Skip to main content
CVE-2026-27022 MEDIUM PATCH This Month

Query injection in @langchain/langgraph-checkpoint-redis allows authenticated users to manipulate RediSearch filter logic by injecting special syntax characters into user-provided keys and values, potentially bypassing access controls. An attacker with valid credentials could craft malicious filter parameters to alter query behavior and access unintended data. The vulnerability affects LangGraph checkpoint implementations using Redis storage and is fixed in version 1.0.2.

Redis AI / ML Langchain
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-69011 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPKube Cool Tag Cloud cool-tag-cloud allows Stored XSS.This issue affects Cool Tag Cloud: from n/a through <= 2.29. [CVSS 6.5 MEDIUM]

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-69388 MEDIUM This Month

Missing Authorization vulnerability in cliengo Cliengo - Chatbot cliengo allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Cliengo - Chatbot: from n/a through <= 3.0.4. [CVSS 6.5 MEDIUM]

Golang AI / ML
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-69385 MEDIUM This Month

AgniHD Cartify - WooCommerce Gutenberg WordPress Theme cartify is affected by missing authorization (CVSS 6.5).

WordPress Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-22350 MEDIUM This Month

Insufficient authorization controls in PDF for Elementor Forms + Drag And Drop Template Builder version 6.3.1 and earlier allow authenticated users to modify or create PDF forms without proper permission validation. An attacker with user-level access could bypass access control restrictions to manipulate form configurations or data integrity. No patch is currently available for this vulnerability.

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-68837 MEDIUM This Month

Missing Authorization vulnerability in ELEXtensions ELEX WordPress HelpDesk & Customer Ticketing System elex-helpdesk-customer-support-ticket-system allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ELEX WordPress HelpDesk & Customer Ticketing System: from n/a through <= 3.3.5. [CVSS 6.5 MEDIUM]

WordPress Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-68534 MEDIUM This Month

Missing Authorization vulnerability in add-ons.org PDF for WPForms pdf-for-wpforms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects PDF for WPForms: from n/a through <= 6.3.0. [CVSS 6.5 MEDIUM]

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-68514 MEDIUM This Month

Cozmoslabs Paid Member Subscriptions paid-member-subscriptions is affected by authorization bypass through user-controlled key (CVSS 6.5).

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-68042 MEDIUM This Month

Missing Authorization vulnerability in Travelpayouts Travelpayouts travelpayouts allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Travelpayouts: from n/a through <= 1.2.1. [CVSS 6.5 MEDIUM]

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-68005 MEDIUM This Month

Missing Authorization vulnerability in themewant Easy Hotel Booking easy-hotel allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Easy Hotel Booking: from n/a through <= 1.8.7. [CVSS 6.5 MEDIUM]

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-68000 MEDIUM This Month

Missing Authorization vulnerability in PickPlugins Testimonial Slider testimonial allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Testimonial Slider: from n/a through <= 2.0.15. [CVSS 6.5 MEDIUM]

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-67975 MEDIUM This Month

Missing Authorization vulnerability in aDirectory aDirectory adirectory allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects aDirectory: from n/a through <= 3.0.3. [CVSS 6.5 MEDIUM]

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-26328 MEDIUM PATCH This Month

OpenClaw versions prior to 2026.2.14 allow authenticated users to bypass group authorization policies by leveraging direct message trust credentials in group contexts, enabling unauthorized access to restricted group conversations. An attacker with valid credentials could exploit improper policy enforcement in iMessage groupPolicy=allowlist configurations to gain unauthorized visibility into protected group communications. A patch is available in version 2026.2.14 and later.

Authentication Bypass AI / ML Openclaw
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2024-50452 MEDIUM This Month

POSIMYTH Nexter Blocks the-plus-addons-for-block-editor is affected by cross-site scripting (xss) (CVSS 6.5).

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2024-50555 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Elementor Elementor Website Builder elementor allows Stored XSS.This issue affects Elementor Website Builder: from n/a through <= 3.29.0. [CVSS 6.5 MEDIUM]

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-59819 MEDIUM This Month

This vulnerability allows authenticated attackers to read an arbitrary file by changing a filepath parameter into an internal system path. [CVSS 6.5 MEDIUM]

Path Traversal
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-26994 MEDIUM PATCH This Month

uTLS versions 1.6.7 and below fail to validate TLS 1.3 downgrade protection mechanisms, allowing network attackers to force ClientHello modifications that cause servers to respond with lower TLS versions while bypassing detection checks. An active attacker can exploit this to downgrade encrypted connections to TLS 1.2 or earlier, potentially exposing traffic to known cryptographic weaknesses. Affected users of uTLS, Red Hat, and other TLS implementations should update to patched versions immediately.

Red Hat TLS Utls Suse
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-2486 MEDIUM This Month

Stored XSS in Master Addons For Elementor plugin (WordPress versions up to 2.1.1) allows authenticated contributors and above to inject malicious scripts into pages through the 'ma_el_bh_table_btn_text' parameter due to insufficient input sanitization. When other users access affected pages, the injected scripts execute in their browsers, potentially enabling session hijacking, credential theft, or malware distribution. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-2384 MEDIUM This Month

The Quiz Maker plugin for WordPress versions up to 6.7.1.7 allows authenticated contributors and higher-privileged users to inject persistent JavaScript through the `vc_quizmaker` shortcode due to inadequate input validation, enabling malicious script execution in pages viewed by other users. The vulnerability requires WPBakery Page Builder to be active and has no available patch. An attacker with contributor access can deface content or steal sensitive information from site visitors.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-2435 MEDIUM This Month

Tanium addressed a SQL injection vulnerability in Asset. [CVSS 6.3 MEDIUM]

SQLi Asset
NVD
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-27113 MEDIUM This Month

Liquid Prompt is an adaptive prompt for Bash and Zsh. [CVSS 6.3 MEDIUM]

Command Injection
NVD GitHub
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-26370 MEDIUM This Month

The Survey Maker WordPress plugin through version 5.1.7.7 is vulnerable to reflected cross-site scripting (XSS) that requires user interaction to exploit. An attacker can craft a malicious link to inject arbitrary JavaScript into a victim's browser session, potentially allowing credential theft or malicious actions within WordPress. No patch is currently available, leaving affected installations at risk.

WordPress XSS
NVD
CVSS 3.0
6.1
EPSS
0.0%
CVE-2025-62326 MEDIUM This Month

HCL Digital Experience is susceptible to stored cross-site scripting (XSS) in the administrative user interface which would require elevated privileges to exploit. [CVSS 6.1 MEDIUM]

XSS Digital Experience
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-67438 MEDIUM PATCH This Month

vulnerability in Sync-in Server versions up to 1.9.3 is affected by cross-site scripting (xss) (CVSS 6.1).

XSS Sync In Server
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-26963 MEDIUM PATCH This Month

Cilium versions 1.18.0-1.18.5 with Native Routing, WireGuard, and Node Encryption enabled incorrectly allow cross-node Pod traffic that should be blocked, enabling unauthorized network access between isolated workloads. An attacker with network access to pods on different nodes can bypass network segmentation policies to access restricted services. The vulnerability affects deployments using these specific Cilium configurations and is resolved in version 1.18.6.

Wireguard Cilium Red Hat Suse
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2024-52387 MEDIUM This Month

Liton Arefin Master Addons for Elementor master-addons is affected by cross-site scripting (xss) (CVSS 5.9).

XSS
NVD
CVSS 3.1
5.9
EPSS
0.1%
CVE-2025-68855 MEDIUM This Month

Insertion of Sensitive Information Into Sent Data vulnerability in themeglow JobBoard Job listing job-board-light allows Retrieve Embedded Sensitive Data.This issue affects JobBoard Job listing: from n/a through <= 1.2.8. [CVSS 5.9 MEDIUM]

Information Disclosure
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2025-67970 MEDIUM This Month

Missing Authorization vulnerability in vertim Schedula schedula-smart-appointment-booking allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Schedula: from n/a through <= 1.0. [CVSS 5.3 MEDIUM]

Authentication Bypass
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2025-60183 MEDIUM This Month

silence Silencesoft RSS Reader external-rss-reader is affected by cross-site scripting (xss) (CVSS 5.9).

XSS
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-27133 MEDIUM This Month

Strimzi versions 0.47.0 through 0.50.0 improperly trust all certificates in a CA chain rather than only the intended signing authority, allowing Kafka Connect and MirrorMaker 2 operands to accept connections from brokers with certificates signed by intermediate CAs. An attacker could leverage this improper certificate validation to establish unauthorized connections to Kafka clusters using alternate CA-signed certificates from the trusted chain. This vulnerability requires high privileges to configure the CA chain and has no available patch at this time.

Apache Kubernetes Strimzi Red Hat
NVD GitHub
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-26049 MEDIUM This Month

The web management interface of the device renders the passwords in a plaintext input field. [CVSS 5.7 MEDIUM]

Authentication Bypass
NVD GitHub
CVSS 3.1
5.7
EPSS
0.0%
CVE-2026-2490 MEDIUM This Month

RustDesk Client for Windows file transfer functionality allows local attackers with low-privileged code execution to read arbitrary files through symlink injection, potentially disclosing sensitive information with SYSTEM-level access. An attacker can exploit the Transfer File feature by uploading a specially crafted symbolic link to bypass access controls and access protected files on the target system. No patch is currently available for this vulnerability.

Windows Information Disclosure
NVD GitHub
CVSS 3.0
5.5
EPSS
0.0%
CVE-2026-27003 MEDIUM PATCH This Month

OpenClaw versions prior to 2026.2.15 expose Telegram bot tokens in error messages and logs without redaction, allowing attackers who gain access to these logs to impersonate the bot and hijack its API access. This credential disclosure affects users of the AI assistant across systems where logs, crash reports, or support bundles are generated. Users must upgrade to version 2026.2.15 and rotate exposed Telegram bot tokens immediately.

Denial Of Service AI / ML Openclaw
NVD GitHub
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-26100 MEDIUM This Month

Opds-Talon versions up to 2.2.0.4 is affected by incorrect permission assignment for critical resource (CVSS 5.5).

Privilege Escalation Opds Talon
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-26099 MEDIUM This Month

Owl OPDS 2.2.0.4 contains an uncontrolled search path vulnerability that allows local authenticated attackers to manipulate configuration file search paths through a crafted request, potentially leading to unauthorized modification of application behavior or settings. With no available patch, this medium-severity issue (CVSS 5.5) poses a risk to systems running the affected version where local user access is possible.

Privilege Escalation Opds Talon
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-26098 MEDIUM This Month

Opds Talon 2.2.0.4 contains an uncontrolled search path vulnerability that allows local authenticated attackers to manipulate configuration file search paths through crafted requests, potentially leading to unauthorized modification of application behavior. With no available patch and an EPSS score of 0%, this vulnerability currently poses minimal exploitation risk but could allow privilege escalation or security bypass for users with local access to the system.

Privilege Escalation Opds Talon
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-26097 MEDIUM This Month

Opds Talon 2.2.0.4 contains an uncontrolled search path vulnerability that allows local attackers with user privileges to manipulate configuration file search paths through crafted requests, potentially enabling unauthorized modification of application behavior. An attacker could exploit this to alter critical configuration settings without elevated permissions. No patch is currently available for this vulnerability.

Privilege Escalation Opds Talon
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-26096 MEDIUM This Month

Opds-Talon versions up to 2.2.0.4 is affected by incorrect permission assignment for critical resource (CVSS 5.5).

Privilege Escalation Opds Talon
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-26095 MEDIUM This Month

Opds-Talon versions up to 2.2.0.4 is affected by incorrect permission assignment for critical resource (CVSS 5.5).

Privilege Escalation Opds Talon
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-27026 MEDIUM PATCH This Month

Pypdf versions up to 6.7.1 is affected by allocation of resources without limits or throttling (CVSS 5.5).

Python Pypdf Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-27025 MEDIUM PATCH This Month

Resource exhaustion in pypdf versions prior to 6.7.1 occurs when processing maliciously crafted PDF files with manipulated /ToUnicode font entries, causing excessive memory consumption and processing delays during text extraction operations. A local attacker with file access can exploit this to degrade system performance, though no code execution or data compromise is possible. The vulnerability affects Python environments using pypdf and is remedied by upgrading to version 6.7.1 or later.

Python Pypdf Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-27024 MEDIUM PATCH This Month

Pypdf versions up to 6.7.1 is affected by loop with unreachable exit condition (infinite loop) (CVSS 5.5).

Python Pypdf Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-27004 MEDIUM PATCH This Month

OpenClaw AI assistant versions prior to 2026.2.15 allow local authenticated users to access session transcripts across peer accounts in multi-user shared-agent deployments due to insufficient session targeting restrictions. Additionally, Telegram webhook mode may fail to properly validate per-account secrets, potentially allowing unauthorized webhook access. The vulnerability primarily impacts multi-user environments with untrusted peers, while single-user or trusted deployments face limited practical risk.

Information Disclosure AI / ML Openclaw
NVD GitHub
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-27122 MEDIUM PATCH This Month

HTML injection in Svelte's server-side rendering occurs when the `<svelte:element>` tag parameter fails to sanitize user-supplied tag names, allowing attackers to inject malicious HTML into rendered output. This affects Svelte versions prior to 5.51.5 and requires user interaction to exploit, with client-side rendering remaining unaffected. An authenticated attacker can achieve limited information disclosure or modify page content for affected users.

XSS Svelte Red Hat
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-27121 MEDIUM PATCH This Month

Server-side rendering in Svelte versions before 5.51.5 fails to sanitize event handler properties when spreading untrusted data as HTML attributes, enabling stored or reflected XSS attacks. An attacker can inject malicious event handlers into rendered pages if an application spreads user-controlled or external data as element attributes, causing arbitrary JavaScript execution in victim browsers. No patch is currently available.

XSS Svelte Red Hat
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-27119 MEDIUM PATCH This Month

Improper HTML escaping in Svelte versions 5.39.3 through 5.51.4 allows HTML injection attacks through unescaped option element content during server-side rendering, enabling attackers to inject malicious HTML into SSR output. Client-side rendering is unaffected, and the vulnerability is limited to applications using vulnerable Svelte versions on the server. This medium-severity flaw requires upgrading to version 5.51.5 or later, as no patch is currently available for affected versions.

XSS Svelte Red Hat
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-27016 MEDIUM PATCH This Month

Stored cross-site scripting in LibreNMS versions 24.10.0 through 26.1.1 allows authenticated users to inject malicious scripts through the unsanitized unit parameter in Custom OID configurations, which are then executed when other users view the affected pages. An attacker with login credentials could exploit this to steal session tokens, perform actions on behalf of other administrators, or compromise the monitoring infrastructure. The vulnerability has been patched in version 26.2.0.

MySQL SNMP XSS Librenms
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2024-34438 MEDIUM This Month

Missing Authorization vulnerability in Anssi Laitila Shared Files shared-files.This issue affects Shared Files: from n/a through <= 1.7.19. [CVSS 5.3 MEDIUM]

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-69325 MEDIUM This Month

primersoftware Primer MyData for Woocommerce primer-mydata contains a security vulnerability (CVSS 5.3).

WordPress Path Traversal PHP
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-2605 MEDIUM This Month

Tanium addressed an insertion of sensitive information into log file vulnerability in TanOS. [CVSS 5.3 MEDIUM]

Information Disclosure Tanos
NVD
CVSS 3.1
5.3
EPSS
0.0%
Prev Page 2 of 3 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy