Skip to main content
CVE-2026-25411 MEDIUM This Month

themastercut Revision Manager TMC revision-manager-tmc is affected by cross-site request forgery (csrf) (CVSS 4.3).

CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-25319 MEDIUM This Month

wpzita Zita Elementor Site Library zita-site-library is affected by cross-site request forgery (csrf) (CVSS 4.3).

CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-12172 MEDIUM This Month

Mailchimp List Subscribe Form (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).

WordPress CSRF PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-1455 MEDIUM This Month

Whatsiplus Scheduled Notification for Woocommerce (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).

WordPress CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-14167 MEDIUM This Month

The Remove Post Type Slug plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.2. This is due to incorrect nonce validation logic that uses OR (||) instead of AND (&&), causing the validation to fail when the nonce field is not empty OR when verification fails, rather than when it's empty AND verification fails. This makes it possible for unauthenticated attackers to modify the plugin's post type slug removal settings via a forged request ...

WordPress CSRF PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-13438 MEDIUM This Month

The Page Title, Description & Open Graph Updater plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.02. This is due to missing nonce validation on multiple AJAX actions including dieno_update_page_title. [CVSS 4.3 MEDIUM]

WordPress CSRF PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-13413 MEDIUM This Month

Country Blocker for AdSense (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).

WordPress CSRF PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-26326 MEDIUM PATCH This Month

OpenClaw versions prior to 2026.2.14 expose sensitive configuration secrets through the skills.status endpoint to clients with operator.read privileges, allowing authenticated attackers to retrieve raw credential values including Discord tokens. The vulnerability affects AI/ML deployments where read-scoped access is intended to be non-sensitive; affected users should upgrade to version 2026.2.14 or later and rotate any exposed Discord tokens.

Information Disclosure AI / ML Openclaw
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-2733 LOW Monitor

A flaw was identified in the Docker v2 authentication endpoint of Keycloak, where tokens continue to be issued even after a Docker registry client has been administratively disabled. This means that turning the client “Enabled” setting to OFF does not fully prevent access. [CVSS 3.8 LOW]

Docker
NVD
CVSS 3.1
3.8
EPSS
0.1%
CVE-2026-25423 LOW Monitor

creativeinteractivemedia Real 3D FlipBook real3d-flipbook-lite is affected by missing authorization (CVSS 3.8).

Authentication Bypass
NVD
CVSS 3.1
3.8
EPSS
0.0%
CVE-2026-2711 LOW Monitor

Server-side request forgery (SSRF) in worldquant-miner up to version 1.0.9 allows remote attackers to manipulate the make_request parameter in the URL handler component, enabling them to forge requests to internal systems or arbitrary destinations. Public exploit code exists for this vulnerability, though exploitation requires high complexity conditions. The vendor has not yet released a patch despite early notification.

SSRF
NVD GitHub VulDB
CVSS 4.0
2.9
EPSS
0.1%
CVE-2025-14270 LOW Monitor

OneClick Chat to Order (WordPress plugin) versions up to 1.0.9. is affected by missing authorization (CVSS 2.7).

WordPress PHP
NVD
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-2709 LOW Monitor

A flaw has been found in busy versions up to 2.5.5. is affected by url redirection to untrusted site (open redirect) (CVSS 3.5).

Open Redirect
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-2702 LOW Monitor

A security flaw has been discovered in Beetel 777VR1 up to 01.00.09. This issue affects some unknown processing of the component WPA2 PSK. Performing a manipulation results in hard-coded credentials. The attacker must have access to the local network to execute the attack. The complexity of an attack is rather high. The exploitability is assessed as difficult. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did ...

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
1.3
EPSS
0.0%
CVE-2025-40697 This Week

Reflected Cross-Site Scripting (XSS) vulnerability in '/index.php' in Lewe WebMeasure, which allows remote attackers to execute arbitrary code through the 'page' parameter.

PHP XSS
NVD
EPSS
0.4%
CVE-2026-2731 Monitor

Path traversal and content injection in JobRunnerBackground.aspx in DynamicWeb 8 (all) and 9 (<9.19.7 and <9.20.3) allows unauthenticated attackers to execute code via simple web requests

Path Traversal
NVD
EPSS
0.2%
CVE-2026-2274 This Week

A SSRF and Arbitrary File Read vulnerability in AppSheet Core in Google AppSheet versions up to 2025-11 is affected by server-side request forgery (ssrf).

Google SSRF
NVD
EPSS
0.1%
CVE-2026-26205 PATCH This Week

opa-envoy-plugun is a plugin to enforce OPA policies with Envoy. Versions prior to 1.13.2-envoy-2 have a vulnerability in how the `input.parsed_path` field is constructed. HTTP request paths are treated as full URIs when parsed; interpreting leading path segments prefixed with double slashes (`//`) as authority components, and therefore dropping them from the parsed path. This creates a path in...

Authentication Bypass
NVD GitHub
EPSS
0.1%
CVE-2025-15586 This Week

OGP-Website installs prior git commit 52f865a4fba763594453068acf8fa9e3fc38d663 are affected by a type juggling flaw which if exploited can result in authentication bypass without knowledge of the victim account's password.

Authentication Bypass
NVD GitHub
EPSS
0.1%
CVE-2026-26063 PATCH Monitor

CediPay is a crypto-to-fiat app for the Ghanaian market. A vulnerability in CediPay prior to version 1.2.3 allows attackers to bypass input validation in the transaction API. The issue has been fixed in version 1.2.3. If upgrading is not immediately possible, restrict API access to trusted networks or IP ranges; enforce strict input validation at the application layer; and/or monitor transaction logs for anomalies or suspicious activity. These mitigations reduce exposure but do not fully elim...

Code Injection
NVD GitHub
EPSS
0.1%
CVE-2026-26958 PATCH Monitor

filippo.io/edwards25519 is a Go library implementing the edwards25519 elliptic curve with APIs for building cryptographic primitives. In versions 1.1.0 and earlier, MultiScalarMult produces invalid results or undefined behavior if the receiver is not the identity point.

Golang MySQL Github
NVD GitHub
EPSS
0.1%
CVE-2026-2409 This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Delinea Cloud Suite allows Argument Injection.This issue affects Cloud Suite: before 25.2 HF1.

SQLi
NVD
EPSS
0.0%
CVE-2025-15585 This Week

Fileflows versions before 25.05.2 are affected by an authenticated SQL injection vulnerability in the library-file search function. Successful exploitation requires the system to use MySQL as the underlying database and could result in privilege escalation or data exfiltration.

MySQL SQLi Privilege Escalation
NVD
EPSS
0.0%
CVE-2025-41023 This Week

An authentication bypass vulnerability has been found in Thesamur's AutoGPT. This vulnerability allows an attacker to bypass authentication mechanisms.

Authentication Bypass
NVD
EPSS
0.0%
CVE-2026-2738 Monitor

Buffer overflow in ovpn‑dco‑win version 2.8.0 allows local attackers to cause a system crash by sending too large packets to the remote peer when the AEAD tag appears at the end of the encrypted packet

Buffer Overflow Denial Of Service
NVD
EPSS
0.0%
CVE-2025-71250 Awaiting Data

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. No vendor patch available.

Information Disclosure
NVD
CVE-2025-71249 Awaiting Data

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. No vendor patch available.

Information Disclosure
NVD
CVE-2025-71248 Awaiting Data

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. No vendor patch available.

Information Disclosure
NVD
CVE-2025-71247 Awaiting Data

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. No vendor patch available.

Information Disclosure
NVD
CVE-2025-71246 Awaiting Data

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. No vendor patch available.

Information Disclosure
NVD
CVE-2025-71245 Awaiting Data

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. No vendor patch available.

Information Disclosure
NVD
Prev Page 8 of 8

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy