Skip to main content
CVE-2026-24434 MEDIUM This Month

Tenda AC7 firmware through V03.03.03.01_cn lacks CSRF protections on administrative web functions, enabling attackers to trick authenticated administrators into executing unauthorized configuration changes. An unauthenticated attacker can craft malicious requests that, when visited by an admin, modify router settings without their knowledge or consent. No patch is currently available.

CSRF Ac7 Firmware
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-1755 MEDIUM This Month

Stored cross-site scripting in WordPress Menu Icons by ThemeIsle plugin (versions up to 0.13.20) allows authenticated users with Author-level permissions or higher to inject malicious scripts through the attachment image alt meta field due to improper input sanitization. The injected scripts execute in the browsers of visitors accessing the affected pages, enabling session hijacking, credential theft, or malware distribution.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1210 MEDIUM This Month

Authenticated contributors and above can inject malicious scripts into WordPress pages through the Happy Addons for Elementor plugin (versions up to 3.20.7) via improper sanitization of the '_elementor_data' meta field, resulting in stored XSS that executes for all users viewing affected pages. An attacker with contributor-level permissions can leverage this to steal credentials, perform actions on behalf of administrators, or deface website content. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1592 MEDIUM This Month

Stored cross-site scripting in Foxit PDF Editor Cloud's Create New Layer feature allows authenticated attackers to execute arbitrary JavaScript by injecting malicious code that persists when layers are accessed by other users. The vulnerability affects pdfonline.foxit.com versions prior to 2026-02-03 and requires user interaction to trigger. No patch is currently available.

XSS Pdf Editor Cloud
NVD
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-1591 MEDIUM This Month

Foxit PDF Editor Cloud contains a stored XSS vulnerability in its file upload functionality where malicious usernames are not properly sanitized before being displayed in the upload file list, enabling authenticated attackers to execute arbitrary JavaScript in other users' browsers. The vulnerability affects pdfonline.foxit.com versions prior to 2026-02-03 and currently has no available patch. An attacker with valid credentials could craft a malicious username to compromise account security or steal sensitive document data from other users viewing the file list.

XSS Pdf Editor Cloud
NVD
CVSS 3.1
6.3
EPSS
0.0%
CVE-2025-58342 MEDIUM This Month

Exynos 980 Firmware versions up to - is affected by allocation of resources without limits or throttling (CVSS 6.2).

Samsung Linux Exynos 1480 Firmware Exynos 980 Firmware Exynos 1080 Firmware +8
NVD
CVSS 3.1
6.2
EPSS
0.0%
CVE-2025-58341 MEDIUM This Month

Exynos 980 Firmware versions up to - is affected by allocation of resources without limits or throttling (CVSS 6.2).

Samsung Linux Exynos 980 Firmware Exynos W930 Firmware Exynos 850 Firmware +8
NVD
CVSS 3.1
6.2
EPSS
0.0%
CVE-2025-58344 MEDIUM This Month

Exynos 980 Firmware versions up to - is affected by allocation of resources without limits or throttling (CVSS 6.2).

Samsung Linux Exynos 1280 Firmware Exynos 980 Firmware Exynos 1580 Firmware +8
NVD
CVSS 3.1
6.2
EPSS
0.0%
CVE-2025-58340 MEDIUM This Month

Exynos 980 Firmware versions up to - is affected by allocation of resources without limits or throttling (CVSS 6.2).

Samsung Linux Exynos 980 Firmware Exynos 1080 Firmware Exynos 850 Firmware +8
NVD
CVSS 3.1
6.2
EPSS
0.0%
CVE-2025-67851 MEDIUM PATCH This Month

A flaw was found in moodle. This formula injection vulnerability occurs when data fields are exported without proper escaping. [CVSS 6.1 MEDIUM]

Moodle
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-24426 MEDIUM This Month

The Tenda AC7 firmware web management interface fails to properly sanitize user input, enabling reflected cross-site scripting (XSS) attacks that can inject malicious scripts into a victim's browser. An unauthenticated attacker can exploit this vulnerability to steal session cookies, perform unauthorized actions, or redirect users to malicious sites. No patch is currently available for affected firmware versions V03.03.03.01_cn and earlier.

XSS Ac7 Firmware
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-25148 MEDIUM PATCH This Month

Improper serialization of virtual attributes in Qwik versions prior to 1.19.0 enables stored cross-site scripting attacks during server-side rendering, allowing attackers to inject malicious scripts that execute in users' browsers within the affected application context. The vulnerability requires user interaction and affects applications using vulnerable Qwik versions. A patch is available in version 1.19.0 and later.

XSS Qwik
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-25149 MEDIUM PATCH This Month

Qwik versions up to 1.19.0 is affected by url redirection to untrusted site (open redirect) (CVSS 6.1).

Open Redirect Qwik
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-61645 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/pager/CodexTablePager.Php. [CVSS 6.1 MEDIUM]

Mediawiki PHP XSS Red Hat
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-1802 MEDIUM This Month

Ziroom ZHOME A0101 version 1.0.1.0 contains a command injection vulnerability in the macAddrClone function that can be exploited remotely through manipulation of the macType parameter, allowing unauthenticated attackers to execute arbitrary commands. Public exploit code exists for this vulnerability, and the vendor has not provided a patch or response to disclosure requests. An attacker can leverage this flaw to achieve remote code execution with network access and no user interaction required.

Command Injection
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
2.1%
CVE-2026-24938 MEDIUM This Month

Stored XSS in Better Search plugin version 4.2.1 and earlier enables authenticated attackers with high privileges to inject malicious scripts that persist in web pages and execute in other users' browsers. The vulnerability requires user interaction to trigger but can compromise confidentiality, integrity, and availability across the application scope. No patch is currently available.

XSS
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2025-64098 MEDIUM PATCH This Month

Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group ). [CVSS 5.9 MEDIUM]

Integer Overflow Debian Linux Fast Dds
NVD GitHub
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-24441 MEDIUM This Month

Tenda AC7 firmware V03.03.03.01_cn and earlier transmits account credentials in cleartext over HTTP, enabling network-positioned attackers to intercept and obtain authentication material without user interaction. This cleartext credential exposure in HTTP responses creates a high confidentiality risk for affected device users. No patch is currently available for this vulnerability.

Information Disclosure Ac7 Firmware
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-24932 MEDIUM This Month

Improper TLS/SSL certificate validation in ADM's DDNS update function (versions 4.1.0-4.3.3.ROF1 and 5.0.0-5.1.1.RCI1) enables remote man-in-the-middle attacks to intercept HTTPS communications and extract sensitive data including user email, MD5 hashed passwords, and device serial numbers. An unauthenticated attacker on the network can exploit this weakness without user interaction to compromise DDNS update credentials. No patch is currently available for affected versions.

TLS Data Master
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-24933 MEDIUM This Month

Data Master versions 4.1.0-4.3.3 and 5.0.0-5.1.1 fail to validate SSL/TLS certificates during HTTPS communication, enabling unauthenticated attackers to conduct man-in-the-middle attacks and intercept sensitive data including emails, password hashes, and device serial numbers. The vulnerability affects API communication with no available patch, leaving affected installations at persistent risk of credential and information disclosure.

Authentication Bypass Data Master
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-25151 MEDIUM PATCH This Month

Qwik is a performance focused javascript framework. [CVSS 5.9 MEDIUM]

CSRF Qwik
NVD GitHub
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-25155 MEDIUM PATCH This Month

Qwik versions prior to 1.12.0 contain a regular expression parsing error in the isContentType function that allows attackers to bypass Content-Type validation through crafted headers. An attacker can exploit this to perform cross-site request forgery (CSRF) attacks by manipulating how the application interprets request content types. A patch is available in version 1.12.0.

CSRF Qwik
NVD GitHub
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-24935 MEDIUM This Month

Data Master ADM 4.1.0-4.3.3 and 5.0.0-5.1.1 are vulnerable to man-in-the-middle attacks due to improper SSL/TLS certificate validation in the NAT traversal module, allowing attackers to intercept tunnel establishment and redirect connections to the signaling server. An attacker exploiting this can proxy device service communications, disrupt availability, or position themselves for follow-on attacks, though further authentication is required to access actual device services. No patch is currently available.

Authentication Bypass Data Master
NVD
CVSS 3.1
5.6
EPSS
0.0%
CVE-2025-52627 MEDIUM This Month

Aion versions up to 2.0 is affected by incorrect permission assignment for critical resource (CVSS 5.5).

Authentication Bypass Aion
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-58346 MEDIUM This Month

Exynos 980 Firmware versions up to - is affected by allocation of resources without limits or throttling (CVSS 5.5).

Samsung Linux Exynos 980 Firmware Exynos 1280 Firmware Exynos 1380 Firmware +8
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-58345 MEDIUM This Month

Exynos 980 Firmware versions up to - is affected by allocation of resources without limits or throttling (CVSS 5.5).

Samsung Linux Exynos 1080 Firmware Exynos W920 Firmware Exynos 1380 Firmware +8
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-58343 MEDIUM This Month

Exynos 980 Firmware versions up to - is affected by allocation of resources without limits or throttling (CVSS 5.5).

Samsung Linux Exynos 1580 Firmware Exynos 1080 Firmware Exynos 1380 Firmware +8
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-24427 MEDIUM This Month

Tenda AC7 firmware v03.03.03.01_cn and earlier transmits administrative credentials in plaintext within web management responses and fails to set proper Cache-Control headers, allowing credentials to be cached by browsers. A local attacker with access to a client system or browser profile can retrieve these cached credentials to gain unauthorized administrative access to affected routers. No patch is currently available for this vulnerability.

Information Disclosure Ac7 Firmware
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-58348 MEDIUM This Month

Exynos 980 Firmware versions up to - is affected by allocation of resources without limits or throttling (CVSS 5.5).

Samsung Linux Exynos 850 Firmware Exynos 980 Firmware Exynos 1380 Firmware +8
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-58347 MEDIUM This Month

Exynos 980 Firmware versions up to - is affected by allocation of resources without limits or throttling (CVSS 5.5).

Samsung Linux Exynos 1380 Firmware Exynos 980 Firmware Exynos W1000 Firmware +8
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-58379 MEDIUM This Month

Fabric Operating System versions up to 9.2.1 is affected by execution with unnecessary privileges (CVSS 5.5).

Privilege Escalation Fabric Operating System
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-36094 MEDIUM This Month

Cloud Pak For Business Automation versions up to 24.0.0 contains a vulnerability that allows attackers to an authenticated user to cause a denial of service or corrupt existing data due (CVSS 5.4).

IBM Denial Of Service Cloud Pak For Business Automation
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-25021 MEDIUM This Month

Mizan Themes Mizan Demo Importer mizan-demo-importer is affected by missing authorization (CVSS 5.4).

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-24990 MEDIUM This Month

Improper access control in WP Docs plugin version 2.2.8 and earlier for WordPress allows authenticated users to modify or delete content they should not have permission to access. An attacker with user-level credentials can exploit misconfigured security settings to alter website data or cause service disruption.

WordPress
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-24961 MEDIUM This Month

ThemeGoods Grand Blog versions prior to 3.1.5 contain a server-side request forgery vulnerability that allows unauthenticated remote attackers to make arbitrary HTTP requests from the affected server. The vulnerability enables attackers to access internal resources or interact with backend services on behalf of the server, potentially leading to information disclosure or lateral movement within the network. No patch is currently available for this issue.

SSRF
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-14274 MEDIUM This Month

Unlimited Elements for Elementor (WordPress plugin) versions up to 2.0.1. is affected by cross-site scripting (xss) (CVSS 5.4).

WordPress XSS PHP
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-65923 MEDIUM This Month

A Stored Cross-Site Scripting (XSS) vulnerability was discovered within the CSV import mechanism of ERPNext thru 15.88.1 when using the Update Existing Recordsoption. [CVSS 5.4 MEDIUM]

XSS Erpnext
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-36033 MEDIUM This Month

Engineering Lifecycle Management versions up to 7.0.3 is affected by cross-site scripting (xss) (CVSS 5.4).

IBM XSS Engineering Lifecycle Management
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-67855 MEDIUM PATCH This Month

A flaw was found in mooodle. A remote attacker could exploit a reflected Cross-Site Scripting (XSS) vulnerability in the policy tool return URL. [CVSS 5.4 MEDIUM]

XSS Information Disclosure Moodle
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-25024 MEDIUM This Month

Blair Williams ThirstyAffiliates thirstyaffiliates is affected by cross-site request forgery (csrf) (CVSS 5.4).

CSRF
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-24986 MEDIUM This Month

wp.insider Simple Membership WP user Import simple-membership-wp-user-import is affected by cross-site request forgery (csrf) (CVSS 5.4).

WordPress CSRF
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-67856 MEDIUM PATCH This Month

A flaw was found in Moodle. An authorization logic flaw, specifically due to incomplete role checks during the badge awarding process, allowed badges to be granted without proper verification. [CVSS 5.4 MEDIUM]

Moodle Privilege Escalation
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-69848 MEDIUM This Month

NetBox is an open-source infrastructure resource modeling and IP address management platform. [CVSS 5.4 MEDIUM]

XSS Netbox
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-1312 MEDIUM PATCH This Month

SQL injection in Django's QuerySet.order_by() method allows authenticated attackers to execute arbitrary SQL commands through specially crafted column aliases containing periods when used with FilteredRelation and dictionary expansion. This vulnerability affects Django versions 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28, with potentially older unsupported versions also impacted. Patches are available for all affected versions.

Django SQLi Python
NVD HeroDevs VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-1287 MEDIUM PATCH GHSA This Month

SQL injection via FilteredRelation column aliases in Django 4.2, 5.2, and 6.0 allows authenticated attackers to execute arbitrary SQL queries through crafted dictionary arguments in QuerySet methods like annotate() and aggregate(). An attacker with database access can exploit control characters in alias names to bypass input validation and potentially extract sensitive data or modify database contents. Patches are available for all affected versions, and unsupported Django releases may also be vulnerable.

Django SQLi Python
NVD HeroDevs VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-25028 MEDIUM This Month

Element Invader ElementInvader Addons for Elementor elementinvader-addons-for-elementor is affected by missing authorization (CVSS 5.4).

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-1447 MEDIUM This Month

Unauthenticated attackers can forge requests to create or modify contact notes in WordPress Mail Mint plugin versions up to 1.19.2 by exploiting missing CSRF protections, requiring only that a site administrator clicks a malicious link. The lack of input validation on these operations enables stored XSS attacks that could compromise administrator accounts and site integrity. No patch is currently available.

WordPress XSS CSRF
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-0950 MEDIUM This Month

Spectra Gutenberg Blocks plugin for WordPress fails to properly check password protection before displaying post excerpts, allowing unauthenticated attackers to read excerpts from password-protected posts through Post Grid, Post Masonry, Post Carousel, and Post Timeline blocks. The vulnerability affects all versions up to 2.19.17 and requires no authentication or user interaction to exploit. Currently, no patch is available.

WordPress Information Disclosure
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-25509 MEDIUM PATCH This Month

CI4MS prior to version 0.28.5.0 contains an email enumeration vulnerability in its password reset functionality that allows unauthenticated attackers to determine whether specific email addresses are registered in the system. An attacker can exploit this information disclosure by analyzing response patterns during the authentication process to build a list of valid user accounts. A patch is available in version 0.28.5.0 and later.

Information Disclosure Ci4ms
NVD GitHub
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-1371 MEDIUM This Month

The Tutor LMS plugin for WordPress fails to enforce capability checks in its coupon details AJAX function, allowing authenticated subscribers to disclose sensitive coupon data including codes, discount amounts, and usage metrics through nonce validation bypass. This information exposure affects all versions up to 3.9.5 and requires only valid user authentication to exploit. No patch is currently available.

WordPress Information Disclosure
NVD
CVSS 3.1
5.3
EPSS
0.0%
Prev Page 2 of 3 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy