Skip to main content
CVE-2025-68545 HIGH This Week

PHP Remote File Inclusion in Nika WordPress theme by thembay.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-2048 HIGH PATCH This Week

GIMP is vulnerable to out-of-bounds memory write during XWD file parsing due to insufficient input validation, enabling arbitrary code execution when a user opens a malicious image file. This high-severity vulnerability (CVSS 7.8) affects local attackers who can craft specially crafted XWD files to corrupt memory and execute code with the privileges of the GIMP process. No patch is currently available.

RCE Gimp Buffer Overflow Memory Corruption
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-0777 HIGH This Week

Xmind fails to display adequate security warnings when users open file attachments, enabling remote code execution with the privileges of the current user. An attacker can exploit this by tricking users into opening malicious files or visiting crafted pages, with the unsafe action proceeding without proper user notification. No patch is currently available.

RCE
NVD
CVSS 3.0
7.8
EPSS
0.1%
CVE-2026-2047 HIGH PATCH This Week

Remote code execution in GIMP through heap buffer overflow during ICNS file parsing allows attackers to execute arbitrary code when a user opens a malicious image file. The vulnerability stems from insufficient validation of user-supplied data lengths before copying to heap memory, requiring only user interaction to trigger. A patch is available for affected installations.

RCE Buffer Overflow Heap Overflow Gimp
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-2034 HIGH This Week

Remote code execution in Sante DICOM Viewer Pro via buffer overflow when parsing malicious DCM files allows attackers to execute arbitrary code on affected systems. The vulnerability stems from insufficient validation of user-supplied data length before copying to a buffer, requiring user interaction such as opening a malicious file or visiting a compromised page. No patch is currently available for this high-severity flaw.

RCE Buffer Overflow Dicom Viewer Pro
NVD
CVSS 3.0
7.8
EPSS
0.0%
CVE-2026-27001 HIGH PATCH This Week

OpenClaw versions prior to 2026.2.15 fail to sanitize workspace directory paths before injecting them into LLM prompts, allowing local attackers with execution privileges to inject malicious instructions through control characters and Unicode markers in directory names. An attacker can exploit this prompt injection vulnerability to manipulate the AI assistant's behavior and execute unintended commands. A patch is available in version 2026.2.15 and later.

Command Injection AI / ML Openclaw
NVD GitHub
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-2492 HIGH This Week

Local privilege escalation in TensorFlow's HDF5 plugin-loading mechanism lets a low-privileged user run arbitrary code as a higher-privileged target user. The flaw stems from TensorFlow loading plugins from an unsecured, attacker-writable search-path location (CWE-427), so an attacker who can already execute low-privileged code plants a malicious plugin that is later loaded in the victim's context. There is no public exploit identified at time of analysis, EPSS risk is very low (0.02%), and it is not listed in CISA KEV, but the issue is credibly reported by Trend Micro ZDI (ZDI-26-116) and patched by upstream and Red Hat.

Privilege Escalation RCE
NVD GitHub VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-26050 HIGH This Week

Arbitrary code execution with administrative privileges in RICOH Job Log Aggregation Tool versions before 1.3.7 due to insecure DLL search path handling. Local attackers with user interaction can execute malicious code by placing a crafted DLL in the installer's search path. No patch is currently available.

Privilege Escalation RCE
NVD
CVSS 3.0
7.8
EPSS
0.0%
CVE-2026-26959 HIGH This Week

Arbitrary code execution in ADB Explorer version 0.9.26020 and earlier on Windows allows local attackers to execute malicious binaries by manipulating the ManualAdbPath configuration setting without integrity validation. An attacker can exploit this through social engineering by distributing a crafted settings file that redirects the application to a malicious executable, gaining code execution with user privileges. The vulnerability requires user interaction to launch the application with a malicious configuration directory.

Windows RCE
NVD GitHub
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-26102 HIGH This Week

Opds-Talon versions up to 2.2.0.4 is affected by incorrect permission assignment for critical resource (CVSS 7.8).

Privilege Escalation Opds Talon
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-26101 HIGH This Week

Opds-Talon versions up to 2.2.0.4 is affected by incorrect permission assignment for critical resource (CVSS 7.8).

Privilege Escalation Opds Talon
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-69377 HIGH This Week

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in vanquish User Extra Fields wp-user-extra-fields allows Path Traversal.This issue affects User Extra Fields: from n/a through <= 17.0. [CVSS 7.7 HIGH]

WordPress Path Traversal PHP
NVD
CVSS 3.1
7.7
EPSS
0.1%
CVE-2025-68862 HIGH This Week

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Murtaza Bhurgri Woo File Dropzone woo-file-dropzone allows Path Traversal.This issue affects Woo File Dropzone: from n/a through <= 1.1.7. [CVSS 7.7 HIGH]

Path Traversal
NVD
CVSS 3.1
7.7
EPSS
0.1%
CVE-2025-52744 HIGH This Week

Improper Control of Generation of Code ('Code Injection') vulnerability in inpersttion Inpersttion For Theme err-our-team allows Code Injection.This issue affects Inpersttion For Theme: from n/a through <= 1.0. [CVSS 7.6 HIGH]

Code Injection RCE
NVD
CVSS 3.1
7.7
EPSS
0.1%
CVE-2025-53217 HIGH This Week

Missing Authorization vulnerability in staviravn AIO WP Builder all-in-one-wp-builder allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AIO WP Builder: from n/a through <= 2.0.2. [CVSS 7.6 HIGH]

Authentication Bypass
NVD
CVSS 3.1
7.6
EPSS
0.0%
CVE-2026-2635 HIGH PATCH This Week

Authentication bypass leading to administrator-level remote code execution affects MLflow installations that use the built-in basic authentication, which ships a basic_auth.ini file containing hard-coded default credentials. Remote unauthenticated attackers who know these well-known defaults can log in as the administrator and execute arbitrary code in that context. No public exploit has been identified at time of analysis and it is not in CISA KEV, but the EPSS score of 1.39% (80th percentile) reflects above-average exploitation interest for a Trend Micro ZDI-disclosed flaw with an available vendor patch.

Authentication Bypass RCE
NVD GitHub VulDB
CVSS 3.1
7.3
EPSS
1.4%
CVE-2026-22356 HIGH This Week

Jetpack CRM versions 6.7.0 and earlier contain a local file inclusion vulnerability in their PHP code that allows attackers to manipulate file inclusion statements and access arbitrary files on the server. An unauthenticated attacker can exploit this through a user interaction to read sensitive files or potentially execute arbitrary code with high impact. No patch is currently available for this vulnerability.

PHP LFI
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-69387 HIGH This Week

whatwouldjessedo Simple Retail Menus simple-retail-menus is affected by php remote file inclusion (CVSS 7.5).

PHP LFI
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-69373 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in beeteam368 VidoRev vidorev allows PHP Local File Inclusion.This issue affects VidoRev: from n/a through <= 2.9.9.9.9.9.7. [CVSS 7.5 HIGH]

PHP LFI Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-68841 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Themepul TopperPack - Complete Elementor Addons, Theme &amp; CPT Builder topper-pack allows PHP Local File Inclusion.This issue affects TopperPack - Complete Elementor Addons, Theme &amp; CPT Builder: from n/a through <= 1.2.1. [CVSS 7.5 HIGH]

PHP LFI Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-69383 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Agence web Eoxia - Montpellier WP shop wpshop allows PHP Local File Inclusion.This issue affects WP shop: from n/a through <= 2.6.1. [CVSS 7.5 HIGH]

PHP LFI
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-68552 HIGH This Week

WebCodingPlace WooCommerce Coming Soon Product with Countdown woo-coming-soon-product is affected by php remote file inclusion (CVSS 6.3).

WordPress PHP LFI Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-69380 HIGH This Week

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in vanquish Upload Files Anywhere wp-upload-files-anywhere allows Path Traversal.This issue affects Upload Files Anywhere: from n/a through <= 2.8. [CVSS 7.5 HIGH]

WordPress Path Traversal PHP
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-22351 HIGH This Week

WP FullCalendar plugin version 1.6 and earlier for WordPress contains an authorization bypass vulnerability that allows unauthenticated attackers to modify calendar data and disrupt service availability. The weak access control implementation enables remote exploitation without requiring user interaction or special network conditions. Organizations running affected versions should upgrade immediately as no patch is currently available.

Authentication Bypass
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-69401 HIGH This Week

mdalabar WooODT Lite byconsole-woo-order-delivery-time is affected by authentication bypass by spoofing (CVSS 7.5).

Authentication Bypass
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-24950 HIGH This Week

themeplugs Authorsy authorsy is affected by authorization bypass through user-controlled key (CVSS 7.5).

Authentication Bypass
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-24941 HIGH This Week

WP Job Portal versions 2.4.4 and earlier contain an authorization bypass flaw that allows unauthenticated attackers to access sensitive information by exploiting improperly configured access controls. An attacker can remotely exploit this vulnerability without user interaction to gain unauthorized visibility into restricted data. No patch is currently available for this vulnerability.

WordPress
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-69303 HIGH This Week

modeltheme ModelTheme Framework modeltheme-framework is affected by missing authorization (CVSS 7.5).

Authentication Bypass
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-69298 HIGH This Week

Missing Authorization vulnerability in GhostPool Gauge gauge allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Gauge: from n/a through <= 6.56.4. [CVSS 7.5 HIGH]

Authentication Bypass
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-68048 HIGH This Week

XLPlugins NextMove Lite woo-thank-you-page-nextmove-lite is affected by missing authorization (CVSS 7.5).

Authentication Bypass
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-67994 HIGH This Week

Missing Authorization vulnerability in YayCommerce YayCurrency yaycurrency allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects YayCurrency: from n/a through <= 3.3. [CVSS 7.5 HIGH]

Authentication Bypass
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-68051 HIGH This Week

Shiprocket Shiprocket shiprocket is affected by authorization bypass through user-controlled key (CVSS 7.4).

Authentication Bypass
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-69394 HIGH This Week

Authorization Bypass Through User-Controlled Key vulnerability in cnvrse Cnvrse cnvrse allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Cnvrse: from n/a through <= 026.02.10.20. [CVSS 7.5 HIGH]

Authentication Bypass
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-69393 HIGH This Week

Missing Authorization vulnerability in Jthemes Exzo exzo allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Exzo: from n/a through <= 1.2.4. [CVSS 7.5 HIGH]

Authentication Bypass
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-69297 HIGH This Week

Missing Authorization vulnerability in GhostPool Aardvark Plugin aardvark-plugin allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Aardvark Plugin: from n/a through <= 2.19. [CVSS 7.5 HIGH]

Authentication Bypass
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-67974 HIGH This Week

Missing Authorization vulnerability in WP Legal Pages WPLegalPages wplegalpages allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WPLegalPages: from n/a through <= 3.5.4. [CVSS 7.5 HIGH]

Authentication Bypass
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-26048 HIGH This Week

Wi-Fi routers lacking management frame protection are susceptible to forged deauthentication and disassociation attacks, enabling unauthenticated remote attackers to disconnect legitimate users and disrupt network availability. This vulnerability allows attackers to broadcast spoofed wireless management frames without credentials, creating denial-of-service conditions affecting all connected devices. No patch is currently available for this high-severity issue.

Authentication Bypass
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-22383 HIGH This Week

Mikado-Themes PawFriends - Pet Shop and Veterinary WordPress Theme pawfriends is affected by authorization bypass through user-controlled key (CVSS 5.4).

WordPress Authentication Bypass
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-24455 HIGH This Week

HTTP Basic Authentication over unencrypted connections in the device's embedded web interface allows attackers on the same network to passively intercept and capture user credentials. This cleartext transmission of authentication data exposes administrative access to network-based eavesdropping attacks. The lack of HTTPS/TLS support creates a significant credential compromise risk for affected devices with no available patch.

Information Disclosure
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-68834 HIGH This Week

Missing Authorization vulnerability in Saiful Islam Sync Master Sheet &#8211; Product Sync with Google Sheet for WooCommerce product-sync-master-sheet allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Sync Master Sheet &#8211; Product Sync with Google Sheet for WooCommerce: from n/a through <= 1.1.3.

WordPress Authentication Bypass Google
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-2045 HIGH PATCH This Week

Out-of-bounds write in GIMP 3.0.6's XWD (X Window Dump) image file parser allows remote attackers to execute arbitrary code in the context of the user running GIMP, provided the victim is lured into opening a malicious XWD file or visiting a page that delivers one. The CVSS 3.1 vector (AV:L/UI:R) shows this is not a remote-network attack but a user-interaction-driven file-parsing flaw, scored 7.3 (High). There is no public exploit identified at time of analysis, and EPSS is very low (0.08%, 23rd percentile), consistent with an attack that depends on social engineering rather than mass automation.

RCE Gimp Buffer Overflow Memory Corruption
NVD VulDB
CVSS 3.1
7.3
EPSS
0.1%
CVE-2025-68022 HIGH This Week

soporteblue Plugin BlueX for WooCommerce bluex-for-woocommerce is affected by missing authorization (CVSS 6.3).

WordPress Authentication Bypass
NVD
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-2040 HIGH This Week

PDF-XChange Editor's TrackerUpdate process loads libraries from an unsecured location, enabling local attackers with low-privileged code execution to escalate privileges and run arbitrary code with elevated permissions. This high-severity vulnerability (CVSS 7.3) affects systems where an attacker has already gained initial code execution access. No patch is currently available.

Privilege Escalation
NVD
CVSS 3.0
7.3
EPSS
0.0%
CVE-2025-69378 HIGH This Week

XforWooCommerce Product Filter for WooCommerce prdctfltr contains a security vulnerability (CVSS 7.3).

WordPress Privilege Escalation
NVD
CVSS 3.1
7.2
EPSS
0.0%
CVE-2025-69299 HIGH This Week

Server-Side Request Forgery (SSRF) vulnerability in Laborator Oxygen oxygen allows Server Side Request Forgery.This issue affects Oxygen: from n/a through <= 6.0.8. [CVSS 7.2 HIGH]

SSRF
NVD
CVSS 3.1
7.2
EPSS
0.0%
CVE-2025-69381 HIGH This Week

vanquish WooCommerce Bulk Product Editor woocommerce-quick-product-editor is affected by missing authorization (CVSS 7.1).

WordPress PHP
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-27072 HIGH This Week

PixelYourSite plugin versions up to 11.2.0.1 contain a stored cross-site scripting vulnerability that allows attackers to inject malicious scripts into web pages without authentication. An attacker can exploit this to execute arbitrary JavaScript in the browsers of site visitors, potentially stealing session data or performing unauthorized actions on behalf of users. No patch is currently available for this vulnerability.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-24955 HIGH This Week

Reflected cross-site scripting in fox-themes Whizz Plugins version 1.9 and earlier allows unauthenticated remote attackers to inject malicious scripts into web pages viewed by victims, potentially leading to session hijacking, credential theft, or malware distribution. The vulnerability requires user interaction to trigger and can affect all visitors to a compromised site due to its cross-site impact. No patch is currently available.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-24949 HIGH This Week

DOM-based cross-site scripting in ThemeGoods PhotoMe through version 5.7.1 enables attackers to inject malicious scripts that execute in users' browsers without authentication. An attacker can exploit this vulnerability to steal sensitive data, hijack user sessions, or perform unauthorized actions on behalf of affected users. No patch is currently available, and exploitation requires user interaction to trigger the payload.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-24948 HIGH This Week

Reflected XSS in fox-themes Reflector plugin versions up to 1.2.2 enables attackers to inject malicious scripts into web pages viewed by victims, potentially allowing theft of session cookies, credentials, or sensitive data through user interaction. The vulnerability requires no authentication and can spread across security boundaries, affecting all users who click malicious links. No patch is currently available.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
Prev Page 3 of 4 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy