Skip to main content
CVE-2026-0797 HIGH PATCH This Week

Remote code execution in GIMP 3.2.0-rc1 lets attackers run arbitrary code by tricking a user into opening a malicious ICO image file or visiting a page that delivers one. The flaw is a heap-based buffer overflow in the ICO file parser caused by missing length validation before a copy operation, and it executes code in the context of the GIMP process. No public exploit has been identified at time of analysis, and EPSS estimates exploitation probability at just 0.06% (19th percentile), consistent with a user-interaction-gated client-side bug rather than mass-exploited infrastructure.

RCE Buffer Overflow Heap Overflow Gimp
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-67998 HIGH This Week

Authentication Bypass Using an Alternate Path or Channel vulnerability in kamleshyadav Miraculous Elementor miraculous-el allows Authentication Abuse.This issue affects Miraculous Elementor: from n/a through <= 2.0.7. [CVSS 8.8 HIGH]

Authentication Bypass
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-22354 HIGH This Week

Dotstore Woocommerce Category Banner Management banner-management-for-woocommerce is affected by deserialization of untrusted data (CVSS 8.8).

WordPress Deserialization
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-22346 HIGH This Week

The Slider Responsive Slideshow WordPress plugin through version 1.5.4 contains an unsafe deserialization flaw that enables authenticated attackers to inject arbitrary objects and achieve remote code execution. An attacker with user-level access can exploit this vulnerability to compromise the affected website with high impact to confidentiality, integrity, and availability. No patch is currently available for this vulnerability.

Deserialization
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-22345 HIGH This Week

Object injection in WP Life Image Gallery plugin versions 1.6.0 and earlier exploits unsafe deserialization to allow authenticated attackers to execute arbitrary code with high impact on confidentiality, integrity, and availability. The vulnerability requires valid user credentials but no user interaction, making it exploitable by low-privileged accounts. No patch is currently available for this HIGH severity vulnerability affecting popular WordPress gallery functionality.

Deserialization
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-69328 HIGH This Week

magepeopleteam Booking and Rental Manager booking-and-rental-manager-for-woocommerce is affected by deserialization of untrusted data (CVSS 8.8).

WordPress Deserialization PHP
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-69294 HIGH This Week

Deserialization of Untrusted Data vulnerability in fuelthemes PeakShops peakshops allows Object Injection.This issue affects PeakShops: from n/a through <= 1.5.9. [CVSS 8.8 HIGH]

Deserialization
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-68853 HIGH This Week

Deserialization of Untrusted Data vulnerability in Kleor Contact Manager contact-manager allows Object Injection.This issue affects Contact Manager: from n/a through <= 9.1.1. [CVSS 8.8 HIGH]

Deserialization
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-68531 HIGH This Week

modeltheme ModelTheme Addons for WPBakery and Elementor modeltheme-addons-for-wpbakery is affected by deserialization of untrusted data (CVSS 8.8).

Deserialization
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-68526 HIGH This Week

A WP Life Modal Popup Box modal-popup-box is affected by deserialization of untrusted data (CVSS 8.8).

Deserialization
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-26975 HIGH This Week

Remote code execution in Music Assistant Server 2.6.3 and below enables unauthenticated network-adjacent attackers to execute arbitrary code through path traversal in the playlist update API, which fails to enforce file extension restrictions and allows writing malicious Python files to site-packages. The vulnerability is particularly critical because affected containers typically run as root, amplifying the impact of successful exploitation. No patch is currently available, leaving installations at risk until an upgrade to version 2.7.0 or later is performed.

Python RCE Path Traversal Music Assistant Server
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-26992 MEDIUM POC PATCH This Month

Stored XSS in LibreNMS versions 26.1.1 and below allows authenticated administrators to inject malicious scripts through unsanitized port group names, which execute when other users view the affected port group. Public exploit code exists for this vulnerability. The issue is resolved in version 26.2.0.

MySQL SNMP XSS Librenms
NVD GitHub
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-26991 MEDIUM POC PATCH This Month

Stored XSS in LibreNMS versions 26.1.1 and below allows authenticated administrators to inject malicious scripts through unsanitized device group names, which execute when other users view the group management interface. Public exploit code exists for this vulnerability, affecting LibreNMS deployments across multiple supported platforms. The vulnerability has been patched in version 26.2.0.

MySQL Redis SNMP XSS Librenms
NVD GitHub
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-2472 HIGH PATCH This Week

Stored Cross-Site Scripting (XSS) in the _genai/_evals_visualization component of Google Cloud Vertex AI SDK (google-cloud-aiplatform) versions from 1.98.0 up to (but not including) 1.131.0 allows an unauthenticated remote attacker to execute arbitrary JavaScript in a victim's Jupyter or Colab environment via injecting script escape sequences into model evaluation results or dataset JSON data.

Google XSS
NVD GitHub
CVSS 4.0
8.6
EPSS
0.2%
CVE-2025-69379 HIGH This Week

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in vanquish Upload Files Anywhere wp-upload-files-anywhere allows Path Traversal.This issue affects Upload Files Anywhere: from n/a through <= 2.8. [CVSS 8.6 HIGH]

WordPress Path Traversal PHP
NVD
CVSS 3.1
8.6
EPSS
0.1%
CVE-2025-69376 HIGH This Week

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in vanquish User Extra Fields wp-user-extra-fields allows Path Traversal.This issue affects User Extra Fields: from n/a through <= 17.0. [CVSS 8.6 HIGH]

WordPress Path Traversal PHP
NVD
CVSS 3.1
8.6
EPSS
0.1%
CVE-2025-69063 HIGH This Week

Missing Authorization vulnerability in Saad Iqbal New User Approve new-user-approve allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects New User Approve: from n/a through <= 3.2.0. [CVSS 8.6 HIGH]

Authentication Bypass
NVD
CVSS 3.1
8.6
EPSS
0.0%
CVE-2026-26993 MEDIUM POC PATCH This Month

Stored XSS in Flare file sharing platform versions 1.7.0 and below allows authenticated attackers to execute arbitrary JavaScript by uploading malicious SVG or HTML files that execute when viewed in raw mode, potentially enabling session hijacking or data theft. The vulnerability stems from insufficient file content validation and sanitization during upload. Public exploit code exists; upgrade to version 1.7.1 or later to remediate.

XSS Flare
NVD GitHub
CVSS 3.1
4.6
EPSS
0.0%
CVE-2026-24959 HIGH This Week

Blind SQL injection in JoomSky JS Help Desk through version 3.0.1 enables authenticated attackers to execute arbitrary SQL queries with network access and no user interaction required. The vulnerability affects database confidentiality and system availability, though integrity is not compromised. No patch is currently available for this high-severity flaw.

SQLi
NVD
CVSS 3.1
8.5
EPSS
0.0%
CVE-2025-67987 HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ExpressTech Systems Quiz And Survey Master quiz-master-next allows SQL Injection.This issue affects Quiz And Survey Master: from n/a through <= 10.3.1. [CVSS 8.5 HIGH]

SQLi
NVD
CVSS 3.1
8.5
EPSS
0.0%
CVE-2019-25447 MEDIUM POC This Month

OrientDB 3.0.17 GA Community Edition contains cross-site request forgery vulnerabilities that allow attackers to perform unauthorized actions by crafting malicious requests to endpoints like /database/, /command/, and /document/. [CVSS 4.3 MEDIUM]

XSS CSRF Orientdb
NVD Exploit-DB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-26989 MEDIUM POC PATCH This Month

Stored XSS in LibreNMS Alert Rules allows authenticated administrators to inject malicious scripts that execute when other users view the Alert Rules page, affecting versions 25.12.0 and below. Public exploit code exists for this vulnerability, though exploitation requires high-level administrative privileges and user interaction. The vulnerability has been patched in version 26.2.0.

MySQL SNMP XSS Librenms
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-24790 HIGH This Week

Unauthenticated remote attackers can manipulate the underlying PLC controller on affected devices due to missing authentication controls, enabling modification of device operations and potential service disruption. The vulnerability requires no user interaction and can be exploited over the network, with no official patch currently available to mitigate the risk.

Authentication Bypass
NVD GitHub
CVSS 3.1
8.2
EPSS
0.1%
CVE-2026-2818 HIGH This Week

Spring Data Geode's snapshot import feature on Windows systems is vulnerable to path traversal attacks that enable attackers to write arbitrary files outside the intended extraction directory. Remote attackers can exploit this vulnerability without authentication to potentially overwrite critical system or application files. No patch is currently available.

Path Traversal Microsoft Java
NVD HeroDevs VulDB
CVSS 3.1
8.2
EPSS
0.1%
CVE-2025-67977 HIGH This Week

VillaTheme HAPPY happy-helpdesk-support-ticket-system is affected by missing authorization (CVSS 8.2).

Authentication Bypass
NVD
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-20761 HIGH This Week

EnOcean SmartServer IoT versions 4.60.009 and earlier are vulnerable to unauthenticated remote command injection through maliciously crafted LON IP-852 management messages, enabling attackers to execute arbitrary OS commands with high privileges on affected devices. This network-accessible vulnerability requires no user interaction and affects IoT deployments with no available patch currently available.

IoT Command Injection
NVD GitHub
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-22381 HIGH This Week

Mikado-Themes PawFriends - Pet Shop and Veterinary WordPress Theme pawfriends is affected by php remote file inclusion (CVSS 8.1).

WordPress PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22380 HIGH This Week

Local file inclusion in AncoraThemes Unlimhost through version 1.2.3 allows unauthenticated attackers to read arbitrary files from the server via improper handling of include/require statements. The vulnerability carries high confidentiality and integrity impact, enabling attackers to potentially access sensitive configuration files or execute code through log poisoning techniques. No patch is currently available for this issue.

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22379 HIGH This Week

AncoraThemes Netmix versions 1.0.10 and earlier contain a local file inclusion vulnerability in PHP file handling that allows unauthenticated remote attackers to read sensitive files from the affected system. The vulnerability stems from improper validation of filenames in include/require statements, enabling attackers to traverse directories and access arbitrary files on the server. No patch is currently available for this high-severity issue (CVSS 8.1).

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22378 HIGH This Week

Blabber through version 1.7.0 contains a local file inclusion vulnerability in its PHP code that allows unauthenticated attackers to read arbitrary files from the server. An attacker can exploit improper filename validation in include/require statements to access sensitive system files without authentication. No patch is currently available for this high-severity vulnerability affecting PHP environments.

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22377 HIGH This Week

Local file inclusion in AncoraThemes Saveo through version 1.1.2 enables unauthenticated attackers to read arbitrary files on affected servers through improper input validation on file inclusion functions. The vulnerability carries high severity with complete confidentiality and integrity impacts, though no patch is currently available.

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22376 HIGH This Week

AncoraThemes Parkivia through version 1.1.9 contains a local file inclusion vulnerability in its PHP include/require handling that allows unauthenticated remote attackers to read arbitrary files from the server. The vulnerability exploits improper filename control mechanisms to access sensitive system files without authentication. No patch is currently available, and exploitation requires moderate attack complexity but results in high confidentiality, integrity, and availability impact.

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22375 HIGH This Week

AncoraThemes Impacto Patronus through version 1.2.3 contains a local file inclusion vulnerability in its PHP include/require handling that allows attackers to read arbitrary files on the server. An unauthenticated remote attacker can exploit this vulnerability to access sensitive configuration files, credentials, and other protected data without authentication. No patch is currently available for this vulnerability.

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22374 HIGH This Week

AncoraThemes Zio Alberto through version 1.2.2 contains a local file inclusion vulnerability in its PHP file handling that allows unauthenticated attackers to read arbitrary files from the server. The vulnerability stems from improper validation of file paths in include/require statements, enabling attackers to traverse the filesystem and access sensitive data. No patch is currently available for this issue.

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22373 HIGH This Week

PHP Local File Inclusion in AncoraThemes Fooddy through version 1.3.10 enables attackers to read arbitrary files on the server through improper input validation in file inclusion mechanisms. An unauthenticated remote attacker can exploit this vulnerability over the network to access sensitive files and potentially execute arbitrary code, achieving high impact on confidentiality, integrity, and availability. No patch is currently available for this vulnerability.

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22372 HIGH This Week

AncoraThemes Isida through version 1.4.2 contains a local file inclusion vulnerability in its PHP file handling that allows unauthenticated attackers to read arbitrary files from the server. The flaw stems from improper validation of include/require statements, enabling attackers to access sensitive files and potentially execute arbitrary code. No patch is currently available, and exploitation requires moderate complexity conditions.

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22371 HIGH This Week

AncoraThemes Gustavo plugin version 1.2.2 and earlier contains a local file inclusion vulnerability in its PHP file handling that allows unauthenticated remote attackers to read arbitrary files from the server. The vulnerability stems from improper validation of filenames in include/require statements, enabling attackers to traverse the filesystem and access sensitive data. With no available patch, affected sites running vulnerable versions face significant risk of information disclosure.

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22370 HIGH This Week

Axiomthemes Marveland versions up to 1.3.0 contain a local file inclusion vulnerability in PHP that allows unauthenticated attackers to read arbitrary files on the server through improper handling of include/require statements. An attacker can exploit this weakness over the network without user interaction to disclose sensitive information or potentially execute arbitrary code. No patch is currently available.

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22369 HIGH This Week

Local file inclusion in AncoraThemes Ironfit through version 1.5 enables unauthenticated attackers to read arbitrary files from the server through improper handling of file inclusion parameters. The vulnerability grants high-impact access to sensitive data and potential system compromise without authentication or user interaction required. No patch is currently available for affected installations.

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22368 HIGH This Week

Local file inclusion in Axiomthemes Redy versions up to 1.0.2 allows unauthenticated attackers to read arbitrary files from the affected server by manipulating include/require statements. An attacker can exploit this vulnerability over the network to disclose sensitive information such as configuration files or source code. No patch is currently available for this vulnerability.

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22367 HIGH This Week

AncoraThemes Coworking plugin through version 1.6.1 contains a local file inclusion vulnerability in its PHP file handling that could allow attackers to read arbitrary files from the affected server. An unauthenticated remote attacker can exploit improper input validation on filename parameters to access sensitive system files and potentially execute arbitrary code. No patch is currently available for this vulnerability.

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22366 HIGH This Week

Axiomthemes Jude through version 1.3.0 contains a local file inclusion vulnerability in its PHP include/require handling that allows unauthenticated remote attackers to read arbitrary files from the affected server. The vulnerability requires specific conditions to be met (high complexity) but results in complete compromise of confidentiality, integrity, and availability. No patch is currently available for this vulnerability.

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22365 HIGH This Week

PHP Remote File Inclusion in Soleng WordPress theme.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22364 HIGH This Week

Improper file inclusion validation in axiomthemes SevenTrees PHP plugin versions 1.0.2 and earlier enables unauthenticated attackers to include and execute arbitrary local files through remote requests. This remote file inclusion vulnerability allows attackers to execute malicious PHP code with full system privileges. Currently no patch is available and the vulnerability has low exploit probability.

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22363 HIGH This Week

Axiom Themes Rhodos through version 1.3.3 contains a local file inclusion vulnerability in its PHP file handling that allows unauthenticated attackers to read arbitrary files from the server. The improper validation of include/require statements enables attackers to access sensitive application data and configuration files without authentication. Currently no patch is available for this vulnerability.

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22362 HIGH This Week

Axiomthemes Photolia through version 1.0.3 contains a local file inclusion vulnerability in its PHP include/require handling that enables attackers to read arbitrary files from the affected server. An unauthenticated remote attacker can exploit this weakness over the network to access sensitive information without user interaction. No patch is currently available, making this a high-severity risk for active installations of this theme.

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22361 HIGH This Week

PHP Local File Inclusion in axiomthemes A-Mart versions up to 1.0.2 enables unauthenticated remote attackers to read arbitrary files from the server through improper handling of include/require statements. An attacker can leverage this vulnerability to disclose sensitive configuration files, source code, or other confidential data accessible to the web server process. No patch is currently available for this vulnerability.

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22344 HIGH This Week

Mikado-Themes FiveStar plugin through version 1.7 contains a local file inclusion vulnerability in its PHP file handling that allows unauthenticated attackers to read arbitrary files from the server. The vulnerability stems from improper validation of filename parameters in include/require statements, enabling attackers to access sensitive configuration files and other protected resources. No patch is currently available, though exploitation requires specific conditions to be met.

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-69410 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Edge-Themes Belletrist belletrist allows PHP Local File Inclusion.This issue affects Belletrist: from n/a through <= 1.2. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-69409 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes PJ | Life & Business Coaching pj allows PHP Local File Inclusion.This issue affects PJ | Life & Business Coaching: from n/a through <= 3.0.0. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
Prev Page 3 of 8 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy