Skip to main content
CVE-2026-21936 MEDIUM PATCH This Month

Mysql Cluster contains a vulnerability that allows attackers to unauthorized ability to cause a hang or frequently repeatable crash (complete DO (CVSS 4.9).

Oracle MySQL MSSQL Denial Of Service Mysql Cluster +3
NVD VulDB
CVSS 3.1
4.9
EPSS
0.0%
CVE-2026-1223 MEDIUM This Month

BROWAN COMMUNICATIONS PrismX MX100 AP controller stores SMTP credentials in plaintext accessible via the web interface, enabling authenticated administrators to retrieve sensitive password data. The vulnerability requires high-level privileges to exploit but poses a significant risk to email service credentials used by the device. No patch is currently available to remediate this exposure.

Authentication Bypass
NVD
CVSS 3.1
4.9
EPSS
0.0%
CVE-2026-21959 MEDIUM PATCH This Month

Unauthorized data disclosure in Oracle Workflow Loader (versions 12.2.3-12.2.15) allows high-privileged attackers with network access to extract sensitive information from the Oracle E-Business Suite environment. The vulnerability requires administrator-level credentials and HTTP connectivity but can result in complete exposure of workflow-accessible data. A patch is available to remediate this confidentiality issue.

Oracle Workflow
NVD
CVSS 3.1
4.9
EPSS
0.0%
CVE-2025-13925 MEDIUM This Month

Aspera Console versions up to 3.4.7 is affected by insertion of sensitive information into log file (CVSS 4.9).

IBM Aspera Console
NVD
CVSS 3.1
4.9
EPSS
0.0%
CVE-2026-21925 MEDIUM PATCH CISA This Month

Graalvm versions up to 21.3.16 contains a vulnerability that allows attackers to unauthorized update, insert or delete access to some of Oracle Java SE, Oracle G (CVSS 4.8).

Oracle Java Authentication Bypass
NVD VulDB
CVSS 3.1
4.8
EPSS
0.0%
CVE-2025-36059 MEDIUM This Month

Business Automation Workflow versions up to 24.0.0 is affected by execution with unnecessary privileges (CVSS 4.7).

IBM Business Automation Workflow
NVD
CVSS 3.1
4.7
EPSS
0.0%
CVE-2026-21981 MEDIUM This Month

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. [CVSS 4.6 MEDIUM]

Oracle Virtualbox Denial Of Service Vm Virtualbox
NVD
CVSS 3.1
4.6
EPSS
0.0%
CVE-2026-21975 MEDIUM This Month

Vulnerability in the Java VM component of Oracle Database Server. Supported versions that are affected are 19.3-19.29 and 21.3-21.20. [CVSS 4.5 MEDIUM]

Oracle Java Denial Of Service Java Virtual Machine Suse
NVD
CVSS 3.1
4.5
EPSS
0.0%
CVE-2026-1042 MEDIUM This Month

Stored XSS in WP Hello Bar plugin up to version 1.02 allows authenticated administrators to inject malicious scripts through the 'digit_one' and 'digit_two' parameters due to inadequate input validation. When users visit affected pages, the injected scripts execute in their browsers, potentially compromising user sessions or stealing sensitive data. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-1045 MEDIUM This Month

Stored XSS in the Viet contact WordPress plugin versions up to 1.3.2 allows authenticated administrators to inject malicious scripts into admin settings due to inadequate input sanitization and output escaping. The injected scripts execute when other users access affected pages, impacting multi-site WordPress installations and sites with unfiltered_html disabled. Exploitation requires administrator-level access and no patch is currently available.

WordPress XSS
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-0554 MEDIUM This Month

NotificationX plugin for WordPress versions up to 3.1.11 lacks proper authorization checks on REST API endpoints, allowing authenticated users with Contributor-level permissions to reset analytics data for any campaign regardless of ownership. This capability bypass enables low-privileged attackers to tamper with campaign analytics across the WordPress installation. The vulnerability affects WordPress deployments using the affected plugin versions, with no patch currently available.

WordPress Industrial
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-1051 MEDIUM This Month

The Newsletter WordPress plugin through version 9.1.0 contains a cross-site request forgery vulnerability in the hook_newsletter_action() function due to insufficient nonce validation, allowing unauthenticated attackers to unsubscribe legitimate users if they can trick a logged-in administrator into clicking a malicious link. This attack requires user interaction but poses a direct integrity risk to newsletter subscriber lists. No patch is currently available.

WordPress CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-21979 MEDIUM This Month

Unauthorized data access in Oracle Planning and Budgeting Cloud Service (version 25.04.07) can be achieved by high-privileged attackers with local infrastructure access through the EPM Agent component. The vulnerability requires user interaction from a non-attacker and allows complete compromise of accessible Planning and Budgeting data. No patch is currently available.

Oracle
NVD
CVSS 3.1
4.2
EPSS
0.0%
CVE-2026-21922 MEDIUM This Month

Planning And Budgeting Cloud Service contains a vulnerability that allows attackers to unauthorized creation, deletion or modification access to critical data or all O (CVSS 4.2).

Oracle Planning And Budgeting Cloud Service
NVD
CVSS 3.1
4.2
EPSS
0.0%
CVE-2025-36411 LOW Monitor

IBM ApplinX 11.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. [CVSS 3.5 LOW]

IBM CSRF
NVD
CVSS 3.1
3.5
EPSS
0.0%
CVE-2025-36410 LOW Monitor

Applinx versions up to 11.1.0 contains a vulnerability that allows attackers to an authenticated user to perform unauthorized administrative actions on the serv (CVSS 3.1).

IBM
NVD
CVSS 3.1
3.1
EPSS
0.0%
CVE-2026-21977 LOW Monitor

Vulnerability in the Oracle Zero Data Loss Recovery Appliance Software product of Oracle Zero Data Loss Recovery Appliance (component: Security). Supported versions that are affected are 23.1.0-23.1.202509. [CVSS 3.1 LOW]

Oracle
NVD
CVSS 3.1
3.1
EPSS
0.0%
CVE-2026-21947 LOW CISA Monitor

Vulnerability in Oracle Java SE (component: JavaFX). Supported versions that are affected are Oracle Java SE: 8u471-b50. [CVSS 3.1 LOW]

Oracle Java XSS
NVD VulDB
CVSS 3.1
3.1
EPSS
0.0%
CVE-2026-21965 LOW Monitor

Mysql Server contains a vulnerability that allows attackers to unauthorized ability to cause a partial denial of service (partial DOS) of MySQL (CVSS 2.7).

Oracle MySQL MSSQL Denial Of Service
NVD VulDB
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-21640 LOW Monitor

HackerOne community member Faraz Ahmed (PakCyberbot) has reported a format string injection in the Revive Adserver settings. When specific character combinations are used in a setting, the admin user console could be disabled due to a fatal PHP error. [CVSS 2.7 LOW]

PHP
NVD
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-21930 LOW Monitor

Sun Zfs Storage Appliance Kit versions up to 8.8.0 contains a vulnerability that allows attackers to unauthorized update, insert or delete access to some of Oracle ZFS Storage Appli (CVSS 2.3).

Oracle
NVD
CVSS 3.1
2.3
EPSS
0.0%
CVE-2026-1218 LOW Monitor

XXE injection in Bjskzy Zhiyou ERP through the RichClientService component allows authenticated attackers to read sensitive files and manipulate XML data from the network. Public exploit code exists for this vulnerability affecting versions up to 11.0, and the vendor has not provided a patch despite early disclosure notification.

XXE
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2026-0672 PATCH Monitor

When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.

Code Injection
NVD GitHub VulDB
EPSS
0.2%
CVE-2026-0865 PATCH Monitor

User-controlled header names and values containing newlines can allow injecting HTTP headers.

Code Injection
NVD GitHub VulDB
EPSS
0.2%
CVE-2025-15367 PATCH Monitor

The poplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.

Command Injection
NVD GitHub VulDB
EPSS
0.1%
CVE-2026-1183 This Week

HTML injection vulnerability in multiple Botble products such as TransP, Athena, Martfury, and Homzen, consisting of an HTML injection due to a lack of proper validation of user input by sending a request to '/search' using the 'q' parameter.

XSS
NVD
EPSS
0.1%
CVE-2025-41081 This Week

Reflected Cross-Site Scripting (XSS) vulnerability in IsMyGym by Zuinq Studio. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending them a malicious URL with '/<PATH>.php/<XSS>'.

PHP XSS
NVD
EPSS
0.1%
CVE-2025-40679 This Week

HTML Injection vulnerability in Isshue by Bdtask, consisting os an HTML injection due to a lack os proper validation of user input by sending a POST request to '/category_product_search', affecting the 'product_name' parameter.

XSS
NVD
EPSS
0.1%
CVE-2025-40644 This Week

Reflected Cross-Site Scripting (XSS) vulnerability in Riftzilla's QRGen. This vulnerability allows an attavker to execute JavaScript code in the victim's browser by sending them a malicious URL using the 'id' parameter in '/article.php'.

PHP XSS
NVD
EPSS
0.1%
CVE-2025-14027 Monitor

Multiple denial-of-service vulnerabilities exist in the affected product. These issues can be triggered through various crafted inputs, including malformed Class 3 messages, memory leak conditions, and other resource exhaustion scenarios.

Denial Of Service
NVD
EPSS
0.1%
CVE-2025-41084 This Week

Stored Cross-Site Scripting (XSS) vulnerability in Sesame web application, due to the fact that uploaded SVG images are not properly sanitized.

XSS
NVD
EPSS
0.1%
CVE-2025-15282 PATCH Monitor

User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype.

Code Injection
NVD GitHub VulDB
EPSS
0.0%
CVE-2025-11468 PATCH Monitor

When folding a long comment in an email header containing exclusively unfoldable characters, the parenthesis would not be preserved. This could be used for injecting headers into email messages where addresses are user-controlled and not sanitized.

Code Injection
NVD GitHub VulDB
EPSS
0.0%
CVE-2025-11743 Monitor

affected product. The security issue occurs when a malformed CIP forward open message is sent. This contains a vulnerability that allows attackers to a major nonrecoverable fault a restart is required to recover.

Denial Of Service
NVD
EPSS
0.0%
CVE-2025-14377 Monitor

A security issue was discovered within the legacy Ansible playbook component of Verve Asset Manager, caused by plaintext secrets incorrectly stored when a playbook is running. This component has been retired and has been optional since the 1.36 release in 2024.

Information Disclosure
NVD
EPSS
0.0%
CVE-2026-0895 PATCH This Week

The extension extends TYPO3’ FileSpool component, which was vulnerable to Insecure Deserialization prior to TYPO3-CORE-SA-2026-004 https://typo3.org/security/advisory/typo3-core-sa-2026-004 .

Typo3 Deserialization
NVD GitHub
EPSS
0.0%
CVE-2025-14376 Monitor

A security issue was discovered within the legacy ADI server component of Verve Asset Manager, caused by plaintext secrets stored in environment variables on the ADI server. This component has been retired and has been optional since the 1.36 release in 2024.

Information Disclosure
NVD
EPSS
0.0%
CVE-2025-14883 Awaiting Data

Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. No vendor patch available.

Information Disclosure
NVD
Prev Page 5 of 5

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy