Unauthenticated command injection in thesystem 1.0. EPSS 3.4%. PoC available.
Privilege escalation in Print Shop Pro WebDesk v.18.34 via AccessID parameter. PoC available.
Privilege escalation in Key Systems Global Facilities Management Software via PIN component. PoC available.
SQL injection in Ghost CMS versions 3.24.0 through 6.19.0 allows unauthenticated attackers to read arbitrary database data. Patch available.
ReDoS in fast-xml-parser before fix via crafted XML. PoC and patch available.
SQL injection in Fiverr Clone Script 1.2.2. PoC available.
Host Header Poisoning in Monica 4.1.2 CRM. PoC available.
SQL injection in LibreNMS 25.12.0 and below. PoC and patch available.
Unauthenticated OS command injection in PROLiNK PRC2402M router via ip parameter. EPSS 0.39%.
Second improper authentication in Acronis Cyber Protect 16. CVSS 10.0.
Improper authentication in Acronis Cyber Protect 16. CVSS 10.0.
Missing authorization in Acronis Cyber Protect 16 allows sensitive data access. CVSS 10.0.
Authorization bypass in Kargo Kubernetes promotion tool from 1.7.0 before 1.7.8/1.8.11/1.9.3. Batch resource creation bypasses authorization checks. Patch available.
Auth bypass in GFI Archiver via MArc.Store missing authorization. EPSS 0.59%.
Auth bypass in GFI Archiver via MArc.Core missing authorization. EPSS 0.59%.
Code injection in WPForms Google Sheet Connector (gsheetconnector-wpforms) WordPress plugin allows arbitrary code execution.
Unrestricted file upload in Bravis Addons (bravis-addons) WordPress theme allows uploading web shells for remote code execution.
Unrestricted file upload in Wiguard (wiguard) WordPress theme allows uploading web shells for remote code execution.
RCE in Smanga 3.2.7 via command injection in /php/path/rescan.php. EPSS 0.29%.
Command injection in Owl OPDS 2.2.0.4. EPSS 0.29%.
Command injection in Owl OPDS 2.2.0.4 — duplicate of CVE-2026-26093.
Code inclusion from untrusted source in Slyde presentation tool 0.0.4 and below. Automatically imports plugin files. Patch available.
Blank admin credentials allowed in device web management. Admin can set empty password, making device fully accessible.
Configuration injection in OpenClaw Docker sandbox before 2026.2.15 allows escaping sandbox restrictions. Patch available.
leafcolor Applay - Shortcodes applay-shortcodes is affected by deserialization of untrusted data (CVSS 8.8).
Deserialization of untrusted data in Lorem Ipsum Books & Media (lorem-ipsum-books-media-store) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Deserialization of untrusted data in Extreme Store (extremestore) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Deserialization of untrusted data in Themesflat Elementor (themesflat-elementor) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Deserialization of untrusted data in SevenHills (sevenhills) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Deserialization of untrusted data in KindlyCare (kindlycare) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Deserialization of untrusted data in Capella (capella) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Deserialization of untrusted data in Prestige (prestige) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Deserialization of untrusted data in PhotoMe (photome) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Deserialization of untrusted data in Ippsum (ippsum) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Deserialization of untrusted data in Travelicious (travelicious) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Deserialization of untrusted data in Nestin (nestin) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Deserialization of untrusted data in PatioTime (patiotime) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Missing authentication in Acronis Cyber Protect Cloud Agent (Linux, Windows, macOS).
Auth bypass in Smanga 3.2.7 allows unauthenticated password reset for any user including admin.
Blind SQL injection in Download Manager Addons for Elementor (download-manager-addons-for-elementor) WordPress theme/plugin core allows data extraction from the database.
Blind SQL injection in Emerce Core (emerce-core) WordPress theme/plugin core allows data extraction from the database.
Blind SQL injection in Uroan Core (uroan-core) WordPress theme/plugin core allows data extraction from the database.
Blind SQL injection in Wolmart Core (wolmart-core) WordPress theme/plugin core allows data extraction from the database.
Blind SQL injection in Woodly Core (woodly-core) WordPress theme/plugin core allows data extraction from the database.
Blind SQL injection in Saasplate Core (saasplate-core) WordPress theme/plugin core allows data extraction from the database.
Blind SQL injection in Nestbyte Core (nestbyte-core) WordPress theme/plugin core allows data extraction from the database.
Blind SQL injection in Medinik Core (medinik-core) WordPress theme/plugin core allows data extraction from the database.
Blind SQL injection in Electio Core (electio-core) WordPress theme/plugin core allows data extraction from the database.
Blind SQL injection in Crete Core (crete-core) WordPress theme/plugin core allows data extraction from the database.