Skip to main content
CVE-2026-24852 MEDIUM PATCH This Month

A heap buffer over-read in iccDEV versions prior to 2.3.1.2 allows local attackers with user interaction to leak sensitive heap memory contents or crash the application when processing specially crafted ICC color profiles. The vulnerability stems from unsafe handling of non-null-terminated buffers in the strlen() function during ICC profile processing. Users of the iccDEV library should upgrade to version 2.3.1.2 to remediate this issue.

Buffer Overflow Iccdev
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-1466 MEDIUM PATCH This Month

Jirafeau's MIME type validation can be bypassed by sending crafted HTTP requests with invalid MIME types, allowing attackers to trigger browser-based MIME sniffing that may execute malicious JavaScript embedded in SVG or HTML files. An unauthenticated remote attacker can exploit this through a simple network request requiring user interaction to view a malicious preview. A patch is available and the vulnerability affects Jirafeau and related products.

Jira XSS Jirafeau
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-1539 MEDIUM PATCH This Month

libsoup's HTTP redirect handling fails to strip Proxy-Authorization headers when requests are forwarded to different hosts, allowing proxy credentials to be exposed to unintended third-party servers. Applications relying on libsoup for HTTP communication are vulnerable to disclosure of sensitive proxy authentication data. No patch is currently available.

Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.8
EPSS
0.0%
CVE-2025-33237 MEDIUM This Month

NVIDIA HD Audio Driver for Windows contains a vulnerability where an attacker could exploit a NULL pointer dereference issue. A successful exploit of this vulnerability might lead to a denial of service. [CVSS 5.5 MEDIUM]

Windows Null Pointer Dereference Denial Of Service
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-46306 MEDIUM This Month

The issue was addressed with improved bounds checks. This issue is fixed in macOS Tahoe 26, Keynote 15.1, iOS 26 and iPadOS 26. [CVSS 5.5 MEDIUM]

Apple Information Disclosure Buffer Overflow macOS iOS
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-13983 MEDIUM PATCH This Month

Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Tagify allows Cross-Site Scripting (XSS).This issue affects Tagify: from 0.0.0 before 1.2.44. [CVSS 5.4 MEDIUM]

Drupal XSS Tagify
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-69289 MEDIUM This Month

Discourse is an open source discussion platform. A privilege escalation vulnerability in versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 allows a non-admin moderator to bypass email-change restrictions, allowing a takeover of non-staff accounts. [CVSS 5.4 MEDIUM]

Privilege Escalation Discourse
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-59900 MEDIUM This Month

Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18 contain a persistent authenticated Cross-Site Scripting (XSS) vulnerability. [CVSS 5.4 MEDIUM]

XSS Diskpulse Syncbreeze
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-59899 MEDIUM This Month

Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18 contain a persistent authenticated Cross-Site Scripting (XSS) vulnerability. [CVSS 5.4 MEDIUM]

XSS Syncbreeze Diskpulse
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-59898 MEDIUM This Month

Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18 contain a persistent authenticated Cross-Site Scripting (XSS) vulnerability. [CVSS 5.4 MEDIUM]

XSS Diskpulse Syncbreeze
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-59897 MEDIUM This Month

Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18 contain a persistent authenticated Cross-Site Scripting (XSS) vulnerability. [CVSS 5.4 MEDIUM]

XSS Syncbreeze Diskpulse
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-59896 MEDIUM This Month

Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18 contain a persistent authenticated Cross-Site Scripting (XSS) vulnerability. [CVSS 5.4 MEDIUM]

XSS Diskpulse Syncbreeze
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-13979 MEDIUM PATCH This Month

Privilege Defined With Unsafe Actions vulnerability in Drupal Mini site allows Stored XSS.This issue affects Mini site: from 0.0.0 before 3.0.2. [CVSS 5.4 MEDIUM]

Drupal Mini Site XSS
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-68660 MEDIUM This Month

Discourse is an open source discussion platform. [CVSS 5.4 MEDIUM]

Authentication Bypass AI / ML Discourse
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-1391 MEDIUM This Month

The Vzaar Media Management WordPress plugin through version 1.2 contains a reflected cross-site scripting vulnerability in the PHP_SELF variable that lacks proper input sanitization, allowing unauthenticated attackers to inject malicious scripts. An attacker can exploit this by crafting a malicious link and tricking users into clicking it, leading to arbitrary script execution in their browsers. No patch is currently available for this vulnerability.

WordPress XSS
NVD
CVSS 3.1
5.3
EPSS
0.2%
CVE-2025-15511 MEDIUM This Month

The Rupantorpay plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the handle_webhook() function in all versions up to, and including, 2.0.0. [CVSS 5.3 MEDIUM]

WordPress PHP
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-1310 MEDIUM This Month

Unauthenticated attackers can delete arbitrary calendar entries in the Simple Calendar for Elementor WordPress plugin through versions 1.6.6 due to missing authorization checks on an AJAX function that accepts both authenticated and unauthenticated requests. An attacker only needs a valid nonce and the target calendar entry ID to perform the deletion. No patch is currently available for this vulnerability.

WordPress
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-1054 MEDIUM This Month

RegistrationMagic (WordPress plugin) versions up to 6.0.7.4. is affected by missing authorization (CVSS 5.3).

WordPress
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-0825 MEDIUM This Month

Unauthenticated attackers can bypass authorization checks in WordPress form plugins (Database for Contact Form 7, WPforms, Elementor forms) through version 1.4.5 to download CSV exports of all form submissions containing sensitive personally identifiable information. The vulnerability exists because the CSV export endpoint lacks proper capability verification and exports complete datasets regardless of user permissions, while an export key is exposed in publicly accessible page source code. This allows attackers to retrieve sensitive data without authentication or proper authorization.

WordPress
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2023-37525 MEDIUM This Month

A sensitive information disclosure in HCL BigFix Compliance allows a remote attacker to access files under the WEB-INF directory, which may contain Java class files and configuration information, leading to unauthorized access to application internals. [CVSS 5.3 MEDIUM]

Java Information Disclosure Bigfix Compliance
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-13980 MEDIUM PATCH This Month

Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal CKEditor 5 Premium Features allows Functionality Bypass.This issue affects CKEditor 5 Premium Features: from 0.0.0 before 1.2.10, from 1.3.0 before 1.3.6, from 1.4.0 before 1.4.3, from 1.5.0 before 1.5.1, from 1.6.0 before 1.6.4. [CVSS 5.3 MEDIUM]

Drupal Authentication Bypass Ckeditor 5 Premium Features
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-1060 MEDIUM This Month

WP Adminify (WordPress plugin) versions up to 4.0.7.7 is affected by information exposure (CVSS 5.3).

WordPress Information Disclosure
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-13985 MEDIUM PATCH This Month

Incorrect Authorization vulnerability in Drupal Entity Share allows Forceful Browsing.This issue affects Entity Share: from 0.0.0 before 3.13.0. [CVSS 5.3 MEDIUM]

Drupal Entity Share
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-24889 MEDIUM PATCH This Month

Arithmetic overflow in Soroban SDK versions up to 25.0.2 allows contracts using user-controlled range bounds in Bytes::slice, Vec::slice, or Prng::gen_range methods to operate on incorrect data ranges or generate unintended random numbers, potentially corrupting contract state. Developers who do not enable overflow-checks in their Rust configuration are vulnerable to this silent data corruption. A patch is available and should be applied immediately to affected Soroban contracts.

Github Rs Soroban Sdk
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-13471 MEDIUM This Month

The User Activity Log WordPress plugin through 2.2 does not properly handle failed login attempts in some cases, allowing unauthenticated users to set arbitrary options to 1 (for example to enable User Registration when it has been turned off) [CVSS 5.3 MEDIUM]

WordPress PHP
NVD WPScan
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-24850 MEDIUM PATCH This Month

The RustCrypto ml-dsa crate versions 0.0.4 through 0.1.0-rc.3 incorrectly validate ML-DSA digital signatures by accepting duplicate hint indices that should be strictly increasing per the FIPS 204 specification, allowing attackers to forge valid signatures that should be rejected. This regression was introduced by a comparison operator change in version 0.0.4 and affects any application relying on this crate for signature verification. A patch is available in version 0.1.0-rc.4.

Information Disclosure
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-61730 MEDIUM PATCH This Month

During the TLS 1.3 handshake if multiple messages are sent in records that span encryption level boundaries (for instance the Client Hello and Encrypted Extensions messages), the subsequent messages may be processed before the encryption level changes. [CVSS 5.3 MEDIUM]

TLS Information Disclosure Go Suse Red Hat
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-70336 MEDIUM This Month

A Stored cross-site scripting (XSS) vulnerability in 'Create New Live Item' in PodcastGenerator 3.2.9 allows remote attackers to inject arbitrary script or HTML via the 'TITLE', 'SHORT DESCRIPTION' and 'LONG DESCRIPTION' parameters. [CVSS 4.8 MEDIUM]

XSS Podcast Generator
NVD GitHub
CVSS 3.1
4.8
EPSS
0.0%
CVE-2025-66488 MEDIUM This Month

Discourse is an open source discussion platform. A vulnerability present in versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 affects anyone who uses S3 for uploads. [CVSS 4.6 MEDIUM]

XSS Discourse
NVD GitHub
CVSS 3.1
4.6
EPSS
0.0%
CVE-2025-67723 MEDIUM This Month

Discourse is an open source discussion platform. Versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 have a content-security-policy-mitigated cross-site scriptinv vulnerability on the Discourse Math plugin when using its KaTeX variant. [CVSS 4.6 MEDIUM]

XSS Discourse
NVD GitHub
CVSS 3.1
4.6
EPSS
0.0%
CVE-2025-13981 MEDIUM PATCH This Month

Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal AI (Artificial Intelligence) allows Cross-Site Scripting (XSS).This issue affects AI (Artificial Intelligence): from 0.0.0 before 1.0.7, from 1.1.0 before 1.1.7, from 1.2.0 before 1.2.4. [CVSS 4.4 MEDIUM]

Drupal XSS AI / ML Artificial Intelligence
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-1399 MEDIUM This Month

Stored XSS in WP Google Ad Manager Plugin up to version 1.1.0 allows administrators to inject malicious scripts into WordPress pages through insufficiently sanitized admin settings, affecting multi-site installations and configurations with disabled unfiltered_html. Authenticated attackers with administrator privileges can exploit this to execute arbitrary JavaScript that persists and runs for all users visiting affected pages. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-1083 MEDIUM This Month

The Appointment Hour Booking plugin for WordPress through version 1.5.60 allows administrators to inject persistent JavaScript into the form builder interface through inadequately sanitized field configuration parameters. Exploitation requires high-level authenticated access and affects only multisite installations or those with unfiltered HTML disabled. Injected scripts execute in the context of other users accessing the form builder, enabling credential theft or unauthorized actions.

WordPress XSS
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-1053 MEDIUM This Month

Stored XSS in Ivory Search WordPress plugin up to version 5.5.13 allows administrators to inject malicious scripts into admin settings due to inadequate input sanitization, affecting multi-site installations and those with unfiltered_html disabled. Attackers with admin privileges can execute arbitrary JavaScript that persists and runs for all users accessing affected pages. A patch is not currently available.

WordPress XSS
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-1381 MEDIUM This Month

Order Minimum/Maximum Amount Limits for WooCommerce (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 4.4).

WordPress XSS
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2025-13919 MEDIUM This Month

Symantec Endpoint Protection, prior to 14.3 RU10 Patch 1, RU9 Patch 2, and RU8 Patch 3, may be susceptible to a COM Hijacking vulnerability, which is a type of issue whereby an attacker attempts to establish persistence and evade detection by hijacking COM references in the Windows Registry. [CVSS 4.4 MEDIUM]

Windows
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2025-68659 MEDIUM This Month

Discourse is an open source discussion platform. Versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 have an application level denial of service vulnerabilityin the username change functionality at try.discourse.org. The vulnerability allows attackers to cause noticeable server delays and resource exhaustion by sending large JSON payloads to the username preference endpoint PUT /u//preferences/username, resulting in degraded performance for other users and endpoints. This issue is pat...

Denial Of Service Discourse
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-1389 MEDIUM This Month

Authenticated attackers with Author-level permissions can read, modify, and delete document library entries belonging to other users in the Document Embedder plugin for WordPress through improper access control checks in multiple AJAX handlers. The vulnerability affects all versions up to 2.0.4 and requires no additional user interaction, allowing privilege escalation within the plugin's document management system. No patch is currently available.

WordPress Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-46316 MEDIUM This Month

An out-of-bounds read was addressed with improved input validation. This issue is fixed in iOS 26.1 and iPadOS 26.1, Pages 15.1, macOS Tahoe 26.1. [CVSS 4.3 MEDIUM]

Apple Buffer Overflow Information Disclosure
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-1398 MEDIUM This Month

The Change WP URL plugin for WordPress through version 1.0 lacks proper nonce validation, allowing unauthenticated attackers to modify the WordPress login URL through cross-site request forgery if they can socially engineer a site administrator into clicking a malicious link. This vulnerability affects all WordPress installations using the vulnerable plugin and enables attackers to redirect administrator access to attacker-controlled pages. No patch is currently available.

WordPress CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-14616 MEDIUM This Month

The Recooty - Job Widget (Old Dashboard) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.6. This is due to missing nonce validation on the recooty_save_maybe() function. [CVSS 4.3 MEDIUM]

WordPress CSRF PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-1380 MEDIUM This Month

Bitcoin Donate Button (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).

WordPress CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-1377 MEDIUM This Month

Unauthenticated attackers can modify WordPress imwptip plugin settings through cross-site request forgery attacks by exploiting missing nonce validation in versions up to 1.1. An attacker can trick site administrators into clicking a malicious link to alter plugin configurations without authentication. No patch is currently available for this vulnerability.

WordPress CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-1298 MEDIUM This Month

The Easy Replace Image plugin for WordPress up to version 3.5.2 lacks proper authorization checks on its AJAX image replacement function, allowing authenticated users with Contributor-level privileges to replace arbitrary image attachments with external URLs. This enables attackers to deface sites, conduct phishing attacks, or manipulate content without administrative oversight. No patch is currently available for this medium-severity vulnerability.

WordPress Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-14795 MEDIUM This Month

Stop Spammers Classic (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).

WordPress CSRF PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-0818 MEDIUM PATCH This Month

Thunderbird's inline OpenPGP message decryption can leak secret email contents through CSS style injection when remote content loading is enabled, allowing attackers to extract decrypted plaintext via crafted email formatting. This affects Thunderbird versions before 147.0.1 and 140.7.1, requiring user interaction to trigger the vulnerability. No patch is currently available.

Mozilla Information Disclosure
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-13986 MEDIUM PATCH This Month

Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Disable Login Page allows Functionality Bypass.This issue affects Disable Login Page: from 0.0.0 before 1.1.3. [CVSS 4.2 MEDIUM]

Drupal Authentication Bypass Disable Login Page
NVD
CVSS 3.1
4.2
EPSS
0.0%
Prev Page 2 of 2

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy