Skip to main content
CVE-2026-21569 HIGH This Week

XXE injection in Atlassian Crowd Data Center and Server 7.1.0+ enables authenticated attackers to read local and remote files, significantly compromising confidentiality and availability. The vulnerability requires high privileges to exploit but accepts no user interaction, affecting multiple Crowd versions until patching to 7.1.3 or later. No patch is currently available for all affected versions.

Atlassian Confluence XXE Crowd
NVD VulDB
CVSS 3.0
7.9
EPSS
0.1%
CVE-2025-57283 HIGH PATCH This Week

The Node.js package browserstack-local 1.5.8 contains a command injection vulnerability. This occurs because the logfile variable is not properly sanitized in lib/Local.js. [CVSS 7.8 HIGH]

Node.js Command Injection Browserstack Local Code Injection RCE
NVD GitHub VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-23014 HIGH PATCH This Week

Linux kernel perf subsystem denial of service via improper hrtimer cleanup allows local users with standard privileges to cause a system crash when perf events are freed with active hrtimerss still pending. The vulnerability stems from insufficient timer cancellation during event destruction, enabling resource exhaustion. No patch is currently available.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-46691 HIGH This Week

Dell PremierColor Panel Driver, versions prior to 1.0.0.1 A01, contains an Improper Access Control vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of Privileges. [CVSS 7.8 HIGH]

Authentication Bypass Dell Premiercolor
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-61731 HIGH PATCH This Week

Building a malicious file with cmd/go can cause can cause a write to an attacker-controlled file with partial control of the file content. The "#cgo pkg-config:" directive in a Go source file provides command-line arguments to provide to the Go pkg-config command. [CVSS 7.8 HIGH]

Go Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-33220 HIGH This Week

NVIDIA vGPU software contains a vulnerability in the Virtual GPU Manager, where a malicious guest could cause heap memory access after the memory is freed. [CVSS 7.8 HIGH]

Denial Of Service Privilege Escalation Information Disclosure
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-33219 HIGH PATCH This Week

NVIDIA Display Driver for Linux contains a vulnerability in the NVIDIA kernel module where an attacker could cause an integer overflow or wraparound. [CVSS 7.8 HIGH]

Linux Integer Overflow Denial Of Service Privilege Escalation Information Disclosure +1
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-33218 HIGH This Week

NVIDIA GPU Display Driver for Windows contains a vulnerability in the kernel mode layer (nvlddmkm.sys), where an attacker could cause an integer overflow. [CVSS 7.8 HIGH]

Linux Windows Integer Overflow Denial Of Service Privilege Escalation +1
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-33217 HIGH This Week

NVIDIA Display Driver for Windows contains a vulnerability where an attacker could trigger a use after free. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, denial of service, and information disclosure. [CVSS 7.8 HIGH]

Windows Use After Free Denial Of Service Privilege Escalation Information Disclosure
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-68662 HIGH This Week

Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, a hostname validation issue in FinalDestination could allow bypassing SSRF protections under certain conditions. [CVSS 7.6 HIGH]

SSRF Discourse
NVD GitHub
CVSS 3.1
7.6
EPSS
0.1%
CVE-2026-24833 HIGH This Week

DotNetNuke versions prior to 9.13.10 and 10.2.0 allow arbitrary script execution in the Persona Bar administrative interface through unsanitized richtext content in module descriptions. An authenticated attacker with module installation privileges can inject malicious scripts that execute in the context of administrative users, potentially compromising sensitive data or administrative functions. This vulnerability requires high privileges and user interaction to exploit, with no public patch currently available for affected versions.

.NET Dotnetnuke
NVD GitHub
CVSS 3.1
7.6
EPSS
0.0%
CVE-2026-24837 HIGH PATCH This Week

Stored cross-site scripting in DNN versions 9.0.0 through 9.13.9 and 10.0.0 through 10.1.x allows high-privileged users with UI interaction to inject malicious scripts into module friendly names that execute within the Persona Bar administrative interface. An authenticated attacker with sufficient permissions could exploit this to perform administrative actions or compromise other users' sessions. No patch is currently available for affected versions.

.NET Dotnetnuke
NVD GitHub
CVSS 3.1
7.6
EPSS
0.0%
CVE-2026-24836 HIGH PATCH This Week

Stored cross-site scripting in DNN versions 9.0.0 through 9.13.9 and 10.0.0 through 10.1.x allows authenticated administrators with high privileges to inject malicious scripts into log notes that execute within the PersonaBar interface. An attacker with admin credentials could perform actions as the victim or steal session data when the logs are viewed. Upgrade to DNN 9.13.10 or 10.2.0 to remediate this vulnerability.

.NET Dotnetnuke
NVD GitHub
CVSS 3.1
7.6
EPSS
0.0%
CVE-2026-1280 HIGH This Week

The Frontend File Manager Plugin for WordPress through version 23.5 lacks proper authorization checks on a file sharing AJAX endpoint, allowing unauthenticated attackers to enumerate and exfiltrate sensitive uploaded files via sequential ID manipulation. By exploiting this flaw, an attacker can email arbitrary files to themselves or others, potentially exposing restricted administrative data. No patch is currently available for this high-severity vulnerability.

WordPress
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-59895 HIGH This Week

Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18 contain a remote denial-of-service (DoS) vulnerability in the configuration restore functionality. The issue is due to insufficient validation of user-supplied data during this process. [CVSS 7.5 HIGH]

Denial Of Service Code Injection Syncbreeze Diskpulse
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-14840 HIGH PATCH This Week

Http Client Manager versions up to 9.3.13 is affected by improper check for unusual or exceptional conditions (CVSS 7.5).

Drupal Http Client Manager Red Hat
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-23743 HIGH This Week

Discourse is an open source discussion platform. [CVSS 7.5 HIGH]

Information Disclosure Discourse
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-0702 HIGH This Week

Unauthenticated attackers can exploit time-based SQL injection in the VidShop plugin for WordPress (versions up to 1.1.4) through the unescaped 'fields' parameter to extract sensitive database information. The vulnerability stems from insufficient input validation and improper query preparation, allowing attackers to inject malicious SQL commands without authentication. No patch is currently available for this high-severity flaw affecting WooCommerce installations.

WordPress SQLi
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-40537 HIGH This Week

SolarWinds Web Help Desk was found to be susceptible to a hardcoded credentials vulnerability that, under certain situations, could allow access to administrative functions. [CVSS 7.5 HIGH]

Authentication Bypass Web Help Desk
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-0832 HIGH This Week

New User Approve (WordPress plugin) versions up to 3.2.2. is affected by missing authorization (CVSS 7.3).

WordPress
NVD
CVSS 3.1
7.3
EPSS
0.1%
CVE-2026-1400 HIGH This Week

Arbitrary file upload in AI Engine WordPress plugin versions up to 3.3.2 allows authenticated Editor-level users to bypass file type validation and execute remote code by uploading files through the `update_media_metadata` REST endpoint. An attacker can upload a benign image file and then rename it to PHP, placing executable code in the web-accessible uploads directory. The vulnerability affects WordPress installations with the plugin installed and requires Editor or higher privileges to exploit.

WordPress PHP RCE AI / ML
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2025-14610 HIGH This Week

The TableMaster for Elementor plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.3.6. This is due to the plugin not restricting which URLs can be fetched when importing CSV data from a URL in the Data Table widget. This makes it possible for authenticated attackers, with Author-level access and above, to make web requests to arbitrary locations, including localhost and internal network services, and read sensitive files such as wp-config....

WordPress PHP SSRF
NVD
CVSS 3.1
7.2
EPSS
0.0%
CVE-2025-68479 HIGH This Week

Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, some subscription endpoints lack proper checking for ownership before making changes. [CVSS 7.1 HIGH]

Authentication Bypass Discourse
NVD GitHub
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-13917 HIGH This Week

WSS Agent, prior to 9.8.5, may be susceptible to a Elevation of Privilege vulnerability, which is a type of issue whereby an attacker may attempt to compromise the software application to gain elevated access to resources that are normally protected from an application or user. [CVSS 7.0 HIGH]

Privilege Escalation
NVD
CVSS 3.1
7.0
EPSS
0.0%
CVE-2025-68119 HIGH PATCH This Week

Downloading and building modules with malicious version strings can cause local code execution. On systems with Mercurial (hg) installed, downloading modules from non-standard sources (e.g., custom domains) can cause unexpected code execution due to how external VCS commands are constructed. [CVSS 7.0 HIGH]

Buffer Overflow RCE Go Red Hat Suse
NVD VulDB
CVSS 3.1
7.0
EPSS
0.0%
CVE-2025-68933 MEDIUM This Month

Discourse is an open source discussion platform. [CVSS 6.9 MEDIUM]

Authentication Bypass Discourse
NVD GitHub
CVSS 3.1
6.9
EPSS
0.0%
CVE-2026-24784 MEDIUM PATCH This Month

Stored cross-site scripting in DNN versions 9.0.0 through 10.1.x allows content editors to inject malicious scripts into module headers and footers that execute in the browsers of other users. An authenticated editor with content creation privileges can exploit this to steal session tokens, perform actions on behalf of other users, or redirect them to malicious sites. Updates to version 9.13.10 or 10.2.0 are required to remediate the vulnerability.

.NET Dotnetnuke
NVD GitHub
CVSS 3.1
6.8
EPSS
0.0%
CVE-2025-57796 MEDIUM This Month

Explorance Blue versions prior to 8.14.12 use reversible symmetric encryption with a hardcoded static key to protect sensitive data, including user passwords and system configurations. This approach allows stored values to be decrypted offline if the encrypted data are obtained. [CVSS 6.8 MEDIUM]

Information Disclosure Blue
NVD GitHub
CVSS 3.1
6.8
EPSS
0.0%
CVE-2025-13918 MEDIUM This Month

Symantec Endpoint Protection, prior to 14.3 RU10 Patch 1, RU9 Patch 2, and RU8 Patch 3, may be susceptible to a Elevation of Privilege vulnerability, which is a type of issue whereby an attacker may attempt to compromise the software application to gain elevated access to resources that are normally protected from an application or user. [CVSS 6.7 MEDIUM]

Broadcom Privilege Escalation
NVD
CVSS 3.1
6.7
EPSS
0.0%
CVE-2025-68934 MEDIUM This Month

Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, authenticated users can submit crafted payloads to /drafts.json that cause O(n^2) processing in Base62.decode, tying up workers for 35-60 seconds per request. This affects all users as the shared worker pool becomes exhausted. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. Lowering the max_draft_length site setting reduces attack surface but does not f...

Denial Of Service Discourse
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-1514 MEDIUM This Month

The 2100 Technology Document Management System contains an authorization bypass that permits authenticated users to access and read all official documents by manipulating front-end code. An attacker with valid credentials can exploit this vulnerability to disclose sensitive documents without requiring additional privileges or user interaction. No patch is currently available for this vulnerability.

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-69218 MEDIUM This Month

Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, moderators can access the `top_uploads` admin report which should be restricted to admins only. [CVSS 6.5 MEDIUM]

Authentication Bypass Discourse
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-21865 MEDIUM This Month

Discourse versions before 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 allow moderators with insufficient permissions to convert private messages into public topics, potentially exposing sensitive user communications. The vulnerability affects any Discourse instance where untrusted moderators have access to moderation features. Site administrators can mitigate this by temporarily removing moderator privileges or disabling personal message access for moderator groups until patching to a fixed version.

Industrial Discourse
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-24742 MEDIUM This Month

Discourse versions before 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 allow non-admin moderators to access restricted staff action logs containing sensitive data such as webhook secrets, API keys, private messages, and restricted category information. An attacker with moderator privileges could extract confidential information and use leaked webhook credentials to spoof events to integrated services. No patch is currently available for this access control bypass.

Authentication Bypass Discourse
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-68666 MEDIUM This Month

Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, users archives are viewable by users with moderation privileges even though moderators should not have access to the archives. [CVSS 6.5 MEDIUM]

Authentication Bypass Discourse
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-24134 MEDIUM PATCH This Month

headless content management system. versions up to 0.2.0 is affected by authorization bypass through user-controlled key (CVSS 6.5).

Authentication Bypass Studiocms
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-14039 MEDIUM This Month

The Simple Folio plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '_simple_folio_item_client_name' and '_simple_folio_item_link' meta fields in all versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-14865 MEDIUM This Month

The Passster - Password Protect Pages and Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'content_protector' shortcode in all versions up to, and including, 4.2.24. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1295 MEDIUM This Month

The Buy Now Plus plugin for WordPress versions up to 1.0.2 allows authenticated users with Contributor access or higher to execute arbitrary JavaScript in pages through improper sanitization of the 'buynowplus' shortcode attributes. This stored cross-site scripting vulnerability enables attackers to inject malicious scripts that execute whenever visitors view affected pages. No patch is currently available for this vulnerability.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1244 MEDIUM This Month

Stored cross-site scripting in Forms Bridge - Infinite integrations plugin for WordPress versions up to 4.2.5 allows authenticated contributors and higher-privilege users to inject malicious scripts through the 'id' shortcode parameter. The vulnerability stems from insufficient input sanitization and output escaping, enabling attackers to execute arbitrary JavaScript in pages viewed by other users. No patch is currently available for this vulnerability.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-14283 MEDIUM This Month

The BlockArt Blocks - Gutenberg Blocks, Page Builder Blocks ,WordPress Block Plugin, Sections & Template Library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the BlockArt Counter in all versions up to, and including, 2.2.14 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-12709 MEDIUM This Month

The Interactions - Create Interactive Experiences in the Block Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via event selectors in all versions up to, and including, 1.3.1 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-9082 MEDIUM This Month

The WPBITS Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple widget parameters in versions up to, and including, 1.8 due to insufficient input sanitization and output escaping when dynamic content is enabled. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-8072 MEDIUM This Month

The Target Video Easy Publish plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘placeholder_img’ parameter in all versions up to, and including, 3.8.8 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-24775 MEDIUM PATCH This Month

Insufficient input validation in OpenProject's BlockNote editor extension allows authenticated users to craft malicious documents containing relative links that trigger arbitrary GET requests to any URL within the OpenProject instance when opened. An attacker with document creation privileges can exploit this to access sensitive information or perform unauthorized actions on behalf of other users. A patch is available in OpenProject 17.0.2 and op-blocknote-extensions 0.0.22.

Authentication Bypass Openproject
NVD GitHub
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-1548 LOW POC Monitor

Command injection in Totolik A7000R firmware (version 4.1cu.4154) via the CloudACManualUpdateUserdata function allows authenticated remote attackers to execute arbitrary commands through a crafted url parameter. Public exploit code exists for this vulnerability and no patch is currently available.

Command Injection A7000r Firmware
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.8%
CVE-2026-1547 LOW POC Monitor

Command injection in Totolik A7000R firmware allows authenticated remote attackers to execute arbitrary commands through the plugin_name parameter in the setUnloadUserData function. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires network access and valid credentials but no user interaction.

Command Injection A7000r Firmware
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.8%
CVE-2025-14063 MEDIUM This Month

The SEO Links Interlinking plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'google_error' parameter in all versions up to, and including, 1.7.5 due to insufficient input sanitization and output escaping. [CVSS 6.1 MEDIUM]

WordPress XSS
NVD
CVSS 3.1
6.1
EPSS
0.2%
CVE-2026-1544 LOW POC Monitor

D-Link DIR-823X routers are vulnerable to remote command injection through the lan_gateway parameter in the /goform/set_mode function, allowing authenticated attackers to execute arbitrary OS commands. Public exploit code is available for this vulnerability, and affected devices are no longer receiving security updates from the vendor. The attack requires network access and valid credentials but has a low CVSS score of 6.3 due to limited impact scope.

D-Link Command Injection
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2026-1546 LOW POC Monitor

SQL injection in jshERP up to version 3.6 allows authenticated remote attackers to manipulate the barCodes parameter in the DepotItem import function, potentially enabling unauthorized data access or modification. Public exploit code exists for this vulnerability, and no patch is currently available. The vendor has not responded to early notification of this issue.

SQLi Jsherp
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
Prev Page 3 of 5 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy