Skip to main content
CVE-2026-24632 MEDIUM This Month

DOM-based cross-site scripting (XSS) in the Delay Redirects browser extension through version 1.0.0 enables attackers to inject malicious scripts that execute in users' browsers. An attacker can exploit this vulnerability to steal sensitive data, session cookies, or perform actions on behalf of affected users. No patch is currently available for this vulnerability.

XSS
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-24629 MEDIUM This Month

Stored cross-site scripting in Ability Inc's Web Accessibility with Max Access toolbar (versions through 2.1.0) enables authenticated users with high privileges to inject malicious scripts that execute in other users' browsers. An attacker with administrative access could manipulate the toolbar to store XSS payloads that compromise confidentiality, integrity, and availability of the affected web application. No patch is currently available for this vulnerability.

XSS
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-24626 MEDIUM This Month

Stored cross-site scripting in LogicHunt Logo Slider WordPress plugin versions up to 4.9.0 enables authenticated attackers with high privileges to inject malicious scripts that execute in other users' browsers. An attacker could leverage this to steal session tokens, deface content, or perform actions on behalf of affected users. No patch is currently available.

XSS
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-24620 MEDIUM This Month

PluginOps Landing Page Builder page-builder-add is affected by cross-site scripting (xss) (CVSS 5.9).

XSS
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-24614 MEDIUM This Month

Devsbrain Flex QR Code Generator flex-qr-code-generator is affected by cross-site scripting (xss) (CVSS 5.9).

XSS
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-24621 MEDIUM This Month

Vladimir Statsenko Terms descriptions terms-descriptions is affected by cross-site scripting (xss) (CVSS 4.8).

XSS
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2025-9290 MEDIUM This Month

An authentication weakness was identified in Omada Controllers, Gateways and Access Points, controller-device adoption due to improper handling of random values.

Information Disclosure Eap100 Bridge Kit Firmware Er605 Firmware Eap723 Firmware Eap215 Bridge Kit Firmware +52
NVD VulDB
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-24584 MEDIUM This Month

Themeum Tutor LMS BunnyNet Integration tutor-lms-bunnynet-integration is affected by cross-site scripting (xss) (CVSS 5.9).

XSS
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-24594 MEDIUM This Month

livemesh Livemesh Addons for WPBakery Page Builder addons-for-visual-composer is affected by cross-site scripting (xss) (CVSS 4.8).

XSS
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-24137 MEDIUM PATCH This Month

The Golang sigstore framework versions 1.10.3 and below fail to validate cache directory paths in the legacy TUF client, allowing a malicious TUF repository to overwrite arbitrary files on disk within the calling process's permission scope. This impacts direct users of the TUF client in sigstore/sigstore and older Cosign versions, though public Sigstore deployments are protected by metadata validation from trusted collaborators. No patch is currently available for this medium-severity path traversal vulnerability.

Golang Github Red Hat Suse
NVD GitHub
CVSS 3.1
5.8
EPSS
0.0%
CVE-2026-22992 MEDIUM PATCH This Month

The Linux kernel's Ceph authentication handler fails to properly propagate errors from mon_handle_auth_done(), allowing the msgr2 protocol to proceed with session establishment even when authentication fails in secure mode. This can trigger a NULL pointer dereference in prepare_auth_signature(), causing a denial of service on systems using Ceph for storage or communication. Local attackers with privileges to interact with Ceph authentication can crash the kernel or cause system instability.

Linux Null Pointer Dereference Denial Of Service
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-71154 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: net: usb: rtl8150: fix memory leak on usb_submit_urb() failure In async_set_registers(), when usb_submit_urb() fails, the allocated async_req structure and URB are not freed, causing a memory leak. [CVSS 5.5 MEDIUM]

Linux Linux Kernel Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-22993 MEDIUM PATCH This Month

The Linux kernel's idpf driver contains a NULL pointer dereference in its RSS LUT handling that can be triggered when ethtool commands access the RSS lookup table immediately after a soft reset. Local users with standard privileges can crash the system by performing queue count changes followed by ethtool operations on the affected network interface. A patch is available to properly manage RSS LUT state during soft resets based on queue count changes.

Linux Null Pointer Dereference Denial Of Service Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-22987 MEDIUM PATCH This Month

A null pointer dereference in the Linux kernel's traffic control action module (act_api) causes a denial of service during network namespace teardown when invalid error pointers are dereferenced. A local attacker with low privileges can trigger this crash by manipulating tc actions during system shutdown or container termination. A patch is available to guard against ERR_PTR entries during action cleanup.

Linux Denial Of Service Linux Kernel Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-22985 MEDIUM PATCH This Month

The Linux kernel's idpf driver crashes with a NULL pointer dereference when ethtool RSS operations are performed before the network interface is brought up, affecting systems using this driver. A local attacker with unprivileged user access can trigger a denial of service by executing RSS configuration commands on a down interface. The vulnerability is resolved by initializing the RSS lookup table during vport creation rather than at interface startup.

Linux Null Pointer Dereference Denial Of Service Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-22983 MEDIUM PATCH This Month

The Linux kernel's network stack contains a null pointer dereference vulnerability in message handling that could cause a denial of service when the msg_get_inq field is improperly written by the callee function. Local attackers with basic privileges can trigger this condition by reusing kernel-internal msghdr structures, resulting in system crashes or service interruption. A patch is available to prevent writes to this input field and eliminate the unsafe branching logic.

Linux Null Pointer Dereference Linux Kernel Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-22981 MEDIUM PATCH This Month

A null pointer dereference in the Linux kernel's idpf driver allows local attackers with user privileges to cause a denial of service by triggering improper netdevice state management during reset operations. The vulnerability occurs when the driver fails to properly detach and close network devices before deallocating vport resources, leaving pointers unprotected from concurrent callback access. A patch is available to resolve this issue by implementing proper device state synchronization during reset handling.

Linux Null Pointer Dereference Denial Of Service Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-71151 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: cifs: Fix memory and information leak in smb3_reconfigure() In smb3_reconfigure(), if smb3_sync_session_ctx_passwords() fails, the function returns immediately without freeing and erasing the newly allocated new_password and new_password2. [CVSS 5.5 MEDIUM]

Linux Linux Kernel Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-22994 MEDIUM PATCH This Month

A reference count leak in the Linux kernel's bpf_prog_test_run_xdp() function allows local users to cause a denial of service by preventing network device cleanup and exhausting system resources. The vulnerability stems from a missing cleanup call in the error handling path that fails to release a reference obtained during XDP metadata conversion. A local attacker with user privileges can trigger this leak to hang network device unregistration operations.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-22989 MEDIUM PATCH This Month

The Linux kernel nfsd subsystem crashes when attempting to unlock a filesystem via administrative interface while the nfsd service is not running, as the unlock operation accesses freed state structures. A local user with administrative privileges can trigger a denial of service by attempting filesystem unlock operations against a stopped nfsd server.

Linux Denial Of Service Linux Kernel Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-22982 MEDIUM PATCH This Month

The ocelot network driver in the Linux kernel is susceptible to a null pointer dereference crash when adding a network interface under a link aggregation group, affecting systems using the ocelot_vsc7514 frontend. A local attacker with unprivileged access can trigger this denial of service condition by performing specific network interface configuration operations. A patch is available that adds proper pointer validation before accessing port structures.

Linux Null Pointer Dereference Denial Of Service
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-22979 MEDIUM PATCH This Month

A memory leak in the Linux kernel's skb_segment_list() function affects GRO packet processing and can cause denial of service through kernel memory exhaustion when processing forwarded packets. Local attackers with unprivileged access can trigger this vulnerability through crafted network traffic to exhaust available memory. A patch is available to resolve the improper memory accounting between parent and child socket buffers.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-71153 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: ksmbd: Fix memory leak in get_file_all_info() In get_file_all_info(), if vfs_getattr() fails, the function returns immediately without freeing the allocated filename, leading to a memory leak. [CVSS 5.5 MEDIUM]

Linux Linux Kernel Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-71150 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: ksmbd: Fix refcount leak when invalid session is found on session lookup When a session is found but its state is not SMB2_SESSION_VALID, It indicates that no valid session was found, but it is missing to decrement the reference count acquired by the session lookup, which results in a reference count leak. [CVSS 5.5 MEDIUM]

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-71149 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: io_uring/poll: correctly handle io_poll_add() return value on update When the core of io_uring was updated to handle completions consistently and with fixed return codes, the POLL_REMOVE opcode with updates got slightly broken. [CVSS 5.5 MEDIUM]

Linux Linux Kernel Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-71147 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: KEYS: trusted: Fix a memory leak in tpm2_load_cmd 'tpm2_load_cmd' allocates a tempoary blob indirectly via 'tpm2_key_decode' but it is not freed in the failure paths. Address this by wrapping the blob into with a cleanup helper. [CVSS 5.5 MEDIUM]

Linux Linux Kernel Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-71146 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conncount: fix leaked ct in error paths There are some situations where ct might be leaked as error paths are skipping the refcounted check and return immediately. [CVSS 5.5 MEDIUM]

Linux Linux Kernel Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-71160 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: avoid chain re-validation if possible Hamza Mahfooz reports cpu soft lock-ups in nft_chain_validate(): watchdog: BUG: soft lockup - CPU#1 stuck for 27s! [CVSS 5.5 MEDIUM]

Linux Linux Kernel Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-71161 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: dm-verity: disable recursive forward error correction There are two problems with the recursive correction: 1. It may cause denial-of-service. [CVSS 5.5 MEDIUM]

Linux Red Hat Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-71158 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: gpio: mpsse: ensure worker is torn down When an IRQ worker is running, unplugging the device would cause a crash. The sealevel hardware this driver was written for was not hotpluggable, so I never realized it. [CVSS 5.5 MEDIUM]

Linux Denial Of Service Linux Kernel Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-22276 MEDIUM This Month

Elastic Cloud Storage versions up to 3.8.1.7 is affected by cleartext storage of sensitive information (CVSS 5.5).

Information Disclosure Objectscale Elastic Cloud Storage
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-24548 MEDIUM This Month

Prince Radio Player versions 2.0.91 and earlier are vulnerable to Server-Side Request Forgery (SSRF), enabling unauthenticated remote attackers to make arbitrary requests from the affected server. This could allow attackers to access internal resources, scan internal networks, or interact with backend services that should not be directly accessible.

SSRF
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-24631 MEDIUM This Month

Mikado-Themes Rosebud rosebud is affected by authorization bypass through user-controlled key (CVSS 5.4).

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-24622 MEDIUM This Month

Sergiy Dzysyak Suggestion Toolkit suggestion-toolkit is affected by missing authorization (CVSS 5.4).

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-24595 MEDIUM This Month

Zoho CRM Lead Magnet versions up to 1.8.1.5 suffer from improper access control that allows authenticated users to perform unauthorized actions on resources they should not have access to. An attacker with valid credentials could exploit misconfigured security levels to read or modify sensitive lead data without proper authorization. No patch is currently available for this medium-severity vulnerability.

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-24581 MEDIUM This Month

WP Swings Points and Rewards for WooCommerce points-and-rewards-for-woocommerce is affected by missing authorization (CVSS 5.4).

WordPress Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-24570 MEDIUM This Month

Edwiser Bridge versions 4.3.2 and earlier contain an access control flaw that allows authenticated users to perform unauthorized actions due to improperly configured security levels. An attacker with valid credentials could exploit this vulnerability to gain unintended access to sensitive functions or data. No patch is currently available for this MEDIUM severity vulnerability.

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-24561 MEDIUM This Month

Improper access control in FluentBoards through version 1.91.1 allows authenticated users to bypass authorization checks and gain unauthorized access to restricted resources. An attacker with valid credentials could exploit misconfigured security levels to view or modify data they should not have permission to access. No patch is currently available for this vulnerability.

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-24560 MEDIUM This Month

Cloudinary Cloudinary cloudinary-image-management-and-manipulation-in-the-cloud-cdn is affected by missing authorization (CVSS 5.4).

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-24551 MEDIUM This Month

The Monetag Official Plugin for WordPress versions up to 1.1.3 contains an authorization bypass that allows authenticated attackers to exploit misconfigured access controls and gain unauthorized access to sensitive functionality. An attacker with low-level user privileges can bypass permission checks to read or modify restricted data without proper authorization. No patch is currently available for this vulnerability.

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-24540 MEDIUM This Month

Prince Integrate Google Drive integrate-google-drive is affected by missing authorization (CVSS 5.4).

Google Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-24587 MEDIUM This Month

The AJAX Hits Counter + Popular Posts Widget plugin through version 0.10.210305 contains an authorization bypass flaw that allows authenticated attackers to exploit misconfigured access controls and gain unauthorized access to sensitive functionality. An attacker with low-level credentials can perform actions beyond their assigned permissions without user interaction. No patch is currently available for this vulnerability.

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-52023 MEDIUM This Month

A vulnerability in the PHP backend of gemscms.aptsys.com.sg thru 2025-05-28 allows unauthenticated remote attackers to trigger detailed error messages that disclose internal file paths, code snippets, and stack traces. [CVSS 5.3 MEDIUM]

PHP Information Disclosure Gemscms Backend
NVD GitHub
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-24536 MEDIUM This Month

Webpushr web push notification plugin versions 4.38.0 and earlier expose sensitive embedded system data to unauthorized parties through an information disclosure vulnerability. An unauthenticated remote attacker can retrieve this sensitive information without user interaction, potentially compromising system configuration details and credentials. No patch is currently available.

Information Disclosure
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-24523 MEDIUM This Month

WP FullCalendar through version 1.6 exposes sensitive system information to unauthenticated remote attackers, allowing them to retrieve embedded data without authentication. The vulnerability affects WordPress installations using the vulnerable plugin and requires no user interaction to exploit. No patch is currently available.

Information Disclosure
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-52022 MEDIUM This Month

A vulnerability in the PHP backend of gemsloyalty.aptsys.com.sg thru 2025-05-28 allows unauthenticated remote attackers to trigger detailed error messages that disclose internal file paths, code snippets, and stack traces. [CVSS 5.3 MEDIUM]

PHP Information Disclosure Gemscms Backend
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-24634 MEDIUM This Month

Rustaurius Ultimate Reviews ultimate-reviews is affected by authorization bypass through user-controlled key (CVSS 5.3).

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-24633 MEDIUM This Month

The Add Expires Headers & Optimized Minify plugin through version 3.1.0 contains a missing authorization flaw that permits unauthenticated attackers to bypass access control restrictions and read sensitive information. This vulnerability affects all installations of the plugin up to the patched version and could allow attackers to view confidential data through network access without authentication. No patch is currently available for this vulnerability.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-24625 MEDIUM This Month

Imaginate Solutions File Uploads Addon for WooCommerce woo-addon-uploads is affected by missing authorization (CVSS 5.3).

WordPress
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-24619 MEDIUM This Month

PopCash PopCash.Net Code Integration Tool popcashnet-code-integration-tool is affected by missing authorization (CVSS 5.3).

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
Prev Page 4 of 6 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy