Skip to main content
CVE-2019-25280 MEDIUM This Month

Yahei-PHP Prober 0.4.7 contains a remote HTML injection vulnerability that allows attackers to execute arbitrary HTML code through the 'speed' GET parameter. Attackers can inject malicious HTML code in the 'speed' parameter of prober.php to trigger cross-site scripting in user browser sessions. [CVSS 6.1 MEDIUM]

PHP XSS
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2019-25284 MEDIUM This Month

V-SOL GPON/EPON OLT Platform v2.03 contains multiple reflected cross-site scripting vulnerabilities due to improper input sanitization in various script parameters. [CVSS 6.1 MEDIUM]

XSS
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2019-25270 MEDIUM This Month

SOCA Access Control System 180612 contains a cross-site scripting vulnerability in the 'senddata' POST parameter of logged_page.php that allows attackers to inject malicious scripts. [CVSS 6.1 MEDIUM]

PHP XSS
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-13034 MEDIUM PATCH This Month

When using `CURLOPT_PINNEDPUBLICKEY` option with libcurl or `--pinnedpubkey` with the curl tool,curl should check the public key of the server certificate to verify the peer. [CVSS 5.9 MEDIUM]

Authentication Bypass Curl Suse Red Hat
NVD VulDB
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-21896 MEDIUM PATCH This Month

Kirby CMS versions 5.0.0-5.2.1 fail to enforce permission checks in the content changes API, allowing authenticated users with restricted roles to modify site content despite having update permissions disabled. This affects only installations with custom permission configurations designed to prevent write access for specific user roles. A patch is available in version 5.2.2.

Authentication Bypass Kirby
NVD GitHub
CVSS 3.1
5.7
EPSS
0.0%
CVE-2025-14505 MEDIUM This Month

The ECDSA implementation of the Elliptic package generates incorrect signatures if an interim value of 'k' (as computed based on step 3.2 of RFC 6979 https://datatracker.ietf.org/doc/html/rfc6979 ) has leading zeros and is susceptible to cryptanalysis, which can lead to secret key exposure. [CVSS 5.6 MEDIUM]

Information Disclosure Red Hat
NVD GitHub HeroDevs
CVSS 3.1
5.6
EPSS
0.0%
CVE-2026-22587 MEDIUM This Month

Ideagen DevonWay is vulnerable to stored cross-site scripting in the Reports page, allowing authenticated attackers to inject malicious scripts that execute when other users view affected reports. This vulnerability impacts all users with access to DevonWay reports and enables session hijacking, credential theft, or malware distribution. No patch is currently available; versions 2.62.4 and 2.62 LTS are noted as fixed versions.

XSS
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-22233 MEDIUM This Month

Stored cross-site scripting in OPEXUS eCASE Audit enables authenticated users to inject malicious JavaScript through the "Estimated Staff Hours" comment field, which executes when other users access the Project Cost tab. This allows attackers with valid credentials to compromise other users' sessions and perform unauthorized actions within the application. No patch is currently available for this vulnerability.

XSS Ecase Audit
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-22232 MEDIUM This Month

Stored cross-site scripting in OPEXUS eCASE Audit's Project Setup functionality allows authenticated users to inject malicious JavaScript into the "A or SIC Number" field that executes in other users' browsers when they view the project. An attacker with valid credentials can exploit this to steal session tokens, perform unauthorized actions, or compromise data for all project viewers. No patch is currently available.

XSS Ecase Audit
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-22231 MEDIUM This Month

OPEXUS eCASE Audit's Document Check Out feature contains a stored cross-site scripting vulnerability that allows authenticated users to inject malicious JavaScript into comments, which executes in the browsers of other users viewing the Action History Log. This could enable attackers with valid credentials to steal session tokens, perform unauthorized actions, or compromise other users' accounts. No patch is currently available for affected installations.

XSS Ecase Audit
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-67825 MEDIUM This Month

An issue was discovered in Nitro PDF Pro for Windows before 14.42.0.34. In certain cases, it displays signer information from a non-verified PDF field rather than from the verified certificate subject. [CVSS 5.5 MEDIUM]

Windows Nitro Pdf Pro
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-21639 MEDIUM This Month

Remote code execution in Ubiquiti airMAX and airFiber wireless products allows adjacent attackers to execute arbitrary code on affected devices via a flaw in the airMAX Wireless Protocol without requiring authentication. Vulnerable versions include airMAX AC 8.7.20 and earlier, airMAX M 6.3.22 and earlier, airFiber AF60-XG 1.2.2 and earlier, and airFiber AF60 2.6.7 and earlier. Patches are available for all affected products.

RCE Airmax Ac Firmware Airfiber Af60 Firmware Airfiber Af60 Xg Firmware Airmax M Firmware
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-22517 MEDIUM POC This Month

Improper access control in GA4WP: Google Analytics for WordPress versions up to 2.10.0 allows authenticated users to modify or disable analytics functionality through misconfigured permissions. An attacker with low-privilege WordPress access could leverage this vulnerability to manipulate analytics data or disrupt monitoring capabilities. The vulnerability carries a MEDIUM severity rating with no patch currently available.

WordPress Authentication Bypass Google
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-22490 MEDIUM This Month

Improper access control in the Bulk Landing Page Creator for WordPress (LPagery) plugin versions through 2.4.9 allows authenticated users to modify or delete landing pages without proper authorization checks. An attacker with low-privilege WordPress access could exploit this to tamper with site content or disrupt operations. No patch is currently available.

WordPress Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-69169 MEDIUM This Month

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Noor Alam Easy Media Download easy-media-download allows Reflection Injection.This issue affects Easy Media Download: from n/a through <= 1.1.11. [CVSS 5.4 MEDIUM]

XSS
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-22488 MEDIUM This Month

Inadequate access control in IdeaBox Creations Dashboard Welcome for Beaver Builder (versions through 1.0.8) permits unauthorized users to modify data without proper authentication. An unauthenticated attacker can exploit misconfigured security levels to perform unauthorized actions over the network with no user interaction required. No patch is currently available to address this vulnerability.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-22486 MEDIUM This Month

The Hakob Re Gallery & Responsive Photo Gallery Plugin through version 1.17.18 contains an authorization bypass that permits unauthenticated attackers to modify gallery content due to improperly enforced access controls. This vulnerability affects all installations of the plugin and could allow attackers to alter or deface photo galleries without authentication. No patch is currently available.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-14819 MEDIUM PATCH This Month

When doing TLS related transfers with reused easy or multi handles and altering the `CURLSSLOPT_NO_PARTIALCHAIN` option, libcurl could accidentally reuse a CA store cached in memory for which the partial chain option was reversed. Contrary to the user's wishes and expectations. [CVSS 5.3 MEDIUM]

TLS Curl Suse Red Hat
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-0707 MEDIUM PATCH This Month

Keycloak's Authorization header parser improperly tolerates non-RFC 6750 compliant formatting, including tabs and case variations in Bearer token authentication. This lax validation could enable attackers to bypass authentication mechanisms or manipulate token validation logic in applications relying on strict Bearer token parsing. No patch is currently available for this medium-severity vulnerability.

Information Disclosure
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-21860 MEDIUM PATCH This Month

Werkzeug versions prior to 3.1.5 fail to properly validate Windows reserved device names in the safe_join function, allowing attackers to bypass path restrictions by using device names with file extensions or trailing spaces (e.g., CON.txt, AUX ). This denial of service vulnerability affects Windows systems running vulnerable Werkzeug versions and could allow an unauthenticated remote attacker to access restricted files or cause application crashes. A patch is available in version 3.1.5 and later.

Windows Werkzeug Suse
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-21895 MEDIUM PATCH This Month

The RSA crate versions prior to 0.9.10 crash when constructing private keys with invalid prime components (such as 1), allowing an attacker to trigger a denial of service by providing malformed key material. This affects applications using the vulnerable RSA library for cryptographic operations. A patch is available in version 0.9.10 and later.

Industrial Rsa Red Hat Suse
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-0676 MEDIUM This Month

G5Theme Zorka versions up to 1.5.7 contain a missing authorization vulnerability that allows unauthenticated remote attackers to modify data through incorrectly configured access controls. An attacker can exploit this to perform unauthorized state-changing operations without proper authentication or user interaction. No patch is currently available for this vulnerability.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-22032 MEDIUM PATCH This Month

Directus versions prior to 11.14.0 contain an open redirect vulnerability in the SAML authentication callback that allows unauthenticated attackers to redirect users to arbitrary external URLs by manipulating the RelayState parameter. The validation checks present during login initiation are not applied to the callback endpoint, enabling phishing and credential theft attacks. A patch is available in version 11.14.0 and later.

Open Redirect Directus
NVD GitHub
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-22492 MEDIUM This Month

Docket Cache versions through 24.07.04 contain an access control bypass that allows authenticated users to perform unauthorized actions due to improper permission validation. An attacker with valid credentials can exploit this vulnerability to cause denial of service or access restricted functionality. No patch is currently available.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-22489 MEDIUM This Month

Wptexture Image Slider Slideshow versions through 1.8 contain an authorization bypass flaw that allows authenticated users to modify content by manipulating access control parameters. An attacker with user-level access could exploit incorrectly configured security controls to perform unauthorized actions beyond their assigned privileges. No patch is currently available for this vulnerability.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-22487 MEDIUM This Month

Baqend Speed Kit versions through 2.0.2 contain an authorization bypass that allows authenticated users to modify data by exploiting misconfigured access control levels. An attacker with valid credentials could escalate privileges to alter information they should not have permission to change. No patch is currently available.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-12640 MEDIUM This Month

The Folders - Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager plugin for WordPress is vulnerable to Unauthorized Arbitrary Media Replacement in all versions up to, and including, 3.1.5. [CVSS 4.3 MEDIUM]

WordPress PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-0674 MEDIUM This Month

Campaign Monitor Campaign Monitor for WordPress forms-for-campaign-monitor is affected by missing authorization (CVSS 4.3).

WordPress Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
Prev Page 2 of 2

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy