Skip to main content
CVE-2026-0534 HIGH PATCH This Week

Stored cross-site scripting in the Autodesk Fusion desktop application allows remote attackers to embed malicious HTML in a part's attribute that, when clicked by a victim, executes script in the application context. Because Fusion is a desktop Electron-style client rather than a sandboxed browser, successful exploitation can escalate to local file read or arbitrary code execution in the user's process. No public exploit identified at time of analysis, and EPSS exploitation probability is very low (0.02%, 4th percentile).

XSS RCE Fusion
NVD VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2025-69039 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in goalthemes Bailly bailly allows PHP Local File Inclusion.This issue affects Bailly: from n/a through <= 1.3.4. [CVSS 8.1 HIGH]

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.0%
CVE-2025-10856 HIGH This Week

Solvera Software Services Trade Inc. Teknoera is affected by unrestricted upload of file with dangerous type (CVSS 8.1).

File Upload
NVD VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2025-4764 HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Aida Computer Information Technology Inc. Hotel Guest Hotspot allows SQL Injection.This issue affects Hotel Guest Hotspot: through 22012026. [CVSS 8.0 HIGH]

SQLi Hotel Guest Hotspot
NVD VulDB
CVSS 3.1
8.0
EPSS
0.0%
CVE-2025-69311 HIGH This Week

Missing Authorization vulnerability in Broadstreet Broadstreet Ads broadstreet allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Broadstreet Ads: from n/a through <= 1.52.1. [CVSS 7.6 HIGH]

Authentication Bypass
NVD
CVSS 3.1
7.6
EPSS
0.0%
CVE-2025-68059 HIGH This Week

Missing Authorization vulnerability in e-plugins Hotel Listing hotel-listing allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Hotel Listing: from n/a through <= 1.4.2. [CVSS 7.6 HIGH]

Authentication Bypass
NVD
CVSS 3.1
7.6
EPSS
0.0%
CVE-2025-68058 HIGH This Week

e-plugins Institutions Directory institutions-directory is affected by missing authorization (CVSS 7.6).

Authentication Bypass
NVD
CVSS 3.1
7.6
EPSS
0.0%
CVE-2025-68057 HIGH This Week

e-plugins Hospital Doctor Directory hospital-doctor-directory is affected by missing authorization (CVSS 7.6).

Authentication Bypass
NVD
CVSS 3.1
7.6
EPSS
0.0%
CVE-2025-67967 HIGH This Week

Missing Authorization vulnerability in e-plugins Lawyer Directory lawyer-directory allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Lawyer Directory: from n/a through <= 1.3.3. [CVSS 7.6 HIGH]

Authentication Bypass
NVD
CVSS 3.1
7.6
EPSS
0.0%
CVE-2026-22470 HIGH This Week

FireStorm Plugins FireStorm Professional Real Estate fs-real-estate-plugin is affected by sql injection (CVSS 7.6).

SQLi
NVD
CVSS 3.1
7.6
EPSS
0.0%
CVE-2025-27380 HIGH This Week

HTML injection in Project Release in Altium Enterprise Server (AES) 7.0.3 on all platforms allows an authenticated attacker to execute arbitrary JavaScript in the victim’s browser via crafted HTML content. [CVSS 7.6 HIGH]

RCE XSS On Prem Enterprise Server
NVD
CVSS 3.1
7.6
EPSS
0.0%
CVE-2026-23975 HIGH This Week

A WordPress plugin has a PHP Remote File Inclusion vulnerability enabling unauthenticated remote code execution through crafted include paths.

PHP LFI Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-23978 HIGH This Week

A WordPress plugin has a PHP Remote File Inclusion vulnerability (CWE-98) allowing unauthenticated attackers to include and execute arbitrary remote PHP files.

PHP LFI Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-22402 HIGH This Week

Pavothemes Triply versions 2.4.7 and earlier contain a local file inclusion vulnerability in PHP that allows authenticated attackers to read arbitrary files on the server. An attacker with valid credentials can manipulate filename parameters to bypass access controls and potentially execute code or expose sensitive data. No patch is currently available for this vulnerability.

PHP LFI
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-68913 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in zozothemes Miion miion allows PHP Local File Inclusion.This issue affects Miion: from n/a through <= 1.2.7. [CVSS 7.5 HIGH]

PHP LFI
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-68905 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in jegtheme JNews - Pay Writer jnews-pay-writer allows PHP Local File Inclusion.This issue affects JNews - Pay Writer: from n/a through <= 11.0.0. [CVSS 7.5 HIGH]

PHP LFI
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-53968 HIGH This Week

This vulnerability arises because there are no limitations on the number of authentication attempts a user can make. An attacker can exploit this weakness by continuously sending authentication requests, leading to a denial-of-service (DoS) condition. [CVSS 7.5 HIGH]

Denial Of Service Authentication Bypass Evmapa
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-21520 HIGH PATCH This Week

Unauthenticated attackers can remotely access sensitive information in Microsoft Copilot Studio due to improper access controls, requiring no authentication or user interaction. This network-based vulnerability exposes confidential data to unauthorized disclosure with no patch currently available.

Command Injection AI / ML Copilot Studio
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-23957 HIGH PATCH This Week

Seroval versions 1.4.0 and below are vulnerable to denial of service through malformed deserialization payloads that specify excessively large array lengths, causing the parsing process to consume excessive CPU resources and become unresponsive. An unauthenticated remote attacker can exploit this without user interaction by sending a crafted serialized object to any application using the vulnerable library. The vulnerability has been patched in version 1.4.1.

Deserialization Denial Of Service Red Hat Suse
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-68907 HIGH This Week

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in AivahThemes Hostme v2 hostmev2 allows Path Traversal.This issue affects Hostme v2: from n/a through <= 7.0. [CVSS 7.5 HIGH]

Path Traversal
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-24390 HIGH This Week

QantumThemes Kentha Elementor Widgets kentha-elementor is affected by php remote file inclusion (CVSS 7.5).

PHP LFI Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-22401 HIGH This Week

Pavothemes Freshio versions 2.4.2 and earlier contain a local file inclusion vulnerability in PHP that allows unauthenticated remote attackers to read sensitive files on affected systems. The vulnerability stems from improper validation of file paths in include/require statements, enabling disclosure of confidential information such as configuration files and source code. This vulnerability currently lacks a published patch and has a low exploitation prevalence rate.

PHP LFI Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-69319 HIGH This Week

Improper Control of Generation of Code ('Code Injection') vulnerability in Beaver Builder Beaver Builder beaver-builder-lite-version allows Code Injection.This issue affects Beaver Builder: from n/a through <= 2.9.4.1. [CVSS 7.5 HIGH]

Code Injection
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-67955 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in TangibleWP MyHome Core myhome-core allows PHP Local File Inclusion.This issue affects MyHome Core: from n/a through <= 4.1.0. [CVSS 7.5 HIGH]

PHP LFI Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-10024 HIGH This Week

EXERT Computer Technologies Software Ltd. Co. Education Management System is affected by authorization bypass through user-controlled key (CVSS 7.5).

Authentication Bypass
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-68882 HIGH This Week

Missing Authorization vulnerability in Scalenut Scalenut scalenut allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Scalenut: from n/a through <= 1.1.3. [CVSS 7.5 HIGH]

Authentication Bypass
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-68017 HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Antideo Antideo Email Validator antideo-email-validator allows Blind SQL Injection.This issue affects Antideo Email Validator: from n/a through <= 1.0.10. [CVSS 7.5 HIGH]

SQLi
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-63017 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in fuelthemes WerkStatt Plugin werkstatt-plugin allows PHP Local File Inclusion.This issue affects WerkStatt Plugin: from n/a through <= 1.6.6. [CVSS 7.5 HIGH]

PHP LFI
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-69313 HIGH This Week

Missing Authorization vulnerability in WPXPO PostX ultimate-post allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects PostX: from n/a through <= 5.0.3. [CVSS 7.5 HIGH]

Authentication Bypass
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-68035 HIGH This Week

Insertion of Sensitive Information Into Sent Data vulnerability in tabbyai Tabby Checkout tabby-checkout allows Retrieve Embedded Sensitive Data.This issue affects Tabby Checkout: from n/a through <= 5.8.4. [CVSS 7.5 HIGH]

Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-13927 HIGH This Week

Gitlab versions up to 18.6.4 is affected by allocation of resources without limits or throttling (CVSS 7.5).

Gitlab Denial Of Service
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-1330 HIGH This Week

MeetingHub Paperless Meetings contains an arbitrary file read vulnerability that enables unauthenticated remote attackers to download sensitive system files through path traversal exploitation. The vulnerability affects all installations without authentication requirements, allowing attackers to access confidential data with high confidentiality impact. No patch is currently available for this issue.

Path Traversal Meetinghub Paperless Meetings
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-24006 HIGH PATCH This Week

Seroval versions 1.4.0 and below are vulnerable to denial of service attacks due to unbounded recursion when serializing deeply nested objects, allowing remote attackers to crash applications by exceeding the call stack limit. The vulnerability affects the deserialization library's handling of complex data structures without depth validation. Version 1.4.1 introduces a configurable depthLimit parameter to prevent exploitation of this resource exhaustion condition.

Deserialization Denial Of Service Red Hat Suse
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-23956 HIGH PATCH GHSA This Week

Seroval versions 1.4.0 and below allow remote attackers to cause denial of service through maliciously crafted RegExp patterns during deserialization, either by exhausting memory with oversized patterns or triggering catastrophic backtracking (ReDoS). The vulnerability requires no authentication or user interaction and affects any application using the library to deserialize untrusted serialized data. A patch is available in version 1.4.1.

Denial Of Service Deserialization Seroval
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-68902 HIGH This Week

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in AivahThemes Anona anona allows Path Traversal.This issue affects Anona: from n/a through <= 8.0. [CVSS 7.3 HIGH]

Path Traversal
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-22464 HIGH This Week

wphocus My auctions allegro my-auctions-allegro-free-edition is affected by php remote file inclusion (CVSS 7.5).

PHP LFI Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-23962 HIGH This Week

Mastodon is a free, open-source social network server based on ActivityPub. [CVSS 7.5 HIGH]

Denial Of Service Mastodon
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-10855 HIGH This Week

Solvera Software Services Trade Inc. Teknoera is affected by authorization bypass through user-controlled key (CVSS 7.5).

Authentication Bypass
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-20736 HIGH PATCH This Week

Gitea fails to properly validate repository ownership when processing attachment deletion requests, allowing an authenticated attacker to delete files from repositories they no longer have access to by routing deletion requests through a different accessible repository. This authorization bypass affects all users who have uploaded attachments to shared repositories and could result in loss of critical project documentation or resources. A patch is available to address this improper access control vulnerability.

Authentication Bypass Gitea
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-13928 HIGH This Week

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.7 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2 that could have allowed an unauthenticated user to cause a denial of service condition by exploiting incorrect authorization validation in API endpoints. [CVSS 7.5 HIGH]

Gitlab Denial Of Service
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-23967 HIGH PATCH This Week

Sm-Crypto versions up to 0.3.14. is affected by improper verification of cryptographic signature (CVSS 7.5).

Information Disclosure Sm Crypto
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-23965 HIGH PATCH This Week

SM2 signature forgery in sm-crypto prior to version 0.4.0 allows unauthenticated attackers to create valid signatures for arbitrary public keys, potentially enabling message authentication bypass in applications using the library's default configuration. An attacker can also manipulate message prefixes to meet specific formatting constraints when sufficient redundancy exists in the message space. A patch is available in version 0.4.0 and later.

Information Disclosure Sm Crypto
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-21524 HIGH PATCH This Week

Azure Data Explorer exposes sensitive information to unauthenticated remote attackers through a network-accessible vulnerability requiring only user interaction. An attacker can retrieve confidential data without authorization, potentially compromising customer information stored in affected Azure deployments. No patch is currently available for this high-severity vulnerability.

Azure Azure Data Explorer
NVD
CVSS 3.1
7.4
EPSS
0.1%
CVE-2026-21521 HIGH PATCH This Week

Information disclosure in Microsoft 365 Word Copilot enables unauthenticated attackers to extract sensitive data through improper handling of escape and control sequences in network communications. The vulnerability requires user interaction to trigger and affects the Copilot AI/ML service with a CVSS score of 7.4. No patch is currently available.

Information Disclosure AI / ML 365 Word Copilot
NVD
CVSS 3.1
7.4
EPSS
0.1%
CVE-2026-0723 HIGH This Week

GitLab CE/EE versions 18.6 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2 are vulnerable to two-factor authentication bypass when an attacker has knowledge of a victim's credential ID and can forge device responses. This allows an unauthenticated attacker to circumvent 2FA protections and gain unauthorized access to accounts. No patch is currently available.

Gitlab
NVD
CVSS 3.1
7.4
EPSS
0.0%
CVE-2025-67684 HIGH This Week

Quick.Cart is vulnerable to Local File Inclusion and Path Traversal issues in the theme selection mechanism. Quick.Cart allows a privileged user to upload arbitrary file contents while only validating the filename extension. [CVSS 7.2 HIGH]

PHP RCE LFI Path Traversal Quick.Cart
NVD
CVSS 3.1
7.2
EPSS
0.6%
CVE-2025-69193 HIGH This Week

Missing Authorization vulnerability in e-plugins WP Membership wp-membership allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Membership: from n/a through <= 1.6.4. [CVSS 7.3 HIGH]

WordPress PHP
NVD
CVSS 3.1
7.3
EPSS
0.1%
CVE-2025-69192 HIGH This Week

Missing Authorization vulnerability in e-plugins Real Estate Pro real-estate-pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Real Estate Pro: from n/a through <= 2.1.5. [CVSS 7.3 HIGH]

Authentication Bypass
NVD
CVSS 3.1
7.3
EPSS
0.1%
CVE-2025-69191 HIGH This Week

Missing Authorization vulnerability in e-plugins ListingHub listinghub allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ListingHub: from n/a through <= 1.2.7. [CVSS 7.3 HIGH]

Authentication Bypass
NVD
CVSS 3.1
7.3
EPSS
0.1%
CVE-2025-69190 HIGH This Week

Missing Authorization vulnerability in e-plugins Listihub listihub allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Listihub: from n/a through <= 1.0.6. [CVSS 7.3 HIGH]

Authentication Bypass
NVD
CVSS 3.1
7.3
EPSS
0.1%
Prev Page 3 of 5 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy