Skip to main content
CVE-2026-1298 MEDIUM This Month

The Easy Replace Image plugin for WordPress up to version 3.5.2 lacks proper authorization checks on its AJAX image replacement function, allowing authenticated users with Contributor-level privileges to replace arbitrary image attachments with external URLs. This enables attackers to deface sites, conduct phishing attacks, or manipulate content without administrative oversight. No patch is currently available for this medium-severity vulnerability.

WordPress Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-14795 MEDIUM This Month

Stop Spammers Classic (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).

WordPress CSRF PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-0818 MEDIUM PATCH This Month

Thunderbird's inline OpenPGP message decryption can leak secret email contents through CSS style injection when remote content loading is enabled, allowing attackers to extract decrypted plaintext via crafted email formatting. This affects Thunderbird versions before 147.0.1 and 140.7.1, requiring user interaction to trigger the vulnerability. No patch is currently available.

Mozilla Information Disclosure
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-13986 MEDIUM PATCH This Month

Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Disable Login Page allows Functionality Bypass.This issue affects Disable Login Page: from 0.0.0 before 1.1.3. [CVSS 4.2 MEDIUM]

Drupal Authentication Bypass Disable Login Page
NVD
CVSS 3.1
4.2
EPSS
0.0%
CVE-2026-23553 LOW PATCH Monitor

In the context switch logic Xen attempts to skip an IBPB in the case of a vCPU returning to a CPU on which it was the previous vCPU to run. While safe for Xen's isolation between vCPUs, this prevents the guest kernel correctly isolating between tasks. [CVSS 2.9 LOW]

Linux
NVD
CVSS 3.1
2.9
EPSS
0.0%
CVE-2026-0483 This Week

Stored Cross-Site Scripting (XSS) vulnerability in the PDF file upload functionality of Live Helper Chat, versions prior to 4.72.

XSS
NVD
EPSS
0.1%
CVE-2025-26386 This Week

Johnson Controls iSTAR Configuration Utility (ICU) has Stack-based Buffer Overflow vulnerability. This issue affects iSTAR Configuration Utility (ICU) version 6.9.7 and prior.

Buffer Overflow Stack Overflow
NVD
EPSS
0.1%
CVE-2025-59901 This Week

Disk Pulse Enterprise v10.4.18 has an authenticated reflected XSS vulnerability in the '/monitor_directory?sid=' endpoint, caused by insufficient validation of the 'monitor_directory' parameter sent by POST.

XSS
NVD
EPSS
0.0%
CVE-2026-1237 Monitor

Vulnerable cross-model authorization in juju.

Information Disclosure
NVD GitHub
EPSS
0.0%
CVE-2025-41351 Monitor

Vulnerability that allows a Padding Oracle Attack to be performed on the Funambol v30.0.0.20 cloud server. The thumbnail display URL allows an attacker to decrypt and encrypt the parameters used by the application to generate ‘self-signed’ access URLs.

Authentication Bypass
NVD
EPSS
0.0%
CVE-2025-7740 Monitor

Default credentials vulnerability exists in SuprOS product. If exploited, this could allow an authenticated local attacker to use an admin account created during product deployment.

Information Disclosure
NVD
EPSS
0.0%
Prev Page 5 of 5

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy