Gravity SMTP security patch release for CVE-2026-4020

Security Patch Release
H score 16
1 unique source, 1 article

Summary

Gravity SMTP released version 2.1.5 to fix CVE-2026-4020, closing a medium-severity information disclosure flaw in the WordPress plugin. The patch addresses a bug that let unauthenticated visitors pull API keys, secrets, and OAuth tokens from plugin data. The update is urgent because the plugin is installed on about 100,000 sites and exploit traffic is already active.

Related Happenings

Everest Forms Pro plugin patch for CVE-2026-3300

Security Patch Release
H score 43 · First: 06.06.2026 17:09 · Last: 06.06.2026 17:09 · Sources: 1

About this happening: The **Everest Forms developer** released a patch for **CVE-2026-3300** in **Everest Forms Pro** on **March 18**, closing an **unauthenticated arbitrary code execution** flaw affec...

The vendor security patch release for CVE-2026-8206

Security Patch Release
H score 89 · First: 03.06.2026 01:12 · Last: 03.06.2026 01:12 · Sources: 1

About this happening: **Kirki - Freeform Page Builder, Website Builder & Customizer** shipped **version 6.0.7** to fix **CVE-2026-8206**, a privilege-escalation flaw that could let attackers take over...

WP Maps Pro 6.1.1 security patch for CVE-2026-8732

Security Patch Release
H score 49 · First: 31.05.2026 17:06 · Last: 31.05.2026 17:06 · Sources: 1

About this happening: **WP Maps Pro 6.1.1** was released to fix **CVE-2026-8732**, giving WordPress administrators a patch for a flaw that enabled **unauthenticated administrator-account creation**. Th...

GitHub CVE-2026-3854 security patch release

Security Patch Release
H score 34 · First: 29.04.2026 15:41 · Last: 29.04.2026 15:41 · Sources: 1

About this happening: **GitHub** released **security fixes** for **CVE-2026-3854**, patching **GitHub.com** and supported **GitHub Enterprise Server** builds after a critical **remote code execution**...

Nginx-ui 2.3.4 patch for CVE-2026-33032

Security Patch Release
H score 60 · First: 15.04.2026 16:00 · Last: 15.04.2026 16:00 · Sources: 1

About this happening: **nginx-ui maintainers** shipped **version 2.3.4** to fix **CVE-2026-33032**, closing a critical security gap for **MCP-enabled** deployments. The patch matters because the flaw c...

Latest development: 15.04.2026 17:45

After Pluto Security disclosed the issue in **March 2026**, the maintainers shipped **version 2.3.4** to address **CVE-2026-33032**. The patch closed the vulnerability in the product's **AI (MCP) integration** before broader exploitation details were reported.

Timeline

  1. 20.06.2026 12:56 · 1 article

    Gravity SMTP exploit traffic spikes after early May activity begins

    Campaign Scope Update

    Exploit traffic targeting CVE-2026-4020 in Gravity SMTP begins in early May 2026 and spikes around June 6, 2026, with more than 4,000,000 requests in a single day and more than 17 million blocked attempts overall.
  2. 20.06.2026 12:56 · 2 articles

    Gravity SMTP releases version 2.1.5 to fix CVE-2026-4020

    Mitigation Patch Update

    Gravity SMTP version 2.1.5 patches CVE-2026-4020, a medium-severity information disclosure flaw in the WordPress plugin. The /wp-json/gravitysmtp/v1/tests/mock-data REST API endpoint exposed sensitive data when ?page=gravitysmtp-settings was appended, including API keys, secrets, OAuth tokens, and full System Report data. Site owners using connected email services such as Amazon SES, Google, Mailjet, Resend, and Zoho are advised to update and rotate credentials after patching.
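To decide whether credential rotation is needed on a given site, the web server access log can be checked for requests matching the endpoint and parameter named above. The following is an added example, not code from Gravity SMTP or the cited sources; it assumes Combined Log Format, treats WordPress's `?rest_route=` form of the same route as in scope, and runs on constructed sample lines.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Endpoint and parameter as named in the timeline entry above.
ENDPOINT = "/wp-json/gravitysmtp/v1/tests/mock-data"
PARAM, VALUE = "page", "gravitysmtp-settings"
# Assumed log layout (Combined Log Format): ip - user [time] "METHOD target PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def is_probe(target: str) -> bool:
    """True if the request target hits the mock-data route with the settings page parameter."""
    parts = urlsplit(target)
    path = unquote(parts.path).rstrip("/").lower()  # tolerate encoding, trailing slash, case
    query = parse_qs(parts.query)                   # parse_qs percent-decodes the values
    # Assumption: the same route requested through WordPress's ?rest_route= form also counts.
    route = query.get("rest_route", [""])[0].rstrip("/").lower()
    hits_route = path.endswith(ENDPOINT) or route == ENDPOINT[len("/wp-json"):]
    return hits_route and VALUE in (v.lower() for v in query.get(PARAM, []))

def scan(lines):
    """Return (probes, served): matching requests, and the subset answered with HTTP 200."""
    probes, served = [], []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not is_probe(m["target"]):
            continue
        rec = (m["ts"], m["ip"], int(m["status"]))
        probes.append(rec)
        if rec[2] == 200:  # assumption: a 200 from a pre-2.1.5 install means data was returned
            served.append(rec)
    return probes, served

# Constructed sample log lines (documentation-range IPs), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [06/Jun/2026:10:01:02 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 200 18342 "-" "curl/8.5"',
    '203.0.113.7 - - [06/Jun/2026:10:01:05 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?x=1&page=gravitysmtp%2Dsettings HTTP/1.1" 403 512 "-" "curl/8.5"',
    '198.51.100.9 - - [06/Jun/2026:10:02:00 +0000] "GET /?rest_route=/gravitysmtp/v1/tests/mock-data&page=gravitysmtp-settings HTTP/1.1" 200 18342 "-" "-"',
    '192.0.2.4 - - [06/Jun/2026:10:03:00 +0000] "GET /wp-json/wp/v2/posts?page=2 HTTP/1.1" 200 901 "-" "Mozilla/5.0"',
    '192.0.2.4 - - [06/Jun/2026:10:03:09 +0000] "GET /wp-admin/admin.php?page=gravitysmtp-settings HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    probes, served = scan(SAMPLE)
    print(f"{len(probes)} matching request(s), {len(served)} answered with 200")
    for ts, ip, status in served:
        print(f"{ts} {ip} {status}: treat stored credentials as exposed, rotate after updating")
```

Requests that were blocked (403 in the sample) still show up in `probes`, which helps size the traffic, while `served` is the list that drives the rotation decision.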