38 CVEs tracked today. 2 Critical, 4 High, 28 Medium, 4 Low.
-
CVE-2025-15403
CRITICAL
CVSS 9.8
The RegistrationMagic WordPress plugin up to version 6.0 allows unauthenticated privilege escalation, enabling attackers to create admin accounts and take over WordPress sites.
WordPress
Privilege Escalation
PHP
-
CVE-2025-10484
CRITICAL
CVSS 9.8
The WooCommerce mobile phone registration plugin has an authentication bypass vulnerability allowing unauthenticated attackers to log in as any user, including administrators, with EPSS 0.42%.
WordPress
Authentication Bypass
PHP
-
CVE-2026-1059
HIGH
CVSS 7.3
SQL injection in FeMiner Warehouse Management System's /src/chkuser.php endpoint allows unauthenticated remote attackers to manipulate the Username parameter and execute arbitrary database queries. Public exploit code exists for this vulnerability, and the vendor has not provided patches despite early notification. The flaw affects all versions up to commit 9cad1f1b179a98b9547fd003c23b07c7594775fa and enables attackers to potentially read, modify, or delete sensitive warehouse data.
PHP
SQLi
Warehouse Management System
-
CVE-2026-1050
HIGH
CVSS 7.3
SQL injection in the REST authentication endpoint of risesoft-y9 Digital-Infrastructure up to version 9.6.7 allows unauthenticated remote attackers to manipulate input parameters and execute arbitrary SQL queries. Public exploit code exists for this vulnerability, and the vendor has not yet released a patch despite early notification. The attack requires no user interaction and can compromise data confidentiality, integrity, and availability.
Java
SQLi
-
CVE-2026-0517
HIGH
CVSS 7.5
Secure Access Server versions before 14.20 are vulnerable to a network-based denial-of-service attack where unauthenticated attackers can crash the server by sending specially crafted packets. This vulnerability requires no user interaction and is easily exploitable over the network, though no patch is currently available. Organizations running affected versions should implement network-level mitigations to restrict access to the vulnerable service.
Denial Of Service
Secure Access
-
CVE-2025-14478
HIGH
CVSS 7.5
Demo Importer Plus (WordPress plugin) is affected by improper restriction of XML external entity reference (CVSS 7.5).
WordPress
PHP
XXE
-
CVE-2026-1066
MEDIUM
CVSS 6.3
Kodbox versions up to 1.61.10 contain a command injection vulnerability in the compression handler component that allows authenticated remote attackers to execute arbitrary commands with network access. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor.
Command Injection
Kodbox
-
CVE-2026-1064
MEDIUM
CVSS 4.7
Bastillion up to version 4.0.1 contains a command injection vulnerability in the System Management Module that allows remote attackers with high privileges to execute arbitrary commands. Public exploit code exists for this vulnerability, and the vendor has not provided a patch. The impact is limited to low-level confidentiality, integrity, and availability compromise.
Java
Command Injection
-
CVE-2026-1063
MEDIUM
CVSS 4.7
Command injection in Bastillion's public key management system (versions up to 4.0.1) allows remote attackers with high privileges to execute arbitrary commands through the AuthKeysKtrl.java component. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor. The attack requires network access and high-level authentication but carries minimal complexity once access is obtained.
Java
Command Injection
-
CVE-2026-1062
MEDIUM
CVSS 6.3
Teamwork Management System versions up to 2.28.0 are affected by server-side request forgery (SSRF) (CVSS 6.3).
Java
SSRF
Teamwork Management System
-
CVE-2026-1061
MEDIUM
CVSS 6.3
Unrestricted file upload in Teamwork Management System (TMS) versions up to 2.28.0 allows authenticated attackers to upload malicious files by manipulating the filename parameter in the FileController. Public exploit code exists for this vulnerability, and no patch is currently available, creating significant risk for organizations using affected versions.
Java
Teamwork Management System
-
CVE-2026-0833
MEDIUM
CVSS 6.4
Stored cross-site scripting in the Team Section Block plugin for WordPress through version 2.0.0 allows authenticated contributors and above to inject malicious scripts into pages by manipulating social network link URLs due to improper input sanitization and output escaping. When users visit affected pages, the injected scripts execute in their browsers, potentially compromising site security and user data. An unpatched WordPress installation with this plugin poses a persistent attack vector for authenticated users with lower privilege levels.
WordPress
XSS
-
CVE-2026-0820
MEDIUM
CVSS 4.3
Authenticated attackers with Subscriber-level privileges can upload malicious signatures to arbitrary orders in the RepairBuddy WordPress plugin (versions up to 4.1116) due to missing capability checks, allowing them to modify order metadata and trigger unauthorized status changes. The vulnerability stems from insufficient access controls on the signature upload handler and requires only basic user authentication to exploit. No patch is currently available for this integrity-impacting vulnerability.
WordPress
Authentication Bypass
-
CVE-2026-0808
MEDIUM
CVSS 5.3
The Spin Wheel WordPress plugin through version 2.1.0 fails to validate prize selection on the server side, allowing unauthenticated attackers to manipulate the 'prize_index' parameter and arbitrarily select high-value prizes. This input validation flaw enables attackers to bypass the intended randomization mechanism and consistently win premium rewards. No patch is currently available for affected installations.
WordPress
-
CVE-2026-0725
MEDIUM
CVSS 4.4
Stored XSS in the Integrate Dynamics 365 CRM WordPress plugin through version 1.1.1 allows authenticated administrators to inject malicious scripts into plugin settings due to inadequate input sanitization. An attacker with admin privileges can execute arbitrary JavaScript that runs whenever users access affected pages. No patch is currently available.
WordPress
Industrial
XSS
-
CVE-2026-0691
MEDIUM
CVSS 4.4
The CM E-Mail Blacklist plugin for WordPress through version 1.6.2 contains a stored XSS vulnerability in the 'black_email' parameter due to inadequate input sanitization and output escaping. Authenticated administrators can inject arbitrary JavaScript that executes for all users accessing affected pages, though exploitation is limited to multi-site installations or those with unfiltered_html disabled. No patch is currently available.
WordPress
XSS
-
CVE-2026-0518
MEDIUM
CVSS 4.8
Secure Access versions before 14.20 contain a stored cross-site scripting vulnerability that allows administrators to inject malicious scripts into the console interface. An authenticated admin can exploit this to interfere with other administrators' sessions and potentially steal sensitive information through the compromised console. The vulnerability requires high privileges and user interaction but can impact multiple administrators due to its scope across the application.
XSS
Secure Access
-
CVE-2025-15532
MEDIUM
CVSS 5.3
A security flaw has been discovered in Open5GS up to 2.7.5. This issue affects unspecified processing in the Timer Handler component. [CVSS 5.3 MEDIUM]
Denial Of Service
Open5gs
-
CVE-2025-15531
MEDIUM
CVSS 5.3
A vulnerability was identified in Open5GS up to 2.7.5. This vulnerability affects the function sgwc_bearer_add of the file src/sgwc/context.c. [CVSS 5.3 MEDIUM]
Denial Of Service
Open5gs
-
CVE-2025-15530
MEDIUM
CVSS 5.3
A vulnerability was determined in Open5GS up to 2.7.6. This affects the function sgwc_s11_handle_create_indirect_data_forwarding_tunnel_request of the file /src/sgwc/s11-handler.c. [CVSS 5.3 MEDIUM]
Denial Of Service
Open5gs
-
CVE-2025-14632
MEDIUM
CVSS 4.4
The Filr - Secure document library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via unrestricted file upload in all versions up to, and including, 1.2.11 due to insufficient file type restrictions in the FILR_Uploader class. [CVSS 4.4 MEDIUM]
WordPress
XSS
PHP
-
CVE-2025-14463
MEDIUM
CVSS 5.3
The Payment Button for PayPal plugin for WordPress is vulnerable to unauthorized order creation in all versions up to, and including, 1.2.3.41. This is due to the plugin exposing a public AJAX endpoint (`wppaypalcheckout_ajax_process_order`) that processes checkout results without any authentication or server-side verification of the PayPal transaction. This makes it possible for unauthenticated attackers to create arbitrary orders on the site with any chosen transaction ID, payment status, p...
WordPress
PHP
-
CVE-2025-14450
MEDIUM
CVSS 6.5
The Wallet System for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'change_wallet_fund_request_status_callback' function in all versions up to, and including, 2.7.2. [CVSS 6.5 MEDIUM]
WordPress
PHP
-
CVE-2025-14078
MEDIUM
CVSS 5.3
The PAYGENT for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.4.6. This is due to missing authorization checks on the paygent_check_webhook function combined with the paygent_permission_callback function unconditionally returning true on line 199. This makes it possible for unauthenticated attackers to manipulate payment callbacks and modify order statuses by sending forged payment notifications via the `/wp-json/paygent/v1/che...
WordPress
PHP
-
CVE-2025-14075
MEDIUM
CVSS 5.3
The WP Hotel Booking plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.2.7. This is due to the plugin exposing the 'hotel_booking_fetch_customer_info' AJAX action to unauthenticated users without proper capability checks, relying only on a nonce for protection. This makes it possible for unauthenticated attackers to retrieve sensitive customer information including full names, addresses, phone numbers, and email addresses by providing...
WordPress
Information Disclosure
PHP
-
CVE-2025-14029
MEDIUM
CVSS 5.3
The Community Events plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_admin_event_approval() function in all versions up to, and including, 1.5.6. [CVSS 5.3 MEDIUM]
WordPress
PHP
-
CVE-2025-13725
MEDIUM
CVSS 6.5
The Gutenberg Thim Blocks - Page Builder, Gutenberg Blocks for the Block Editor plugin for WordPress is vulnerable to arbitrary file reads in all versions up to, and including, 1.0.1. This is due to insufficient path validation in the server-side rendering of the thim-blocks/icon block. [CVSS 6.5 MEDIUM]
WordPress
PHP
-
CVE-2025-12984
MEDIUM
CVSS 4.9
The Advanced Ads - Ad Manager & AdSense plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter in all versions up to, and including, 2.0.15 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. [CVSS 4.9 MEDIUM]
WordPress
SQLi
PHP
-
CVE-2025-12825
MEDIUM
CVSS 5.3
User Registration Using Contact Form 7 (WordPress plugin) is affected by missing authorization (CVSS 5.3).
WordPress
PHP
-
CVE-2025-12718
MEDIUM
CVSS 5.8
Quick Contact Form (WordPress plugin) versions up to 8.2.6 are affected by improper input validation (CVSS 5.8).
WordPress
PHP
-
CVE-2025-12168
MEDIUM
CVSS 4.3
Phrase TMS Integration for WordPress (WordPress plugin) is affected by missing authorization (CVSS 4.3).
WordPress
PHP
-
CVE-2025-12129
MEDIUM
CVSS 5.3
All-in-One Dynamic Content Framework versions up to 1.1.27 are affected by information exposure (CVSS 5.3).
WordPress
Information Disclosure
PHP
-
CVE-2025-12002
MEDIUM
CVSS 5.9
Feeds for YouTube Pro (WordPress plugin) versions up to 2.6.0 are affected by path traversal (CVSS 5.9).
WordPress
PHP
-
CVE-2025-8615
MEDIUM
CVSS 6.4
The CubeWP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's cubewp_shortcode_taxonomy shortcode in all versions up to, and including, 1.1.26 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]
WordPress
XSS
PHP
-
CVE-2026-1049
LOW
CVSS 3.5
A security vulnerability has been detected in LigeroSmart up to 6.1.26. The affected element is an unknown function of the file /otrs/index.pl. [CVSS 3.5 LOW]
XSS
-
CVE-2026-1048
LOW
CVSS 3.5
A weakness has been identified in LigeroSmart up to 6.1.26. An unknown function of the file /otrs/index.pl?Action=AgentTicketZoom is affected. [CVSS 3.5 LOW]
Zoom
XSS
-
CVE-2026-0682
LOW
CVSS 2.2
The Church Admin plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.0.28 due to insufficient validation of user-supplied URLs in the 'audio_url' parameter. [CVSS 2.2 LOW]
WordPress
SSRF
-
CVE-2026-0519
LOW
CVSS 3.4
Secure Access versions up to 14.20 are affected by insertion of sensitive information into a log file (CVSS 3.4).
Information Disclosure