Skip to main content
CVE-2026-25326 HIGH This Week

cmsmasters CMSMasters Content Composer cmsmasters-content-composer is affected by php remote file inclusion (CVSS 7.5).

PHP LFI
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-2232 HIGH This Week

Product Table and List Builder for WooCommerce Lite (WordPress plugin) is affected by sql injection (CVSS 7.5).

WordPress SQLi
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-12707 HIGH This Week

The Library Management System plugin for WordPress is vulnerable to SQL Injection via the 'bid' parameter in all versions up to, and including, 3.2.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. [CVSS 7.5 HIGH]

WordPress SQLi PHP
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-26321 HIGH PATCH This Week

OpenClaw's Feishu extension prior to version 2026.2.14 improperly handles `mediaUrl` parameters by treating attacker-controlled values as local filesystem paths, enabling unauthorized file read access. An attacker who can influence tool calls through direct manipulation or prompt injection could exfiltrate sensitive files like `/etc/passwd`. This high-severity path traversal vulnerability (CWE-22) is resolved in version 2026.2.14 and later, which implements proper access controls and routes media loading through hardened helpers.

Path Traversal AI / ML Openclaw
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-26316 HIGH PATCH This Week

OpenClaw is a personal AI assistant. [CVSS 7.5 HIGH]

Authentication Bypass AI / ML Openclaw
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-26314 HIGH PATCH This Week

Geth versions prior to 1.16.9 can be remotely crashed by sending a specially crafted message over the network, allowing unauthenticated attackers to cause denial of service against Ethereum nodes. This vulnerability in Go Ethereum's message handling requires no user interaction and affects the availability of affected nodes. Patched versions 1.16.9 and 1.17.0 are available to remediate this issue.

Golang Denial Of Service Go Ethereum Suse
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-26336 HIGH This Week

Unauthenticated attackers can bypass access controls in Alfresco Content Services to retrieve sensitive files from protected directories such as WEB-INF through the /share/page/resource/ endpoint. This vulnerability exposes critical configuration data and credentials without requiring authentication or user interaction. No patch is currently available for this remotely exploitable issue affecting Alfresco deployments.

Authentication Bypass Information Disclosure Alfresco Content Services
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-11754 HIGH This Week

The GDPR Cookie Consent plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'gdpr/v1/settings' REST API endpoint in all versions up to, and including, 4.1.2. [CVSS 7.5 HIGH]

WordPress PHP
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-8054 HIGH This Week

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in OpenText™ XM Fax allows Path Traversal. The vulnerability could allow an attacker to arbitrarily disclose content of files on the local filesystem. [CVSS 7.5 HIGH]

Path Traversal Xm Fax
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-26319 HIGH PATCH This Week

OpenClaw's Telnyx voice-call webhook handler fails to validate webhook signatures when the public key is not configured, allowing unauthenticated attackers to forge arbitrary Telnyx events. This affects only deployments with the Voice Call plugin installed, enabled, and publicly accessible, enabling attackers to inject malicious voice-call events into the system. A patch is available.

Authentication Bypass AI / ML Openclaw
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-26313 HIGH PATCH This Week

Go Ethereum versions up to 1.17.0 is affected by allocation of resources without limits or throttling (CVSS 7.5).

Golang Go Ethereum Suse
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-26315 HIGH PATCH This Week

Go Ethereum (Geth) versions prior to 1.16.9 contain a cryptographic implementation flaw in ECIES that allows remote attackers to extract portions of the p2p node key without authentication. This exposure could compromise the confidentiality of node communications and potentially enable impersonation or network-level attacks against affected Ethereum nodes. Administrators should upgrade to version 1.16.9 or later and rotate their node keys by deleting the nodekey file.

Golang Go Ethereum Suse
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-25998 HIGH This Week

strongMan's credential encryption uses a static initialization vector with AES-CTR mode, causing all database fields to be encrypted with identical key streams. An attacker with database access can leverage publicly stored certificates to derive the key stream and decrypt stored private keys and EAP secrets. No patch is currently available for this high-severity vulnerability affecting strongSwan management deployments.

Information Disclosure Strongman
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-23541 HIGH This Week

Missing Authorization vulnerability in WPFunnels Mail Mint mail-mint allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Mail Mint: from n/a through <= 1.19.4.

Authentication Bypass
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-26275 HIGH PATCH This Week

httpsig-hyper versions prior to 0.0.23 fail to properly validate HTTP message digest headers due to improper use of Rust's matches! macro, allowing attackers to forge or modify message bodies without detection. This vulnerability affects applications using the library for HTTP signature verification, enabling attackers to bypass integrity checks on signed requests. A patch is available in version 0.0.23 and later.

Information Disclosure Httpsig Hyper
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-26324 HIGH PATCH This Week

OpenClaw prior to version 2026.2.14 fails to properly validate IPv6-formatted addresses in its SSRF protection, allowing attackers to bypass restrictions and access loopback and private network resources that should be blocked. An unauthenticated remote attacker can exploit this by crafting requests using IPv4-mapped IPv6 literals to reach restricted endpoints. The vulnerability has been patched in version 2026.2.14.

SSRF AI / ML Openclaw
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-9062 HIGH This Week

MeCODE Informatics and Engineering Services Ltd. Envanty is affected by authorization bypass through user-controlled key (CVSS 7.3).

Authentication Bypass
NVD VulDB
CVSS 3.1
7.3
EPSS
0.0%
CVE-2025-13590 HIGH PATCH This Week

Authenticated remote code execution affects multiple WSO2 products (API Manager 4.2.0-4.6.0, API Control Plane 4.5.0-4.6.0, Universal Gateway 4.5.0, and Traffic Manager 4.5.0-4.6.0) through an unrestricted file upload exposed via a system REST API. An administrator-level attacker can place an arbitrary file at a user-controlled path and trigger code execution on the host. No public exploit identified at time of analysis, EPSS is low at 0.28%, and a vendor patch is available per WSO2 advisory WSO2-2025-4849.

RCE Api Manager Universal Gateway Traffic Manager Api Control Plane +1
NVD VulDB
CVSS 3.1
7.2
EPSS
0.3%
CVE-2025-12975 HIGH This Week

The CTX Feed - WooCommerce Product Feed Manager plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the woo_feed_plugin_installing() function in all versions up to, and including, 6.6.11. [CVSS 7.2 HIGH]

WordPress RCE PHP
NVD
CVSS 3.1
7.2
EPSS
0.2%
CVE-2025-14452 HIGH This Week

The WP Customer Reviews plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'wpcr3_fname' parameter in all versions up to, and including, 3.7.5 due to insufficient input sanitization and output escaping. [CVSS 7.2 HIGH]

WordPress XSS PHP
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-25316 HIGH This Week

CartFlows through version 2.1.19 contains an unsafe deserialization vulnerability that enables object injection attacks against WordPress installations using the plugin. An authenticated attacker with high privileges can exploit this flaw to achieve arbitrary code execution with full system access. No patch is currently available for this vulnerability.

Deserialization
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-22333 HIGH This Week

YITHEMES YITH WooCommerce Compare yith-woocommerce-compare is affected by deserialization of untrusted data (CVSS 7.2).

WordPress Deserialization
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2025-15041 HIGH This Week

The BackWPup - WordPress Backup & Restore Plugin plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the save_site_option() function in all versions up to, and including, 5.6.2. [CVSS 7.2 HIGH]

WordPress Privilege Escalation PHP
NVD
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-26325 HIGH PATCH This Week

OpenClaw versions before 2026.2.14 allow attackers with execution privileges to bypass command allowlist controls on node host deployments by exploiting a mismatch between validated and executed commands, potentially enabling execution of unapproved system commands. The vulnerability only affects configurations using node host execution paths with allowlist-based security policies and approval prompting. A patch is available in version 2026.2.14 which enforces consistency validation.

Authentication Bypass AI / ML Openclaw
NVD GitHub
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-23547 HIGH This Week

cmsmasters CMSMasters Content Composer cmsmasters-content-composer is affected by missing authorization (CVSS 7.1).

Authentication Bypass
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-26317 HIGH PATCH This Week

OpenClaw versions prior to 2026.2.14 lack proper Cross-Origin Request Forgery (CSRF) protections on localhost mutation endpoints, allowing malicious websites to trigger unauthorized actions against a victim's local AI assistant instance such as opening tabs, modifying storage, or controlling browser functions. The vulnerability affects the browser control plane through cross-origin requests initiated from the victim's browser context, despite the service's loopback binding. Version 2026.2.14 and later mitigate this by validating Origin/Referer headers and rejecting mutating requests from cross-site origins.

CSRF AI / ML Openclaw
NVD GitHub
CVSS 3.1
7.1
EPSS
0.0%
Prev Page 2 of 2

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy