Skip to main content
CVE-2026-21427 HIGH This Week

Arbitrary code execution in PIONEER CORPORATION product installers through DLL search path manipulation allows local attackers with user interaction to execute malicious code with installer privileges. The vulnerability affects multiple products and requires user interaction to trigger, potentially compromising system integrity during software installation. No patch is currently available.

Privilege Escalation RCE
NVD
CVSS 3.0
7.8
EPSS
0.0%
CVE-2025-67914 HIGH This Week

Path Traversal: '.../...//' vulnerability in beeteam368 VidMov vidmov allows Path Traversal.This issue affects VidMov: from n/a through <= 2.3.8. [CVSS 7.5 HIGH]

Path Traversal
NVD
CVSS 3.1
7.7
EPSS
0.1%
CVE-2026-22230 HIGH This Week

OPEXUS eCASE Audit contains an access control bypass that allows authenticated users to circumvent administrative restrictions by manipulating client-side JavaScript or crafting direct HTTP requests to re-enable disabled functions and buttons. This vulnerability affects eCASE Platform versions prior to 11.14.1.0 and could enable attackers to perform unauthorized actions that administrators have explicitly blocked. No patch is currently available for affected deployments.

Authentication Bypass Ecase Audit
NVD
CVSS 3.1
7.6
EPSS
0.0%
CVE-2026-22521 HIGH This Week

PHP Local File Inclusion in G5Theme Handmade Framework versions up to 3.9 enables authenticated attackers to read arbitrary files on the server through improper validation of include/require statements. An attacker with valid credentials can exploit this vulnerability to access sensitive configuration files, source code, or other protected data without requiring user interaction. No patch is currently available for this vulnerability.

PHP LFI Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-68151 HIGH PATCH This Week

CoreDNS is a DNS server that chains plugins. Prior to version 1.14.0, multiple CoreDNS server implementations (gRPC, HTTPS, and HTTP/3) lack critical resource-limiting controls. An unauthenticated remote attacker can exhaust memory and degrade or crash the server by opening many concurrent connections, streams, or sending oversized request bodies. The issue is similar in nature to CVE-2025-47950 (QUIC DoS) but affects additional server types that do not enforce connection limits, stream limit...

DNS Denial Of Service Coredns Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-21868 HIGH This Week

Flagforge versions 2.3.2 and earlier suffer from a Regular Expression Denial of Service (ReDoS) vulnerability in the user profile API endpoint that accepts unvalidated usernames containing regex metacharacters, allowing unauthenticated remote attackers to trigger excessive CPU consumption and deny service to legitimate users. The MongoDB regex engine processes these malicious patterns inefficiently, making the platform unavailable without administrator intervention. No patch is currently available; users should implement WAF rules to filter regex metacharacters from username inputs as a temporary mitigation.

MongoDB Denial Of Service Flagforge
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-14360 HIGH This Week

Blockons WordPress plugin (through 1.2.15) has missing authorization allowing unauthenticated access to restricted functionality with full CIA impact.

Authentication Bypass
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-14358 HIGH This Week

REHub Framework for WordPress (through 19.9.5) has missing authorization allowing unauthenticated access to restricted functionality with full CIA impact.

Authentication Bypass
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-67925 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in zozothemes Corpkit corpkit allows PHP Local File Inclusion.This issue affects Corpkit: from n/a through <= 2.0. [CVSS 8.1 HIGH]

PHP LFI Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-67931 HIGH This Week

Insertion of Sensitive Information Into Sent Data vulnerability in AITpro BulletProof Security bulletproof-security allows Retrieve Embedded Sensitive Data.This issue affects BulletProof Security: from n/a through <= 6.9. [CVSS 7.5 HIGH]

Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-65518 HIGH This Week

Plesk Obsidian versions 8.0.1 through 18.0.73 are vulnerable to a Denial of Service (DoS) condition. [CVSS 7.5 HIGH]

PHP Denial Of Service Plesk Obsidian
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-22245 HIGH PATCH This Week

Mastodon's IP address filtering bypass (CWE-918) permits attackers to craft requests using unblocked IP ranges to reach local and loopback services, potentially exposing private resources and internal APIs. An unauthenticated remote attacker can exploit incomplete private address range validation in Mastodon instances to perform Server-Side Request Forgery (SSRF) attacks. Patched versions 4.5.4, 4.4.11, 4.3.17, and 4.2.29 are available.

SSRF Mastodon
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-22715 HIGH This Week

Missing Authorization vulnerability in loopus WP Attractive Donations System - Easy Stripe & Paypal donations WP_AttractiveDonationsSystem allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Attractive Donations System - Easy Stripe & Paypal donations: from n/a through <= 1.25. [CVSS 8.1 HIGH]

Authentication Bypass
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-22235 HIGH This Week

Ecase Ecomplaint versions up to 9.0.45.0 is affected by authorization bypass through user-controlled key (CVSS 7.5).

Authentication Bypass Ecase Ecomplaint
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-14436 HIGH This Week

The Brevo for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘user_connection_id’ parameter in all versions up to, and including, 4.0.49 due to insufficient input sanitization and output escaping. [CVSS 7.2 HIGH]

WordPress XSS PHP
NVD
CVSS 3.1
7.2
EPSS
0.2%
CVE-2025-68891 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ryan Sutana WP App Bar wp-app-bar allows Reflected XSS.This issue affects WP App Bar: from n/a through <= 1.5. [CVSS 7.1 HIGH]

WordPress XSS PHP
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-68874 HIGH This Week

Shahjada Visitor Stats Widget visitor-stats-widget is affected by cross-site scripting (xss) (CVSS 7.1).

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-68873 HIGH This Week

chloédigital PRIMER by chloédigital primer-by-chloedigital is affected by cross-site scripting (xss) (CVSS 7.1).

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-68892 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in gopiplus@hotmail.com Scroll rss excerpt scroll-rss-excerpt allows Reflected XSS.This issue affects Scroll rss excerpt: from n/a through <= 5.0. [CVSS 6.1 MEDIUM]

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-68890 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in hands01 e-shops e-shops-cart2 allows DOM-Based XSS.This issue affects e-shops: from n/a through <= 1.0.4. [CVSS 6.1 MEDIUM]

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-67933 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in taskbuilder Taskbuilder taskbuilder allows Reflected XSS.This issue affects Taskbuilder: from n/a through <= 4.0.9. [CVSS 6.1 MEDIUM]

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-67932 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in purethemes Listeo Core listeo-core allows Reflected XSS.This issue affects Listeo Core: from n/a through < 2.0.19. [CVSS 6.1 MEDIUM]

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-67930 HIGH This Week

Vernon Systems Limited eHive Search ehive-search is affected by cross-site scripting (xss) (CVSS 6.1).

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-67927 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Spencer Haws Link Whisper Free link-whisper allows Reflected XSS.This issue affects Link Whisper Free: from n/a through <= 0.8.8. [CVSS 6.1 MEDIUM]

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-67922 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Grand Restaurant grandrestaurant allows Reflected XSS.This issue affects Grand Restaurant: from n/a through < 7.0.9. [CVSS 6.1 MEDIUM]

XSS Grand Restaurant
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-67918 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WofficeIO Woffice woffice allows Reflected XSS.This issue affects Woffice: from n/a through <= 5.4.30. [CVSS 6.1 MEDIUM]

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-67916 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Astoundify Jobify jobify allows Reflected XSS.This issue affects Jobify: from n/a through <= 4.3.0. [CVSS 6.1 MEDIUM]

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-27004 HIGH This Week

LambertGroup Famous - Responsive Image And Video Grid Gallery WordPress Plugin famous_grid_image_and_video_gallery is affected by cross-site scripting (xss) (CVSS 6.1).

WordPress XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-27002 HIGH This Week

LambertGroup CountDown With Image or Video Background countdown-with-background is affected by cross-site scripting (xss) (CVSS 6.1).

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-22725 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in loopus WP Virtual Assistant VirtualAssistant allows Stored XSS.This issue affects WP Virtual Assistant: from n/a through <= 3.0. [CVSS 5.4 MEDIUM]

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-13504 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in e-plugins Real Estate Pro real-estate-pro allows Reflected XSS.This issue affects Real Estate Pro: from n/a through <= 2.1.4. [CVSS 6.1 MEDIUM]

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-12551 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in e-plugins ListingHub listinghub allows Reflected XSS.This issue affects ListingHub: from n/a through 1.2.6. [CVSS 6.1 MEDIUM]

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-68889 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pinpoll Pinpoll pinpoll allows Reflected XSS.This issue affects Pinpoll: from n/a through <= 4.0.0. [CVSS 7.1 HIGH]

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-68887 HIGH This Week

CMSJunkie - WordPress Business Directory Plugins WP-BusinessDirectory wp-businessdirectory is affected by cross-site scripting (xss) (CVSS 7.1).

WordPress XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
Prev Page 2 of 2

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy