Skip to main content
CVE-2025-15440 HIGH This Week

The iONE360 configurator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Contact Form Parameters in all versions up to, and including, 2.0.57 due to insufficient input sanitization and output escaping. [CVSS 7.2 HIGH]

WordPress XSS PHP
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-25999 HIGH PATCH This Week

Klaw versions before 2.10.2 contain an improper access control flaw in the /resetMemoryCache endpoint that allows authenticated attackers to wipe cached metadata, configurations, and cluster data across any tenant without proper authorization. This vulnerability affects Apache Kafka deployments using Klaw for topic governance and could disrupt Kafka cluster management and visibility. A patch is available in version 2.10.2 and later.

Apache Klaw
NVD GitHub
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-1669 HIGH PATCH This Week

Arbitrary local file disclosure in Keras 3.0.0 through 3.13.1 allows a remote attacker to read sensitive files from a victim's system by tricking them into loading a malicious .keras model that abuses HDF5 external dataset references in the model-loading path. Exploitation requires the victim to open the attacker-supplied model (UI:P), but no authentication is needed; EPSS is very low (0.01%, 2nd percentile) and there is no public exploit identified at time of analysis. A vendor patch is available.

Information Disclosure Keras
NVD GitHub
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-20641 HIGH This Week

Installed application enumeration in Apple operating systems (macOS, iOS, iPadOS, tvOS, visionOS, watchOS) allows local applications to discover what other apps a user has installed through insufficient privacy controls. An attacker can exploit this through a malicious app to profile a user's installed software without explicit permission. This vulnerability affects multiple Apple platforms and requires user interaction to execute a malicious application.

Apple Information Disclosure
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-20606 HIGH This Week

Applications on Apple macOS and iOS platforms can circumvent user privacy preferences through a code execution vulnerability affecting multiple OS versions including Tahoe 26.3, Sonoma 14.8.4, Sequoia 15.7.4, and iOS 18.7.5. A local attacker with user interaction can exploit this to access sensitive user data or modify system settings protected by privacy controls. The vulnerability requires patching through official OS updates, as no workaround is currently available.

Apple Information Disclosure
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-20628 HIGH This Week

Sandbox escape vulnerability in Apple's macOS, iOS, tvOS, and related platforms (CVE-2026-20628) permits malicious applications to break out of their sandbox restrictions through a permissions bypass. A local attacker with user interaction can achieve high-impact confidentiality and integrity violations by exploiting this weakness. Patches are available across multiple OS versions including macOS Tahoe 26.3, iOS 18.7.5, tvOS 26.3, and others.

Apple Authentication Bypass
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-20617 HIGH This Week

Unprivileged local users can exploit a race condition in Apple's operating systems (macOS, iOS, iPadOS, tvOS, and visionOS) to escalate privileges to root through improper state handling during concurrent operations. This vulnerability affects multiple OS versions and requires local access with low privileges to trigger, making it exploitable by malicious applications or local attackers. No patch is currently available for this vulnerability.

Apple Race Condition Information Disclosure
NVD
CVSS 3.1
7.0
EPSS
0.0%
Prev Page 3 of 3

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy