Skip to main content
CVE-2026-26362 HIGH This Week

Dell Unisphere for PowerMax 10.2 contains a relative path traversal flaw that allows authenticated remote attackers to modify critical system files without user interaction. The vulnerability affects systems with low-privileged user accounts and carries high integrity and availability impact, though no patch is currently available. With an EPSS score of 0.1%, exploitation likelihood remains low despite the HIGH severity rating.

Path Traversal Unisphere For Powermax
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-25940 HIGH PATCH This Week

jsPDF versions prior to 4.2.0 allow attackers to inject arbitrary PDF objects including malicious JavaScript through unsanitized input to the Acroform module, which executes when users interact with form elements. An attacker who can control input passed to vulnerable API members can achieve code execution on the victim's system. The vulnerability is fixed in jsPDF 4.2.0 and can be mitigated by sanitizing all user input before passing it to affected Acroform properties and methods.

Jspdf Code Injection
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-22267 HIGH This Week

Dell PowerProtect Data Manager versions prior to 19.22 contain an incorrect privilege assignment flaw that allows remote attackers with low-level credentials to escalate their privileges on affected systems. The vulnerability requires network access and valid authentication but no user interaction, making it exploitable by insiders or attackers who have obtained legitimate credentials. No patch is currently available.

Information Disclosure Dell Powerprotect Data Manager
NVD
CVSS 3.1
8.1
EPSS
0.0%
CVE-2025-15561 HIGH This Week

An attacker can exploit the update behavior of the WorkTime monitoring daemon to elevate privileges on the local system to NT Authority\SYSTEM. A malicious executable must be named  WTWatch.exe and dropped in the C:\ProgramData\wta\ClientExe directory, which is writable by "Everyone". [CVSS 7.8 HIGH]

Privilege Escalation Worktime
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-4960 HIGH This Week

The com.epson.InstallNavi.helper tool, deployed with the EPSON printer driver installer, contains a local privilege escalation vulnerability due to multiple flaws in its implementation. [CVSS 7.8 HIGH]

macOS AWS Privilege Escalation
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-24764 LOW POC PATCH Monitor

OpenClaw (formerly Clawdbot) is a personal AI assistant users run on their own devices. In versions 2026.2.2 and below, when the Slack integration is enabled, channel metadata (topic/description) can be incorporated into the model's system prompt. [CVSS 3.7 LOW]

Code Injection Openclaw
NVD GitHub
CVSS 3.1
3.7
EPSS
0.0%
CVE-2026-24122 LOW POC PATCH Monitor

Cosign provides code signing and transparency for containers and binaries. [CVSS 3.7 LOW]

Authentication Bypass Cosign
NVD GitHub
CVSS 3.1
3.7
EPSS
0.0%
CVE-2026-25418 HIGH This Week

SQL injection in Bit Form through version 2.21.10 enables authenticated attackers with high privileges to execute arbitrary database queries, potentially exposing sensitive data. The vulnerability requires administrative credentials but has no available patch, leaving affected installations at risk until an update is released.

SQLi
NVD
CVSS 3.1
7.6
EPSS
0.0%
CVE-2026-25378 HIGH This Week

Blind SQL injection in Nelio AB Testing plugin version 8.2.4 and earlier enables authenticated attackers with high privileges to execute arbitrary SQL queries against the database. An attacker with administrative access could exploit this vulnerability to extract sensitive data or manipulate database contents, though availability impact is limited. No patch is currently available.

SQLi
NVD
CVSS 3.1
7.6
EPSS
0.0%
CVE-2026-23805 HIGH This Week

SQL injection in Yoren Chang Media Search Enhanced through version 0.9.1 enables unauthenticated remote attackers to execute arbitrary SQL queries and extract sensitive data from the underlying database. With high privileges required for exploitation, an authenticated attacker with administrative access can manipulate SQL commands to compromise data confidentiality while causing minor service disruption. No patch is currently available.

SQLi
NVD
CVSS 3.1
7.6
EPSS
0.0%
CVE-2026-26322 HIGH PATCH This Week

OpenClaw versions prior to 2026.2.14 fail to validate the gatewayUrl parameter in the Gateway tool, allowing authenticated users or operators to redirect WebSocket connections to arbitrary targets and potentially access internal resources. This vulnerability requires authentication and the ability to invoke specific tool calls, limiting exposure to trusted users and automated systems rather than anonymous attackers. An attacker with these privileges could establish unauthorized outbound connections from the OpenClaw host, compromising confidentiality and potentially enabling further network-based attacks.

SSRF AI / ML Openclaw
NVD GitHub
CVSS 3.1
7.6
EPSS
0.0%
CVE-2026-27343 HIGH This Week

PHP Local File Inclusion in Airtifact versions up to 1.2.91 permits authenticated attackers to read arbitrary files on the server through improper validation of include/require statements. With low privileges required and no user interaction necessary, an attacker can leverage this vulnerability to access sensitive configuration files or application source code. No patch is currently available for this vulnerability.

PHP LFI
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-27052 HIGH This Week

villatheme Sales Countdown Timer for WooCommerce and WordPress sctv-sales-countdown-timer is affected by php remote file inclusion (CVSS 7.5).

WordPress PHP LFI Information Disclosure
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-25326 HIGH This Week

cmsmasters CMSMasters Content Composer cmsmasters-content-composer is affected by php remote file inclusion (CVSS 7.5).

PHP LFI
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-2232 HIGH This Week

Product Table and List Builder for WooCommerce Lite (WordPress plugin) is affected by sql injection (CVSS 7.5).

WordPress SQLi
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-12707 HIGH This Week

The Library Management System plugin for WordPress is vulnerable to SQL Injection via the 'bid' parameter in all versions up to, and including, 3.2.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. [CVSS 7.5 HIGH]

WordPress SQLi PHP
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-26321 HIGH PATCH This Week

OpenClaw's Feishu extension prior to version 2026.2.14 improperly handles `mediaUrl` parameters by treating attacker-controlled values as local filesystem paths, enabling unauthorized file read access. An attacker who can influence tool calls through direct manipulation or prompt injection could exfiltrate sensitive files like `/etc/passwd`. This high-severity path traversal vulnerability (CWE-22) is resolved in version 2026.2.14 and later, which implements proper access controls and routes media loading through hardened helpers.

Path Traversal AI / ML Openclaw
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-26316 HIGH PATCH This Week

OpenClaw is a personal AI assistant. [CVSS 7.5 HIGH]

Authentication Bypass AI / ML Openclaw
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-26314 HIGH PATCH This Week

Geth versions prior to 1.16.9 can be remotely crashed by sending a specially crafted message over the network, allowing unauthenticated attackers to cause denial of service against Ethereum nodes. This vulnerability in Go Ethereum's message handling requires no user interaction and affects the availability of affected nodes. Patched versions 1.16.9 and 1.17.0 are available to remediate this issue.

Golang Denial Of Service Go Ethereum Suse
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-26336 HIGH This Week

Unauthenticated attackers can bypass access controls in Alfresco Content Services to retrieve sensitive files from protected directories such as WEB-INF through the /share/page/resource/ endpoint. This vulnerability exposes critical configuration data and credentials without requiring authentication or user interaction. No patch is currently available for this remotely exploitable issue affecting Alfresco deployments.

Authentication Bypass Information Disclosure Alfresco Content Services
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-11754 HIGH This Week

The GDPR Cookie Consent plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'gdpr/v1/settings' REST API endpoint in all versions up to, and including, 4.1.2. [CVSS 7.5 HIGH]

WordPress PHP
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-8054 HIGH This Week

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in OpenText™ XM Fax allows Path Traversal. The vulnerability could allow an attacker to arbitrarily disclose content of files on the local filesystem. [CVSS 7.5 HIGH]

Path Traversal Xm Fax
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-26319 HIGH PATCH This Week

OpenClaw's Telnyx voice-call webhook handler fails to validate webhook signatures when the public key is not configured, allowing unauthenticated attackers to forge arbitrary Telnyx events. This affects only deployments with the Voice Call plugin installed, enabled, and publicly accessible, enabling attackers to inject malicious voice-call events into the system. A patch is available.

Authentication Bypass AI / ML Openclaw
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-26313 HIGH PATCH This Week

Go Ethereum versions up to 1.17.0 is affected by allocation of resources without limits or throttling (CVSS 7.5).

Golang Go Ethereum Suse
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-26315 HIGH PATCH This Week

Go Ethereum (Geth) versions prior to 1.16.9 contain a cryptographic implementation flaw in ECIES that allows remote attackers to extract portions of the p2p node key without authentication. This exposure could compromise the confidentiality of node communications and potentially enable impersonation or network-level attacks against affected Ethereum nodes. Administrators should upgrade to version 1.16.9 or later and rotate their node keys by deleting the nodekey file.

Golang Go Ethereum Suse
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-25998 HIGH This Week

strongMan's credential encryption uses a static initialization vector with AES-CTR mode, causing all database fields to be encrypted with identical key streams. An attacker with database access can leverage publicly stored certificates to derive the key stream and decrypt stored private keys and EAP secrets. No patch is currently available for this high-severity vulnerability affecting strongSwan management deployments.

Information Disclosure Strongman
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-23541 HIGH This Week

Missing Authorization vulnerability in WPFunnels Mail Mint mail-mint allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Mail Mint: from n/a through <= 1.19.4.

Authentication Bypass
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-26275 HIGH PATCH This Week

httpsig-hyper versions prior to 0.0.23 fail to properly validate HTTP message digest headers due to improper use of Rust's matches! macro, allowing attackers to forge or modify message bodies without detection. This vulnerability affects applications using the library for HTTP signature verification, enabling attackers to bypass integrity checks on signed requests. A patch is available in version 0.0.23 and later.

Information Disclosure Httpsig Hyper
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-26324 HIGH PATCH This Week

OpenClaw prior to version 2026.2.14 fails to properly validate IPv6-formatted addresses in its SSRF protection, allowing attackers to bypass restrictions and access loopback and private network resources that should be blocked. An unauthenticated remote attacker can exploit this by crafting requests using IPv4-mapped IPv6 literals to reach restricted endpoints. The vulnerability has been patched in version 2026.2.14.

SSRF AI / ML Openclaw
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-9062 HIGH This Week

MeCODE Informatics and Engineering Services Ltd. Envanty is affected by authorization bypass through user-controlled key (CVSS 7.3).

Authentication Bypass
NVD VulDB
CVSS 3.1
7.3
EPSS
0.0%
CVE-2025-13590 HIGH PATCH This Week

Authenticated remote code execution affects multiple WSO2 products (API Manager 4.2.0-4.6.0, API Control Plane 4.5.0-4.6.0, Universal Gateway 4.5.0, and Traffic Manager 4.5.0-4.6.0) through an unrestricted file upload exposed via a system REST API. An administrator-level attacker can place an arbitrary file at a user-controlled path and trigger code execution on the host. No public exploit identified at time of analysis, EPSS is low at 0.28%, and a vendor patch is available per WSO2 advisory WSO2-2025-4849.

RCE Api Manager Universal Gateway Traffic Manager Api Control Plane +1
NVD VulDB
CVSS 3.1
7.2
EPSS
0.3%
CVE-2025-12975 HIGH This Week

The CTX Feed - WooCommerce Product Feed Manager plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the woo_feed_plugin_installing() function in all versions up to, and including, 6.6.11. [CVSS 7.2 HIGH]

WordPress RCE PHP
NVD
CVSS 3.1
7.2
EPSS
0.2%
CVE-2025-14452 HIGH This Week

The WP Customer Reviews plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'wpcr3_fname' parameter in all versions up to, and including, 3.7.5 due to insufficient input sanitization and output escaping. [CVSS 7.2 HIGH]

WordPress XSS PHP
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-25316 HIGH This Week

CartFlows through version 2.1.19 contains an unsafe deserialization vulnerability that enables object injection attacks against WordPress installations using the plugin. An authenticated attacker with high privileges can exploit this flaw to achieve arbitrary code execution with full system access. No patch is currently available for this vulnerability.

Deserialization
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-22333 HIGH This Week

YITHEMES YITH WooCommerce Compare yith-woocommerce-compare is affected by deserialization of untrusted data (CVSS 7.2).

WordPress Deserialization
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2025-15041 HIGH This Week

The BackWPup - WordPress Backup & Restore Plugin plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the save_site_option() function in all versions up to, and including, 5.6.2. [CVSS 7.2 HIGH]

WordPress Privilege Escalation PHP
NVD
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-26325 HIGH PATCH This Week

OpenClaw versions before 2026.2.14 allow attackers with execution privileges to bypass command allowlist controls on node host deployments by exploiting a mismatch between validated and executed commands, potentially enabling execution of unapproved system commands. The vulnerability only affects configurations using node host execution paths with allowlist-based security policies and approval prompting. A patch is available in version 2026.2.14 which enforces consistency validation.

Authentication Bypass AI / ML Openclaw
NVD GitHub
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-23547 HIGH This Week

cmsmasters CMSMasters Content Composer cmsmasters-content-composer is affected by missing authorization (CVSS 7.1).

Authentication Bypass
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-26317 HIGH PATCH This Week

OpenClaw versions prior to 2026.2.14 lack proper Cross-Origin Request Forgery (CSRF) protections on localhost mutation endpoints, allowing malicious websites to trigger unauthorized actions against a victim's local AI assistant instance such as opening tabs, modifying storage, or controlling browser functions. The vulnerability affects the browser control plane through cross-origin requests initiated from the victim's browser context, despite the service's loopback binding. Version 2026.2.14 and later mitigate this by validating Origin/Referer headers and rejecting mutating requests from cross-site origins.

CSRF AI / ML Openclaw
NVD GitHub
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-26338 MEDIUM This Month

SSRF in Hyland Alfresco Transformation Service via document processing.

SSRF Alfresco Transform Core Alfresco Transform Service
NVD
CVSS 4.0
6.9
EPSS
0.1%
CVE-2026-25120 LOW POC PATCH Monitor

Gogs is an open source self-hosted Git service. In versions 0.13.4 and below, the DeleteComment API does not verify that the comment belongs to the repository specified in the URL. [CVSS 2.7 LOW]

Authentication Bypass Gogs
NVD GitHub
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-24126 MEDIUM PATCH This Month

Weblate versions up to 5.16.0 contains a vulnerability that allows attackers to an argument injection to `ssh-add` (CVSS 6.6).

SSH Weblate Suse
NVD GitHub
CVSS 3.1
6.6
EPSS
0.0%
CVE-2025-13587 MEDIUM This Month

The Two Factor (2FA) Authentication via Email plugin for WordPress is vulnerable to Two-Factor Authentication Bypass in versions up to, and including, 1.9.8. [CVSS 6.5 MEDIUM]

WordPress Authentication Bypass PHP
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-0722 MEDIUM This Month

The Shield Security plugin for WordPress versions up to 21.0.8 contains a CSRF vulnerability that allows attackers to bypass nonce verification through a manipulated parameter, enabling SQL injection attacks to extract database contents. An unauthenticated attacker can exploit this by tricking a site administrator into clicking a malicious link, potentially compromising sensitive information stored in the WordPress database. No patch is currently available for affected installations.

WordPress SQLi CSRF
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-26057 MEDIUM PATCH This Month

Skill Scanner versions 1.0.1 and earlier expose an unauthenticated API endpoint due to improper interface binding, allowing remote attackers to trigger memory exhaustion or upload arbitrary files to the affected system. An attacker can exploit this without authentication by sending crafted API requests to the exposed server. A patch is available to address this network-accessible vulnerability.

Denial Of Service AI / ML Skill Scanner
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-1461 MEDIUM This Month

Simple Membership (WordPress plugin) versions up to 4.7.0 contains a security vulnerability (CVSS 6.5).

WordPress React
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-11725 MEDIUM This Month

Aruba HiSpeed Cache (WordPress plugin) versions up to 3.0.2. is affected by missing authorization (CVSS 6.5).

WordPress PHP
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-26361 MEDIUM This Month

Dell Unisphere for PowerMax 10.2 contains a file path control vulnerability that allows authenticated remote attackers to disclose sensitive information. The vulnerability requires low-privileged credentials and network access but no user interaction, making it accessible to internal threats or compromised accounts. Currently no patch is available to remediate this issue.

Information Disclosure Unisphere For Powermax
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-23545 MEDIUM This Month

Aruba.it Dev Aruba HiSpeed Cache aruba-hispeed-cache is affected by missing authorization (CVSS 6.5).

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-27440 MEDIUM This Month

Stored cross-site scripting in myCred versions up to 2.9.7.6 allows authenticated attackers to inject malicious scripts that execute in other users' browsers when viewing affected pages. An attacker with login credentials can leverage the vulnerability to steal session tokens, deface content, or perform actions on behalf of victims. No patch is currently available for this vulnerability.

XSS
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
Prev Page 3 of 8 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy