-file-browser-command-injection-via-authentication-hook-shell-substitution-pre-authentication-rce/</link><guid>https://security-recipes.ai/prompt-library/cve/cve-2026-54088-file-browser-command-injection-via-authentication-hook-shell-substitution-pre-authentication-rce/</guid><pubDate>Fri, 10 Jul 2026 00:00:00 GMT</pubDate><description>Critical remediation recipe for File Browser: Command Injection via Authentication Hook Shell Substitution (Pre-Authentication RCE). Upgrade to 2.63.6 and remove the vulnerable command-injection pattern.</description></item><item><title>CVE-2026-54089 - File Browser: Authentication Bypass via Proxy Auth Header Forgery</title><link>https://security-recipes.ai/prompt-library/cve/cve-2026-54089-file-browser-authentication-bypass-via-proxy-auth-header-forgery/</link><guid>https://security-recipes.ai/prompt-library/cve/cve-2026-54089-file-browser-authentication-bypass-via-proxy-auth-header-forgery/</guid><pubDate>Fri, 10 Jul 2026 00:00:00 GMT</pubDate><description>Critical remediation recipe for File Browser: Authentication Bypass via Proxy Auth Header Forgery. Upgrade to Vendor-fixed release and remove the vulnerable auth-bypass pattern.</description></item><item><title>CVE-2026-54149 - MaxKB is an open-source AI assistant for enterprise</title><link>https://security-recipes.ai/prompt-library/cve/cve-2026-54149-maxkb-is-an-open-source-ai-assistant-for-enterprise/</link><guid>https://security-recipes.ai/prompt-library/cve/cve-2026-54149-maxkb-is-an-open-source-ai-assistant-for-enterprise/</guid><pubDate>Fri, 10 Jul 2026 00:00:00 GMT</pubDate><description>High remediation recipe for MaxKB is an open-source AI assistant for enterprise. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable command-injection pattern.</description></item><item><title>CVE-2026-54158 - SiYuan: Stored XSS to RCE via attribute-view cell rendering in genAVValueHTML()</title><link>https://security-recipes.ai/prompt-library/cve/cve-2026-54158-siyuan-stored-xss-to-rce-via-attribute-view-cell-rendering-in-genavvaluehtml/</link><guid>https://security-recipes.ai/prompt-library/cve/cve-2026-54158-siyuan-stored-xss-to-rce-via-attribute-view-cell-rendering-in-genavvaluehtml/</guid><pubDate>Fri, 10 Jul 2026 00:00:00 GMT</pubDate><description>Critical remediation recipe for SiYuan: Stored XSS to RCE via attribute-view cell rendering in genAVValueHTML(). Upgrade to 0.0.0-20260628153353-2d5d72223df4 and remove the vulnerable command-injection pattern.</description></item><item><title>CVE-2026-54159 - prestashop/ps_facetedsearch: PHP Object Injection in faceted search cache allows unauthenticated RCE</title><link>https://security-recipes.ai/prompt-library/cve/cve-2026-54159-prestashop-ps-facetedsearch-php-object-injection-in-faceted-search-cache-allows-unauthenticated-rce/</link><guid>https://security-recipes.ai/prompt-library/cve/cve-2026-54159-prestashop-ps-facetedsearch-php-object-injection-in-faceted-search-cache-allows-unauthenticated-rce/</guid><pubDate>Fri, 10 Jul 2026 00:00:00 GMT</pubDate><description>Critical remediation recipe for prestashop/ps_facetedsearch: PHP Object Injection in faceted search cache allows unauthenticated RCE. Upgrade to 4.0.4 and remove the vulnerable command-injection pattern.</description></item><item><title>CVE-2026-54174 - melange: Incomplete package integrity verification allows data section substitution</title><link>https://security-recipes.ai/prompt-library/cve/cve-2026-54174-melange-incomplete-package-integrity-verification-allows-data-section-substitution/</link><guid>https://security-recipes.ai/prompt-library/cve/cve-2026-54174-melange-incomplete-package-integrity-verification-allows-data-section-substitution/</guid><pubDate>Fri, 10 Jul 2026 00:00:00 GMT</pubDate><description>High remediation recipe for melange: Incomplete package integrity verification allows data section substitution. Upgrade to 0.50.4, 1.2.9 and remove the vulnerable authz pattern.</description></item><item><title>CVE-2026-54423 - In OpenStack Ironic before 37.0.1, an Ironic user with the ability to deploy nodes using the IPMI management i</title><link>https://security-recipes.ai/prompt-library/cve/cve-2026-54423-in-openstack-ironic-before-37-0-1-an-ironic-user-with-the-ability-to-deploy-nodes-using-the-ipmi-management-i/</link><guid>https://security-recipes.ai/prompt-library/cve/cve-2026-54423-in-openstack-ironic-before-37-0-1-an-ironic-user-with-the-ability-to-deploy-nodes-using-the-ipmi-management-i/</guid><pubDate>Fri, 10 Jul 2026 00:00:00 GMT</pubDate><description>High remediation recipe for In OpenStack Ironic before 37.0.1, an Ironic user with the ability to deploy nodes using the IPMI management i. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable authz pattern.</description></item><item><title>CVE-2026-54469 - Dell Unisphere for PowerMax, version(s) 10.3.0.5 and prior, contain(s) a Deserialization of Untrusted Data vul</title><link>https://security-recipes.ai/prompt-library/cve/cve-2026-54469-dell-unisphere-for-powermax-version-s-10-3-0-5-and-prior-contain-s-a-deserialization-of-untrusted-data-vul/</link><guid>https://security-recipes.ai/prompt-library/cve/cve-2026-54469-dell-unisphere-for-powermax-version-s-10-3-0-5-and-prior-contain-s-a-deserialization-of-untrusted-data-vul/</guid><pubDate>Fri, 10 Jul 2026 00:00:00 GMT</pubDate><description>High remediation recipe for Dell Unisphere for PowerMax, version(s) 10.3.0.5 and prior, contain(s) a Deserialization of Untrusted Data vul. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable deserialization pattern.</description></item><item><title>CVE-2026-54736 - Phalcon is a high-performance, full-stack PHP framework</title><link>https://security-recipes.ai/prompt-library/cve/cve-2026-54736-phalcon-is-a-high-performance-full-stack-php-framework/</link><guid>https://security-recipes.ai/prompt-library/cve/cve-2026-54736-phalcon-is-a-high-performance-full-stack-php-framework/</guid><pubDate>Fri, 10 Jul 2026 00:00:00 GMT</pubDate><description>High remediation recipe for Phalcon is a high-performance, full-stack PHP framework. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable authz pattern.</description></item><item><title>CVE-2026-54919 - cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library</title><link>https://security-recipes.ai/prompt-library/cve/cve-2026-54919-cpp-httplib-is-a-c-11-single-file-header-only-cross-platform-http-https-library/</link><guid>https://security-recipes.ai/prompt-library/cve/cve-2026-54919-cpp-httplib-is-a-c-11-single-file-header-only-cross-platform-http-https-library/</guid><pubDate>Fri, 10 Jul 2026 00:00:00 GMT</pubDate><description>High remediation recipe for cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable authz pattern.</description></item><item><title>CVE-2026-55175 - Spinnaker is an open source, multi-cloud continuous delivery platform</title><link>https://security-recipes.ai/prompt-library/cve/cve-2026-55175-spinnaker-is-an-open-source-multi-cloud-continuous-delivery-platform/</link><guid>https://security-recipes.ai/prompt-library/cve/cve-2026-55175-spinnaker-is-an-open-source-multi-cloud-continuous-delivery-platform/</guid><pubDate>Fri, 10 Jul 2026 00:00:00 GMT</pubDate><description>High remediation recipe for Spinnaker is an open source, multi-cloud continuous delivery platform. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable command-injection pattern.</description></item><item><title>CVE-2026-55213 - h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3</title><link>https://security-recipes.ai/prompt-library/cve/cve-2026-55213-h2o-is-an-http-server-with-support-for-http-1-x-http-2-and-http-3/</link><guid>https://security-recipes.ai/prompt-library/cve/cve-2026-55213-h2o-is-an-http-server-with-support-for-http-1-x-http-2-and-http-3/</guid><pubDate>Fri, 10 Jul 2026 00:00:00 GMT</pubDate><description>High remediation recipe for h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable authz pattern.</description></item><item><title>CVE-2026-55229 - Gotenberg is a Docker-powered stateless API for PDF files</title><link>https://security-recipes.ai/prompt-library/cve/cve-2026-55229-gotenberg-is-a-docker-powered-stateless-api-for-pdf-files/</link><guid>https://security-recipes.ai/prompt-library/cve/cve-2026-55229-gotenberg-is-a-docker-powered-stateless-api-for-pdf-files/</guid><pubDate>Fri, 10 Jul 2026 00:00:00 GMT</pubDate><description>High remediation recipe for Gotenberg is a Docker-powered stateless API for PDF files. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable authz pattern.</description></item><item><title>CVE-2026-55233 - OpenResty is a high performance web platform</title><link>https://security-recipes.ai/prompt-library/cve/cve-2026-55233-openresty-is-a-high-performance-web-platform/</link><guid>https://security-recipes.ai/prompt-library/cve/cve-2026-55233-openresty-is-a-high-performance-web-platform/</guid><pubDate>Fri, 10 Jul 2026 00:00:00 GMT</pubDate><description>High remediation recipe for OpenResty is a high performance web platform. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable authz pattern.</description></item><item><title>CVE-2026-55377 - Logto is the modern, open-source auth infrastructure for SaaS and AI apps</title><link>https://security-recipes.ai/prompt-library/cve/cve-2026-55377-logto-is-the-modern-open-source-auth-infrastructure-for-saas-and-ai-apps/</link><guid>https://security-recipes.ai/prompt-library/cve/cve-2026-55377-logto-is-the-modern-open-source-auth-infrastructure-for-saas-and-ai-apps/</guid><pubDate>Fri, 10 Jul 2026 00:00:00 GMT</pubDate><description>High remediation recipe for Logto is the modern, open-source auth infrastructure for SaaS and AI apps. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable command-injection pattern.</description></item><item><title>CVE-2026-55405 - LangChain4j is a Java library for building LLM-powered applications on the JVM</title><link>https://security-recipes.ai/prompt-library/cve/cve-2026-55405-langchain4j-is-a-java-library-for-building-llm-powered-applications-on-the-jvm/</link><guid>https://security-recipes.ai/prompt-library/cve/cve-2026-55405-langchain4j-is-a-java-library-for-building-llm-powered-applications-on-the-jvm/</guid><pubDate>Fri, 10 Jul 2026 00:00:00 GMT</pubDate><description>High remediation recipe for LangChain4j is a Java library for building LLM-powered applications on the JVM. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable authz pattern.</description></item></channel></rss>