Skip to main content
CVE-2026-2385 MEDIUM This Month

Unauthenticated attackers can manipulate email routing and redirection in The Plus Addons for Elementor plugin for WordPress versions up to 6.4.7 by tampering with the 'email_data' parameter in an AJAX handler that lacks proper cryptographic verification. This allows attackers to trigger unauthorized email relay and redirect users to attacker-controlled sites without authentication. No patch is currently available for this medium-severity vulnerability.

WordPress
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-2913 LOW POC PATCH Monitor

A vulnerability was determined in libvips up to 8.19.0. The affected element is the function vips_source_read_to_memory of the file libvips/iofuncs/source.c. [CVSS 2.5 LOW]

Buffer Overflow Libvips
NVD GitHub VulDB
CVSS 4.0
1.1
EPSS
0.0%
CVE-2026-1369 MEDIUM This Month

Conditional CAPTCHA WordPre versions up to 4.0.0 is affected by url redirection to untrusted site (open redirect) (CVSS 4.3).

WordPress Open Redirect
NVD WPScan
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-2930 LOW Monitor

Stack buffer overflow in Tenda A18 15.13.07.13 firmware allows authenticated remote attackers to execute arbitrary code through malformed boundary parameters in the /cgi-bin/UploadCfg HTTP endpoint. The vulnerability affects the webCgiGetUploadFile function within the Httpd service and has public exploit code available. Affected users should apply patches when available, as the vulnerability requires valid credentials but no user interaction.

Buffer Overflow Tenda
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2026-2954 LOW Monitor

SQL/code injection in Dromara UJCMS 10.0.2 allows authenticated remote attackers to manipulate database driver parameters (driverClassName/url) through the ImportDataController's import-channel endpoint. Public exploit code exists for this vulnerability, and the vendor has not provided a patch or response. Successful exploitation could result in unauthorized data access, modification, or system availability impacts.

Code Injection Ujcms
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-2943 LOW Monitor

Cross-site scripting in SapneshNaik Student Management System allows remote attackers to inject malicious scripts through the Error parameter in index.php, with public exploit code available. The vulnerability requires user interaction to trigger and has a low CVSS score of 4.3, but no patch is currently available from the unresponsive vendor.

PHP XSS
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-2903 LOW Monitor

A flaw has been found in skvadrik re2c versions up to 4.4. is affected by improper resource shutdown or release (CVSS 3.3).

Denial Of Service
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
Prev Page 2 of 2

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy