Skip to main content
CVE-2025-71157 HIGH PATCH This Week

In the Linux kernel, the following vulnerability has been resolved: RDMA/core: always drop device refcount in ib_del_sub_device_and_put() Since nldev_deldev() (introduced by commit 060c642b2ab8 ("RDMA/nldev: Add support to add/delete a sub IB device through netlink") grabs a reference using ib_device_get_by_index() before calling ib_del_sub_device_and_put(), we need to drop that reference before returning -EOPNOTSUPP error. [CVSS 7.8 HIGH]

Linux Linux Kernel Red Hat Suse
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-71156 HIGH PATCH This Week

In the Linux kernel, the following vulnerability has been resolved: gve: defer interrupt enabling until NAPI registration Currently, interrupts are automatically enabled immediately upon request. [CVSS 7.8 HIGH]

Linux Linux Kernel Red Hat Suse
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-71145 HIGH PATCH This Week

In the Linux kernel, the following vulnerability has been resolved: usb: phy: isp1301: fix non-OF device reference imbalance A recent change fixing a device reference leak in a UDC driver introduced a potential use-after-free in the non-OF case as the isp1301_get_client() helper only increases the reference count for the returned I2C device in the OF case. [CVSS 7.8 HIGH]

Linux Use After Free Linux Kernel Red Hat Suse
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-0772 HIGH This Week

Remote code execution in Langflow's disk cache service allows authenticated attackers to execute arbitrary code by exploiting improper deserialization of untrusted data. The vulnerability affects Langflow installations and requires valid authentication credentials to exploit, enabling attackers to gain code execution within the service account context. No patch is currently available.

RCE Deserialization AI / ML Langflow
NVD
CVSS 3.0
7.5
EPSS
0.9%
CVE-2026-24624 HIGH This Week

Blind SQL injection in Neoforum version 1.0 and earlier allows high-privileged attackers to execute arbitrary SQL commands over the network without user interaction, potentially compromising data confidentiality and integrity. The vulnerability stems from inadequate sanitization of user inputs in SQL queries, and no patch is currently available.

SQLi
NVD
CVSS 3.1
7.6
EPSS
0.0%
CVE-2025-15349 HIGH This Week

Anritsu ShockLine SCPI Race Condition Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Anritsu ShockLine. [CVSS 7.5 HIGH]

RCE Race Condition Shockline
NVD
CVSS 3.0
7.5
EPSS
0.2%
CVE-2026-24531 HIGH This Week

A WordPress plugin has a PHP Remote File Inclusion vulnerability (CWE-98) allowing unauthenticated remote code execution through crafted include paths.

PHP LFI Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-24635 HIGH This Week

DevsBlink EduBlink Core through version 2.0.7 contains a local file inclusion vulnerability in its PHP file handling that allows authenticated attackers to read arbitrary files on the server. An attacker with valid credentials can manipulate filename parameters to bypass proper input validation and access sensitive system files. No patch is currently available for this vulnerability.

PHP LFI
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-24609 HIGH This Week

The Laurent theme for PHP versions 3.1 and earlier contains a local file inclusion vulnerability that allows authenticated attackers to read arbitrary files on the affected system. An attacker with valid credentials can manipulate filename parameters in include/require statements to access sensitive data outside the intended application directory. No patch is currently available for this vulnerability.

PHP LFI
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-24608 HIGH This Week

Laurent Core plugin for PHP through version 2.4.1 contains a local file inclusion vulnerability in its filename handling for include/require statements, allowing authenticated attackers to read arbitrary files from the affected system. With a CVSS score of 7.5, this vulnerability enables confidentiality and integrity compromise, though exploitation requires valid credentials and no patch is currently available.

PHP LFI
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-24538 HIGH This Week

Omnipress through version 1.6.6 contains a local file inclusion vulnerability in its PHP program that allows authenticated attackers to read arbitrary files on the server. An attacker with valid credentials can manipulate filename parameters in include/require statements to access sensitive files outside the intended directory. This vulnerability requires user interaction but poses significant risk to confidentiality with no available patch at this time.

PHP LFI Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-0790 HIGH This Week

8180 Ip Audio Alerter Firmware versions up to 5.5 contains a vulnerability that allows attackers to disclose sensitive information on affected installations of ALGO 8180 IP Audio A (CVSS 7.5).

Golang Information Disclosure 8180 Ip Audio Alerter Firmware
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-0789 HIGH This Week

The ALGO 8180 IP Audio Alerter web interface improperly exposes authentication cookies in HTTP response bodies, enabling unauthenticated remote attackers to steal sensitive credentials and gain unauthorized access to affected devices. This information disclosure vulnerability requires no authentication or user interaction to exploit and affects the device's web-based management interface. No patch is currently available for this vulnerability.

Golang Information Disclosure 8180 Ip Audio Alerter Firmware
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-69907 HIGH This Week

An unauthenticated information disclosure vulnerability exists in Newgen OmniDocs due to missing authentication and access control on the /omnidocs/GetListofCabinet API endpoint. [CVSS 7.5 HIGH]

Information Disclosure
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-22271 HIGH This Week

Elastic Cloud Storage versions up to 3.8.1.7 is affected by cleartext transmission of sensitive information (CVSS 7.5).

Information Disclosure Objectscale Elastic Cloud Storage
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-24138 HIGH This Week

Unauthenticated Server-Side Request Forgery (SSRF) in FOG 1.5.10.1754 and earlier allows remote attackers to read internal files and access local services by manipulating the url parameter in getversion.php when newService=1 is present. The vulnerability requires no authentication or user interaction and affects the confidentiality of sensitive data accessible from the affected system. No patch is currently available.

PHP SSRF
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-52026 HIGH This Week

An information disclosure vulnerability exists in the /srvs/membersrv/getCashiers endpoint of the Aptsys gemscms backend platform thru 2025-05-28. This unauthenticated endpoint returns a list of cashier accounts, including names, email addresses, usernames, and passwords hashed using MD5. [CVSS 7.5 HIGH]

Information Disclosure Gemscms Backend
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-22991 HIGH PATCH This Week

A null pointer dereference vulnerability in the Linux kernel's libceph library occurs when free_choose_arg_map() is called after a partial memory allocation failure, allowing a local attacker with low privileges to cause a denial of service. The vulnerability exists because the function does not validate pointers before dereferencing them during cleanup operations. A patch is available to add proper pointer checks and make the cleanup routine resilient to incomplete allocations.

Linux Null Pointer Dereference Denial Of Service
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-22990 HIGH PATCH This Week

A local privileged user can trigger a kernel panic in the Linux kernel's Ceph client by providing a maliciously corrupted incremental osdmap with an unexpected epoch value, causing a denial of service. The vulnerability stems from overzealous assertion logic that should instead gracefully reject invalid osdmap data. A patch is available to replace the fatal BUG_ON check with proper validation.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2024-11976 HIGH This Week

The The BuddyPress plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 14.3.3. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. [CVSS 7.3 HIGH]

WordPress
NVD
CVSS 3.1
7.3
EPSS
0.1%
CVE-2026-0776 HIGH This Week

Discord Client's discord_rpc module improperly loads files from an unsecured search path, enabling local attackers with low-privilege code execution to escalate privileges and run arbitrary code with elevated user context. This vulnerability requires prior local code execution capability and affects systems running vulnerable Discord Client installations. No patch is currently available.

Privilege Escalation
NVD
CVSS 3.0
7.3
EPSS
0.0%
CVE-2026-0771 HIGH This Week

Langflow's PythonFunction component allows authenticated attackers with user interaction to inject and execute arbitrary Python code within application workflows, achieving remote code execution. The vulnerability affects Langflow deployments using Python-based AI/ML components, with exploitation feasibility depending on specific product configurations. No patch is currently available.

Python RCE Code Injection AI / ML Langflow
NVD
CVSS 3.0
7.1
EPSS
0.1%
CVE-2026-24623 HIGH This Week

Reflected cross-site scripting (XSS) in Neoforum version 1.0 and earlier allows authenticated attackers to inject malicious scripts that execute in users' browsers when they interact with crafted links, potentially leading to session hijacking or credential theft. The vulnerability requires user interaction and authenticated access, limiting its immediate impact but still posing a risk in multi-user forum environments. No patch is currently available.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-67230 HIGH This Week

Improper permissions in the handler for the Custom URL Scheme in ToDesktop Builder v0.33.0 allows attackers with renderer-context access to invoke external protocol handlers without sufficient validation. [CVSS 7.1 HIGH]

Privilege Escalation Builder
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-0775 HIGH PATCH This Week

npm cli contains an insecure module loading mechanism that enables local privilege escalation on Node.js installations. An attacker with low-privileged code execution can exploit this flaw to gain elevated privileges and execute arbitrary code with target user permissions. No patch is currently available for this vulnerability.

Node.js Privilege Escalation RCE
NVD VulDB
CVSS 3.1
7.0
EPSS
0.0%
CVE-2025-14947 MEDIUM This Month

The All-in-One Video Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `ajax_callback_create_bunny_stream_video`, `ajax_callback_get_bunny_stream_video`, and `ajax_callback_delete_bunny_stream_video` functions in all versions up to, and including, 4.6.4. [CVSS 6.5 MEDIUM]

WordPress PHP
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-24630 MEDIUM This Month

Design Stylish Cost Calculator stylish-cost-calculator is affected by cross-site scripting (xss) (CVSS 6.5).

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-24617 MEDIUM This Month

Stored XSS in Easy Modal WordPress plugin through version 2.1.0 enables authenticated attackers to inject malicious scripts that execute in the browsers of other users. An attacker with login credentials can store arbitrary JavaScript through improper input validation, affecting all visitors who view the compromised content. No patch is currently available to remediate this vulnerability.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-24565 MEDIUM This Month

The B Accordion WordPress plugin through version 2.0.0 exposes sensitive data in transmitted communications due to improper handling of embedded information. An authenticated attacker can intercept and retrieve this sensitive data, potentially compromising confidential information. No patch is currently available for this vulnerability.

Information Disclosure
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-24528 MEDIUM This Month

DOM-based cross-site scripting in pixelgrade Nova Blocks through version 2.1.9 enables authenticated attackers to inject malicious scripts that execute in users' browsers with limited privileges. An attacker with valid credentials can craft requests to manipulate the page generation process, potentially compromising confidentiality, integrity, and availability across different security contexts. No patch is currently available for this vulnerability.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-24526 MEDIUM This Month

The Email Inquiry & Cart Options for WooCommerce plugin through version 3.4.3 contains a DOM-based cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by exploiting improper input neutralization. An attacker with user-level access can craft requests that execute arbitrary JavaScript in victims' browsers, potentially compromising user sessions or stealing sensitive data. No patch is currently available for this vulnerability.

WordPress XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-24616 MEDIUM This Month

Damian WP Popups plugin for WordPress versions up to 2.2.0.3 contains an authorization bypass that allows authenticated users to access sensitive information through improperly configured access controls. An attacker with low-privilege WordPress credentials could exploit this to read confidential data without proper authorization. No patch is currently available for this vulnerability.

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-24585 MEDIUM This Month

Hyyan Abo Fakher Hyyan WooCommerce Polylang Integration woo-poly-integration is affected by missing authorization (CVSS 6.5).

WordPress
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-24566 MEDIUM This Month

iNET Webkit through version 1.2.4 contains a missing authorization control vulnerability that allows authenticated users to bypass access control restrictions and gain unauthorized read access to sensitive information. An attacker with valid credentials could exploit improperly configured security levels to access data they should not have permission to view. No patch is currently available for this vulnerability.

NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-24558 MEDIUM This Month

Stored XSS in ABG Rich Pins version 1.1 and earlier permits authenticated users to inject malicious scripts that execute in other users' browsers when viewing affected pages. An attacker with plugin access could deface content or steal session data from site visitors. No patch is currently available for this vulnerability.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-24555 MEDIUM This Month

Stored cross-site scripting in ArtPlacer Widget versions 2.23.1 and earlier enables attackers to inject malicious scripts that execute in users' browsers when viewing affected web pages. An unauthenticated attacker can exploit improper input validation during web page generation to compromise user sessions and steal sensitive data. No patch is currently available for this vulnerability.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-24550 MEDIUM This Month

Stored Cross-Site Scripting (XSS) in Kaira Blockons versions up to 1.2.15 enables authenticated attackers to inject malicious scripts that execute in other users' browsers, potentially compromising session tokens or performing actions on their behalf. The vulnerability requires user interaction to trigger and has limited scope, but impacts both confidentiality and integrity. No patch is currently available.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-22274 MEDIUM This Month

Elastic Cloud Storage versions up to 3.8.1.7 is affected by cleartext transmission of sensitive information (CVSS 6.5).

Information Disclosure Dell Objectscale Elastic Cloud Storage
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-0767 MEDIUM This Month

Open WebUI transmits authentication credentials in cleartext over the network, enabling adjacent attackers to intercept and obtain sensitive information without authentication. This information disclosure vulnerability can facilitate unauthorized access and further compromise of affected systems. No patch is currently available.

Information Disclosure Open Webui
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-24601 MEDIUM This Month

Stored XSS in Penci Pay Writer versions up to 1.5 allows authenticated attackers to inject malicious scripts that execute in other users' browsers, potentially compromising sensitive data or session information. The vulnerability stems from insufficient input validation during web page generation and requires user interaction to trigger. No patch is currently available for this vulnerability.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-24600 MEDIUM This Month

Stored cross-site scripting in PenciDesign Penci Review through version 3.5 enables authenticated attackers to inject malicious scripts that execute in other users' browsers, potentially compromising user sessions and data. The vulnerability requires user interaction to trigger and affects the web application's page generation functionality. No patch is currently available.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-24591 MEDIUM This Month

yasir129 Turn Yoast SEO FAQ Block to Accordion faq-schema-block-to-accordion is affected by cross-site scripting (xss) (CVSS 5.4).

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-24576 MEDIUM This Month

COP UX Flat through version 5.4.0 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts into web pages, affecting all users who view the compromised content. An attacker with user-level access can craft malicious input that persists in the application and executes in victims' browsers, potentially leading to session hijacking, credential theft, or unauthorized actions. No patch is currently available for this vulnerability.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-14069 MEDIUM This Month

The Schema & Structured Data for WP & AMP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'saswp_custom_schema_field' profile field in all versions up to, and including, 1.54 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-15522 MEDIUM This Month

The Uncanny Automator - Easy Automation, Integration, Webhooks & Workflow Builder Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the automator_discord_user_mapping shortcode in all versions up to, and including, 6.10.0.2 due to insufficient input sanitization and output escaping on the verified_message parameter. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-0914 MEDIUM This Month

Stored cross-site scripting in the WP DSGVO Tools WordPress plugin through version 3.1.36 allows authenticated contributors and higher-privileged users to inject malicious scripts into pages via the 'lw_content_block' shortcode due to improper input sanitization. When visitors access affected pages, the injected scripts execute in their browsers, potentially compromising user sessions or stealing sensitive data. No patch is currently available for this vulnerability.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-14745 MEDIUM This Month

The RSS Aggregator - RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wp-rss-aggregator' shortcode in all versions up to, and including, 5.0.10 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-0788 MEDIUM This Month

8180 Ip Audio Alerter Firmware versions up to 5.5 is affected by cross-site scripting (xss) (CVSS 6.1).

Golang XSS 8180 Ip Audio Alerter Firmware
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-1386 MEDIUM This Month

Firecracker contains a vulnerability that allows attackers to a local host user with write access to the pre-created jailer directories to ove (CVSS 6.0).

Linux Firecracker Red Hat Suse
NVD GitHub
CVSS 3.1
6.0
EPSS
0.0%
CVE-2025-67231 MEDIUM This Month

A reflected cross-site scripting (XSS) vulnerability in ToDesktop Builder v0.33.1 allows attackers to execute arbitrary code in the context of a user's browser via a crafted payload. [CVSS 5.9 MEDIUM]

XSS Builder
NVD
CVSS 3.1
5.9
EPSS
0.0%
Prev Page 3 of 6 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy