Skip to main content
CVE-2026-1730 HIGH This Week

OS DataHub Maps (WordPress plugin) is affected by unrestricted upload of file with dangerous type (CVSS 8.8).

WordPress RCE
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2025-65875 HIGH This Week

An arbitrary file upload vulnerability in the AddFont() function of FPDF v1.86 and earlier allows attackers to execute arbitrary code via uploading a crafted PHP file. [CVSS 8.8 HIGH]

PHP Fpdf
NVD GitHub
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-24954 HIGH This Week

magepeopleteam WpEvently mage-eventpress is affected by deserialization of untrusted data (CVSS 8.8).

Deserialization
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-24512 HIGH PATCH This Week

Ingress-nginx controllers are vulnerable to arbitrary code execution through malicious path specifications in Ingress rules, allowing authenticated attackers to inject nginx configuration and execute commands with controller privileges. The vulnerability also enables disclosure of cluster-wide Secrets accessible to the controller. No patch is currently available, and exploitation requires low complexity with only low privileges needed.

Nginx Suse
NVD GitHub
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-1862 HIGH PATCH This Week

Chrome versions up to 144.0.7559.132 is affected by access of resource using incompatible type (type confusion) (CVSS 8.8).

Chrome Google Suse
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-24887 HIGH POC PATCH This Week

Claude Code versions before 2.0.72 allow authenticated attackers to execute arbitrary commands by exploiting a command parsing defect that bypasses the execution confirmation prompt via malicious find command syntax. An attacker with the ability to inject untrusted content into a Claude Code context can trigger unintended command execution with high impact to confidentiality, integrity, and availability. No patch is currently available for affected deployments.

Command Injection AI / ML Claude Code
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-1580 HIGH PATCH This Week

Arbitrary code execution in ingress-nginx controllers via malicious `nginx.ingress.kubernetes.io/auth-method` Ingress annotations allows authenticated attackers to execute commands within the controller context and access cluster-wide Secrets. This vulnerability affects Nginx and Kubernetes deployments where the ingress controller has default cluster-wide Secret access permissions. No patch is currently available.

Nginx Kubernetes Suse
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-25488 MEDIUM POC PATCH This Month

Stored XSS in Craft Commerce 4.0.0-RC1 through 4.10.0 and 5.0.0 through 5.5.1 allows authenticated administrators with high privileges to inject malicious scripts through unsanitized Tax Category fields, which execute when other admins view the affected pages. Public exploit code exists for this vulnerability. Patches are available in versions 4.10.1 and 5.5.2.

XSS Craft Commerce
NVD GitHub
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-25487 MEDIUM POC PATCH This Month

Stored XSS in Craft Commerce 4.0.0-RC1 through 4.10.0 and 5.0.0 through 5.5.1 allows authenticated administrators with high privileges to inject malicious scripts via unsanitized Tax Rates name fields, enabling arbitrary JavaScript execution in other administrators' browsers. Public exploit code exists for this vulnerability. Patches are available in versions 4.10.1 and 5.5.2.

XSS Craft Commerce
NVD GitHub
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-25486 MEDIUM POC PATCH This Month

Stored XSS in Craft Commerce versions 5.0.0 through 5.5.1 permits authenticated attackers with administrative privileges to inject malicious scripts through the Shipping Methods Name field, which executes in other administrators' browsers when they access the Store Management interface. Public exploit code exists for this vulnerability. The flaw stems from insufficient input sanitization and is remediated in version 5.5.2.

XSS Craft Commerce
NVD GitHub
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-1861 HIGH PATCH This Week

Heap buffer overflow in Chrome's libvpx video codec allows remote attackers to achieve arbitrary code execution through a malicious webpage, requiring only user interaction to trigger exploitation. The vulnerability affects Chrome versions prior to 144.0.7559.132 and currently lacks a patch. With a CVSS score of 8.8, this high-severity flaw poses significant risk to users who visit compromised or attacker-controlled websites.

Buffer Overflow Chrome Google Suse
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-25522 MEDIUM POC PATCH This Month

Stored XSS in Craft Commerce 4.0.0-RC1 through 4.10.0 and 5.0.0 through 5.5.1 allows authenticated attackers with high privileges to inject malicious scripts through unsanitized Shipping Zone name and description fields, which execute in administrators' browsers. Public exploit code exists for this vulnerability. Updates to versions 4.10.1 and 5.5.2 are available to remediate the issue.

XSS Craft Commerce
NVD GitHub
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-25482 MEDIUM POC PATCH This Month

Craft Commerce versions 4.0.0-RC1 through 4.10.0 and 5.0.0 through 5.5.1 contain a stored DOM-based XSS vulnerability in the Recent Orders dashboard widget where unescaped Order Status Names allow arbitrary script execution when administrators access the dashboard. An attacker with the ability to modify order statuses can inject malicious JavaScript that executes in the context of any admin user, potentially leading to account compromise or unauthorized actions. Public exploit code exists for this vulnerability; patches are available in versions 4.10.1 and 5.5.2.

XSS Craft Commerce
NVD GitHub
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-25490 MEDIUM POC PATCH This Month

Stored XSS in Craft Commerce 4.0.0-RC1 through 4.10.0 and 5.0.0 through 5.5.1 allows authenticated attackers with high privileges to inject malicious scripts via the Address Line 1 field in Inventory Locations, which execute in administrators' browsers when the field is viewed in the admin panel. Public exploit code exists for this vulnerability. Patches are available in versions 4.10.1 and 5.5.2.

XSS Craft Commerce
NVD GitHub
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-25489 MEDIUM POC PATCH This Month

Stored XSS in Craft Commerce 4.0.0-RC1 through 4.10.0 and 5.0.0 through 5.5.1 allows authenticated attackers with high privileges to inject malicious scripts via unsanitized Tax Zone name and description fields, executing arbitrary JavaScript in administrators' browsers. Public exploit code exists for this vulnerability. Patches are available in versions 4.10.1 and 5.5.2.

XSS Craft Commerce
NVD GitHub
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-25485 MEDIUM POC PATCH This Month

Stored XSS in Craft Commerce shipping category fields allows authenticated attackers with high privileges to inject malicious scripts that execute in administrators' browsers, affecting versions 4.0.0-RC1 through 4.10.0 and 5.0.0 through 5.5.1. The vulnerability stems from insufficient sanitization of the Name and Description fields in the Store Management section before display in the admin panel. Public exploit code exists, and patches are available in versions 4.10.1 and 5.5.2.

XSS Craft Commerce
NVD GitHub
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-25484 MEDIUM POC PATCH This Month

Stored cross-site scripting in Craft Commerce versions 4.0.0-RC1 through 4.10.0 and 5.0.0 through 5.5.1 allows authenticated users with product type management permissions to inject malicious scripts via unsanitized product type names that execute when administrators view user permissions settings. Public exploit code exists for this vulnerability. Upgrades to versions 4.10.1 or 5.5.2 resolve the issue.

XSS Craft Commerce
NVD GitHub
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-24674 MEDIUM POC This Month

The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. [CVSS 4.7 MEDIUM]

XSS Open Eclass Platform
NVD GitHub
CVSS 3.1
4.7
EPSS
0.0%
CVE-2026-25616 MEDIUM POC This Month

Blesta 3.x through 5.x before 5.13.3 mishandles input validation, aka CORE-5665. [CVSS 4.7 MEDIUM]

XSS Blesta
NVD
CVSS 3.1
4.7
EPSS
0.0%
CVE-2026-22550 HIGH This Week

Authenticated command injection in WRC-X1500GS-B and WRC-X1500GSA-B routers enables logged-in users to execute arbitrary OS commands through specially crafted requests. An attacker with valid credentials can gain complete system control over the affected devices. No patch is currently available to remediate this vulnerability.

Command Injection Wrc X1500Gsa B Firmware Wrc X1500Gs B Firmware
NVD
CVSS 4.0
8.6
EPSS
0.1%
CVE-2025-6397 HIGH This Week

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Ankara Hosting Website Design Website Software allows Reflected XSS.This issue affects Website Software: through 03022026. [CVSS 8.6 HIGH]

XSS
NVD VulDB
CVSS 3.1
8.6
EPSS
0.1%
CVE-2025-62600 HIGH PATCH This Week

Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group ). [CVSS 7.5 HIGH]

Information Disclosure Buffer Overflow Fast Dds Debian Linux
NVD GitHub
CVSS 3.1
8.6
EPSS
0.0%
CVE-2025-62599 HIGH PATCH This Week

Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group ). [CVSS 7.5 HIGH]

Information Disclosure Buffer Overflow Fast Dds Debian Linux
NVD GitHub
CVSS 3.1
8.6
EPSS
0.0%
CVE-2026-25022 HIGH This Week

Blind SQL injection in KiviCare clinic management system versions 3.6.16 and earlier allows authenticated attackers to execute arbitrary SQL queries over the network with no user interaction required. An attacker with valid credentials can exploit this vulnerability to extract sensitive data from the underlying database, though code execution is not possible. No patch is currently available for this HIGH severity vulnerability affecting the Iqonic Design product.

SQLi
NVD
CVSS 3.1
8.5
EPSS
0.0%
CVE-2025-70560 HIGH This Week

Boltz 2.0.0 contains an insecure deserialization vulnerability in its molecule loading functionality. The application uses Python pickle to deserialize molecule data files without validation. [CVSS 8.4 HIGH]

Python Deserialization Boltz RCE
NVD GitHub
CVSS 3.1
8.4
EPSS
0.1%
CVE-2026-24774 MEDIUM POC This Month

The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. [CVSS 4.3 MEDIUM]

Information Disclosure Open Eclass Platform
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-24673 MEDIUM POC This Month

Open Eclass Platform versions up to 4.2 is affected by unrestricted upload of file with dangerous type (CVSS 4.3).

File Upload Open Eclass Platform
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2020-37114 MEDIUM POC This Month

GUnet OpenEclass 1.7.3 allows unauthenticated and authenticated users to access sensitive information, including system information, application version, and other students' uploaded assessments, due to improper access controls and information disclosure flaws in various modules. [CVSS 4.3 MEDIUM]

AWS Information Disclosure Open Eclass Platform
NVD Exploit-DB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-1375 HIGH This Week

Authenticated instructors in Tutor LMS plugin for WordPress versions up to 3.9.5 can modify or delete courses owned by other users due to missing authorization checks in bulk action functions. An attacker with instructor-level access can manipulate course IDs in bulk requests to compromise arbitrary courses without proper permission validation. No patch is currently available.

WordPress
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-67848 HIGH PATCH This Week

Moodle contains a vulnerability that allows attackers to authenticate through the Learning Tools Interoperability (LTI) Provider (CVSS 8.1).

Moodle Authentication Bypass Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-62501 HIGH This Week

Archer Ax53 Firmware versions up to 1.0 contains a vulnerability that allows attackers to obtain device credentials through a specially crafted man‑in‑the‑middle (MITM) a (CVSS 8.1).

TP-Link Authentication Bypass Archer Ax53 Firmware
NVD VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2025-61944 HIGH This Week

Heap-based Buffer Overflow vulnerability in TP-Link Archer AX53 v1.0 (tmpserver modules) allows authenticated adjacent attackers to cause a segmentation fault or potentially execute arbitrary code via a specially crafted network packet containing an excessive number of fields with zero‑length values.This issue affects Archer AX53 v1.0: through 1.3.1 Build 20241120. [CVSS 8.0 HIGH]

TP-Link Buffer Overflow Heap Overflow RCE Archer Ax53 Firmware
NVD VulDB
CVSS 3.1
8.0
EPSS
0.0%
CVE-2025-59482 HIGH This Week

Heap-based Buffer Overflow vulnerability in TP-Link Archer AX53 v1.0 (tmpserver modules) allows authenticated adjacent attackers to cause a segmentation fault or potentially execute arbitrary code via a specially crafted network packet containing a field whose length exceeds the maximum expected value.This issue affects Archer AX53 v1.0: through 1.3.1 Build 20241120. [CVSS 8.0 HIGH]

TP-Link Buffer Overflow Heap Overflow RCE Archer Ax53 Firmware
NVD VulDB
CVSS 3.1
8.0
EPSS
0.0%
CVE-2025-58455 HIGH This Week

Heap-based Buffer Overflow vulnerability in TP-Link Archer AX53 v1.0 (tmpserver modules) allows authenticated adjacent attackers to cause a segmentation fault or potentially execute arbitrary code via a specially crafted network packet whose length exceeds the maximum expected value.This issue affects Archer AX53 v1.0: through 1.3.1 Build 20241120. [CVSS 8.0 HIGH]

TP-Link Buffer Overflow Heap Overflow RCE Archer Ax53 Firmware
NVD VulDB
CVSS 3.1
8.0
EPSS
0.0%
CVE-2025-58077 HIGH This Week

Heap-based Buffer Overflow vulnerability in TP-Link Archer AX53 v1.0 (tmpserver modules) allows authenticated adjacent attackers to cause a segmentation fault or potentially execute arbitrary code via a specially crafted set of network packets containing an excessive number of host entries This issue affects Archer AX53 v1.0: through 1.3.1 Build 20241120. [CVSS 8.0 HIGH]

TP-Link Buffer Overflow Heap Overflow RCE Archer Ax53 Firmware
NVD VulDB
CVSS 3.1
8.0
EPSS
0.0%
CVE-2025-59487 HIGH This Week

Heap-based Buffer Overflow vulnerability in TP-Link Archer AX53 v1.0 (tmpserver modules) allows authenticated adjacent attackers to cause a segmentation fault or potentially execute arbitrary code. [CVSS 8.0 HIGH]

TP-Link Buffer Overflow Heap Overflow RCE Archer Ax53 Firmware
NVD VulDB
CVSS 3.1
8.0
EPSS
0.0%
CVE-2025-62673 HIGH This Week

Heap-based Buffer Overflow vulnerability in TP-Link Archer AX53 v1.0 (tdpserver modules) allows adjacent attackers to cause a segmentation fault or potentially execute arbitrary code via a specially crafted network packet containing a maliciously formed field.This issue affects Archer AX53 v1.0: through 1.3.1 Build 20241120. [CVSS 8.0 HIGH]

TP-Link Buffer Overflow Heap Overflow RCE Archer Ax53 Firmware
NVD VulDB
CVSS 3.1
8.0
EPSS
0.0%
CVE-2025-62405 HIGH This Week

Heap-based Buffer Overflow vulnerability in TP-Link Archer AX53 v1.0 (tmpserver modules) allows authenticated adjacent attackers to cause a segmentation fault or potentially execute arbitrary code via a specially crafted network packet containing a field whose length exceeds the maximum expected value.This issue affects Archer AX53 v1.0: through 1.3.1 Build 20241120. [CVSS 8.0 HIGH]

TP-Link Buffer Overflow Heap Overflow RCE Archer Ax53 Firmware
NVD VulDB
CVSS 3.1
8.0
EPSS
0.0%
CVE-2025-62404 HIGH This Week

Heap-based Buffer Overflow vulnerability in TP-Link Archer AX53 v1.0 (tmpserver modules) allows authenticated adjacent attackers to cause a segmentation fault or potentially execute arbitrary code via a specially crafted network packet whose length exceeds the maximum expected value.This issue affects Archer AX53 v1.0: through 1.3.1 Build 20241120. [CVSS 8.0 HIGH]

TP-Link Buffer Overflow Heap Overflow RCE Archer Ax53 Firmware
NVD VulDB
CVSS 3.1
8.0
EPSS
0.0%
CVE-2025-61983 HIGH This Week

Heap-based Buffer Overflow vulnerability in TP-Link Archer AX53 v1.0 (tmpserver modules) allows authenticated adjacent attackers to cause a segmentation fault or potentially execute arbitrary code via a specially crafted network packet containing an excessive number of fields with zero‑length values.This issue affects Archer AX53 v1.0: through 1.3.1 Build 20241120. [CVSS 8.0 HIGH]

TP-Link Buffer Overflow Heap Overflow RCE Archer Ax53 Firmware
NVD VulDB
CVSS 3.1
8.0
EPSS
0.0%
CVE-2026-24694 HIGH This Week

Arbitrary code execution in Roland Cloud Manager installer versions 3.1.19 and earlier results from insecure DLL loading, enabling local attackers to execute malicious code with application-level privileges. An attacker with local access and user interaction can exploit this vulnerability to compromise systems running the affected installer. No patch is currently available to remediate this vulnerability.

Privilege Escalation RCE
NVD
CVSS 3.0
7.8
EPSS
0.0%
CVE-2026-24149 HIGH This Week

Local code injection in NVIDIA Megatron-LM allows authenticated users to achieve arbitrary code execution and privilege escalation through malicious input to vulnerable scripts. An attacker with local access can craft specially designed data to trigger unsafe code evaluation, enabling complete system compromise including data theft and modification. No patch is currently available for this vulnerability affecting all supported platforms.

Privilege Escalation Code Injection Information Disclosure AI / ML
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-66374 HIGH This Week

Endpoint Privilege Manager versions up to 25.10.0 is affected by improper privilege management (CVSS 7.8).

Privilege Escalation Endpoint Privilege Manager
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-0383 HIGH This Week

Brocade Fabric OS contains a command injection vulnerability that allows authenticated local users with shell access to read sensitive files and command history due to insecure storage practices. An attacker with local privileges can exploit this to access confidential information stored on the system. No patch is currently available.

Command Injection Fabric Operating System
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-9711 HIGH This Week

Fabric Operating System versions up to 9.2.1 contains a vulnerability that allows attackers to elevating the privileges of the local authenticated user to “root” using the exp (CVSS 7.8).

Information Disclosure Fabric Operating System
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-8461 HIGH This Week

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Seres Software syWEB allows Reflected XSS.This issue affects syWEB: through 03022026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. [CVSS 7.6 HIGH]

XSS
NVD VulDB
CVSS 3.1
7.6
EPSS
0.0%
CVE-2025-8456 HIGH This Week

Kod8 Software Technologies Trade Ltd. Co. Kod8 Individual and SME Website is affected by cross-site scripting (xss) (CVSS 7.6).

XSS
NVD VulDB
CVSS 3.1
7.6
EPSS
0.0%
CVE-2025-7760 HIGH This Week

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Ofisimo Web-Based Software Technologies Association Web Package Flora allows XSS Through HTTP Headers.This issue affects Association Web Package Flora: from v3.0 through 03022026. [CVSS 7.6 HIGH]

XSS
NVD VulDB
CVSS 3.1
7.6
EPSS
0.0%
CVE-2025-8589 HIGH This Week

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in AKCE Software Technology R&D Industry and Trade Inc. SKSPro allows Reflected XSS.This issue affects SKSPro: through 07012026. [CVSS 7.6 HIGH]

XSS
NVD VulDB
CVSS 3.1
7.6
EPSS
0.0%
CVE-2026-25027 HIGH This Week

ThemeMove Unicamp through version 2.7.1 contains a local file inclusion vulnerability in PHP that allows authenticated attackers to read arbitrary files on the server through improper filename validation in include/require statements. An attacker with valid credentials can leverage this flaw to access sensitive files and potentially execute arbitrary code. No patch is currently available for this vulnerability.

PHP LFI
NVD
CVSS 3.1
7.5
EPSS
0.1%
Prev Page 3 of 7 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy