Auth bypass in GFI Archiver via MArc.Store missing authorization. EPSS 0.59%.
Auth bypass in GFI Archiver via MArc.Core missing authorization. EPSS 0.59%.
Code injection in WPForms Google Sheet Connector (gsheetconnector-wpforms) WordPress plugin allows arbitrary code execution.
Unrestricted file upload in Bravis Addons (bravis-addons) WordPress theme allows uploading web shells for remote code execution.
Unrestricted file upload in Wiguard (wiguard) WordPress theme allows uploading web shells for remote code execution.
RCE in Smanga 3.2.7 via command injection in /php/path/rescan.php. EPSS 0.29%.
Command injection in Owl OPDS 2.2.0.4. EPSS 0.29%.
Command injection in Owl OPDS 2.2.0.4 — duplicate of CVE-2026-26093.
Code inclusion from untrusted source in Slyde presentation tool 0.0.4 and below. Automatically imports plugin files. Patch available.
Blank admin credentials allowed in device web management. Admin can set empty password, making device fully accessible.
Configuration injection in OpenClaw Docker sandbox before 2026.2.15 allows escaping sandbox restrictions. Patch available.
leafcolor Applay - Shortcodes applay-shortcodes is affected by deserialization of untrusted data (CVSS 8.8).
Deserialization of untrusted data in Lorem Ipsum Books & Media (lorem-ipsum-books-media-store) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Deserialization of untrusted data in Extreme Store (extremestore) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Deserialization of untrusted data in Themesflat Elementor (themesflat-elementor) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Deserialization of untrusted data in SevenHills (sevenhills) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Deserialization of untrusted data in KindlyCare (kindlycare) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Deserialization of untrusted data in Capella (capella) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Deserialization of untrusted data in Prestige (prestige) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Deserialization of untrusted data in PhotoMe (photome) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Deserialization of untrusted data in Ippsum (ippsum) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Deserialization of untrusted data in Travelicious (travelicious) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Deserialization of untrusted data in Nestin (nestin) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Deserialization of untrusted data in PatioTime (patiotime) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Missing authentication in Acronis Cyber Protect Cloud Agent (Linux, Windows, macOS).
OpenClaw versions prior to 2026.2.15 contain a stored XSS vulnerability in the Control UI where unsanitized assistant identity values (name/avatar) are injected into inline script tags, allowing authenticated attackers with high privileges to break out of the script context and execute arbitrary JavaScript. Public exploit code exists for this vulnerability. The issue has been remediated in version 2026.2.15 through removal of inline scripts and implementation of a restrictive Content Security Policy.
SQL injection in SourceCodester Simple Responsive Tourism Website 1.0 allows unauthenticated remote attackers to manipulate the Username parameter during registration, potentially enabling data exfiltration, modification, or denial of service. Public exploit code exists for this vulnerability, and no patch is currently available.
A weakness has been identified in Fujian Smart Integrated Management Platform System versions up to 7.5. contains a security vulnerability (CVSS 7.3).
SQL injection in Fujitsu Smart Integrated Management Platform System version 7.5 and earlier allows unauthenticated remote attackers to execute arbitrary SQL queries via the DeviceIDS parameter in the XAccessPermissionPlus.ashx endpoint. Public exploit code exists for this vulnerability, enabling potential database compromise and unauthorized data access. No patch is currently available.
Auth bypass in Smanga 3.2.7 allows unauthenticated password reset for any user including admin.
OpenSourcePOS 3.4.1 allows authenticated attackers to execute arbitrary SQL commands through unsanitized concatenation of the currency_symbol configuration parameter into dynamic database queries. An attacker with administrative privileges can exploit this second-order SQL injection to access or manipulate sensitive data. Public exploit code exists for this vulnerability, and no patch is currently available.
Blind SQL injection in Download Manager Addons for Elementor (download-manager-addons-for-elementor) WordPress theme/plugin core allows data extraction from the database.
Blind SQL injection in Emerce Core (emerce-core) WordPress theme/plugin core allows data extraction from the database.
Blind SQL injection in Uroan Core (uroan-core) WordPress theme/plugin core allows data extraction from the database.
Blind SQL injection in Wolmart Core (wolmart-core) WordPress theme/plugin core allows data extraction from the database.
Blind SQL injection in Woodly Core (woodly-core) WordPress theme/plugin core allows data extraction from the database.
Blind SQL injection in Saasplate Core (saasplate-core) WordPress theme/plugin core allows data extraction from the database.
Blind SQL injection in Nestbyte Core (nestbyte-core) WordPress theme/plugin core allows data extraction from the database.
Blind SQL injection in Medinik Core (medinik-core) WordPress theme/plugin core allows data extraction from the database.
Blind SQL injection in Electio Core (electio-core) WordPress theme/plugin core allows data extraction from the database.
Blind SQL injection in Crete Core (crete-core) WordPress theme/plugin core allows data extraction from the database.
Blind SQL injection in Allmart (allmart-core) WordPress theme/plugin core allows data extraction from the database.
Blind SQL injection in Coven Core (coven-core) WordPress theme/plugin core allows data extraction from the database.
Remote code execution in Nagios Xi's monitoringwizard module allows authenticated attackers to execute arbitrary commands through insufficient input validation in system calls. An attacker with valid credentials can exploit this command injection vulnerability to gain code execution with service account privileges on affected installations. No patch is currently available for this high-severity vulnerability.
Nagios Xi for iOS is vulnerable to command injection in the zabbixagent_configwizard_func method due to insufficient input validation, allowing authenticated attackers to execute arbitrary code with service account privileges. The vulnerability requires valid credentials but no user interaction to exploit, and no patch is currently available. Exploitation could grant attackers full system access on affected Nagios installations.
Remote code execution in Nagios Xi through command injection in the esensors_websensor_configwizard_func method allows authenticated attackers to execute arbitrary commands with service account privileges. The vulnerability stems from insufficient input validation on user-supplied parameters passed to system calls. With a CVSS score of 8.8 and no patch currently available, this poses a significant risk to authenticated users of affected Nagios installations.
Unsafe deserialization in GFI Archiver's MArc.Core.Remoting service (port 8017) enables authenticated remote attackers to achieve unauthenticated remote code execution with SYSTEM privileges, despite the authentication requirement being bypassable. The vulnerability stems from insufficient validation of untrusted data during the deserialization process, allowing arbitrary code execution on affected systems. No patch is currently available.
Remote code execution in GFI Archiver's MArc.Store.Remoting.exe component stems from unsafe deserialization of untrusted data, allowing authenticated attackers to execute arbitrary code with SYSTEM privileges despite the authentication requirement being bypassable. The vulnerability affects the deserialization and archiver products due to insufficient validation of user-supplied input, enabling full system compromise. No patch is currently available.
Remote code execution in GIMP 3.0.6 allows attackers to run arbitrary code by tricking a user into opening a malicious PGM (Portable Gray Map) image file or visiting a page that delivers one. The PGM parser accesses memory before it is properly initialized (CWE-908), letting a crafted file corrupt program state and hijack execution in the context of the current user. Discovered and reported via Trend Micro's Zero Day Initiative (ZDI-26-118 / ZDI-CAN-28158); no public exploit identified at time of analysis and EPSS exploitation probability is low (0.06%, 20th percentile).