Skip to main content
CVE-2026-24412 HIGH POC PATCH This Week

Heap buffer overflow in iccDEV versions 2.3.1.1 and below allows remote code execution through maliciously crafted ICC color profile data submitted to the CIccTagXmlSegmentedCurve::ToXml() function. Public exploit code exists for this vulnerability, enabling attackers to achieve denial of service, data manipulation, and arbitrary code execution with no authentication required. The vulnerability affects all users of the vulnerable iccDEV library versions and has been resolved in version 2.3.1.2.

Buffer Overflow Iccdev
NVD GitHub
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-24406 HIGH POC PATCH This Week

Heap buffer overflow in iccDEV versions 2.3.1.1 and below allows remote code execution when processing maliciously crafted ICC color profiles, with public exploit code currently available. An unauthenticated attacker can trigger the vulnerability through user-supplied input to the CIccTagNamedColor2::SetSize() function, enabling arbitrary code execution, denial of service, or data manipulation. The vulnerability has been patched in version 2.3.1.2.

Buffer Overflow Iccdev
NVD GitHub
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-24405 HIGH POC PATCH This Week

Heap buffer overflow in iccDEV versions 2.3.1.1 and earlier allows remote code execution through maliciously crafted ICC color profiles when user input is processed by CIccMpeCalculator::Read(). Public exploit code exists for this vulnerability, enabling attackers to execute arbitrary code, cause denial of service, or manipulate application data. The vulnerability is fixed in version 2.3.1.2.

Buffer Overflow Iccdev
NVD GitHub
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-24403 HIGH POC PATCH This Week

Integer overflow in iccDEV's ICC profile parsing (versions 2.3.1.1 and below) allows remote attackers to corrupt memory or trigger denial of service by crafting malicious profile headers with tampered tag tables or offset fields, with public exploit code available. The vulnerability can potentially enable arbitrary code execution or bypass security checks in applications using affected iccDEV libraries. Users should upgrade to version 2.3.1.2 or later to remediate this risk.

Integer Overflow Memory Corruption Iccdev
NVD GitHub
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-24411 HIGH POC PATCH This Week

iccDEV versions 2.3.1.1 and earlier contain unsafe handling of user-supplied input in the CIccTagXmlSegmentedCurve::ToXml() function, enabling remote attackers to trigger undefined behavior in ICC profile parsing. Public exploit code exists for this vulnerability, which can lead to denial of service, data manipulation, or arbitrary code execution. Upgrade to version 2.3.1.2 to remediate.

Denial Of Service RCE Code Injection Iccdev
NVD GitHub
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-24407 HIGH POC PATCH This Week

iccDEV versions 2.3.1.1 and earlier allow remote attackers to trigger undefined behavior in the icSigCalcOp() function through malicious ICC color profiles, enabling denial of service, data manipulation, or potential code execution. The vulnerability stems from unsafe handling of user-controllable input in binary profile data, and public exploit code exists. Affected organizations should upgrade to version 2.3.1.2 or later.

Denial Of Service RCE Code Injection Iccdev
NVD GitHub
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-24410 HIGH POC PATCH This Week

iccDEV versions 2.3.1.1 and below are vulnerable to null pointer dereference in CIccProfileXml::ParseBasic() when processing maliciously crafted ICC color profiles, allowing remote attackers to trigger denial of service or data manipulation without user interaction. Public exploit code exists for this vulnerability, which affects applications using the iccDEV libraries for color profile handling. The vulnerability has been patched in version 2.3.1.2.

Null Pointer Dereference Iccdev
NVD GitHub
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-24409 HIGH POC PATCH This Week

Null pointer dereference in iccDEV versions 2.3.1.1 and below allows remote attackers to trigger denial of service or data manipulation via maliciously crafted ICC color profile data, with public exploit code currently available. The vulnerability stems from unsafe handling of user-controllable input in the CIccTagXmlFloatNum<>::ParseXml() function and may enable code execution depending on application context. Upgrade to version 2.3.1.2 to remediate.

Null Pointer Dereference Iccdev
NVD GitHub
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-24404 HIGH POC PATCH This Week

iccDEV versions 2.3.1.1 and below contain a null pointer dereference in the CIccXmlArrayType() function that allows remote attackers to trigger denial of service, data manipulation, or potentially achieve code execution through crafted ICC profile data. The vulnerability stems from unsafe handling of user-controlled input in binary structured data and has public exploit code available. Upgrade to version 2.3.1.2 or later to remediate.

Null Pointer Dereference Iccdev
NVD GitHub
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-0911 HIGH This Week

Arbitrary file uploads in the Hustle WordPress plugin (versions up to 7.8.9.2) allow authenticated low-privileged users with granted module permissions to bypass file type validation and upload malicious files, potentially enabling remote code execution. An attacker with Subscriber-level access or higher can exploit improper validation in the action_import_module() function if an administrator grants them Hustle module editing capabilities. No patch is currently available, leaving affected WordPress installations vulnerable until an update is released.

WordPress RCE
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-24136 HIGH PATCH This Week

Unauthenticated attackers can exploit an insecure direct object reference vulnerability in Saleor e-commerce platform versions 3.2.0-3.22.28 to retrieve sensitive customer information including personally identifiable data in plain text through the order() GraphQL query. This high-severity vulnerability (CVSS 7.5) affects orders across multiple version branches and has been patched in releases 3.20.110, 3.21.45, and 3.22.29. Organizations unable to patch immediately should implement WAF rules to restrict non-staff access to order queries.

Authentication Bypass Saleor
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-1257 HIGH This Week

The Administrative Shortcodes plugin for WordPress through version 0.3.4 allows authenticated contributors and above to execute arbitrary PHP code via insufficient path validation in the get_template shortcode's slug parameter. An attacker with contributor-level permissions can exploit this local file inclusion vulnerability to include malicious files, bypass access controls, and achieve remote code execution on the affected server. A patch is not currently available for this vulnerability.

WordPress PHP LFI
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-24469 HIGH This Week

C++ HTTP Server versions 1.0 and below suffer from a path traversal vulnerability in the RequestHandler::handleRequest method that permits unauthenticated remote attackers to read arbitrary files from the server filesystem through malicious HTTP GET requests containing directory traversal sequences. The vulnerability stems from insufficient input validation on the URL path, which is directly concatenated to the base directory without sanitization. No patch is currently available.

Path Traversal
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-0800 HIGH This Week

Stored cross-site scripting in the User Submitted Posts WordPress plugin through version 20251210 allows unauthenticated attackers to inject malicious scripts via custom fields due to inadequate input sanitization. The injected scripts execute in the browsers of any user viewing affected pages, potentially compromising user sessions and data. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-0807 HIGH This Week

Unauthenticated attackers can exploit a Server-Side Request Forgery vulnerability in the WordPress Frontis Blocks plugin (versions up to 1.1.6) through unvalidated URL parameters in the template proxy endpoints to perform arbitrary web requests from the affected server. This allows an attacker to scan internal networks, access local services, or exfiltrate sensitive data without authentication. No patch is currently available.

WordPress SSRF
NVD
CVSS 3.1
7.2
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy