Skip to main content
CVE-2026-26223 MEDIUM This Month

Improper iframe sanitization in SPIP before 4.4.8 enables stored cross-site scripting attacks within the private administrative area, allowing attackers to execute arbitrary JavaScript in the context of backend users. An unauthenticated attacker can inject malicious iframe tags that bypass the application's security filters and execute in victims' browsers when they access the affected area. No patch is currently available and the built-in SPIP security screen does not mitigate this vulnerability.

XSS Spip
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-71241 MEDIUM This Month

SPIP before 4.3.6, 4.2.17, and 4.1.20 allows Cross-Site Scripting (XSS) in the private area. The content of the error message displayed by the 'transmettre' API is not properly sanitized, allowing an attacker to inject malicious scripts. [CVSS 6.1 MEDIUM]

XSS Spip
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-71244 MEDIUM This Month

Spip versions up to 4.4.5 is affected by url redirection to untrusted site (open redirect) (CVSS 6.1).

Open Redirect Spip
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-26189 MEDIUM PATCH This Month

Trivy Action versions 0.31.0 through 0.33.1 allow remote code execution on GitHub Actions runners due to insufficient input sanitization when constructing shell environment variable exports. An attacker with repository access can inject shell metacharacters through action inputs to achieve arbitrary command execution in the runner context. The vulnerability requires high privileges to exploit and is addressed in version 0.34.0.

Docker Github Command Injection Trivy Action
NVD GitHub
CVSS 3.1
5.9
EPSS
0.1%
CVE-2026-27360 MEDIUM This Month

Stored XSS in 10Web Photo Gallery through version 1.8.37 enables authenticated users with high privileges to inject malicious scripts that execute in victims' browsers when they view affected pages. The vulnerability requires user interaction to trigger but can compromise confidentiality, integrity, and availability across different security contexts. No patch is currently available.

XSS
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-25362 MEDIUM This Month

Stored XSS in FooGallery through version 3.1.11 allows authenticated users with high privileges to inject malicious scripts that execute in other users' browsers when viewing gallery content. An attacker with administrative or elevated access could leverage this vulnerability to steal session tokens, modify gallery data, or redirect users to malicious sites. A patch is not currently available for affected installations.

XSS
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-25343 MEDIUM This Month

DOM-based cross-site scripting in VeronaLabs WP SMS plugin version 7.1 and earlier for WordPress allows authenticated attackers with high privileges to execute arbitrary JavaScript in users' browsers through improper input handling. An attacker could exploit this vulnerability to steal session cookies, perform unauthorized actions on behalf of users, or deface web pages. No patch is currently available for this vulnerability.

WordPress XSS
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-24392 MEDIUM This Month

Stored XSS in HurryTimer through version 2.14.2 enables authenticated attackers with high privileges to inject malicious scripts that execute in other users' browsers, potentially compromising session data or performing unauthorized actions. The vulnerability requires user interaction to trigger but can affect multiple users due to its persistent nature. No patch is currently available.

XSS
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-25004 MEDIUM This Month

CreativeMindsSolutions CM Business Directory cm-business-directory is affected by cross-site scripting (xss) (CVSS 4.8).

XSS
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-25385 MEDIUM This Month

KaizenCoders URL Shortify versions up to 1.12.3 contain a server-side request forgery vulnerability that allows high-privileged attackers to make arbitrary HTTP requests from the affected server without user interaction. An authenticated attacker could exploit this flaw to access internal resources, interact with backend services, or perform reconnaissance on the internal network. No patch is currently available for this vulnerability.

SSRF
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-26952 MEDIUM PATCH This Month

Pi-hole Admin Interface versions 6.4 and below allow authenticated administrators to inject stored HTML code through improperly sanitized DNS record inputs, enabling persistent attacks visible to any user viewing the DNS records table. The vulnerability exists in the populateDataTable() function which fails to escape special characters in user-supplied data before inserting it into HTML attributes. An attacker with admin privileges can inject malicious code that executes each time the DNS records page is accessed.

DNS Web Interface
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-25739 MEDIUM PATCH This Month

Cross-site scripting in Indico prior to version 3.3.10 allows authenticated users to inject malicious scripts through material file uploads, potentially compromising other users' sessions or stealing sensitive data. The vulnerability affects Indico deployments using Flask-Multipass authentication and requires both user interaction and authenticated access to exploit. A patch is available, and administrators should upgrade to version 3.3.10 and update webserver configurations to enforce strict Content Security Policy for file downloads.

Nginx Github Flask XSS Indico
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-27387 MEDIUM This Month

Improper access control in designinvento DirectoryPress up to version 3.6.26 allows authenticated users to modify data and cause service disruptions through misconfigured security levels. An attacker with valid credentials can exploit this vulnerability to manipulate application integrity and availability without requiring user interaction. No patch is currently available for this medium-severity vulnerability.

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-25473 MEDIUM This Month

AA-Team WZone through version 14.0.31 contains a missing authorization vulnerability that allows authenticated users to bypass access control restrictions. An attacker with valid credentials could exploit this misconfiguration to modify data or cause service unavailability. No patch is currently available for this issue.

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-25391 MEDIUM This Month

WP Wand AI Content Generation plugin for WordPress versions up to 1.3.07 contains an authorization bypass that allows authenticated users to modify or disable plugin functionality through improper access control enforcement. An attacker with user-level credentials can exploit this vulnerability to cause service disruption or data integrity issues. No patch is currently available.

Authentication Bypass WordPress AI / ML
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-25388 MEDIUM This Month

Inadequate access control in scripteo Ads Pro plugin version 5.0 and earlier enables authenticated attackers to modify data and cause service disruptions through misconfigured security levels. An attacker with valid credentials can exploit this vulnerability to bypass authorization checks and alter plugin functionality without administrative privileges. No patch is currently available.

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-25311 MEDIUM This Month

Improper access control in 10up Autoshare for Twitter through version 2.3.1 enables authenticated users to modify or disable sharing functionality without proper authorization checks. An attacker with limited privileges could exploit this vulnerability to disrupt social media publishing workflows or cause service unavailability for legitimate users. No patch is currently available for this medium-severity vulnerability.

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-23804 MEDIUM This Month

BBR Plugins Better Business Reviews better-business-reviews is affected by missing authorization (CVSS 5.4).

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-2284 MEDIUM This Month

Complete data destruction in WordPress via the News Element Elementor Blog Magazine plugin (versions up to 1.0.8) due to insufficient authorization checks on an AJAX function, allowing authenticated users with Subscriber-level privileges to truncate core database tables and delete the uploads directory. The vulnerability requires user authentication but no additional interaction, making it exploitable by any low-privileged WordPress user with no patch currently available.

WordPress
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-23619 MEDIUM This Month

GFI MailEssentials AI versions before 22.4 contain a stored XSS vulnerability in the Local Domains settings page that allows authenticated users to inject malicious scripts into the txtDescription parameter, which are then executed when administrators view the management interface. An attacker with valid credentials can exploit this to perform actions as a logged-in administrator or steal sensitive information from the management console. No patch is currently available for this vulnerability.

XSS Mailessentials
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-23618 MEDIUM This Month

Stored cross-site scripting in GFI MailEssentials AI before version 22.4 allows authenticated users to inject malicious JavaScript through the Spam Keyword Checking interface, which executes when administrators access the management console. An attacker with valid credentials can exploit this to steal session tokens, modify security policies, or perform actions on behalf of logged-in administrators. No patch is currently available for this vulnerability.

XSS Mailessentials
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-23617 MEDIUM This Month

GFI MailEssentials AI prior to version 22.4 is vulnerable to stored cross-site scripting in the Spam Keyword Checking interface, where authenticated users can inject malicious scripts that execute when administrators access the management console. An attacker with valid credentials can leverage this to perform actions on behalf of logged-in users or steal session information, affecting organizations using vulnerable versions of the product.

XSS Mailessentials
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-23616 MEDIUM This Month

Stored cross-site scripting in GFI MailEssentials AI before version 22.4 allows authenticated users to inject malicious scripts into the Anti-Spoofing configuration page, which execute when administrators view the management interface. An attacker with valid credentials can exploit the TxtSmtpDesc parameter to compromise other authenticated users through arbitrary JavaScript execution. No patch is currently available for this medium-severity vulnerability.

XSS Mailessentials
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-23615 MEDIUM This Month

Stored XSS in GFI MailEssentials AI versions before 22.4 allows authenticated users to inject malicious scripts into the Sender Policy Framework Email Exceptions interface that execute when administrators view the management console. An attacker with valid credentials can inject HTML/JavaScript through the email description parameter, compromising other logged-in users' sessions.

XSS Mailessentials
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-23614 MEDIUM This Month

GFI MailEssentials AI before version 22.4 contains a stored cross-site scripting vulnerability in the Sender Policy Framework configuration interface that allows authenticated users to inject malicious scripts into IP description fields. An attacker with valid credentials can execute arbitrary JavaScript in the context of administrators accessing the management interface, potentially compromising administrative sessions. No patch is currently available for this vulnerability.

XSS Mailessentials
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-23613 MEDIUM This Month

GFI MailEssentials AI prior to version 22.4 allows authenticated users to inject malicious scripts into the URI DNS Blocklist configuration page, which are stored and executed when administrators access the management interface. An attacker with valid credentials can exploit the unsanitized ctl00$ContentPlaceHolder1$pv1$TXB_URIs parameter to perform actions in the context of logged-in users, such as stealing session tokens or modifying security settings. No patch is currently available for this stored cross-site scripting vulnerability.

DNS XSS Mailessentials
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-23612 MEDIUM This Month

Stored cross-site scripting in GFI MailEssentials AI versions before 22.4 allows authenticated users to inject malicious scripts into the IP DNS Blocklist configuration page that execute when administrators access the management interface. An attacker with valid credentials can inject HTML/JavaScript through the IP configuration parameter to compromise other authenticated users' sessions. No patch is currently available for this vulnerability.

DNS XSS Mailessentials
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-23611 MEDIUM This Month

GFI MailEssentials AI versions before 22.4 contain a stored cross-site scripting vulnerability in the IP Blocklist management page that allows authenticated users to inject malicious scripts into the IP description field, which are executed when administrators view the management interface. An attacker with valid credentials can exploit this to hijack administrator sessions or perform unauthorized actions with their privileges. Currently, no patch is available and the vulnerability requires user interaction to trigger.

XSS Mailessentials
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-23610 MEDIUM This Month

GFI MailEssentials AI versions before 22.4 contain a stored cross-site scripting vulnerability in the POP2Exchange configuration endpoint that allows authenticated users to inject malicious scripts through the POP3 server login field. An attacker with valid credentials can execute arbitrary JavaScript in the context of administrators viewing the management interface, potentially compromising administrative sessions. No patch is currently available for this vulnerability.

XSS Mailessentials
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-23609 MEDIUM This Month

GFI MailEssentials AI versions before 22.4 contain a stored cross-site scripting vulnerability in the Perimeter SMTP Servers configuration page that allows authenticated users to inject malicious scripts into the management interface. An attacker with valid credentials can execute arbitrary JavaScript in the context of other logged-in administrators by manipulating the description parameter. No patch is currently available for this vulnerability.

XSS Mailessentials
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-23608 MEDIUM This Month

GFI MailEssentials AI prior to version 22.4 contains a stored cross-site scripting vulnerability in the Mail Monitoring rule creation endpoint that allows authenticated users to inject malicious JavaScript through the rule name field. When an administrator views the affected rules in the management interface, the stored script executes in their browser session, potentially enabling session hijacking or unauthorized administrative actions. No patch is currently available for this vulnerability.

XSS Mailessentials
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-23607 MEDIUM This Month

GFI MailEssentials AI prior to version 22.4 contains a stored XSS vulnerability in the Anti-Spam Whitelist management interface that allows authenticated users to inject malicious scripts through the description field. An attacker with valid credentials can craft payloads that execute in the browser context of other administrators accessing the management console, potentially compromising administrative sessions. No patch is currently available for this vulnerability.

XSS Mailessentials
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-23606 MEDIUM This Month

GFI MailEssentials AI prior to version 22.4 contains a stored cross-site scripting vulnerability in the Advanced Content Filtering rule creation feature that allows authenticated users to inject malicious scripts into rule names, which are later executed in the browsers of administrators viewing the management interface. An attacker with valid credentials can exploit this to perform actions as a logged-in administrator, including potential unauthorized configuration changes or credential theft. No patch is currently available for this vulnerability.

XSS Mailessentials
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-23605 MEDIUM This Month

GFI MailEssentials AI versions before 22.4 contain a stored cross-site scripting vulnerability in the Attachment Filtering rule creation feature that allows authenticated users to inject malicious scripts into rule names, which execute when administrators access the management interface. An attacker with valid credentials can exploit this to perform actions on behalf of logged-in administrators or steal sensitive information from the management dashboard. No patch is currently available for this medium-severity vulnerability.

XSS Mailessentials
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-23604 MEDIUM This Month

Stored cross-site scripting in GFI MailEssentials AI versions before 22.4 allows authenticated users to inject malicious JavaScript into the Keyword Filtering rule creation interface, which executes when administrators view the management console. An attacker with valid credentials can compromise other users' sessions and perform unauthorized actions within the MailEssentials application. No patch is currently available for this vulnerability.

XSS Mailessentials
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-26345 MEDIUM This Month

Stored XSS in SPIP before 4.4.8 allows authenticated users with content-editing privileges to inject malicious scripts through inadequate sanitization in the echapper_html_suspect() function, which then execute in the browsers of other users including administrators. Attackers can exploit this vulnerability to perform unauthorized actions and modify application state within the security context of victim users. No patch is currently available.

XSS Spip
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-71240 MEDIUM This Month

SPIP before 4.2.15 allows Cross-Site Scripting (XSS) via crafted content in HTML code tags. The application does not properly verify JavaScript within code tags, allowing an attacker to inject malicious scripts that execute in a victim's browser. [CVSS 5.4 MEDIUM]

XSS Spip
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-2735 MEDIUM This Month

Stored XSS in OpenCms v18.0 allows authenticated attackers to inject malicious scripts through the 'text' parameter in blog article creation requests, which execute in other users' browsers when they view the affected content. The vulnerability requires user interaction and results in limited impact to confidentiality and integrity, but currently has no available patch.

XSS Opencms
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-27050 MEDIUM This Month

ThimPress RealPress versions up to 1.1.0 are vulnerable to cross-site request forgery attacks that could allow attackers to perform unauthorized actions on behalf of authenticated users. An attacker can exploit this vulnerability by tricking users into visiting a malicious webpage, resulting in integrity and availability impacts. No patch is currently available for this vulnerability.

CSRF
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-25422 MEDIUM This Month

Themes4WP Popularis Extra popularis-extra is affected by cross-site request forgery (csrf) (CVSS 5.4).

CSRF
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-25337 MEDIUM This Month

Coachify versions 1.1.5 and earlier contain a cross-site request forgery vulnerability that allows unauthenticated attackers to perform unintended actions on behalf of authenticated users through crafted requests. An attacker can leverage this to modify user data or trigger unwanted functionality with user interaction. No patch is currently available for this vulnerability.

CSRF
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-25322 MEDIUM This Month

PublishPress PublishPress Revisions revisionary is affected by cross-site request forgery (csrf) (CVSS 5.4).

CSRF
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-2681 MEDIUM This Month

The blst cryptographic library is vulnerable to an out-of-bounds stack write in the blst_sha256_bcopy routine when processing zero-length salt parameters in key generation functions, allowing remote attackers to trigger memory corruption and process crashes. Applications that expose blst_keygen_v5() or similar functions to untrusted input are susceptible to denial-of-service attacks. No patch is currently available for this vulnerability.

Memory Corruption Red Hat
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-14294 MEDIUM This Month

The Razorpay for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the getCouponList() function in all versions up to, and including, 4.7.8. This is due to the checkAuthCredentials() permission callback always returning true, providing no actual authentication. This makes it possible for unauthenticated attackers to modify the billing and shipping contact information (email and phone) of any WooCommerce order by knowing or...

WordPress PHP
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-13864 MEDIUM This Month

The Breeze - WordPress Cache Plugin plugin for WordPress is vulnerable to unauthorized cache clearing in all versions up to, and including, 2.2.21. This is due to the REST API endpoint `/wp-json/breeze/v1/clear-all-cache` being registered with `permission_callback => '__return_true'` and authentication being disabled by default when the API is enabled. This makes it possible for unauthenticated attackers to clear all site caches (page cache, Varnish, and Cloudflare) via a simple POST request,...

WordPress PHP
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-12500 MEDIUM This Month

The Checkout Field Manager (Checkout Manager) for WooCommerce plugin for WordPress is vulnerable to unauthenticated limited file upload in all versions up to, and including, 7.8.1. This is due to the plugin not properly verifying that a user is authorized to perform file upload actions via the "ajax_checkout_attachment_upload" function. This makes it possible for unauthenticated attackers to upload files to the server, though file types are limited to WordPress's default allowed MIME types (i...

WordPress PHP
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-13079 MEDIUM This Month

mobile friendly marketing popups. versions up to 4.4.2. contains a security vulnerability (CVSS 5.3).

WordPress PHP
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-13930 MEDIUM This Month

The Checkout Field Manager (Checkout Manager) for WooCommerce plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 7.8.5. [CVSS 5.3 MEDIUM]

WordPress PHP
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-25006 MEDIUM This Month

XStore versions 9.6.4 and earlier fail to properly sanitize HTML script tags, enabling attackers to inject malicious code that executes in users' browsers. This stored or reflected cross-site scripting vulnerability requires no authentication or user interaction, allowing attackers to steal session tokens, deface content, or redirect users to malicious sites. No patch is currently available, leaving affected installations vulnerable.

XSS
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-22422 MEDIUM This Month

Everest Forms through version 3.4.1 fails to properly sanitize HTML script tags, enabling unauthenticated attackers to inject malicious code and compromise site integrity. The vulnerability allows attackers to perform code injection attacks without authentication or user interaction, potentially leading to data theft or malware distribution. No patch is currently available for this vulnerability.

Code Injection
NVD
CVSS 3.1
5.3
EPSS
0.1%
Prev Page 3 of 6 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy