Skip to main content
CVE-2026-1927 MEDIUM This Month

The Greenshift animation and page builder plugin for WordPress (up to version 12.6) fails to properly validate user capabilities on the greenshift_app_pass_validation() function, allowing authenticated subscribers and above to extract sensitive plugin configuration including stored AI API keys and inject malicious scripts through the custom_css setting. This combination of information disclosure and stored cross-site scripting (XSS) requires only valid WordPress user credentials to exploit, with a partial patch available in version 12.6.

WordPress Authentication Bypass XSS
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-68643 MEDIUM This Month

Axigen Mail Server before 10.5.57 allows stored Cross-Site Scripting (XSS) in the handling of the timeFormat account preference parameter. Attackers can exploit this by deploying a multi-stage attack. [CVSS 5.4 MEDIUM]

XSS Axigen Mail Server
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-14079 MEDIUM This Month

The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.3.5. [CVSS 5.3 MEDIUM]

WordPress PHP
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-47911 MEDIUM PATCH This Month

Html contains a vulnerability that allows attackers to denial of service (DoS) if an attacker provides specially crafted HTML content (CVSS 5.3).

Golang Denial Of Service Html Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-1271 MEDIUM This Month

Authenticated users can modify arbitrary user profile and cover images in WordPress ProfileGrid plugin versions up to 5.9.7.2 due to missing authorization checks in the image upload AJAX handlers. Attackers with Subscriber-level access can exploit this to deface administrator accounts and other users' profiles. No patch is currently available for this integrity vulnerability.

WordPress PHP
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-13491 MEDIUM This Month

IBM App Connect Enterprise Certified Container versions up to 12.19.0 is affected by untrusted search path (CVSS 5.1).

IBM Information Disclosure
NVD VulDB
CVSS 3.1
5.1
EPSS
0.0%
CVE-2025-15328 MEDIUM This Month

Tanium addressed an improper link resolution before file access vulnerability in Enforce. [CVSS 5.0 MEDIUM]

Path Traversal Enforce
NVD
CVSS 3.1
5.0
EPSS
0.0%
CVE-2026-1246 MEDIUM This Month

Arbitrary file read in ShortPixel Image Optimizer plugin for WordPress through path traversal in the loadLogFile AJAX action allows authenticated users with Editor-level privileges or higher to access sensitive server files including database credentials. The vulnerability exists in versions up to 6.4.2 due to insufficient path validation on the loadFile parameter, and no patch is currently available.

WordPress Path Traversal
NVD
CVSS 3.1
4.9
EPSS
0.2%
CVE-2025-15332 MEDIUM This Month

Tanium addressed an information disclosure vulnerability in Threat Response. [CVSS 4.9 MEDIUM]

Information Disclosure Threat Response
NVD
CVSS 3.1
4.9
EPSS
0.0%
CVE-2025-15329 MEDIUM This Month

Tanium addressed an information disclosure vulnerability in Threat Response. [CVSS 4.9 MEDIUM]

Information Disclosure Threat Response
NVD
CVSS 3.1
4.9
EPSS
0.0%
CVE-2026-23797 MEDIUM This Month

Quick.Cart version 6.7 stores user passwords in plaintext, allowing authenticated administrators to retrieve plaintext credentials through the user editing interface. This vulnerability poses a significant risk in multi-administrator environments where high-privileged users may abuse account access. No patch is currently available, and other versions may be similarly affected though unconfirmed.

Information Disclosure Quick.Cart
NVD
CVSS 3.1
4.9
EPSS
0.0%
CVE-2026-25198 MEDIUM PATCH This Month

Open redirect in web2py 2.27.1 and earlier allows unauthenticated remote attackers to redirect users to arbitrary websites via specially crafted URLs, potentially facilitating phishing attacks. The vulnerability requires user interaction to exploit and affects the application's integrity with network-accessible attack vectors. No patch is currently available.

Open Redirect
NVD GitHub
CVSS 3.0
4.7
EPSS
0.0%
CVE-2026-1964 MEDIUM PATCH This Month

Improper access controls in Wekan's REST API endpoint (models/boards.js) prior to version 8.21 allow authenticated users to modify resources they should not have permission to access. The vulnerability requires valid credentials but no user interaction, making it exploitable by any authenticated attacker with network access. Administrators should upgrade to version 8.21 or later to remediate this issue.

Information Disclosure Wekan
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.1%
CVE-2025-15331 MEDIUM This Month

Tanium addressed an uncontrolled resource consumption vulnerability in Connect. [CVSS 4.3 MEDIUM]

Denial Of Service Connect
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2025-15342 MEDIUM This Month

Tanium addressed an improper access controls vulnerability in Reputation. [CVSS 4.3 MEDIUM]

Authentication Bypass Reputation
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-15333 MEDIUM This Month

Tanium addressed an information disclosure vulnerability in Threat Response. [CVSS 4.3 MEDIUM]

Information Disclosure Threat Response
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-15327 MEDIUM This Month

Tanium addressed an improper access controls vulnerability in Deploy. [CVSS 4.3 MEDIUM]

Authentication Bypass Deploy
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-15326 MEDIUM This Month

Tanium addressed an improper access controls vulnerability in Patch. [CVSS 4.3 MEDIUM]

Authentication Bypass Patch
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-13416 MEDIUM This Month

The ProfileGrid - User Profiles, Groups and Communities plugin for WordPress is vulnerable to unauthorized user suspension due to a missing capability check on the pm_deactivate_user_from_group() function in all versions up to, and including, 5.9.7.2. [CVSS 4.3 MEDIUM]

WordPress PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-1897 MEDIUM PATCH This Month

WeKan versions up to 8.20 contain an authorization bypass in the position history tracking functionality that allows authenticated remote attackers to access sensitive information without proper permissions. The vulnerability exists in the server/methods/positionHistory.js file and can be exploited by any user with login credentials. Upgrading to version 8.21 or later resolves this issue.

Authentication Bypass Wekan
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-15335 MEDIUM This Month

Tanium addressed an information disclosure vulnerability in Threat Response. [CVSS 4.3 MEDIUM]

Information Disclosure Threat Response
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-15334 MEDIUM This Month

Tanium addressed an information disclosure vulnerability in Threat Response. [CVSS 4.3 MEDIUM]

Information Disclosure Threat Response
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-15323 LOW Monitor

Tanium addressed an improper certificate validation vulnerability in Tanium Appliance. [CVSS 3.7 LOW]

Authentication Bypass Tanos
NVD
CVSS 3.1
3.7
EPSS
0.0%
CVE-2026-25815 LOW Monitor

Fortinet FortiOS versions up to 7.6.6 contains a vulnerability that allows attackers to decrypt LDAP credentials stored in device configuration files, as exploited in t (CVSS 3.2).

Fortinet Fortigate LDAP
NVD
CVSS 3.1
3.2
EPSS
0.0%
CVE-2025-15289 LOW Monitor

Tanium addressed an improper access controls vulnerability in Interact. [CVSS 3.1 LOW]

Authentication Bypass Interact
NVD
CVSS 3.1
3.1
EPSS
0.0%
CVE-2025-15321 LOW Monitor

Tanium addressed an improper input validation vulnerability in Tanium Appliance. [CVSS 2.7 LOW]

Privilege Escalation Tanos
NVD
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-1517 LOW Monitor

SQL injection in iomad's Company Admin Block component through version 5.0 allows remote attackers with high privileges to manipulate backend queries and gain unauthorized access to sensitive data. The vulnerability requires administrator credentials to exploit but enables attackers to read, modify, or delete database contents within the application's security context. No patch is currently available.

SQLi
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-1523 Monitor

Path Traversal vulnerability in Digitek ADT1100 and Digitek DT950 from PRIMION DIGITEK, S.L.U (Azkoyen Group). This vulnerability allows an attacker to access arbitrary files in the server's file system, thet is, 'http://<host>/..%2F..% 2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd'.

Path Traversal Information Disclosure
NVD
EPSS
0.1%
CVE-2026-1301 This Week

In builds with PubSub and JSON enabled, a crafted JSON message can cause the decoder to write beyond a heap-allocated array before authentication, reliably crashing the process and corrupting memory.

Denial Of Service
NVD
EPSS
0.1%
CVE-2025-15080 Monitor

Improper Validation of Specified Quantity in Input vulnerability in Mitsubishi Electric MELSEC iQ-R Series R08PCPU, R16PCPU, R32PCPU, and R120PCPU allows an unauthenticated attacker to read device data or part of a control program from the affected product, write device data in the affected product, or cause a denial of service (DoS) condition on the affected product by sending a specially crafted packet containing a specific command to the affected product.

Denial Of Service
NVD
EPSS
0.0%
CVE-2026-1966 Monitor

YugabyteDB Anywhere displays LDAP bind passwords configured via gflags in cleartext within the web UI. An authenticated user with access to the configuration view could obtain LDAP credentials, potentially enabling unauthorized access to external directory services.

DNS LDAP
NVD
EPSS
0.0%
CVE-2026-1953 This Week

user profile edit functionality at /ngc-cms/user-edit-profile.php. The application fails to properly sanitize user input in the name field is affected by cross-site scripting (xss).

PHP XSS
NVD GitHub
EPSS
0.0%
Prev Page 3 of 3

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy