Skip to main content
CVE-2026-1285 HIGH PATCH This Week

Django's HTML truncation functions (chars(), words(), and related template filters) are vulnerable to denial-of-service attacks when processing specially crafted inputs with excessive unmatched HTML end tags. Affected versions include Django 6.0 before 6.0.2, 5.2 before 5.2.11, 4.2 before 4.2.28, and potentially unsupported series 5.0.x, 4.1.x, and 3.2.x. Remote attackers can exploit this to cause service disruptions without requiring authentication or user interaction.

Django Red Hat Suse
NVD HeroDevs
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-70758 HIGH This Week

chetans9 core-php-admin-panel through commit a94a780d6 contains an authentication bypass vulnerability in includes/auth_validate.php. The application sends an HTTP redirect via header(Location:login.php) when a user is not authenticated but fails to call exit() afterward. [CVSS 7.5 HIGH]

PHP Authentication Bypass
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-14550 HIGH PATCH This Week

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `ASGIRequest` allows a remote attacker to cause a potential denial-of-service via a crafted request with multiple duplicate headers. [CVSS 7.5 HIGH]

Golang Django Red Hat Suse
NVD HeroDevs
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-62603 HIGH PATCH This Week

Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group ). [CVSS 7.5 HIGH]

Deserialization Fast Dds Debian Linux
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-25235 HIGH This Week

Pearweb versions up to 1.33.0 contains a vulnerability that allows attackers to guess verification tokens and potentially verify election account requests witho (CVSS 7.5).

PHP Pearweb
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-24762 HIGH PATCH This Week

Rustfs versions up to 1.0.0 is affected by insertion of sensitive information into log file (CVSS 7.5).

Information Disclosure Rustfs
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-25239 HIGH This Week

SQL injection in PEAR's apidoc queue insertion allows unauthenticated remote attackers to manipulate database queries by controlling filename values, enabling unauthorized data modification. PEAR versions before 1.33.0 are affected, and no patch is currently available for affected deployments.

PHP SQLi Pearweb
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-25614 HIGH This Week

Blesta 3.x through 5.x before 5.13.3 allows object injection, aka CORE-5680. [CVSS 7.5 HIGH]

Deserialization Blesta
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-21862 HIGH PATCH This Week

RustFS is a distributed object storage system built in Rust. [CVSS 7.5 HIGH]

Authentication Bypass Rustfs
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-64438 HIGH PATCH This Week

Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group ). [CVSS 7.5 HIGH]

Denial Of Service Fast Dds
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-67853 HIGH PATCH This Week

A flaw was found in Moodle. A remote attacker could exploit a lack of proper rate limiting in the confirmation email service. [CVSS 7.5 HIGH]

Moodle
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-62602 HIGH PATCH This Week

Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group ). [CVSS 7.5 HIGH]

Buffer Overflow Integer Overflow Fast Dds Debian Linux
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-62601 HIGH PATCH This Week

Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group ). [CVSS 7.5 HIGH]

Buffer Overflow Integer Overflow Fast Dds
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-59439 HIGH This Week

An issue was discovered in Samsung Mobile Processor, Wearable Processor and Modem Exynos 980, 990, 850, 1080, 9110, W920, W930, W1000 and Modem 5123. Incorrect handling of NAS Registration messages leads to a Denial of Service because of Improper Handling of Exceptional Conditions. [CVSS 7.5 HIGH]

Samsung Denial Of Service Exynos 9110 Firmware Exynos W930 Firmware Exynos 990 Firmware +6
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-25223 HIGH PATCH This Week

Fastify versions before 5.7.2 allow attackers to bypass request body validation by injecting a tab character into the Content-Type header, enabling malicious payloads to reach application logic without validation checks. This remote attack requires no authentication and affects Node.js applications using vulnerable Fastify versions. A patch is available in version 5.7.2 and later.

Node.js Fastify Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-8590 HIGH This Week

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in AKCE Software Technology R&D Industry and Trade Inc. SKSPro allows Directory Indexing.This issue affects SKSPro: through 07012026. [CVSS 7.5 HIGH]

Information Disclosure
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-12774 HIGH This Week

A vulnerability in the migration script for Brocade SANnav before 3.0 could allow the collection of database sql queries in the SANnav support save file. [CVSS 7.5 HIGH]

Information Disclosure Sannav
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-24052 HIGH PATCH This Week

Claude Code versions prior to 1.0.111 fail to properly validate trusted domains for WebFetch requests, allowing attackers to register lookalike domains (e.g., modelcontextprotocol.io.example.com) that bypass validation checks. This enables unauthorized automated requests to attacker-controlled servers without user interaction, potentially resulting in sensitive data exfiltration from the user's environment. The vulnerability affects Claude Code's agentic coding functionality and requires upgrading to version 1.0.111 or later to remediate.

Python AI / ML Claude Code
NVD GitHub
CVSS 3.1
7.4
EPSS
0.0%
CVE-2025-67850 HIGH PATCH This Week

A flaw was found in moodle. This vulnerability, known as Cross-Site Scripting (XSS), occurs due to insufficient checks on user-provided data in the formula editor's arithmetic expression fields. [CVSS 7.3 HIGH]

Moodle XSS
NVD
CVSS 3.1
7.3
EPSS
0.0%
CVE-2025-67849 HIGH PATCH This Week

A flaw was found in Moodle. This cross-site scripting (XSS) vulnerability, caused by improper sanitization of AI prompt responses, allows attackers to inject malicious HTML or script into web pages. [CVSS 7.3 HIGH]

Moodle XSS AI / ML
NVD
CVSS 3.1
7.3
EPSS
0.0%
CVE-2025-58382 HIGH This Week

Fabric Operating System contains a vulnerability that allows attackers to an authenticated, remote attacker with administrative credentials to execute ar (CVSS 7.2).

RCE Fabric Operating System
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-0617 HIGH This Week

Stored XSS in LatePoint WordPress plugin versions up to 5.2.5 allows unauthenticated attackers to inject malicious scripts into customer profile fields that execute when administrators review activity history. The vulnerability stems from inadequate input sanitization and output escaping, potentially enabling credential theft or administrative account compromise. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-25615 HIGH This Week

Blesta 3.x through 5.x before 5.13.3 allows object injection, aka CORE-5668. [CVSS 7.2 HIGH]

Deserialization Blesta
NVD
CVSS 3.1
7.2
EPSS
0.0%
CVE-2025-58383 HIGH This Week

Fabric Operating System versions up to 9.2.1 is affected by execution with unnecessary privileges (CVSS 7.2).

DNS Fabric Operating System
NVD
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-1065 HIGH This Week

Unauthenticated attackers can upload malicious SVG files through the Form Maker by 10Web WordPress plugin (versions up to 1.15.35) due to insufficient file type validation, enabling stored cross-site scripting attacks against administrators and site visitors. The plugin's default allowlist includes SVG files and relies on weak substring-based extension checking, allowing JavaScript execution when the uploaded files are viewed. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-1058 HIGH This Week

Stored XSS in WordPress Form Maker plugin (versions up to 1.15.35) allows unauthenticated attackers to inject malicious scripts through hidden form field values that execute when administrators view the submissions list. The vulnerability stems from improper output escaping after HTML entity decoding of user-supplied input. Website administrators using this plugin are at risk of account compromise and unauthorized actions performed within their WordPress dashboard.

WordPress XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-23794 MEDIUM PATCH This Month

Reflected XSS in Apache Syncope's Enduser Login page. An attacker that tricks a legitimate user into clicking a malicious link and logging in to Syncope Enduser could steal that user's credentials. [CVSS 6.8 MEDIUM]

Apache XSS Syncope
NVD
CVSS 3.1
6.8
EPSS
0.0%
CVE-2025-70559 MEDIUM PATCH This Month

pdfminer.six before 20251230 contains an insecure deserialization vulnerability in the CMap loading mechanism. The library uses Python pickle to deserialize CMap cache files without validation. [CVSS 6.5 MEDIUM]

Python Privilege Escalation Deserialization RCE Suse
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-24988 MEDIUM This Month

The Events Calendar Shortcode & Block plugin through version 3.1.1 contains a stored cross-site scripting vulnerability that allows authenticated users with limited privileges to inject malicious scripts into event pages, affecting all site visitors. An attacker can exploit this by crafting malicious input that persists in the database and executes in users' browsers when they view affected event content. No patch is currently available for this medium-severity vulnerability.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-24958 MEDIUM This Month

Crocoblock JetElements For Elementor jet-elements is affected by cross-site scripting (xss) (CVSS 6.5).

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-24952 MEDIUM This Month

Craig Hewitt Seriously Simple Podcasting seriously-simple-podcasting is affected by cross-site scripting (xss) (CVSS 6.5).

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-65017 MEDIUM PATCH This Month

Decidim is a participatory democracy framework. In versions from 0.30.0 to before 0.30.4 and from 0.31.0.rc1 to before 0.31.0, the private data exports can lead to data leaks in case the UUID generation, causing collisions for the generated UUIDs. [CVSS 6.5 MEDIUM]

Information Disclosure Decidim
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-12773 MEDIUM This Month

A vulnerability in update-reports-purge-settings.sh script logging for Brocade SANnav before 2.4.0a could allow the collection of SANnav database password in the system audit logs. [CVSS 6.5 MEDIUM]

Information Disclosure Sannav
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-24957 MEDIUM This Month

Unauthorized information disclosure in WordPress Strong Testimonials plugin version 3.2.20 and earlier stems from improper access control validation, allowing authenticated users to access sensitive data they should not have permission to view. An attacker with low-privilege WordPress account credentials can exploit this vulnerability to read confidential information without requiring user interaction. Currently, no patch is available for this vulnerability.

Authentication Bypass WordPress
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-24053 MEDIUM PATCH This Month

Claude Code versions prior to 2.0.74 allow authenticated users to write files outside designated directories by exploiting inadequate Bash command validation in ZSH clobber syntax parsing. An attacker with the ability to inject malicious content into a Claude Code context window on a ZSH-based system can bypass file restrictions and achieve unauthorized file writes without triggering user permission prompts. This vulnerability requires user interaction and ZSH environment configuration, making it suitable for supply chain or prompt injection attacks against Claude Code users.

Path Traversal AI / ML Claude Code
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-24514 MEDIUM PATCH This Month

Ingress-nginx's validating admission controller is vulnerable to denial of service through memory exhaustion when processing oversized requests, enabling authenticated attackers to crash the controller pod or exhaust node memory. The vulnerability requires valid credentials but no user interaction, affecting deployments relying on this validation feature. No patch is currently available.

Nginx Denial Of Service Suse
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-70311 MEDIUM This Month

JEEWMS 1.0 is vulnerable to SQL Injection. Attackers can inject malicious SQL statements through the id1 and id2 parameters in the /systemControl.do interface for attack. [CVSS 6.5 MEDIUM]

SQLi Jeewms
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-25036 MEDIUM This Month

The Passster WordPress plugin through version 4.2.25 contains an authorization bypass that allows authenticated users to access content protection mechanisms without proper permission validation. An attacker with low-privilege WordPress credentials can circumvent access controls to view protected content that should be restricted. No patch is currently available for this vulnerability.

Authentication Bypass WordPress
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-24984 MEDIUM This Month

Brecht Visual Link Preview versions 2.2.9 and earlier contain an authorization bypass vulnerability that allows authenticated users to access sensitive information they should not have permission to view. An attacker with valid credentials can exploit misconfigured access controls to read confidential data, though they cannot modify or delete information. No patch is currently available for this vulnerability.

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-24434 MEDIUM This Month

Tenda AC7 firmware through V03.03.03.01_cn lacks CSRF protections on administrative web functions, enabling attackers to trick authenticated administrators into executing unauthorized configuration changes. An unauthenticated attacker can craft malicious requests that, when visited by an admin, modify router settings without their knowledge or consent. No patch is currently available.

CSRF Ac7 Firmware
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-1755 MEDIUM This Month

Stored cross-site scripting in WordPress Menu Icons by ThemeIsle plugin (versions up to 0.13.20) allows authenticated users with Author-level permissions or higher to inject malicious scripts through the attachment image alt meta field due to improper input sanitization. The injected scripts execute in the browsers of visitors accessing the affected pages, enabling session hijacking, credential theft, or malware distribution.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1210 MEDIUM This Month

Authenticated contributors and above can inject malicious scripts into WordPress pages through the Happy Addons for Elementor plugin (versions up to 3.20.7) via improper sanitization of the '_elementor_data' meta field, resulting in stored XSS that executes for all users viewing affected pages. An attacker with contributor-level permissions can leverage this to steal credentials, perform actions on behalf of administrators, or deface website content. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1592 MEDIUM This Month

Stored cross-site scripting in Foxit PDF Editor Cloud's Create New Layer feature allows authenticated attackers to execute arbitrary JavaScript by injecting malicious code that persists when layers are accessed by other users. The vulnerability affects pdfonline.foxit.com versions prior to 2026-02-03 and requires user interaction to trigger. No patch is currently available.

XSS Pdf Editor Cloud
NVD
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-1591 MEDIUM This Month

Foxit PDF Editor Cloud contains a stored XSS vulnerability in its file upload functionality where malicious usernames are not properly sanitized before being displayed in the upload file list, enabling authenticated attackers to execute arbitrary JavaScript in other users' browsers. The vulnerability affects pdfonline.foxit.com versions prior to 2026-02-03 and currently has no available patch. An attacker with valid credentials could craft a malicious username to compromise account security or steal sensitive document data from other users viewing the file list.

XSS Pdf Editor Cloud
NVD
CVSS 3.1
6.3
EPSS
0.0%
CVE-2025-58342 MEDIUM This Month

Exynos 980 Firmware versions up to - is affected by allocation of resources without limits or throttling (CVSS 6.2).

Samsung Linux Exynos 1480 Firmware Exynos 980 Firmware Exynos 1080 Firmware +8
NVD
CVSS 3.1
6.2
EPSS
0.0%
CVE-2025-58341 MEDIUM This Month

Exynos 980 Firmware versions up to - is affected by allocation of resources without limits or throttling (CVSS 6.2).

Samsung Linux Exynos 980 Firmware Exynos W930 Firmware Exynos 850 Firmware +8
NVD
CVSS 3.1
6.2
EPSS
0.0%
CVE-2025-58344 MEDIUM This Month

Exynos 980 Firmware versions up to - is affected by allocation of resources without limits or throttling (CVSS 6.2).

Samsung Linux Exynos 1280 Firmware Exynos 980 Firmware Exynos 1580 Firmware +8
NVD
CVSS 3.1
6.2
EPSS
0.0%
CVE-2025-58340 MEDIUM This Month

Exynos 980 Firmware versions up to - is affected by allocation of resources without limits or throttling (CVSS 6.2).

Samsung Linux Exynos 980 Firmware Exynos 1080 Firmware Exynos 850 Firmware +8
NVD
CVSS 3.1
6.2
EPSS
0.0%
CVE-2026-1812 LOW POC Monitor

Path traversal in Bolo Solo up to version 2.6.4 allows authenticated attackers to manipulate file path arguments in the backup import function, potentially accessing or modifying arbitrary files on the affected system. Public exploit code exists for this vulnerability, and the maintainers have not yet released a patch despite early notification. The attack requires valid credentials but can be executed remotely over the network.

Java Path Traversal
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2026-1810 LOW POC Monitor

Path traversal in Bolo Solo up to version 2.6.4 allows authenticated attackers to manipulate ZIP file extraction operations in the BackupService component, potentially reading or writing arbitrary files on the affected system. Public exploit code is available for this vulnerability, and the vendor has not yet provided a patch despite early notification.

Java Path Traversal
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
Prev Page 4 of 7 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy