Skip to main content
CVE-2019-25412 MEDIUM POC This Month

Comodo Dome Firewall 2.7.0 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by submitting unsanitized input through the NTP_SERVER_LIST parameter. [CVSS 6.1 MEDIUM]

XSS Dome Firewall
NVD Exploit-DB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2019-25411 MEDIUM POC This Month

Comodo Dome Firewall 2.7.0 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by manipulating the GATEWAY_GREEN parameter. [CVSS 6.1 MEDIUM]

XSS Dome Firewall
NVD Exploit-DB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2019-25407 MEDIUM POC This Month

Comodo Dome Firewall 2.7.0 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by submitting crafted input to the backup schedule interface. [CVSS 6.1 MEDIUM]

XSS Dome Firewall
NVD Exploit-DB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2019-25410 MEDIUM POC This Month

Comodo Dome Firewall 2.7.0 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts through the source and destination parameters. [CVSS 6.1 MEDIUM]

XSS Dome Firewall
NVD Exploit-DB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2019-25409 MEDIUM POC This Month

Comodo Dome Firewall 2.7.0 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by manipulating the destination parameter. [CVSS 6.1 MEDIUM]

XSS Dome Firewall
NVD Exploit-DB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2019-25408 MEDIUM POC This Month

Comodo Dome Firewall 2.7.0 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by submitting crafted input to the netmask_addr parameter. [CVSS 6.1 MEDIUM]

XSS Dome Firewall
NVD Exploit-DB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2019-25406 MEDIUM POC This Month

Comodo Dome Firewall 2.7.0 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by manipulating the organization parameter. [CVSS 6.1 MEDIUM]

XSS Dome Firewall
NVD Exploit-DB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-26030 CRITICAL PATCH GHSA Act Now

Remote code execution in Microsoft Semantic Kernel Python SDK before 1.39.4. Code injection in the AI orchestration framework. Patch available.

Microsoft Linux Python RCE AI / ML +1
NVD GitHub
CVSS 3.1
9.9
EPSS
0.1%
CVE-2026-27476 CRITICAL Act Now

Command injection in RustFly 2.0.0 via hex-encoded UDP instructions on port 5005. The remote UI control mechanism accepts and executes commands without validation.

Command Injection
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2025-15559 CRITICAL Act Now

Unauthenticated OS command injection in NesterSoft WorkTime via report generation API. Allows executing arbitrary commands.

Command Injection Worktime
NVD
CVSS 3.1
9.8
EPSS
0.2%
CVE-2025-67304 CRITICAL Act Now

Hardcoded PostgreSQL credentials in Ruckus Network Director OVA < 4.5.0.54.

PostgreSQL Authentication Bypass
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-8350 CRITICAL Act Now

Execution After Redirect + missing auth in BiEticaret CMS.

Authentication Bypass
NVD VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-13851 CRITICAL Act Now

Privilege escalation via registration in Buyent Classified WordPress plugin.

WordPress Privilege Escalation PHP
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-13563 CRITICAL Act Now

Privilege escalation in Lizza LMS Pro WordPress plugin <= 1.0.3.

WordPress Privilege Escalation PHP
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-12882 CRITICAL Act Now

Privilege escalation in Clasifico Listing WordPress plugin <= 2.0.

WordPress Privilege Escalation PHP
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-1994 CRITICAL Act Now

Privilege escalation via account takeover in s2Member WordPress plugin <= 260127. Broken authentication allows taking over any user account.

WordPress Privilege Escalation
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-67305 CRITICAL Act Now

Hardcoded SSH keys in Ruckus Network Director OVA < 4.5.0.56 for postgres user. Same across all appliances.

PostgreSQL Privilege Escalation
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-23549 CRITICAL Act Now

PHP Object Injection in WpEvently (mage-eventpress) WordPress plugin.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-23542 CRITICAL Act Now

PHP Object Injection in Grand Restaurant WordPress theme.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-9953 CRITICAL Act Now

Authorization bypass via user-controlled SQL primary key in Databank Accreditation Software.

SQLi
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-2684 MEDIUM POC This Month

Electronic Archives System versions up to 3.2.210802 is affected by improper access control (CVSS 7.3).

File Upload Authentication Bypass Electronic Archives System
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-2691 MEDIUM POC This Month

SQL injection in itsourcecode Event Management System 1.0 allows unauthenticated remote attackers to manipulate the ID parameter in /admin/manage_register.php, potentially leading to unauthorized data access, modification, or deletion. Public exploit code exists for this vulnerability, and no patch is currently available, creating significant risk for unpatched deployments.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-2690 MEDIUM POC This Month

SQL injection in itsourcecode Event Management System 1.0's admin login endpoint allows unauthenticated remote attackers to manipulate the Username parameter and execute arbitrary database queries. Public exploit code exists for this vulnerability, enabling attackers to potentially extract sensitive data or compromise system integrity. No patch is currently available for affected PHP installations.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-2689 MEDIUM POC This Month

SQL injection in itsourcecode Event Management System 1.0's booking management interface allows unauthenticated remote attackers to manipulate database queries via the ID parameter in /admin/manage_booking.php. Public exploit code exists for this vulnerability, enabling potential unauthorized data access and modification. No patch is currently available to address this high-severity flaw affecting PHP-based deployments.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-27014 MEDIUM POC This Month

NanaZip versions 5.0.1252.0 through 6.0.1629.0 are vulnerable to denial of service through malformed ROMFS archives that trigger infinite loops via circular offset chains or stack overflow via deeply nested directory structures. Public exploit code exists for this vulnerability, allowing local attackers to crash the application and cause a denial of service. No patch is currently available.

Stack Overflow Nanazip
NVD GitHub
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-26953 MEDIUM POC PATCH This Month

Stored HTML injection in Pi-hole Admin Interface versions 6.0+ allows authenticated attackers to inject arbitrary HTML into the active sessions table via the X-Forwarded-For header, which is unsafely rendered when administrators view the API settings page. Public exploit code exists for this vulnerability, affecting administrators who manage Pi-hole instances. An attacker with valid credentials can exploit this to perform client-side attacks against other administrators viewing the compromised session data.

Python Jquery Web Interface
NVD GitHub
CVSS 3.1
5.4
EPSS
0.1%
CVE-2025-9208 MEDIUM POC This Month

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in OpenText™ Web Site Management Server allows Stored XSS. [CVSS 5.4 MEDIUM]

XSS Web Site Management Server
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-13672 MEDIUM POC This Month

Web Site Management Server versions up to 16.7.0 is affected by cross-site scripting (xss) (CVSS 5.4).

XSS Web Site Management Server
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-26059 MEDIUM POC This Month

Stored cross-site scripting in ChurchCRM versions before 6.8.2 allows authenticated users with group editing permissions to inject malicious JavaScript that executes when other users view affected groups. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires user interaction and can result in session hijacking or unauthorized actions performed on behalf of affected users.

XSS Churchcrm
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-26339 CRITICAL Act Now

Remote code execution in Hyland's Alfresco Transform Service (and the related Alfresco Transform Core component) lets unauthenticated network attackers inject crafted arguments into the document-processing pipeline to run arbitrary commands on the transformation host. Any exposed Alfresco deployment relying on these transform components is affected, with no login required and full compromise of confidentiality, integrity and availability. No public exploit has been identified at time of analysis, and the EPSS probability is currently low (0.22%, 44th percentile).

RCE Alfresco Transform Core Alfresco Transform Service SSRF
NVD
CVSS 4.0
9.3
EPSS
0.2%
CVE-2026-25527 MEDIUM POC PATCH This Month

Changedetection.io versions before 0.53.2 allow unauthenticated attackers to read arbitrary files from the application directory through directory traversal in the static file serving endpoint. An attacker can exploit this by manipulating the group parameter to escape the intended static directory and access sensitive application files like source code. Public exploit code exists for this vulnerability, which has been patched in version 0.53.2.

Flask Changedetection
NVD GitHub
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-25766 MEDIUM POC PATCH This Month

Unauthenticated remote file read in Echo web framework versions 5.0.0-5.0.2 on Windows allows attackers to traverse outside the static root directory and access arbitrary files via backslash path sequences in requests. The vulnerability stems from improper path normalization where path.Clean() does not treat backslashes as separators, but the underlying os.Open() call on Windows does, enabling directory traversal. Public exploit code exists for this medium-severity vulnerability, though a patch is available in version 5.0.3.

Windows Golang Path Traversal Echo Suse
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-55853 CRITICAL Act Now

SSRF in SoftVision webPDF before 10.0.2 via PDF converter function.

SSRF Webpdf
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-0974 HIGH This Week

The Orderable WordPress plugin through version 1.20.0 fails to properly verify user permissions on plugin installation functions, enabling authenticated subscribers to install malicious plugins and achieve remote code execution. An attacker with minimal WordPress account privileges can exploit this capability check bypass to gain full server compromise without administrator credentials. No patch is currently available for this vulnerability (CVSS 8.8).

WordPress RCE Authentication Bypass
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-26323 HIGH PATCH This Week

Arbitrary command execution in OpenClaw versions 2026.1.8 through 2026.2.13 allows attackers to execute shell commands when developers or CI systems run the update-clawtributors.ts maintenance script on repositories containing malicious commit metadata. The vulnerability stems from unsanitized interpolation of git author emails into shell commands via execSync, exploitable only by those with access to the development environment or source repository. Version 2026.2.14 patches the issue.

Node.js Github Command Injection AI / ML Openclaw
NVD GitHub
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-26337 HIGH This Week

Arbitrary file read and server-side request forgery in Hyland Alfresco Transformation Service (and the underlying Alfresco Transform Core, including 5.3.0-alpha1) allow unauthenticated remote attackers to read arbitrary files and coerce the server into making outbound requests via absolute path traversal. Hyland has published a coordinated security advisory (CVE-2026-26337/26338/26339). No public exploit has been identified at time of analysis and the EPSS probability is low (0.12%), but the network-facing, unauthenticated nature makes this a meaningful exposure for internet-reachable transform components.

SSRF Path Traversal Alfresco Transform Core Alfresco Transform Service
NVD
CVSS 4.0
8.8
EPSS
0.1%
CVE-2026-26358 HIGH This Week

Dell Unisphere for PowerMax 10.2 lacks proper authorization checks, allowing authenticated remote attackers to bypass access controls and gain unauthorized administrative capabilities. This missing authorization vulnerability (CWE-862) affects users who have any valid account credentials on affected systems. No patch is currently available, making this a critical risk for organizations operating vulnerable PowerMax installations.

Authentication Bypass Dell Unisphere For Powermax
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-23544 HIGH This Week

Unsafe deserialization in Codetipi Valenti through version 5.6.3.5 enables authenticated attackers to inject arbitrary objects and achieve remote code execution. An attacker with valid credentials can exploit this vulnerability to execute malicious commands with the privileges of the affected application. No patch is currently available.

Deserialization
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-12821 HIGH This Week

The NewsBlogger theme for WordPress is vulnerable to Cross-Site Request Forgery in versions 0.2.5.6 to 0.2.6.1. This is due to missing or incorrect nonce validation on the newsblogger_install_and_activate_plugin() function. [CVSS 8.8 HIGH]

WordPress RCE CSRF PHP
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-12845 HIGH This Week

The Tablesome Table - Contact Form DB - WPForms, CF7, Gravity, Forminator, Fluent plugin for WordPress is vulnerable to unauthorized access of data that leads to privilege escalation due to a missing capability check on the get_table_data() function in versions 0.5.4 to 1.2.1. [CVSS 8.8 HIGH]

WordPress Privilege Escalation PHP
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-26359 HIGH This Week

Dell Unisphere for PowerMax 10.2 contains a path traversal vulnerability that allows authenticated remote attackers to overwrite arbitrary files on the system. This HIGH severity flaw (CVSS 8.8) requires only low privileges and network access to exploit, potentially enabling complete system compromise. No patch is currently available for this vulnerability.

Information Disclosure Dell Unisphere For Powermax
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-4521 HIGH This Week

The IDonate - Blood Donation, Request And Donor Management System plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the idonate_donor_profile() function in versions 2.1.5 to 2.1.9. [CVSS 8.8 HIGH]

WordPress Privilege Escalation PHP
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-13603 HIGH This Week

WP AUDIO GALLERY (WordPress plugin) versions up to 2.0. is affected by missing authorization (CVSS 8.8).

WordPress PHP
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-0912 HIGH This Week

Privilege escalation in WordPress Toret Manager plugin through version 1.2.7 allows authenticated subscribers to modify arbitrary site options due to missing capability checks in the trman_save_option functions. An attacker can exploit this to change the default registration role to administrator and enable user registration, granting themselves admin access to the vulnerable site. No patch is currently available.

WordPress Privilege Escalation
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-15560 HIGH This Week

An authenticated attacker with minimal permissions can exploit a SQL injection in the WorkTime server "widget" API endpoint to inject SQL queries. If the Firebird backend is used, attackers are able to retrieve all data from the database backend. [CVSS 8.8 HIGH]

MSSQL SQLi Worktime
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-12107 HIGH This Week

Identity Server versions up to 5.11.0 contains a vulnerability that allows attackers to a malicious actor with admin privilege to inject and execute arbitrary template (CVSS 8.4).

RCE Identity Server
NVD
CVSS 3.1
8.4
EPSS
0.4%
CVE-2026-21535 HIGH PATCH This Week

Microsoft Teams contains an access control vulnerability that enables unauthenticated remote attackers to extract sensitive information without user interaction. The flaw affects Teams deployments and carries a high severity rating, though no patch is currently available. Exploitation requires only network access with no additional prerequisites, making this a significant risk for organizations using the platform.

Microsoft Teams
NVD
CVSS 3.1
8.2
EPSS
0.1%
CVE-2026-27475 HIGH This Week

Arbitrary code execution in SPIP before 4.4.9 through insecure deserialization of untrusted serialized objects in the table_valeur filter and DATA iterator. An attacker with prior access or leveraging a separate vulnerability to inject malicious serialized data can trigger arbitrary object instantiation and achieve remote code execution. No patch is currently available, and the vulnerability persists despite SPIP's standard security protections.

Deserialization Spip
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-26016 HIGH PATCH This Week

Missing authorization validation in Pterodactyl Wings prior to version 1.12.1 allows authenticated nodes to access and manipulate servers across different nodes without proper ownership verification. An attacker with a valid node secret token can retrieve sensitive installation scripts, alter server installation states, and modify transfer statuses for servers they should not have access to. The vulnerability requires network access and valid node credentials but carries high impact due to potential exposure of secrets and cross-node server manipulation.

Information Disclosure Panel
NVD GitHub
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-26360 HIGH This Week

Dell Unisphere for PowerMax versions 10.2 suffer from a path traversal vulnerability (CWE-73) that allows authenticated remote attackers to delete arbitrary files on affected systems. An attacker with low-level privileges can exploit this flaw without user interaction to achieve denial of service or system compromise. No patch is currently available for this high-severity issue (CVSS 8.1).

Information Disclosure Dell Unisphere For Powermax
NVD
CVSS 3.1
8.1
EPSS
0.1%
Prev Page 2 of 8 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy