Skip to main content
CVE-2026-23550 CRITICAL POC Act Now

Modular DS WordPress plugin (through 2.5.1) has incorrect privilege assignment allowing unauthenticated privilege escalation. Maximum CVSS 10.0 with scope change, EPSS 6.8%.

Privilege Escalation
NVD
CVSS 3.1
9.8
EPSS
6.8%
CVE-2026-22686 CRITICAL POC PATCH Act Now

enclave-vm JavaScript sandbox (before 2.7.0) has a critical sandbox escape. When a tool invocation fails, a host-side Error object is exposed to sandboxed code, which can use its prototype chain to access the host Node.js runtime. Maximum CVSS 10.0 with scope change. PoC available, patch available.

Node.js AI / ML Enclave
NVD GitHub
CVSS 3.1
10.0
EPSS
0.2%
CVE-2026-22857 CRITICAL POC PATCH Act Now

FreeRDP IRP thread handler has a use-after-free where the IRP is freed by Complete() then accessed on the error path. Fixed in 3.20.1.

Use After Free Freerdp Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-22854 CRITICAL POC PATCH Act Now

FreeRDP drive read heap overflow when server-controlled read length exceeds IRP output buffer. Fixed in 3.20.1. PoC available.

Buffer Overflow Freerdp Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-22852 CRITICAL POC PATCH Act Now

FreeRDP client before 3.20.1 has a heap buffer overflow in AUDIN format processing. A malicious RDP server can corrupt memory and crash the client. PoC available.

Memory Corruption Denial Of Service Freerdp Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-70968 CRITICAL POC Act Now

FreeImage 3.18.0 has a use-after-free in the TARGA plugin's loadRLE function. Processing a malicious TGA file can lead to code execution. PoC available.

Use After Free Freeimage Red Hat Suse
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-22237 CRITICAL Act Now

BLUVOYIX exposes internal API documentation publicly, allowing attackers to discover and abuse internal functionality.

Information Disclosure Bluvoyix
NVD
CVSS 3.1
9.8
EPSS
0.6%
CVE-2025-14502 CRITICAL Act Now

News and Blog Designer Bundle for WordPress (through 1.1) has LFI via the template parameter, enabling unauthenticated arbitrary PHP file inclusion and execution.

WordPress PHP LFI
NVD
CVSS 3.1
9.8
EPSS
0.6%
CVE-2025-37184 CRITICAL Act Now

An Orchestrator service allows unauthenticated attackers to bypass MFA and create admin accounts without multi-factor authentication. This undermines the security of the entire authentication system.

Authentication Bypass Edgeconnect Sd Wan Orchestrator
NVD
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-22238 CRITICAL Act Now

BLUVOYIX admin APIs allow unauthenticated creation of admin users, enabling complete platform takeover.

Privilege Escalation Authentication Bypass Bluvoyix
NVD
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-22236 CRITICAL Act Now

BLUVOYIX platform has unauthenticated API access allowing full customer data extraction and platform compromise.

Authentication Bypass Bluvoyix
NVD
CVSS 3.1
9.8
EPSS
0.2%
CVE-2025-14301 CRITICAL Act Now

Integration Opvius AI for WooCommerce (through 1.3.0) has unauthenticated path traversal allowing arbitrary file download and deletion. No authentication, no nonce verification, no path validation.

WordPress PHP Path Traversal
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-22708 CRITICAL Act Now

Cursor AI code editor before 2.3 allows prompt injection to bypass the Agent's Allowlist mode. Shell built-ins can execute without appearing in the allowlist, enabling environment poisoning and arbitrary command execution.

Code Injection AI / ML Cursor
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy