Skip to main content
CVE-2026-24945 MEDIUM This Month

Themefic Ultimate Addons for Contact Form 7 ultimate-addons-for-contact-form-7 is affected by missing authorization (CVSS 5.3).

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-0909 MEDIUM This Month

WP ULike (WordPress plugin) versions up to 4.8.3.1. is affected by authorization bypass through user-controlled key (CVSS 5.3).

WordPress
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-25023 MEDIUM This Month

The ContestsWP plugin versions 2.0.7 and earlier expose sensitive embedded data through improper access controls, allowing unauthenticated attackers to retrieve information from the contest-code-checker component. This low-impact information disclosure affects WordPress sites running vulnerable versions of the Run Contests, Raffles, and Giveaways plugin. No patch is currently available to remediate this exposure.

Information Disclosure
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-24998 MEDIUM This Month

WPMU DEV - Your All-in-One WordPress Platform Hustle wordpress-popup contains a security vulnerability (CVSS 5.3).

WordPress
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-24992 MEDIUM This Month

WPFactory Advanced WooCommerce Product Sales Reporting webd-woocommerce-advanced-reporting-statistics contains a security vulnerability (CVSS 5.3).

WordPress Industrial
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-1801 MEDIUM PATCH This Month

HTTP request smuggling in libsoup allows remote attackers to exploit non-compliant chunk header parsing by injecting malformed requests with LF-only line endings instead of proper CRLF formatting. Without requiring authentication, an attacker can cause libsoup to interpret multiple HTTP requests from a single network message, potentially leading to information disclosure. No patch is currently available for this vulnerability.

Information Disclosure Request Smuggling Red Hat Suse
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-13473 MEDIUM PATCH This Month

Django versions up to 6.0.2 contains a vulnerability that allows attackers to enumerate users via a timing attack (CVSS 5.3).

Golang Django Red Hat Suse
NVD HeroDevs
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-24449 MEDIUM This Month

WRC-X1500GS-B and WRC-X1500GSA-B routers contain a weak credential derivation vulnerability where initial administrative passwords can be predicted from publicly available system information, potentially allowing unauthenticated attackers to gain administrative access. The vulnerability requires physical proximity to the device to obtain necessary system details, limiting its practical exploitability. No patch is currently available for affected devices.

Information Disclosure Wrc X1500Gsa B Firmware Wrc X1500Gs B Firmware
NVD
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-20704 MEDIUM This Month

Unauthenticated attackers can perform unauthorized actions on WRC-X1500GS-B and WRC-X1500GSA-B routers through cross-site request forgery attacks that exploit the lack of CSRF protections. An attacker can trick authenticated users into visiting a malicious webpage that silently executes unwanted commands on the affected device. No patch is currently available.

CSRF
NVD
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-24667 MEDIUM This Month

The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. [CVSS 5.0 MEDIUM]

Authentication Bypass Open Eclass Platform
NVD GitHub
CVSS 3.1
5.0
EPSS
0.0%
CVE-2026-23795 MEDIUM PATCH This Month

Syncope versions up to 3.0.15 is affected by improper restriction of xml external entity reference (CVSS 4.9).

Apache XXE Syncope
NVD
CVSS 3.1
4.9
EPSS
0.1%
CVE-2026-22228 MEDIUM This Month

TP-Link Archer BE230 v1.2 before 1.2.4 Build 20251218 rel.70420 is susceptible to denial-of-service attacks when an authenticated high-privilege user restores a specially crafted configuration file with excessively long parameters. The malicious configuration causes the device to become unresponsive and requires a manual reboot to restore functionality. No patch is currently available for this vulnerability.

TP-Link Archer Be230 Firmware
NVD
CVSS 3.1
4.9
EPSS
0.1%
CVE-2025-52628 MEDIUM This Month

Aion versions up to 2.0 contains a vulnerability that allows attackers to cookies to be sent in cross-site requests, potentially increasing exposure to cr (CVSS 4.6).

CSRF Aion
NVD
CVSS 3.1
4.6
EPSS
0.0%
CVE-2025-52626 MEDIUM This Month

A Potential Command Injection vulnerability in HCL AION. An This can allow unintended command execution, potentially leading to unauthorized actions on the underlying system.This issue affects AION: 2.0 [CVSS 4.5 MEDIUM]

Command Injection Aion
NVD
CVSS 3.1
4.5
EPSS
0.1%
CVE-2026-22220 MEDIUM This Month

TP-Link Archer BE230 firmware v1.2 before build 20251218 rel.70420 lacks proper input validation in HTTP request processing, allowing a network-adjacent attacker with high privileges to crash the web service. An attacker exploiting this vulnerability can render the device's web interface temporarily unavailable until manual recovery or reboot occurs. No patch is currently available.

TP-Link Denial Of Service Archer Be230 Firmware
NVD
CVSS 3.1
4.5
EPSS
0.0%
CVE-2025-63372 MEDIUM This Month

Articentgroup Zip Rar Extractor Tool 1.345.93.0 is vulnerable to Directory Traversal. The vulnerability resides in the ZIP file processing component, specifically in the functionality responsible for extracting and handling ZIP archive contents. [CVSS 4.3 MEDIUM]

Path Traversal Zip Rar Extractor Tool
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-24995 MEDIUM This Month

Iulia Cazan Latest Post Shortcode latest-post-shortcode is affected by missing authorization (CVSS 4.3).

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-25020 MEDIUM This Month

WP Sync for Notion plugin through version 1.7.0 contains improper access control that allows authenticated users to modify data without proper authorization checks. An attacker with WordPress user privileges could exploit this vulnerability to alter synchronized content between WordPress and Notion. The vulnerability requires user interaction and network access but poses a medium risk to WordPress installations using affected versions.

WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-25016 MEDIUM This Month

Nelio Popups versions 1.3.5 and earlier contain an authorization bypass vulnerability that allows authenticated users to modify popup content without proper access controls. An attacker with valid credentials can exploit misconfigured access control levels to make unauthorized changes to popups. No patch is currently available.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-25011 MEDIUM This Month

Northern Beaches Websites WP Custom Admin Interface wp-custom-admin-interface is affected by missing authorization (CVSS 4.3).

WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-24996 MEDIUM This Month

WPElemento Importer through version 0.6.4 contains a missing authorization flaw that allows authenticated users to modify data due to improper access control enforcement. An attacker with valid credentials can exploit this vulnerability to perform unauthorized modifications without requiring user interaction. No patch is currently available for this issue.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-24985 MEDIUM This Month

approveme WP Forms Signature Contract Add-On wp-forms-signature-contract-add-on is affected by missing authorization (CVSS 4.3).

WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-24951 MEDIUM This Month

Insufficient access control checks in myCred plugin version 2.9.7.3 and earlier allow authenticated users to modify data they should not have permission to change. An attacker with valid credentials could exploit misconfigured security levels to perform unauthorized modifications, though the vulnerability requires legitimate user access and has no currently available patch.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-24940 MEDIUM This Month

Insufficient access control in Themefic Travelfic Toolkit version 1.3.3 and earlier allows authenticated users to modify data due to improperly configured authorization checks. An attacker with valid credentials can bypass intended permission restrictions to perform unauthorized actions. No patch is currently available for this vulnerability.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-46651 MEDIUM This Month

Tiny File Manager through 2.6 contains a server-side request forgery (SSRF) vulnerability in the URL upload feature. [CVSS 4.3 MEDIUM]

SSRF Tiny File Manager
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-24965 MEDIUM This Month

Wasiliy Strecker / ContestGallery developer Contest Gallery contest-gallery is affected by missing authorization (CVSS 4.3).

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-24947 MEDIUM This Month

LA-Studio LA-Studio Element Kit for Elementor lastudio-element-kit is affected by missing authorization (CVSS 4.3).

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-24939 MEDIUM This Month

WP Chill Modula Image Gallery modula-best-grid-gallery is affected by missing authorization (CVSS 4.3).

Authentication Bypass WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-25014 MEDIUM This Month

Unauthenticated attackers can perform Cross-Site Request Forgery (CSRF) attacks against users of Enter Addons version 2.3.2 and earlier, potentially modifying victim data through unwanted actions. The vulnerability requires user interaction to succeed but carries no authentication barriers, allowing attackers to forge requests that alter application state. No patch is currently available to remediate this issue.

CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-24966 MEDIUM This Month

Copyscape Copyscape Premium copyscape-premium is affected by cross-site request forgery (csrf) (CVSS 4.3).

CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-24962 MEDIUM This Month

Sigmize through version 0.0.9 contains a cross-site request forgery vulnerability that allows unauthenticated attackers to perform unintended actions on behalf of authenticated users. The flaw requires user interaction but could enable unauthorized modifications or state changes within the application. No patch is currently available.

CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-24942 MEDIUM This Month

magepeopleteam WpEvently mage-eventpress is affected by cross-site request forgery (csrf) (CVSS 4.3).

CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-67857 MEDIUM PATCH This Month

A flaw was found in moodle. During anonymous assignment submissions, user identifiers were inadvertently exposed in URLs. [CVSS 4.3 MEDIUM]

Moodle Information Disclosure
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-25015 MEDIUM This Month

UsersWP plugin versions 1.2.53 and earlier contain a CSRF vulnerability that enables attackers to perform unauthorized actions on behalf of authenticated users without their knowledge. An attacker can craft malicious requests to modify user data or settings through a victim's browser session. No patch is currently available for this vulnerability.

CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-65924 MEDIUM This Month

ERPNext thru 15.88.1 does not sanitize or remove certain HTML tags specifically `<a>` hyperlinks in fields that are intended for plain text. Although JavaScript is blocked (preventing XSS), the HTML is still preserved in the generated PDF document. [CVSS 4.1 MEDIUM]

XSS Erpnext
NVD GitHub
CVSS 3.1
4.1
EPSS
0.0%
CVE-2020-37087 POC This Week

Easy Transfer Wifi Transfer v1.7 for iOS contains a persistent cross-site scripting vulnerability that allows remote attackers to inject malicious scripts by manipulating the oldPath, newPath, and path parameters in Create Folder and Move/Edit functions.

XSS
NVD Exploit-DB
EPSS
0.2%
CVE-2025-52623 LOW Monitor

HCL AION is affected by an Autocomplete HTML Attribute Not Disabled for Password Field vulnerability. This can allow autocomplete on password fields may lead to unintended storage or disclosure of sensitive credentials, potentially increasing the risk of unauthorized access. [CVSS 3.7 LOW]

Authentication Bypass Aion
NVD
CVSS 3.1
3.7
EPSS
0.0%
CVE-2025-52631 LOW Monitor

HCL AION is affected by a Missing or Insecure HTTP Strict-Transport-Security (HSTS) Header vulnerability. This can allow insecure connections, potentially exposing the application to man-in-the-middle and protocol downgrade attacks.. [CVSS 3.7 LOW]

Information Disclosure Aion
NVD
CVSS 3.1
3.7
EPSS
0.0%
CVE-2025-52629 LOW Monitor

HCL AION is susceptible to Missing Content-Security-Policy. An The absence of a CSP header may increase the risk of cross-site scripting and other content injection attacks by allowing unsafe scripts or resources to execute..This issue affects AION: 2.0. [CVSS 3.7 LOW]

XSS Aion
NVD
CVSS 3.1
3.7
EPSS
0.0%
CVE-2026-25224 LOW PATCH Monitor

Fastify is a fast and low overhead web framework, for Node.js. Prior to version 5.7.3, a denial-of-service vulnerability in Fastify’s Web Streams response handling can allow a remote client to exhaust server memory. Applications that return a ReadableStream (or Response with a Web Stream body) via reply.send() are impacted. A slow or non-reading client can trigger unbounded buffering when backpressure is ignored, leading to process crashes or severe degradation. This issue has been patched in...

Node.js Denial Of Service
NVD GitHub
CVSS 3.1
3.7
EPSS
0.0%
CVE-2026-24934 LOW Monitor

The DDNS function uses an insecure HTTP connection or fails to validate the SSL/TLS certificate when querying an external server for the device's WAN IP address. [CVSS 3.7 LOW]

Authentication Bypass Data Master
NVD
CVSS 3.1
3.7
EPSS
0.0%
CVE-2025-67852 LOW PATCH Monitor

A flaw was found in Moodle. An open redirect vulnerability in the OAuth login flow allows a remote attacker to redirect users to attacker-controlled pages after they have successfully authenticated. [CVSS 3.5 LOW]

Moodle Information Disclosure Open Redirect
NVD
CVSS 3.1
3.5
EPSS
0.0%
CVE-2025-33081 LOW Monitor

IBM Concert 1.0.0 through 2.1.0 stores potentially sensitive information in log files that could be read by a local user. [CVSS 3.3 LOW]

IBM
NVD
CVSS 3.1
3.3
EPSS
0.0%
CVE-2025-52633 LOW Monitor

HCL AION is affected by a Permanent Cookie Containing Sensitive Session Information vulnerability. It is storing sensitive session data in persistent cookies may increase the risk of unauthorized access if the cookies are intercepted or compromised. [CVSS 3.1 LOW]

Authentication Bypass Aion
NVD
CVSS 3.1
3.1
EPSS
0.0%
CVE-2025-61634 LOW Monitor

Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Rest/Handler/PageHTMLHandler.Php.

PHP Path Traversal
NVD VulDB
CVSS 3.1
3.1
EPSS
0.0%
CVE-2026-24513 LOW PATCH Monitor

A security issue was discovered in ingress-nginx where the protection afforded by the `auth-url` Ingress annotation may not be effective in the presence of a specific misconfiguration. [CVSS 3.1 LOW]

Nginx
NVD GitHub
CVSS 3.1
3.1
EPSS
0.0%
CVE-2025-61643 LOW Monitor

Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/recentchanges/RecentChangeRCFeedNotifier.Php.

PHP Information Disclosure
NVD VulDB
CVSS 4.0
2.7
EPSS
0.0%
CVE-2025-58381 LOW Monitor

Fabric Operating System versions up to 9.2.1 contains a vulnerability that allows attackers to an authenticated attacker with admin privileges using the shell commands “sour (CVSS 2.3).

Information Disclosure Fabric Operating System
NVD
CVSS 3.1
2.3
EPSS
0.0%
CVE-2025-58380 LOW Monitor

Fabric Operating System versions up to 9.2.1 contains a vulnerability that allows attackers to an authenticated attacker with admin privileges using the shell command “grep” t (CVSS 2.3).

Information Disclosure Fabric Operating System
NVD
CVSS 3.1
2.3
EPSS
0.0%
CVE-2025-61641 LOW Monitor

Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/api/ApiQueryAllPages.Php.

PHP Path Traversal
NVD VulDB
CVSS 4.0
1.7
EPSS
0.0%
Prev Page 6 of 7 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy