PatchSiren

hubspotdev CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM hubspotdev CVE published 2026-07-17

CVE-2026-9656

The HubSpot All-In-One Marketing – Forms, Popups, Live Chat plugin for WordPress is vulnerable to Sensitive Information Exposure, allowing authenticated attackers with contributor-level access to extract the site's plaintext HubSpot OAuth refresh token. This token can be used to access or modify data in the connected HubSpot tenant. The vulnerability affects all versions up to, and including, 11.3.62. The [truncated]