Skip to main content
CVE-2025-69408 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes HealthFirst healthfirst allows PHP Local File Inclusion.This issue affects HealthFirst: from n/a through <= 1.0.1. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-69407 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes Struktur struktur allows PHP Local File Inclusion.This issue affects Struktur: from n/a through <= 2.5.1. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-69406 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX FreightCo freightco allows PHP Local File Inclusion.This issue affects FreightCo: from n/a through <= 1.1.7. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-69402 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX R&F rf allows PHP Local File Inclusion.This issue affects R&F: from n/a through <= 1.5. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-69400 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Yokoo yokoo allows PHP Local File Inclusion.This issue affects Yokoo: from n/a through <= 1.1.11. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-69399 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Cobble cobble allows PHP Local File Inclusion.This issue affects Cobble: from n/a through <= 1.7. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-69398 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Plank plank allows PHP Local File Inclusion.This issue affects Plank: from n/a through <= 1.7. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-69397 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Tint tint allows PHP Local File Inclusion.This issue affects Tint: from n/a through <= 1.7. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-69396 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Splendour splendour allows PHP Local File Inclusion.This issue affects Splendour: from n/a through <= 1.23. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-69395 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Gable gable allows PHP Local File Inclusion.This issue affects Gable: from n/a through <= 1.5. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-69375 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in SolverWp Portfolio Builder swp-portfolio allows PHP Local File Inclusion.This issue affects Portfolio Builder: from n/a through <= 1.2.5. [CVSS 8.1 HIGH]

WordPress PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-69374 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in SolverWp Eleblog - Elementor Blog And Magazine Addons ele-blog allows PHP Local File Inclusion.This issue affects Eleblog - Elementor Blog And Magazine Addons: from n/a through <= 2.0.3. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-69322 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in fuelthemes PeakShops peakshops allows PHP Local File Inclusion.This issue affects PeakShops: from n/a through < 1.5.9. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-68543 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Diza diza allows PHP Local File Inclusion.This issue affects Diza: from n/a through <= 1.3.15. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-68539 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Fana fana allows PHP Local File Inclusion.This issue affects Fana: from n/a through <= 1.1.35. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-68536 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Zota zota allows PHP Local File Inclusion.This issue affects Zota: from n/a through <= 1.3.14. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-67992 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in LoftOcean PatioTime patiotime allows PHP Local File Inclusion.This issue affects PatioTime: from n/a through < 2.1. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-67988 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in LoftOcean CozyStay cozystay allows PHP Local File Inclusion.This issue affects CozyStay: from n/a through < 1.9.1. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-67982 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Urna urna allows PHP Local File Inclusion.This issue affects Urna: from n/a through <= 2.5.12. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-67981 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Besa besa allows PHP Local File Inclusion.This issue affects Besa: from n/a through <= 2.3.15. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-67980 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Hara hara allows PHP Local File Inclusion.This issue affects Hara: from n/a through <= 1.2.17. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-60087 HIGH This Week

Nenad Obradovic Extensive VC Addons for WPBakery page builder extensive-vc-addon is affected by php remote file inclusion (CVSS 8.1).

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-68545 HIGH This Week

PHP Remote File Inclusion in Nika WordPress theme by thembay.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-2048 HIGH PATCH This Week

GIMP is vulnerable to out-of-bounds memory write during XWD file parsing due to insufficient input validation, enabling arbitrary code execution when a user opens a malicious image file. This high-severity vulnerability (CVSS 7.8) affects local attackers who can craft specially crafted XWD files to corrupt memory and execute code with the privileges of the GIMP process. No patch is currently available.

RCE Gimp Buffer Overflow Memory Corruption
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-0777 HIGH This Week

Xmind fails to display adequate security warnings when users open file attachments, enabling remote code execution with the privileges of the current user. An attacker can exploit this by tricking users into opening malicious files or visiting crafted pages, with the unsafe action proceeding without proper user notification. No patch is currently available.

RCE
NVD
CVSS 3.0
7.8
EPSS
0.1%
CVE-2026-2047 HIGH PATCH This Week

Remote code execution in GIMP through heap buffer overflow during ICNS file parsing allows attackers to execute arbitrary code when a user opens a malicious image file. The vulnerability stems from insufficient validation of user-supplied data lengths before copying to heap memory, requiring only user interaction to trigger. A patch is available for affected installations.

RCE Buffer Overflow Heap Overflow Gimp
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-2034 HIGH This Week

Remote code execution in Sante DICOM Viewer Pro via buffer overflow when parsing malicious DCM files allows attackers to execute arbitrary code on affected systems. The vulnerability stems from insufficient validation of user-supplied data length before copying to a buffer, requiring user interaction such as opening a malicious file or visiting a compromised page. No patch is currently available for this high-severity flaw.

RCE Buffer Overflow Dicom Viewer Pro
NVD
CVSS 3.0
7.8
EPSS
0.0%
CVE-2026-27001 HIGH PATCH This Week

OpenClaw versions prior to 2026.2.15 fail to sanitize workspace directory paths before injecting them into LLM prompts, allowing local attackers with execution privileges to inject malicious instructions through control characters and Unicode markers in directory names. An attacker can exploit this prompt injection vulnerability to manipulate the AI assistant's behavior and execute unintended commands. A patch is available in version 2026.2.15 and later.

Command Injection AI / ML Openclaw
NVD GitHub
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-2492 HIGH This Week

Local privilege escalation in TensorFlow's HDF5 plugin-loading mechanism lets a low-privileged user run arbitrary code as a higher-privileged target user. The flaw stems from TensorFlow loading plugins from an unsecured, attacker-writable search-path location (CWE-427), so an attacker who can already execute low-privileged code plants a malicious plugin that is later loaded in the victim's context. There is no public exploit identified at time of analysis, EPSS risk is very low (0.02%), and it is not listed in CISA KEV, but the issue is credibly reported by Trend Micro ZDI (ZDI-26-116) and patched by upstream and Red Hat.

Privilege Escalation RCE
NVD GitHub VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-26050 HIGH This Week

Arbitrary code execution with administrative privileges in RICOH Job Log Aggregation Tool versions before 1.3.7 due to insecure DLL search path handling. Local attackers with user interaction can execute malicious code by placing a crafted DLL in the installer's search path. No patch is currently available.

Privilege Escalation RCE
NVD
CVSS 3.0
7.8
EPSS
0.0%
CVE-2026-26959 HIGH This Week

Arbitrary code execution in ADB Explorer version 0.9.26020 and earlier on Windows allows local attackers to execute malicious binaries by manipulating the ManualAdbPath configuration setting without integrity validation. An attacker can exploit this through social engineering by distributing a crafted settings file that redirects the application to a malicious executable, gaining code execution with user privileges. The vulnerability requires user interaction to launch the application with a malicious configuration directory.

Windows RCE
NVD GitHub
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-26102 HIGH This Week

Opds-Talon versions up to 2.2.0.4 is affected by incorrect permission assignment for critical resource (CVSS 7.8).

Privilege Escalation Opds Talon
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-26101 HIGH This Week

Opds-Talon versions up to 2.2.0.4 is affected by incorrect permission assignment for critical resource (CVSS 7.8).

Privilege Escalation Opds Talon
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-69377 HIGH This Week

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in vanquish User Extra Fields wp-user-extra-fields allows Path Traversal.This issue affects User Extra Fields: from n/a through <= 17.0. [CVSS 7.7 HIGH]

WordPress Path Traversal PHP
NVD
CVSS 3.1
7.7
EPSS
0.1%
CVE-2025-68862 HIGH This Week

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Murtaza Bhurgri Woo File Dropzone woo-file-dropzone allows Path Traversal.This issue affects Woo File Dropzone: from n/a through <= 1.1.7. [CVSS 7.7 HIGH]

Path Traversal
NVD
CVSS 3.1
7.7
EPSS
0.1%
CVE-2025-52744 HIGH This Week

Improper Control of Generation of Code ('Code Injection') vulnerability in inpersttion Inpersttion For Theme err-our-team allows Code Injection.This issue affects Inpersttion For Theme: from n/a through <= 1.0. [CVSS 7.6 HIGH]

Code Injection RCE
NVD
CVSS 3.1
7.7
EPSS
0.1%
CVE-2025-53217 HIGH This Week

Missing Authorization vulnerability in staviravn AIO WP Builder all-in-one-wp-builder allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AIO WP Builder: from n/a through <= 2.0.2. [CVSS 7.6 HIGH]

Authentication Bypass
NVD
CVSS 3.1
7.6
EPSS
0.0%
CVE-2026-2635 HIGH PATCH This Week

Authentication bypass leading to administrator-level remote code execution affects MLflow installations that use the built-in basic authentication, which ships a basic_auth.ini file containing hard-coded default credentials. Remote unauthenticated attackers who know these well-known defaults can log in as the administrator and execute arbitrary code in that context. No public exploit has been identified at time of analysis and it is not in CISA KEV, but the EPSS score of 1.39% (80th percentile) reflects above-average exploitation interest for a Trend Micro ZDI-disclosed flaw with an available vendor patch.

Authentication Bypass RCE
NVD GitHub VulDB
CVSS 3.1
7.3
EPSS
1.4%
CVE-2026-22356 HIGH This Week

Jetpack CRM versions 6.7.0 and earlier contain a local file inclusion vulnerability in their PHP code that allows attackers to manipulate file inclusion statements and access arbitrary files on the server. An unauthenticated attacker can exploit this through a user interaction to read sensitive files or potentially execute arbitrary code with high impact. No patch is currently available for this vulnerability.

PHP LFI
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-69387 HIGH This Week

whatwouldjessedo Simple Retail Menus simple-retail-menus is affected by php remote file inclusion (CVSS 7.5).

PHP LFI
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-69373 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in beeteam368 VidoRev vidorev allows PHP Local File Inclusion.This issue affects VidoRev: from n/a through <= 2.9.9.9.9.9.7. [CVSS 7.5 HIGH]

PHP LFI Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-68841 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Themepul TopperPack - Complete Elementor Addons, Theme &amp; CPT Builder topper-pack allows PHP Local File Inclusion.This issue affects TopperPack - Complete Elementor Addons, Theme &amp; CPT Builder: from n/a through <= 1.2.1. [CVSS 7.5 HIGH]

PHP LFI Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-69383 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Agence web Eoxia - Montpellier WP shop wpshop allows PHP Local File Inclusion.This issue affects WP shop: from n/a through <= 2.6.1. [CVSS 7.5 HIGH]

PHP LFI
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-68552 HIGH This Week

WebCodingPlace WooCommerce Coming Soon Product with Countdown woo-coming-soon-product is affected by php remote file inclusion (CVSS 6.3).

WordPress PHP LFI Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-69380 HIGH This Week

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in vanquish Upload Files Anywhere wp-upload-files-anywhere allows Path Traversal.This issue affects Upload Files Anywhere: from n/a through <= 2.8. [CVSS 7.5 HIGH]

WordPress Path Traversal PHP
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-22351 HIGH This Week

WP FullCalendar plugin version 1.6 and earlier for WordPress contains an authorization bypass vulnerability that allows unauthenticated attackers to modify calendar data and disrupt service availability. The weak access control implementation enables remote exploitation without requiring user interaction or special network conditions. Organizations running affected versions should upgrade immediately as no patch is currently available.

Authentication Bypass
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-69401 HIGH This Week

mdalabar WooODT Lite byconsole-woo-order-delivery-time is affected by authentication bypass by spoofing (CVSS 7.5).

Authentication Bypass
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-24950 HIGH This Week

themeplugs Authorsy authorsy is affected by authorization bypass through user-controlled key (CVSS 7.5).

Authentication Bypass
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-24941 HIGH This Week

WP Job Portal versions 2.4.4 and earlier contain an authorization bypass flaw that allows unauthenticated attackers to access sensitive information by exploiting improperly configured access controls. An attacker can remotely exploit this vulnerability without user interaction to gain unauthorized visibility into restricted data. No patch is currently available for this vulnerability.

WordPress
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-69303 HIGH This Week

modeltheme ModelTheme Framework modeltheme-framework is affected by missing authorization (CVSS 7.5).

Authentication Bypass
NVD
CVSS 3.1
7.5
EPSS
0.0%
Prev Page 4 of 8 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy