41 CVEs tracked today. 7 Critical, 10 High, 24 Medium, 0 Low.
-
CVE-2026-40959
CRITICAL
CVSS 9.3
Lua sandbox escape in the Luanti 5.x game engine (formerly Minetest) allows malicious mod code to break out of the LuaJIT security restrictions and execute arbitrary code on the host. Affects Luanti 5.0.0 through 5.15.1 when built against LuaJIT rather than standard Lua. An attacker who can get a crafted mod installed escalates from sandboxed mod execution to full host compromise, with a scope change (S:C). No authentication is required, but the vector is local (AV:L): the mod has to be present on the victim's system. Patched in 5.15.2 via two upstream commits. EPSS data not available; no confirmed active exploitation or public PoC at time of analysis.
RCE
-
CVE-2026-40504
CRITICAL
CVSS 9.3
Heap buffer overflow in the Creolabs Gravity scripting language before 0.9.6 enables remote code execution when an application evaluates an untrusted script containing many string literals at global scope. The flaw is insufficient bounds checking in gravity_fiber_reassign(), which lets the overflow corrupt heap metadata. VulnCheck disclosed the issue; a vendor patch (commit 18b9195) is available. CVSS 9.3 reflects a network-accessible, unauthenticated attack vector. Not in CISA KEV and no public PoC identified at time of analysis, but the technical details in GitHub issue #437 lower the bar for exploit development.
Heap Overflow
Buffer Overflow
RCE
-
CVE-2026-32179
CRITICAL
CVSS 9.8
Integer underflow (CWE-191, integer wraparound) in the ACK frame parser of Microsoft's QUIC library (MsQuic) can be triggered by a remote, unauthenticated peer; the advisory rates the result as privilege escalation. Affects the native library builds shipped via NuGet in both the OpenSSL and SChannel variants. CVSS 9.8 (AV:N/AC:L/PR:N/UI:N), with a vendor-confirmed patch in commit 1e6e999b. Not in CISA KEV and public exploit status unknown at time of analysis, but a flaw in pre-authentication protocol parsing reachable straight from the network warrants immediate patching for any system linking these libraries.
Authentication Bypass
Integer Overflow
Microsoft
-
CVE-2026-6350
CRITICAL
CVSS 9.3
Unauthenticated remote code execution in Openfind MailGates and MailAudit (5.0 through 6.0) via a stack-based buffer overflow (CWE-121), leading to complete system compromise. Crafted network requests trigger the overflow without authentication and yield arbitrary code execution with high impact on confidentiality, integrity and availability. Fixed in MailGates 6.1.10.054 and 5.2.10.099 and in MailAudit 6.1.10.054 and 5.2.10.099. CVSS 9.3 with network attack vector (AV:N), low complexity (AC:L) and no privileges required (PR:N) makes this a critical exposure for internet-facing mail security appliances. EPSS data unavailable; no confirmed active exploitation or public PoC at time of analysis.
Stack Overflow
Buffer Overflow
RCE
-
CVE-2026-6349
CRITICAL
CVSS 10.0
OS command injection in HGiga iSherlock-base and iSherlock-audit versions 4.5 and 5.5 allows remote unauthenticated attackers to execute arbitrary operating system commands on the server with full system privileges. All four variants (iSherlock-base-4.5, iSherlock-audit-4.5, iSherlock-base-5.5, iSherlock-audit-5.5) are affected below build 476 (base) and build 261 (audit). Vendor patch available per the TWCERT advisory. The CVSS 4.0 score of 10.0 reflects maximum severity: network attack vector, no authentication, and high confidentiality, integrity and availability impact on both the vulnerable system and subsequent systems (CVSS 4.0 has no scope metric; subsequent-system impact is its equivalent of a scope change). No public exploit identified at time of analysis.
Command Injection
iSherlock-base-4.5
iSherlock-audit-4.5
iSherlock-base-5.5
iSherlock-audit-5.5
-
CVE-2026-6348
CRITICAL
CVSS 9.3
The WinMatrix agent escalates to SYSTEM without an authentication check, so any authenticated local user can execute arbitrary code with full administrative control on the local machine and, through the agent's network reach, on every other host where the agent is deployed. That spread across the deployment is what the scope change in the CVSS vector captures, and it is what turns a local bug into an enterprise-wide threat. TWCERT issued advisories in January 2026 for versions 3.5.13 through 3.5.26.15. No public exploit identified at time of analysis, but CVSS 9.3 reflects the catastrophic potential impact given the agent's privileges and propagation capability. EPSS data not available for this 2026 CVE.
Authentication Bypass
RCE
-
CVE-2026-3596
CRITICAL
CVSS 9.8
Unauthenticated remote attackers can escalate to administrator on WordPress sites running the Riaxe Product Customizer plugin ≤2.1.2. The plugin exposes an AJAX endpoint ('install-imprint') with no authentication check that allows arbitrary WordPress option manipulation; by changing the registration settings an attacker can create an administrator account. CVSS 9.8 (Critical) reflects full site compromise. EPSS data not provided, but exploitation needs only HTTP access to a WordPress installation with the plugin active; there are no other preconditions.
Authentication Bypass
WordPress
Privilege Escalation
-
CVE-2026-41015
HIGH
CVSS 7.4
Command injection in radare2's rabin2 PDB parser allows local attackers to execute arbitrary commands when the tool is compiled without SSL support on UNIX systems. The vulnerability (CWE-78) affected a narrow window between commits 01ca2f6 and 9236f44 (post-6.1.2, pre-6.1.3), spanning less than one week in the development timeline. CVSS 7.4 (HIGH) reflects local attack vector with high complexity but no authentication required. No active exploitation confirmed (not in CISA KEV), though publicly available exploit code exists. EPSS data not provided. Fixed in commit 9236f44a28 per GitHub PR #25651.
Command Injection
-
CVE-2026-40960
HIGH
CVSS 8.1
Logic error in Luanti 5 (formerly Minetest) game engine before 5.15.2 allows malicious mods to gain unauthorized access to security-restricted APIs by intercepting mod environment setup. When any mod is designated as trusted (via secure.trusted_mods or secure.http_mods), a specially crafted mod can exploit the environment initialization sequence to receive the insecure environment or HTTP API access intended only for trusted mods. CVSS 8.1 reflects local attack vector with high complexity but no authentication required and scope change with high confidentiality/integrity/availability impact. GitHub security advisory and two fix commits confirm patch availability. No CISA KEV listing or public exploit code identified at time of analysis.
Privilege Escalation
-
CVE-2026-40503
HIGH
CVSS 7.1
Path traversal in OpenHarness allows authenticated gateway users with chat access to read arbitrary files on the server via the '/memory show' slash command. Affecting all versions prior to commit dd1d235, attackers can inject directory traversal sequences to escape the project memory directory and access any file readable by the OpenHarness process. CVSS 7.1 reflects high confidentiality impact with low-privilege network access. Vendor patch available via GitHub commit dd1d235450dd987b20bff01b7bfb02fe8620a0af. No public exploit identified at time of analysis, EPSS data unavailable.
Path Traversal
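The check the '/memory show' handler needs, as an added example (not OpenHarness code): map the user-supplied name to a file and refuse anything that leaves the memory directory. The handler name, the fixture layout and the error strings are assumptions; the test directory, its note, the secret outside it and the symlink escape are constructed inline.

```python
import os
import tempfile
from pathlib import Path


class MemoryPathError(ValueError):
    """Raised when a user-supplied memory name would leave the memory directory."""


def resolve_memory_file(memory_dir: Path, user_name: str) -> Path:
    """Map the argument of '/memory show <name>' to a file strictly inside memory_dir.

    Rejects NUL bytes, absolute paths and '..' components up front, then checks the
    fully *resolved* path, so a symlink planted inside memory_dir that points
    elsewhere is rejected too.
    """
    if not user_name or "\x00" in user_name:
        raise MemoryPathError("empty or NUL-containing name")
    requested = Path(user_name)
    if requested.is_absolute() or os.path.isabs(user_name):
        raise MemoryPathError("absolute path not allowed")
    if ".." in requested.parts:
        raise MemoryPathError("parent-directory traversal not allowed")
    base = memory_dir.resolve()
    candidate = (base / requested).resolve()
    if candidate == base or base not in candidate.parents:
        raise MemoryPathError(f"path escapes memory directory: {user_name}")
    return candidate


def handle_memory_show(memory_dir: Path, argument: str) -> str:
    """Handler for '/memory show <name>': file contents, or an error string."""
    try:
        path = resolve_memory_file(memory_dir, argument)
    except MemoryPathError as exc:
        return f"error: {exc}"
    if not path.is_file():
        return "error: no such memory"
    return path.read_text()


def build_fixture() -> Path:
    """Constructed sandbox: a memory dir with one note, a secret outside it, and a symlink escape."""
    root = Path(tempfile.mkdtemp())
    memory_dir = root / "project" / "memory"
    memory_dir.mkdir(parents=True)
    (memory_dir / "notes.md").write_text("remember: rotate keys\n")
    (root / "secret.txt").write_text("TOP SECRET\n")
    try:
        (memory_dir / "link").symlink_to(root / "secret.txt")
    except (OSError, NotImplementedError):
        pass  # no symlink support on this platform: that case is simply skipped
    return memory_dir


def demo() -> dict:
    """Legitimate read plus the three escape attempts a reviewer should try."""
    memory_dir = build_fixture()
    outside = memory_dir.parent.parent / "secret.txt"
    return {
        "legit": handle_memory_show(memory_dir, "notes.md"),
        "dotdot": handle_memory_show(memory_dir, "../../secret.txt"),
        "absolute": handle_memory_show(memory_dir, str(outside)),
        "symlink": handle_memory_show(memory_dir, "link"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:9s} -> {result.strip()}")
```

The important design choice is that the containment test runs on the resolved path, not on the string: string-level filtering of '..' alone still lets a symlink inside the directory point at /etc/passwd, and checking only after resolution still lets the handler follow that symlink if the parent check is skipped.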
-
CVE-2026-40502
HIGH
CVSS 8.7
Insufficient command validation in the OpenHarness gateway chat handler allows authenticated remote chat users to invoke administrative commands such as /permissions full_auto without authorization, escalating their privileges and modifying the security controls of the running instance. Fixed in commit dd1d235. CVSS 8.7 (High) with network attack vector and low complexity. EPSS data unavailable; not listed in CISA KEV. VulnCheck advisory and GitHub patch available.
Authentication Bypass
Command Injection
-
CVE-2026-40474
HIGH
CVSS 7.6
Authenticated low-privileged users in wger can modify installation-wide gym configuration via /config/gym-config/edit due to missing permission enforcement, enabling vertical privilege escalation. The GymConfigUpdateView declares 'config.change_gymconfig' permission but inherits WgerFormMixin instead of WgerPermissionMixin, causing the permission check to never execute. Exploiting this allows attackers to manipulate default gym assignments affecting all users, with GymConfig.save() automatically reassigning user profiles and creating gym configurations tenant-wide. CVSS 7.6 (High) with network attack vector, low complexity, and low privileges required. No active exploitation (KEV) or public POC identified at time of analysis, though GitHub advisory provides detailed reproduction steps.
Authentication Bypass
Docker
Python
Privilege Escalation
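The wger bug is a declared-but-unenforced permission: the attribute is there, but nothing in the view's inheritance chain reads it. The following is an added, framework-free model of that pattern (it is not wger's or Django's code); the view class and permission name mirror the advisory, while the mixin bodies, the User and Request types and the audit helper are hypothetical.

```python
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    perms: set = field(default_factory=set)

    def has_perm(self, perm: str) -> bool:
        return perm in self.perms


@dataclass
class Request:
    user: User
    method: str = "POST"


class View:
    """Base view: routes the request to the handler and returns an HTTP status."""

    def dispatch(self, request: Request) -> int:
        return self.post(request)

    def post(self, request: Request) -> int:
        return 200


class PermissionMixin:
    """Enforces `permission_required` before anything else runs (the WgerPermissionMixin role)."""

    permission_required: str = ""

    def dispatch(self, request: Request) -> int:
        if not request.user.has_perm(self.permission_required):
            return 403
        return super().dispatch(request)


class FormMixin:
    """Form plumbing only; it never looks at `permission_required` (the WgerFormMixin role)."""

    def dispatch(self, request: Request) -> int:
        return super().dispatch(request)


AUDIT_LOG = []


def save_gym_config(user: User) -> None:
    # Stand-in for GymConfig.save(); the real save rewrites tenant-wide defaults.
    AUDIT_LOG.append(f"gym config changed by {user.name}")


class GymConfigUpdateViewVulnerable(FormMixin, View):
    # Declared, but no class in the MRO reads this attribute: the check never executes.
    permission_required = "config.change_gymconfig"

    def post(self, request: Request) -> int:
        save_gym_config(request.user)
        return 200


class GymConfigUpdateViewFixed(PermissionMixin, FormMixin, View):
    # Same declaration; PermissionMixin is first in the MRO, so its dispatch runs first.
    permission_required = "config.change_gymconfig"

    def post(self, request: Request) -> int:
        save_gym_config(request.user)
        return 200


def attempt(view_cls, user: User) -> int:
    """Return the HTTP status a given user gets from a given view class."""
    return view_cls().dispatch(Request(user=user))


def audit_view(view_cls) -> bool:
    """Detection helper: True when a view declares a permission no mixin in its MRO enforces."""
    declares = bool(getattr(view_cls, "permission_required", ""))
    enforces = any(issubclass(c, PermissionMixin) for c in view_cls.__mro__)
    return declares and not enforces


if __name__ == "__main__":
    member = User("member")                                   # low-privilege, no perms
    manager = User("manager", {"config.change_gymconfig"})
    print(attempt(GymConfigUpdateViewVulnerable, member))     # 200: anyone can edit
    print(attempt(GymConfigUpdateViewFixed, member))          # 403
    print(attempt(GymConfigUpdateViewFixed, manager))         # 200
    print(audit_view(GymConfigUpdateViewVulnerable))          # True: misconfigured view
```

Two things to take from it: the mixin that performs the check must precede the form mixin in the base list, or its dispatch never runs, and the audit_view pattern (walk the MRO of every registered view and flag declared-but-unenforced permissions) is a cheap CI check that would have caught this class of bug before release.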
-
CVE-2026-22619
HIGH
CVSS 7.8
Arbitrary code execution in Eaton Intelligent Power Protector (IPP) via insecure library loading allows a local, low-privileged authenticated attacker to run code across a security boundary with high integrity impact. Attack complexity is high: the attacker needs access to the software package's installation files. EPSS data unavailable; no CISA KEV listing or public PoC identified at time of analysis. Eaton has released a patched version through its download center.
RCE
-
CVE-2026-6351
HIGH
CVSS 8.7
CRLF injection in Openfind MailGates and MailAudit allows remote unauthenticated attackers to read arbitrary system files via HTTP header manipulation. Affects 5.x before 5.2.10.099 and 6.x before 6.1.10.054 of both products. CVSS 8.7 with network vector, low complexity and no authentication required means high real-world exposure for internet-facing appliances. TWCERT advisory published; no CISA KEV listing or public exploit code identified at time of analysis, consistent with an early disclosure phase.
Code Injection
-
CVE-2026-5050
HIGH
CVSS 7.5
Signature validation bypass in Redsys payment gateway plugin (WooCommerce) allows remote attackers to mark unpaid orders as completed without actual payment. Unauthenticated attackers who obtain a valid order key and amount can forge payment callbacks across Redsys, Bizum, and Google Pay flows, enabling fraudulent order fulfillment. Affects versions ≤7.0.0 of 'Payment Gateway for Redsys & WooCommerce Lite' WordPress plugin. CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) indicates trivial remote exploitation, though EPSS data unavailable. No CISA KEV listing or public POC identified at time of analysis. Vendor patch released in changeset 3501998.
Information Disclosure
WordPress
Google
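The failure the Redsys entry describes is a callback handler that believes the decoded parameters because the order id and amount match, without having verified the gateway's signature over them. The block below is an added illustration, not the plugin's code: it models the gateway's signature as plain HMAC-SHA256 with a merchant secret over the Base64 parameter blob (the real Redsys scheme derives a per-order key first; that step is omitted), assumes Ds_Response "0000" means authorised, and uses a constructed one-order store.

```python
import base64
import hashlib
import hmac
import json

MERCHANT_SECRET = b"constructed-merchant-secret"   # assumption: shared with the gateway


def fresh_orders() -> dict:
    """Constructed order store: one unpaid order of 49.99 EUR (ISO 4217 numeric 978)."""
    return {"1001": {"amount_cents": 4999, "currency": "978", "status": "pending"}}


def encode_params(params: dict) -> str:
    return base64.b64encode(json.dumps(params, sort_keys=True).encode()).decode()


def sign_params(params_b64: str, secret: bytes = MERCHANT_SECRET) -> str:
    """Signature over the exact bytes the merchant will decode, not over parsed fields."""
    mac = hmac.new(secret, params_b64.encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def vulnerable_callback(payload: dict, orders: dict) -> str:
    """Bug class from the advisory: decoded fields are trusted and the signature is never
    checked, so anyone who knows the order id and amount can mark it paid."""
    params = json.loads(base64.b64decode(payload["Ds_MerchantParameters"]))
    order = orders.get(params.get("Ds_Order"))
    if order and int(params.get("Ds_Amount", -1)) == order["amount_cents"]:
        order["status"] = "completed"
        return "completed"
    return "rejected"


def hardened_callback(payload: dict, orders: dict, secret: bytes = MERCHANT_SECRET) -> str:
    params_b64 = payload.get("Ds_MerchantParameters")
    signature = payload.get("Ds_Signature")
    if not params_b64 or not signature:
        return "rejected: missing signature"              # absence is a failure, not a skip
    expected = sign_params(params_b64, secret)
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        return "rejected: bad signature"                  # constant-time compare
    params = json.loads(base64.b64decode(params_b64))     # only now are the fields trusted
    order = orders.get(params.get("Ds_Order"))
    if order is None:
        return "rejected: unknown order"
    if order["status"] != "pending":
        return "rejected: already processed"              # replay of a genuine callback
    if (int(params.get("Ds_Amount", -1)) != order["amount_cents"]
            or params.get("Ds_Currency") != order["currency"]):
        return "rejected: amount/currency mismatch"       # bind the signed fields to the order
    if params.get("Ds_Response") != "0000":
        return "rejected: not authorised"
    order["status"] = "completed"
    return "completed"


def demo() -> dict:
    params = {"Ds_Order": "1001", "Ds_Amount": "4999", "Ds_Currency": "978", "Ds_Response": "0000"}
    params_b64 = encode_params(params)
    forged = {"Ds_MerchantParameters": params_b64, "Ds_Signature": "AAAA"}   # attacker has no secret
    genuine = {"Ds_MerchantParameters": params_b64, "Ds_Signature": sign_params(params_b64)}
    orders = fresh_orders()
    return {
        "vulnerable_forged": vulnerable_callback(forged, fresh_orders()),
        "hardened_forged": hardened_callback(forged, fresh_orders()),
        "hardened_genuine": hardened_callback(genuine, orders),
        "hardened_replay": hardened_callback(genuine, orders),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:18s} -> {result}")
```

The order of checks is the point: verify the signature over the raw blob first, decode second, and only then compare amount, currency and order state against the merchant's own record, so that a matching order key and amount on their own never complete a payment.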
-
CVE-2026-3614
HIGH
CVSS 8.8
Privilege escalation in AcyMailing WordPress plugin (versions 9.11.0-10.8.1) allows authenticated Subscriber-level users to gain administrator access through a multi-stage attack chain. Attackers exploit a missing capability check in the wp_ajax_acymailing_router AJAX handler to access admin-only configuration controllers, enable autologin features, inject malicious cms_id values into newsletter subscribers, and authenticate as any WordPress user including administrators. EPSS data not available; no confirmed active exploitation (CISA KEV absent), but the low attack complexity (AC:L) and detailed public code references increase exploitation risk for installations with subscriber registration enabled.
Authentication Bypass
WordPress
Privilege Escalation
-
CVE-2026-3599
HIGH
CVSS 7.5
SQL injection in the Riaxe Product Customizer plugin for WordPress (all versions ≤2.1.2) allows unauthenticated remote attackers to extract database contents via crafted REST API requests. The flaw is in the /wp-json/InkXEProductDesignerLite/add-item-to-cart endpoint, where the 'options' keys inside 'product_data' are used without SQL escaping. CVSS 7.5 (High): network attack vector, low complexity, no authentication required. Discovered by Wordfence. No CISA KEV listing or public exploit code identified at time of analysis, and EPSS data is unavailable for risk calibration.
WordPress
SQLi
-
CVE-2026-41034
MEDIUM
CVSS 5.0
ONLYOFFICE DocumentServer before 9.3.0 contains an untrusted pointer dereference in XLS file processing that lets authenticated remote attackers leak memory contents and defeat ASLR. It affects XLS conversion workflows through multiple vectors including pictFmla.cbBufInCtlStm manipulation, and discloses information without user interaction. CVSS 5.0 reflects moderate risk given network accessibility and the authentication barrier, though the scope change (S:C) indicates potential cross-boundary impact.
Information Disclosure
Buffer Overflow
-
CVE-2026-41030
MEDIUM
CVSS 6.2
ONLYOFFICE DesktopEditors versions before 9.3.0 allow local attackers to perform arbitrary file operations with SYSTEM privileges via the update service, resulting in denial of service through resource exhaustion or file manipulation. The vulnerability requires local access and operates without user interaction, making it a significant privilege-escalation risk in multi-user or compromised-account scenarios.
Denial Of Service
Privilege Escalation
-
CVE-2026-40962
MEDIUM
CVSS 4.9
Integer overflow in FFmpeg's CENC subsample data parsing (libavformat/mov.c) before 8.1 enables out-of-bounds memory writes when a specially crafted MP4 file is processed. Exploitation requires attacker-controlled media input and a non-default configuration, limiting it to local contexts; no active exploitation or public exploit code has been identified. With a CVSS score of 4.9, this is a moderate local integrity and confidentiality risk, mainly for users who process video files from untrusted sources.
Integer Overflow
Buffer Overflow
-
CVE-2026-40594
MEDIUM
CVSS 4.8
Race condition in pyLoad's Flask session cookie handler allows unauthenticated attackers to manipulate the SESSION_COOKIE_SECURE flag globally across all concurrent requests by spoofing the X-Forwarded-Proto header. On deployments behind a TLS-terminating proxy, this enables session cookie downgrade attacks resulting in plaintext cookie transmission; on default plain HTTP deployments, it causes session denial of service by forcing the Secure flag and breaking all concurrent user sessions. The vulnerability requires no authentication and exploits a multi-threaded race window in the Cheroot WSGI server (request_queue_size=512) combined with missing proxy origin validation (acknowledged TODO in code).
Denial Of Service
Python
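The pyLoad entry describes two independent mistakes that combine: a process-wide setting rewritten from a per-request header, and that header accepted from any peer. The block below is an added model of the bug class, not pyLoad's code; it reproduces the cross-request contamination deterministically with a barrier standing in for the race window, then shows the per-request, proxy-aware decision that replaces it. The proxy address 10.0.0.5, the peer 203.0.113.9 and the function names are assumptions.

```python
import threading
from typing import Optional

TRUSTED_PROXIES = {"10.0.0.5"}    # assumption: the one TLS-terminating proxy in front of the app


class VulnerableSessionHandler:
    """Rewrites a process-wide setting from a per-request, attacker-controlled header."""

    def __init__(self) -> None:
        self.config = {"SESSION_COOKIE_SECURE": False}      # shared by every thread

    def handle(self, headers: dict, sync: Optional[threading.Barrier] = None) -> bool:
        # No check that X-Forwarded-Proto came from the proxy: any client can set it.
        self.config["SESSION_COOKIE_SECURE"] = headers.get("X-Forwarded-Proto") == "https"
        if sync is not None:
            sync.wait()   # stands in for the window between this write and Set-Cookie emission
        # Reads back shared state, which a concurrent request may have overwritten.
        return self.config["SESSION_COOKIE_SECURE"]


def secure_flag_for(headers: dict, remote_addr: str, listener_tls: bool) -> bool:
    """Hardened decision: made per request, and the proxy header counts only from a trusted proxy."""
    if listener_tls:
        return True
    if remote_addr in TRUSTED_PROXIES:
        return headers.get("X-Forwarded-Proto", "").lower() == "https"
    return False      # untrusted peer: X-Forwarded-Proto is ignored entirely


def race_demo() -> dict:
    """A victim behind the TLS proxy and an attacker on plain HTTP hit the server at once."""
    app = VulnerableSessionHandler()
    barrier = threading.Barrier(2)       # forces both writes to land before either read
    results = {}

    def run(name: str, headers: dict) -> None:
        results[name] = app.handle(headers, barrier)

    threads = [
        threading.Thread(target=run, args=("victim", {"X-Forwarded-Proto": "https"})),
        threading.Thread(target=run, args=("attacker", {"X-Forwarded-Proto": "http"})),
    ]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    # Both requests read the same global value, so one of them got the wrong flag:
    # either the victim's cookie lost Secure (downgrade) or the attacker's gained it
    # (session broken on a plain-HTTP origin).
    return results


def hardened_demo() -> dict:
    return {
        "victim": secure_flag_for({"X-Forwarded-Proto": "https"}, "10.0.0.5", listener_tls=False),
        "spoof_from_untrusted": secure_flag_for({"X-Forwarded-Proto": "https"}, "203.0.113.9", listener_tls=False),
        "attacker_via_proxy": secure_flag_for({"X-Forwarded-Proto": "http"}, "10.0.0.5", listener_tls=False),
    }


if __name__ == "__main__":
    print("shared-flag race:", race_demo())
    print("per-request flag:", hardened_demo())
```

In a real Flask deployment the equivalent is to set SESSION_COOKIE_SECURE once at startup from the deployment configuration, and, when a known number of proxies sits in front of the app, wrap it in werkzeug's ProxyFix (x_proto=1 for one proxy) so request.scheme is correct; app.config must never be mutated inside a request.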
-
CVE-2026-40505
MEDIUM
CVSS 4.8
MuPDF's mutool does not sanitize PDF metadata before printing it, so a crafted PDF can inject ANSI escape sequences into the user's terminal. When a user runs mutool info on a malicious file, embedded escape codes can clear the screen and display fabricated text, enabling social engineering such as a fake login prompt or a spoofed shell command. This is a local vulnerability requiring user interaction (scored 3.3 in the analysis text, 4.8 in the header above); a vendor-released patch is available.
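What the fix for this class of bug has to do, as an added example that is not MuPDF's code: strip terminal escape sequences from untrusted metadata and then render any remaining control or format character visibly, so neither a half-finished sequence nor a Unicode bidi override survives into the output. The metadata dictionary is constructed; the regex covers 7-bit CSI, OSC and other ESC-introduced sequences plus the 8-bit CSI byte 0x9B.

```python
import re
import unicodedata

# 7-bit CSI, OSC (ended by BEL or ESC \), other ESC+Fe sequences, and 8-bit CSI (0x9B).
_ESCAPE_SEQ = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]"
    r"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"
    r"|\x1b[@-Z\\-_]"
    r"|\x9b[0-?]*[ -/]*[@-~]"
)


def sanitize_for_terminal(text: str, keep: str = "") -> str:
    """Strip escape sequences, then render any leftover control or format character visibly.

    The second pass matters: an unterminated sequence (for example a trailing ESC [)
    is not matched by the regex, and Unicode format characters such as U+202E
    (right-to-left override) can reorder displayed text without any ESC byte at all.
    Newlines are not kept by default, so a value cannot forge a whole extra output line.
    """
    text = _ESCAPE_SEQ.sub("", text)
    out = []
    for ch in text:
        if ch in keep:
            out.append(ch)
        elif unicodedata.category(ch) in ("Cc", "Cf"):
            out.append(f"\\x{ord(ch):02x}")
        else:
            out.append(ch)
    return "".join(out)


def format_info(metadata: dict) -> str:
    """Render 'Key: value' lines the way an info dump would, with every value sanitised."""
    return "\n".join(f"{key}: {sanitize_for_terminal(str(value))}" for key, value in metadata.items())


# Constructed malicious metadata: clear screen, home the cursor, print a fake prompt,
# then an OSC that would retitle the terminal window.
MALICIOUS_TITLE = "\x1b[2J\x1b[HSession expired. Enter password: \x1b]0;sudo\x07"
CONSTRUCTED_METADATA = {"Title": MALICIOUS_TITLE, "Author": "attacker\u202emoc.elpmaxe", "Pages": 1}

if __name__ == "__main__":
    print(format_info(CONSTRUCTED_METADATA))
```

The same two-pass approach applies to any tool that echoes attacker-supplied strings to a terminal (filenames, log lines, HTTP headers): remove whole sequences first so the output reads cleanly, then refuse to emit any raw control byte at all.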
-
CVE-2026-40353
MEDIUM
Stored cross-site scripting (XSS) in wger fitness application allows authenticated users to inject malicious JavaScript via unescaped license attribution fields in ingredient and image models, which executes when any visitor views the affected page. The vulnerability persists in the database and can be exploited to steal session cookies, perform unauthorized actions as other users, or conduct phishing attacks. Affected versions allow low-privilege authenticated users (any non-temporary account) to create ingredients with JavaScript payloads in the `license_author` field, which bypasses all input sanitization and is rendered with Django's `|safe` filter, disabling auto-escaping.
XSS
Python
-
CVE-2026-40118
MEDIUM
CVSS 5.1
Arcserve UDP Console allows information disclosure when an administrator sets the activation server hostname to an arbitrary or malicious URL: the product then communicates with, and leaks data to, the attacker-controlled domain. Exploitation requires user interaction (configuring the malicious hostname) and affects all versions of Arcserve UDP Console. The analysis text scores it 6.3 (network-accessible, low complexity) against the 5.1 in the header above; either way the real-world risk is moderate. No active exploitation or public PoC identified at time of analysis.
Information Disclosure
-
CVE-2026-22618
MEDIUM
CVSS 5.9
Insecure HTTP response header configuration in Eaton Intelligent Power Protector (IPP) enables web-based attacks including information disclosure and content modification. Exploitation requires network access, high attack complexity and user interaction (AV:N/AC:H/PR:N/UI:R). Affects all IPP versions before the patched release. No public exploit code or active exploitation identified at time of analysis.
Information Disclosure
-
CVE-2026-22617
MEDIUM
CVSS 5.7
Eaton Intelligent Power Protector (IPP) software uses insecure cookie configuration that allows network attackers to intercept session cookies via man-in-the-middle attack when high-privilege users interact with the application. CVSS 5.7 reflects the requirement for high privileges and user interaction, combined with high confidentiality and integrity impact. Eaton has released a patched version available on their download center.
Information Disclosure
-
CVE-2026-22616
MEDIUM
CVSS 6.5
Eaton Intelligent Power Protector (IPP) lacks rate limiting on the web interface login page, allowing remote attackers to brute-force credentials and, on a hit, gain unauthorized access. CVSS 6.5 reflects moderate confidentiality and integrity impact over the network. Eaton has released a patched version on its download center.
Information Disclosure
-
CVE-2026-22615
MEDIUM
CVSS 6.0
Eaton Intelligent Power Protector (IPP) software allows authenticated administrators with local system access to execute arbitrary commands via XML input validation bypass, requiring user interaction. The vulnerability impacts all versions of IPP software prior to the latest patched release available on Eaton's download center. CVSS score of 6.0 reflects high integrity and availability impact but is constrained by elevated privilege requirements and high attack complexity.
RCE
-
CVE-2026-5363
MEDIUM
CVSS 5.4
TP-Link Archer C7 v5 and v5.8 routers protect the admin password during web login with RSA-1024, a key size below current minimums. An adjacent attacker who can capture the login traffic could attempt to recover the plaintext credential by cryptanalysis (brute force or key factorization) and gain administrative access. A public PoC is available (the entry's EPSS field reads 'P (Probable)', which is not a numeric EPSS value), indicating realistic exploitation risk on shared networks such as compromised WiFi. The caveat: exploitation needs both network adjacency and a successful attack on the 1024-bit key, and no public factorization of an RSA-1024 modulus exists, so the practical scope is motivated adversaries on the same network rather than opportunistic attackers.
Authentication Bypass
TP-Link
-
CVE-2026-5070
MEDIUM
CVSS 6.4
Stored cross-site scripting in the Vantage WordPress theme up to version 1.20.32 allows authenticated contributors and higher-privileged users to inject malicious scripts into gallery block text content that execute for all site visitors. The vulnerability stems from insufficient output escaping in the gallery template, enabling attackers with contributor-level access to compromise page integrity and potentially steal session tokens or deface content.
XSS
WordPress
-
CVE-2026-4032
MEDIUM
CVSS 6.1
Stored Cross-Site Scripting (XSS) in CodeColorer plugin for WordPress versions up to 0.10.1 allows unauthenticated attackers to inject malicious JavaScript via the 'class' parameter in the 'cc' comment shortcode, which executes in the browsers of users viewing the affected page. Exploitation requires comments to be enabled and guest comments permitted on the target post. The vulnerability has a CVSS score of 6.1 with low complexity and no authentication required, but user interaction (visiting the affected page) is necessary for the payload to execute.
XSS
WordPress
-
CVE-2026-3885
MEDIUM
CVSS 6.4
Stored Cross-Site Scripting (XSS) in WP Shortcodes Plugin - Shortcodes Ultimate through version 7.4.9 allows authenticated contributors and above to inject arbitrary JavaScript into WordPress pages via the 'su_box' shortcode due to insufficient input sanitization and output escaping. The injected scripts execute in the context of all users who access the affected pages, potentially compromising site visitors' sessions and data. No public exploit code has been identified at the time of analysis, though the vulnerability is straightforward to reproduce and weaponize.
XSS
WordPress
-
CVE-2026-3878
MEDIUM
CVSS 6.4
Stored Cross-Site Scripting (XSS) in WP Docs plugin for WordPress (all versions through 2.2.9) allows authenticated attackers with subscriber-level access to inject malicious scripts via the 'wpdocs_options[icon_size]' parameter due to insufficient input sanitization and output escaping. The injected scripts execute in the context of any user accessing the affected page, enabling session hijacking, credential theft, or malware distribution with no user interaction required beyond normal site browsing. No public exploit code has been identified, but the vulnerability is technically straightforward to exploit given valid subscriber credentials.
XSS
WordPress
-
CVE-2026-3861
MEDIUM
CVSS 6.5
LINE client for iOS prior to 26.3.0 can be remotely exploited via crafted web pages opened in the in-app browser to trigger repeated OS-level dialogs, causing temporary denial of service to the affected iOS device. This requires user interaction to open the malicious page but needs no authentication, making it accessible to any attacker who can deliver a link to a victim. No active exploitation has been confirmed in CISA KEV, but the vulnerability is publicly disclosed with proof-of-concept details available on HackerOne.
Denial Of Service
Apple
-
CVE-2026-3773
MEDIUM
CVSS 6.5
SQL injection in the Accessibility Suite by Ability, Inc WordPress plugin (versions up to 4.20) allows authenticated attackers with Subscriber-level access to extract sensitive database information via an unescaped 'scan_id' parameter. The flaw is reachable over the network with low complexity but does require low-privilege login credentials; no public exploit code or active exploitation has been identified at time of analysis.
WordPress
SQLi
-
CVE-2026-3595
MEDIUM
CVSS 5.3
Riaxe Product Customizer plugin for WordPress versions up to 2.1.2 allows unauthenticated attackers to delete arbitrary user accounts via a REST API endpoint lacking permission checks. The POST /wp-json/InkXEProductDesignerLite/customer/delete_customer route accepts a list of user IDs and directly deletes them without authentication or authorization validation, enabling attackers to remove administrator accounts and cause complete site lockout. This is confirmed by Wordfence and affects all installations running the vulnerable plugin version.
Authentication Bypass
WordPress
-
CVE-2026-3581
MEDIUM
CVSS 5.3
Unauthenticated attackers can modify stored map latitude and longitude options in the Basic Google Maps Placemarks WordPress plugin through version 1.10.7 due to missing authorization checks on administrative functions. The vulnerability allows remote, unauthenticated modification of critical map configuration without requiring user interaction, affecting any WordPress site running the vulnerable plugin with default settings. No public exploit code or active exploitation has been identified at the time of analysis.
Authentication Bypass
WordPress
Google
-
CVE-2026-3551
MEDIUM
CVSS 4.4
Stored Cross-Site Scripting (XSS) in Custom New User Notification plugin for WordPress versions up to 1.2.0 allows authenticated administrators to inject arbitrary JavaScript into plugin settings pages via unescaped admin form fields (User Mail Subject, User From Name, User From Email, Admin Mail Subject, Admin From Name, Admin From Email). When any user accesses the plugin settings page, the injected scripts execute in their browser context, enabling privilege escalation in WordPress multisite environments where subsite administrators target super administrators. No public exploit code or active exploitation has been identified; the attack requires Administrator-level credentials, limiting real-world risk despite moderate CVSS score.
XSS
WordPress
-
CVE-2026-3428
MEDIUM
CVSS 5.4
Privilege escalation in ASUS Member Center (华硕大厅) versions 1.6.6.4 and earlier allows authenticated local users to escalate to Administrator through a time-of-check/time-of-use (TOCTOU) race in the update process: the attacker swaps a malicious payload for the legitimately downloaded update after integrity verification completes but before execution, so the substituted code runs with administrative privileges once the user consents. CVSS 5.4 reflects the need for local access, user interaction and elevated (but non-Administrator) initial privileges; the result is still full escalation to Administrator at moderate technical difficulty.
Privilege Escalation
Member Center
-
CVE-2026-3299
MEDIUM
CVSS 6.4
Stored Cross-Site Scripting in WP YouTube Lyte plugin for WordPress versions up to 1.7.29 allows authenticated contributors and above to inject arbitrary JavaScript via the 'lyte' shortcode due to insufficient input sanitization and output escaping. Injected scripts execute in the browsers of all users viewing affected pages. No public exploit code or active exploitation has been confirmed at time of analysis; patch is available in version 1.7.30 and later.
XSS
WordPress
-
CVE-2026-1880
MEDIUM
CVSS 5.4
Privilege escalation in ASUS DriverHub through version 1.0.6.11 allows local authenticated users to modify update validation resources, bypassing security checks to execute arbitrary code with elevated privileges during driver updates. The vulnerability exploits improper file permission assignment in the update process, requiring user interaction to trigger the elevated execution. CVSS 5.4 indicates moderate severity; exploitation requires local access and authenticated user status with specific file system conditions.
Privilege Escalation
DriverHub