Skip to main content
CVE-2026-1888 MEDIUM This Month

Authenticated WordPress users with Contributor access or higher can inject persistent malicious scripts into pages through the Docus - YouTube Video Playlist plugin (versions up to 1.0.6) via improper handling of shortcode attributes. These injected scripts execute in the browsers of any visitor to the affected pages, potentially compromising user sessions and data. No patch is currently available for this stored XSS vulnerability.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1808 MEDIUM This Month

Stored cross-site scripting in the Orange Confort+ accessibility toolbar WordPress plugin through version 0.7 allows authenticated contributors and higher-privileged users to inject malicious scripts via the ocplus_button shortcode's style parameter due to inadequate input sanitization. When other users visit pages containing the injected content, the arbitrary scripts execute in their browsers, potentially compromising sessions or stealing sensitive data.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1252 MEDIUM This Month

Stored XSS in the Events Listing Widget plugin for WordPress (versions ≤1.3.4) allows authenticated users with Author privileges or higher to inject malicious scripts through the Event URL parameter due to inadequate input validation. An attacker exploiting this vulnerability can execute arbitrary JavaScript in pages viewed by other users. No patch is currently available for this medium-severity vulnerability.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-24923 MEDIUM This Month

Harmonyos versions up to 6.0.0 is affected by permissions, privileges, and access controls (CVSS 6.3).

Privilege Escalation Harmonyos
NVD
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-24915 MEDIUM This Month

Out-of-bounds read issue in the media subsystem. Impact: Successful exploitation of this vulnerability will affect availability and confidentiality. [CVSS 6.2 MEDIUM]

Buffer Overflow Information Disclosure Harmonyos
NVD
CVSS 3.1
6.2
EPSS
0.0%
CVE-2026-24920 MEDIUM This Month

Permission control vulnerability in the AMS module. Impact: Successful exploitation of this vulnerability may affect availability. [CVSS 6.2 MEDIUM]

Privilege Escalation Emui Harmonyos
NVD
CVSS 3.1
6.2
EPSS
0.0%
CVE-2026-24924 MEDIUM This Month

Harmonyos versions up to 6.0.0 is affected by permissions, privileges, and access controls (CVSS 6.1).

Privilege Escalation Harmonyos
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-24919 MEDIUM This Month

Out-of-bounds write vulnerability in the DFX module. Impact: Successful exploitation of this vulnerability may affect availability. [CVSS 6.0 MEDIUM]

Buffer Overflow Emui Harmonyos
NVD
CVSS 3.1
6.0
EPSS
0.0%
CVE-2026-24916 MEDIUM This Month

Identity authentication bypass vulnerability in the window module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. [CVSS 5.9 MEDIUM]

Authentication Bypass Harmonyos
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-24929 MEDIUM This Month

Out-of-bounds read vulnerability in the graphics module. Impact: Successful exploitation of this vulnerability may affect availability. [CVSS 5.9 MEDIUM]

Industrial Harmonyos
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-24931 MEDIUM This Month

Harmonyos versions up to 5.1.0 is affected by permissions, privileges, and access controls (CVSS 5.9).

Privilege Escalation Harmonyos
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-24928 MEDIUM This Month

Out-of-bounds write vulnerability in the file system module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. [CVSS 5.8 MEDIUM]

Buffer Overflow Harmonyos Emui
NVD
CVSS 3.1
5.8
EPSS
0.0%
CVE-2026-24927 MEDIUM This Month

Out-of-bounds access vulnerability in the frequency modulation module. Impact: Successful exploitation of this vulnerability may affect availability. [CVSS 5.5 MEDIUM]

Use After Free Emui Harmonyos
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-25640 MEDIUM PATCH This Month

Pydantic AI versions 1.34.0 through 1.50.x contain a path traversal vulnerability in the web UI that allows unauthenticated attackers to inject arbitrary JavaScript by manipulating the CDN version parameter in a malicious URL. When a victim visits the crafted link, attacker-controlled code executes in their browser, enabling theft of chat history and other sensitive client-side data. No patch is currently available.

Python Path Traversal Pydantic Ai
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-24050 MEDIUM PATCH This Month

Stored cross-site scripting in Zulip Server versions 5.0 through 11.4 allows authenticated attackers to execute arbitrary JavaScript through malicious group or channel names when administrators interact with user profile management features. An attacker with the ability to create or modify groups/channels can inject payloads that execute in the context of an administrator's session, potentially compromising account security or sensitive data. A patch is available in version 11.5.

XSS Zulip Server
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-25574 MEDIUM PATCH This Month

Cross-collection IDOR in Payload CMS before v3.74.0 allows authenticated users to read and delete preferences from other authentication collections when numeric user IDs overlap in PostgreSQL or SQLite deployments. This vulnerability affects multi-auth environments where default auto-increment IDs create collisions across separate user collections. An attacker with valid credentials in one authentication domain can access and manipulate sensitive preference data belonging to users in different authentication domains.

PostgreSQL SQLi Payload
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-10753 MEDIUM This Month

The OAuth Single Sign On - SSO (OAuth Client) plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 6.26.14. [CVSS 5.3 MEDIUM]

WordPress PHP
NVD
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-25597 MEDIUM PATCH This Month

Prestashop versions up to 8.2.4 contains a vulnerability that allows attackers to determine whether a customer account exists in the system by measuring response (CVSS 5.3).

Information Disclosure Prestashop
NVD GitHub
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-25123 MEDIUM This Month

Homarr versions prior to 1.52.0 contain an unauthenticated SSRF vulnerability in the widget.app.ping endpoint that accepts arbitrary URLs and performs server-side requests, allowing remote attackers to scan ports and probe internal networks without authentication. The vulnerability enables attackers to infer open versus closed ports through HTTP status codes and response timing, establishing a reliable reconnaissance primitive. No patch is currently available for affected deployments.

SSRF Homarr
NVD GitHub
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-1978 MEDIUM This Month

NanoCMS versions up to 0.4 contain an information disclosure vulnerability in the User Information Handler component that exposes sensitive data from the /data/pagesdata.txt file through unauthenticated remote requests. Public exploit code exists for this vulnerability, which allows attackers to retrieve partial confidential information without authentication. Users should update to a patched version or implement strict access controls on the affected file until an official patch is available.

Information Disclosure Nanocms
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-23623 MEDIUM This Month

Collabora Online is a collaborative online office suite based on LibreOffice technology. [CVSS 5.3 MEDIUM]

Authentication Bypass
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-1769 MEDIUM This Month

Stored cross-site scripting in Xerox CentreWare Web through version 7.0.6 enables attackers to inject malicious scripts that persist on the application and execute in users' browsers. An attacker with local access and user interaction can compromise confidentiality and potentially modify data within the CentreWare environment. No patch is currently available; upgrading to version 7.2.2.25 or later is recommended as a mitigation.

Windows XSS Centreware Web
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-24921 MEDIUM This Month

Address read vulnerability in the HDC module. Impact: Successful exploitation of this vulnerability will affect availability and confidentiality. [CVSS 4.8 MEDIUM]

Buffer Overflow Information Disclosure Harmonyos
NVD
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-25642 MEDIUM PATCH This Month

HedgeDoc prior to version 1.10.6 allows attackers to bypass content security policies on files served from the /uploads/ endpoint, enabling them to host malicious interactive content such as fake login forms via SVG files. This network-based attack requires user interaction but can lead to credential theft or social engineering attacks. A patch is available in version 1.10.6.

File Upload XSS Hedgedoc
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-24776 MEDIUM This Month

OpenProject versions prior to 17.0.2 fail to validate meeting section ownership during drag-and-drop operations, allowing authenticated users to inject agenda items into unrelated meetings. While attackers cannot access unauthorized meeting content, they can add arbitrary agenda items to other meetings to cause confusion or disrupt meeting organization. A patch is available in version 17.0.2.

Authentication Bypass Openproject
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-1228 MEDIUM This Month

plugin versions up to 1.3.3 is affected by authorization bypass through user-controlled key (CVSS 4.3).

WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-1785 MEDIUM This Month

The Code Snippets WordPress plugin through version 3.9.4 lacks nonce validation on cloud snippet operations, allowing unauthenticated attackers to conduct cross-site request forgery attacks against logged-in administrators. By tricking an admin into visiting a malicious page, attackers can force unauthorized downloads or updates of cloud snippets. No patch is currently available for this vulnerability.

WordPress CSRF
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-0598 MEDIUM This Month

Insufficient authorization checks in Ansible Lightspeed API conversation endpoints allow authenticated users to access and modify conversations belonging to other users. An attacker with valid credentials can exploit this to read sensitive conversation data and manipulate AI-generated outputs from other users' sessions. No patch is currently available.

Information Disclosure
NVD VulDB
CVSS 3.1
4.2
EPSS
0.0%
CVE-2026-24914 MEDIUM This Month

Type confusion vulnerability in the camera module. Impact: Successful exploitation of this vulnerability may affect availability. [CVSS 4.0 MEDIUM]

Use After Free Harmonyos
NVD
CVSS 3.1
4.0
EPSS
0.0%
Prev Page 2 of 2

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy