Skip to main content
CVE-2026-2039 CRITICAL Act Now

Auth bypass in GFI Archiver via MArc.Store missing authorization. EPSS 0.59%.

Authentication Bypass Archiver
NVD
CVSS 3.1
9.8
EPSS
0.6%
CVE-2026-2038 CRITICAL Act Now

Auth bypass in GFI Archiver via MArc.Core missing authorization. EPSS 0.59%.

Authentication Bypass Archiver
NVD
CVSS 3.1
9.8
EPSS
0.6%
CVE-2025-67979 CRITICAL Act Now

Code injection in WPForms Google Sheet Connector (gsheetconnector-wpforms) WordPress plugin allows arbitrary code execution.

Code Injection
NVD
CVSS 3.1
9.9
EPSS
0.1%
CVE-2025-69403 CRITICAL Act Now

Unrestricted file upload in Bravis Addons (bravis-addons) WordPress theme allows uploading web shells for remote code execution.

File Upload
NVD
CVSS 3.1
9.9
EPSS
0.0%
CVE-2025-68549 CRITICAL Act Now

Unrestricted file upload in Wiguard (wiguard) WordPress theme allows uploading web shells for remote code execution.

WordPress PHP RCE
NVD
CVSS 3.1
9.9
EPSS
0.0%
CVE-2025-70831 CRITICAL Act Now

RCE in Smanga 3.2.7 via command injection in /php/path/rescan.php. EPSS 0.29%.

PHP RCE Smanga
NVD GitHub
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-26093 CRITICAL Act Now

Command injection in Owl OPDS 2.2.0.4. EPSS 0.29%.

Command Injection Opds Talon
NVD
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-2333 CRITICAL Act Now

Command injection in Owl OPDS 2.2.0.4 — duplicate of CVE-2026-26093.

Command Injection Opds Talon
NVD
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-26974 CRITICAL PATCH Act Now

Code inclusion from untrusted source in Slyde presentation tool 0.0.4 and below. Automatically imports plugin files. Patch available.

Node.js Slyde
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-25715 CRITICAL Act Now

Blank admin credentials allowed in device web management. Admin can set empty password, making device fully accessible.

Information Disclosure
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-27002 CRITICAL PATCH Act Now

Configuration injection in OpenClaw Docker sandbox before 2026.2.15 allows escaping sandbox restrictions. Patch available.

.NET Docker DNS AI / ML Openclaw
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-22384 CRITICAL Act Now

leafcolor Applay - Shortcodes applay-shortcodes is affected by deserialization of untrusted data (CVSS 8.8).

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-69405 CRITICAL Act Now

Deserialization of untrusted data in Lorem Ipsum Books & Media (lorem-ipsum-books-media-store) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-69404 CRITICAL Act Now

Deserialization of untrusted data in Extreme Store (extremestore) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-69382 CRITICAL Act Now

Deserialization of untrusted data in Themesflat Elementor (themesflat-elementor) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-69372 CRITICAL Act Now

Deserialization of untrusted data in SevenHills (sevenhills) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-69371 CRITICAL Act Now

Deserialization of untrusted data in KindlyCare (kindlycare) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-69370 CRITICAL Act Now

Deserialization of untrusted data in Capella (capella) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-69329 CRITICAL Act Now

Deserialization of untrusted data in Prestige (prestige) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-69301 CRITICAL Act Now

Deserialization of untrusted data in PhotoMe (photome) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-68541 CRITICAL Act Now

Deserialization of untrusted data in Ippsum (ippsum) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-67997 CRITICAL Act Now

Deserialization of untrusted data in Travelicious (travelicious) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-67996 CRITICAL Act Now

Deserialization of untrusted data in Nestin (nestin) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-67995 CRITICAL Act Now

Deserialization of untrusted data in PatioTime (patiotime) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-10970 CRITICAL Act Now

SQL injection in Kolay Software Talentics.

SQLi
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2025-30410 CRITICAL Act Now

Missing authentication in Acronis Cyber Protect Cloud Agent (Linux, Windows, macOS).

Linux Windows macOS
NVD
CVSS 3.0
9.8
EPSS
0.0%
CVE-2026-27009 MEDIUM POC PATCH This Month

OpenClaw versions prior to 2026.2.15 contain a stored XSS vulnerability in the Control UI where unsanitized assistant identity values (name/avatar) are injected into inline script tags, allowing authenticated attackers with high privileges to break out of the script context and execute arbitrary JavaScript. Public exploit code exists for this vulnerability. The issue has been remediated in version 2026.2.15 through removal of inline scripts and implementation of a restrictive Content Security Policy.

XSS AI / ML Openclaw
NVD GitHub
CVSS 3.1
5.8
EPSS
0.0%
CVE-2026-2848 MEDIUM POC This Month

SQL injection in SourceCodester Simple Responsive Tourism Website 1.0 allows unauthenticated remote attackers to manipulate the Username parameter during registration, potentially enabling data exfiltration, modification, or denial of service. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-2821 MEDIUM POC This Month

A weakness has been identified in Fujian Smart Integrated Management Platform System versions up to 7.5. contains a security vulnerability (CVSS 7.3).

SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-2820 MEDIUM POC This Month

SQL injection in Fujitsu Smart Integrated Management Platform System version 7.5 and earlier allows unauthenticated remote attackers to execute arbitrary SQL queries via the DeviceIDS parameter in the XAccessPermissionPlus.ashx endpoint. Public exploit code exists for this vulnerability, enabling potential database compromise and unauthorized data access. No patch is currently available.

SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-70833 CRITICAL Act Now

Auth bypass in Smanga 3.2.7 allows unauthenticated password reset for any user including admin.

PHP Authentication Bypass Smanga
NVD GitHub
CVSS 3.1
9.4
EPSS
0.1%
CVE-2026-26745 MEDIUM POC This Month

OpenSourcePOS 3.4.1 allows authenticated attackers to execute arbitrary SQL commands through unsanitized concatenation of the currency_symbol configuration parameter into dynamic database queries. An attacker with administrative privileges can exploit this second-order SQL injection to access or manipulate sensitive data. Public exploit code exists for this vulnerability, and no patch is currently available.

SQLi Open Source Point Of Sale
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-24956 CRITICAL Act Now

Blind SQL injection in Download Manager Addons for Elementor (download-manager-addons-for-elementor) WordPress theme/plugin core allows data extraction from the database.

SQLi
NVD
CVSS 3.1
9.3
EPSS
0.0%
CVE-2025-69366 CRITICAL Act Now

Blind SQL injection in Emerce Core (emerce-core) WordPress theme/plugin core allows data extraction from the database.

SQLi
NVD
CVSS 3.1
9.3
EPSS
0.0%
CVE-2025-69365 CRITICAL Act Now

Blind SQL injection in Uroan Core (uroan-core) WordPress theme/plugin core allows data extraction from the database.

SQLi
NVD
CVSS 3.1
9.3
EPSS
0.0%
CVE-2025-69337 CRITICAL Act Now

Blind SQL injection in Wolmart Core (wolmart-core) WordPress theme/plugin core allows data extraction from the database.

SQLi
NVD
CVSS 3.1
9.3
EPSS
0.0%
CVE-2025-69310 CRITICAL Act Now

Blind SQL injection in Woodly Core (woodly-core) WordPress theme/plugin core allows data extraction from the database.

SQLi
NVD
CVSS 3.1
9.3
EPSS
0.0%
CVE-2025-69309 CRITICAL Act Now

Blind SQL injection in Saasplate Core (saasplate-core) WordPress theme/plugin core allows data extraction from the database.

SQLi
NVD
CVSS 3.1
9.3
EPSS
0.0%
CVE-2025-69308 CRITICAL Act Now

Blind SQL injection in Nestbyte Core (nestbyte-core) WordPress theme/plugin core allows data extraction from the database.

SQLi
NVD
CVSS 3.1
9.3
EPSS
0.0%
CVE-2025-69307 CRITICAL Act Now

Blind SQL injection in Medinik Core (medinik-core) WordPress theme/plugin core allows data extraction from the database.

SQLi
NVD
CVSS 3.1
9.3
EPSS
0.0%
CVE-2025-69306 CRITICAL Act Now

Blind SQL injection in Electio Core (electio-core) WordPress theme/plugin core allows data extraction from the database.

SQLi
NVD
CVSS 3.1
9.3
EPSS
0.0%
CVE-2025-69305 CRITICAL Act Now

Blind SQL injection in Crete Core (crete-core) WordPress theme/plugin core allows data extraction from the database.

SQLi
NVD
CVSS 3.1
9.3
EPSS
0.0%
CVE-2025-69304 CRITICAL Act Now

Blind SQL injection in Allmart (allmart-core) WordPress theme/plugin core allows data extraction from the database.

SQLi
NVD
CVSS 3.1
9.3
EPSS
0.0%
CVE-2025-69295 CRITICAL Act Now

Blind SQL injection in Coven Core (coven-core) WordPress theme/plugin core allows data extraction from the database.

SQLi
NVD
CVSS 3.1
9.3
EPSS
0.0%
CVE-2026-2042 HIGH This Week

Remote code execution in Nagios Xi's monitoringwizard module allows authenticated attackers to execute arbitrary commands through insufficient input validation in system calls. An attacker with valid credentials can exploit this command injection vulnerability to gain code execution with service account privileges on affected installations. No patch is currently available for this high-severity vulnerability.

RCE Command Injection Nagios Xi
NVD
CVSS 3.1
8.8
EPSS
2.2%
CVE-2026-2041 HIGH This Week

Nagios Xi for iOS is vulnerable to command injection in the zabbixagent_configwizard_func method due to insufficient input validation, allowing authenticated attackers to execute arbitrary code with service account privileges. The vulnerability requires valid credentials but no user interaction to exploit, and no patch is currently available. Exploitation could grant attackers full system access on affected Nagios installations.

RCE Command Injection Nagios Xi
NVD
CVSS 3.1
8.8
EPSS
2.2%
CVE-2026-2043 HIGH This Week

Remote code execution in Nagios Xi through command injection in the esensors_websensor_configwizard_func method allows authenticated attackers to execute arbitrary commands with service account privileges. The vulnerability stems from insufficient input validation on user-supplied parameters passed to system calls. With a CVSS score of 8.8 and no patch currently available, this poses a significant risk to authenticated users of affected Nagios installations.

RCE Command Injection Nagios Xi
NVD
CVSS 3.1
8.8
EPSS
1.2%
CVE-2026-2037 HIGH This Week

Unsafe deserialization in GFI Archiver's MArc.Core.Remoting service (port 8017) enables authenticated remote attackers to achieve unauthenticated remote code execution with SYSTEM privileges, despite the authentication requirement being bypassable. The vulnerability stems from insufficient validation of untrusted data during the deserialization process, allowing arbitrary code execution on affected systems. No patch is currently available.

RCE Deserialization Archiver
NVD
CVSS 3.0
8.8
EPSS
1.0%
CVE-2026-2036 HIGH This Week

Remote code execution in GFI Archiver's MArc.Store.Remoting.exe component stems from unsafe deserialization of untrusted data, allowing authenticated attackers to execute arbitrary code with SYSTEM privileges despite the authentication requirement being bypassable. The vulnerability affects the deserialization and archiver products due to insufficient validation of user-supplied input, enabling full system compromise. No patch is currently available.

RCE Deserialization Archiver
NVD
CVSS 3.0
8.8
EPSS
1.0%
CVE-2026-2044 HIGH PATCH This Week

Remote code execution in GIMP 3.0.6 allows attackers to run arbitrary code by tricking a user into opening a malicious PGM (Portable Gray Map) image file or visiting a page that delivers one. The PGM parser accesses memory before it is properly initialized (CWE-908), letting a crafted file corrupt program state and hijack execution in the context of the current user. Discovered and reported via Trend Micro's Zero Day Initiative (ZDI-26-118 / ZDI-CAN-28158); no public exploit identified at time of analysis and EPSS exploitation probability is low (0.06%, 20th percentile).

RCE Gimp
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
Prev Page 2 of 8 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy