Skip to main content
CVE-2026-2362 MEDIUM This Month

Stored DOM-based XSS in WordPress WP Accessibility plugin (versions up to 2.3.1) allows authenticated contributors and above to inject malicious scripts via image alt attributes when the Long Description UI feature is enabled and configured as a link. The injected scripts execute in the browsers of any user accessing affected pages. No patch is currently available and exploitation requires specific plugin settings to be enabled.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-2383 MEDIUM This Month

Stored XSS in Simple Download Monitor plugin for WordPress through version 4.0.5 allows authenticated users with Contributor privileges or higher to inject malicious scripts via custom fields that execute in other users' browsers. The vulnerability stems from inadequate input sanitization and output encoding, enabling attackers to compromise page integrity and steal user data. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-14142 MEDIUM This Month

The Electric Enquiries plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'button' parameter of the electric-enquiry shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-14149 MEDIUM This Month

The Xpro Addons - 140+ Widgets for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Image Scroller widget box link attribute in all versions up to, and including, 1.4.24 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-14040 MEDIUM This Month

The Automotive Car Dealership Business WordPress Theme for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Call to Action' custom fields in all versions up to, and including, 13.4. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-11950 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in KNOWHY Advanced Technology Trading Ltd. Co. [CVSS 6.3 MEDIUM]

XSS Eduasist
NVD VulDB
CVSS 3.1
6.3
EPSS
0.0%
CVE-2025-13327 MEDIUM PATCH This Month

A flaw was found in uv. This vulnerability allows an attacker to execute malicious code during package resolution or installation via specially crafted ZIP (Zipped Information Package) archives that exploit parsing differentials, requiring user interaction to install an attacker-controlled package. [CVSS 6.3 MEDIUM]

Information Disclosure Uv Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-3289 LOW POC Monitor

Path traversal in Sanluan PublicCMS 6.202506.d's Template Cache Generation component allows authenticated remote attackers to manipulate the saveMetadata function and access arbitrary files on the system. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor who has not responded to disclosure attempts.

Java Path Traversal
NVD VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2026-3269 LOW POC Monitor

Psi Probe versions up to 5.3.0 contain a denial of service vulnerability in the session expiration handler that allows authenticated remote attackers to crash the application through request manipulation. Public exploit code is available for this vulnerability, and no patch has been released despite vendor notification. The vulnerability affects Java-based deployments of Psi Probe used for Tomcat monitoring.

Java Denial Of Service
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-3270 LOW POC Monitor

Server-side request forgery in PSI Probe up to version 5.3.0 allows authenticated attackers to conduct arbitrary network requests through the Whois lookup function. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor. The flaw requires valid credentials but can be exploited remotely with minimal complexity.

Java SSRF
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-27756 MEDIUM This Month

Sl902-Swtgw124As Firmware versions up to 200.1.20 is affected by cross-site scripting (xss) (CVSS 6.1).

XSS Sl902 Swtgw124as Firmware
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-1434 MEDIUM This Month

Omega Psir contains a reflected cross-site scripting (XSS) vulnerability in the lang parameter that allows attackers to execute arbitrary JavaScript in a victim's browser by crafting a malicious URL. The vulnerability affects unauthenticated users who click on attacker-controlled links, potentially enabling session hijacking, credential theft, or malware distribution. No patch is currently available for this MEDIUM severity flaw.

XSS Omega Psir
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-3286 LOW POC Monitor

Server-side request forgery in Paicoding 1.0.0-1.0.3 allows authenticated attackers to manipulate the image upload parameter and trigger arbitrary outbound requests from the affected server. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite early notification. The attack requires valid credentials but poses risks to internal network reconnaissance and data exfiltration.

Java SSRF
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-3302 LOW POC Monitor

Cross-site scripting (XSS) in SourceCodester Doctor Appointment System 1.0 allows unauthenticated remote attackers to inject malicious scripts via the Email parameter in the /register.php Sign Up Page. Public exploit code exists for this vulnerability, increasing the risk of active exploitation. The lack of an available patch leaves affected systems vulnerable to session hijacking and credential theft.

PHP XSS
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-3292 LOW POC Monitor

SQL injection in jizhiCMS up to version 2.5.6 via the findAll function in the Model.php batch interface allows authenticated remote attackers to manipulate database queries and potentially access or modify sensitive data. Public exploit code is available for this vulnerability, and no patch has been released despite vendor notification. The flaw requires valid user credentials but can be exploited over the network with minimal additional complexity.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-3287 LOW POC Monitor

SQL injection in Youlai Mall 2.0.0's product pagination endpoint allows authenticated remote attackers to manipulate the sortField parameter and execute arbitrary SQL queries. Public exploit code exists for this vulnerability, and the vendor has not provided a patch. Attackers with valid credentials can exploit this flaw to read or modify sensitive data within the database.

Java SQLi
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-3281 LOW POC PATCH Monitor

Heap-based buffer overflow in libvips 8.19.0's vips_bandrank_build function can be triggered by manipulating the index argument, allowing local attackers with user privileges to corrupt heap memory and potentially achieve code execution. Public exploit code exists for this vulnerability, and a patch is available to address the issue.

Buffer Overflow Libvips
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-3293 LOW POC PATCH Monitor

A weakness has been identified in snowflakedb snowflake-jdbc up to 4.0.1. Impacted is the function SdkProxyRoutePlanner of the file src/main/java/net/snowflake/client/internal/core/SdkProxyRoutePlanner.java of the component JDBC URL Handler. [CVSS 3.3 LOW]

Java Denial Of Service
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-3284 LOW POC PATCH Monitor

A vulnerability was found in libvips 8.19.0. Impacted is the function vips_extract_area_build of the file libvips/conversion/extract.c. [CVSS 3.3 LOW]

Buffer Overflow Libvips
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-27752 MEDIUM This Month

Sl902-Swtgw124As Firmware versions up to 200.1.20 is affected by cleartext transmission of sensitive information (CVSS 5.9).

Information Disclosure Sl902 Swtgw124as Firmware
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-24350 MEDIUM This Month

Stored XSS in PluXml CMS file upload functionality allows authenticated attackers to embed malicious payloads in SVG files that execute when victims directly access the uploaded files. The vulnerability affects at least versions 5.8.21 and 5.9.0-rc7, with other versions untested. No patch is currently available from the vendor.

XSS Pluxml
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-27792 MEDIUM PATCH This Month

Seerr versions 2.7.0 through 3.0.x contain an authorization bypass in push subscription API endpoints that allows authenticated users to read and modify other users' data due to missing permission checks. An attacker with valid credentials can exploit this to access sensitive information and alter configurations belonging to arbitrary accounts. The vulnerability is fixed in version 3.1.0.

Authentication Bypass Seerr
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-1305 MEDIUM This Month

The Japanized for WooCommerce plugin through version 2.8.4 fails to properly validate webhook signatures, allowing unauthenticated attackers to bypass payment authentication and fraudulently update order statuses to "Processing" or "Completed" without actual payment. An attacker can exploit this by omitting the signature header in POST requests to the Paidy webhook endpoint, resulting in the permission check unconditionally returning true. No patch is currently available.

WordPress
NVD
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-1558 MEDIUM This Month

Unauthenticated attackers can modify arbitrary post metadata in WordPress sites running WP Recipe Maker plugin versions up to 10.3.2 due to an insecure direct object reference in the Instacart integration REST API endpoint. The vulnerability stems from improper authorization checks on the recipeId parameter, allowing attackers to overwrite recipe configuration data without authentication. No patch is currently available for this issue.

WordPress
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-28351 MEDIUM PATCH This Month

Crafted PDF files can trigger excessive memory consumption in pypdf versions before 6.7.4 when processing content streams with the RunLengthDecode filter, enabling denial-of-service attacks against applications using the library. An unauthenticated attacker can exploit this remotely by submitting a malicious PDF, causing the affected application to exhaust system memory. A patch is available in pypdf 6.7.4 and later.

Python Pypdf Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-28407 MEDIUM PATCH This Month

Malcontent versions before 1.21.0 fail to preserve nested archives that cannot be extracted, potentially allowing malicious content to evade detection during supply-chain compromise analysis. An attacker could exploit this by embedding malicious payloads in problematic nested archives that the tool would discard without scanning. The vulnerability has a patch available in version 1.21.0 and later.

Information Disclosure Malcontent Suse
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-28421 MEDIUM POC PATCH This Month

Vim versions before 9.2.0077 contain heap buffer overflow and segmentation fault vulnerabilities in swap file recovery that can be triggered by opening a specially crafted swap file, affecting users who recover sessions from untrusted sources. An attacker could exploit this to cause application crashes or potentially achieve code execution through memory corruption. A patch is available in version 9.2.0077 and later.

Code Injection Vim Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-28419 MEDIUM PATCH This Month

Vim versions prior to 9.2.0075 contain a heap buffer underflow in the tags file parser that triggers when processing malformed tag files with delimiters at line starts, potentially allowing local attackers with user interaction to read out-of-bounds memory and cause information disclosure or crashes. The vulnerability requires local file system access and user interaction to exploit, with a CVSS score of 5.3 indicating medium severity. A patch is available in Vim 9.2.0075 and later versions.

Heap Overflow Vim Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-24351 MEDIUM This Month

PluXml CMS versions 5.8.21 and 5.9.0-rc7 contain a stored cross-site scripting vulnerability in the static pages editor that allows authenticated users with editing privileges to inject malicious JavaScript and HTML into pages. When other users visit the compromised pages, the injected code executes in their browsers, potentially enabling session hijacking, credential theft, or malware distribution. No patch is currently available from the vendor.

XSS Pluxml
NVD VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2025-9572 MEDIUM PATCH This Month

n authorization flaw in Foreman's GraphQL API allows low-privileged users to access metadata beyond their assigned permissions. Unlike the REST API, which correctly enforces access controls, the GraphQL endpoint does not apply proper filtering, leading to an authorization bypass. [CVSS 5.0 MEDIUM]

Information Disclosure Red Hat
NVD VulDB
CVSS 3.1
5.0
EPSS
0.0%
CVE-2026-22716 MEDIUM This Month

VMware Workstation 25H1 and earlier contains an out-of-bounds write vulnerability that allows unprivileged guest VM users to crash specific Workstation processes. The vulnerability requires user interaction and does not enable privilege escalation or data theft, making it suitable for denial-of-service attacks against the host virtualization platform. No patch is currently available for this medium-severity flaw.

VMware
NVD
CVSS 3.1
5.0
EPSS
0.0%
CVE-2026-28270 MEDIUM This Month

Kiteworks versions prior to 9.2.0 lack proper file validation in their configuration upload functionality, allowing authenticated administrators to upload arbitrary files to the system. An attacker with administrative privileges could exploit this to introduce malicious or unauthorized file types, potentially compromising system integrity. A patch is available in version 9.2.0 and later.

File Upload Kiteworks
NVD GitHub
CVSS 3.1
4.9
EPSS
0.0%
CVE-2026-0871 MEDIUM PATCH This Month

Build Of Keycloak contains a vulnerability that allows attackers to unauthorized changes to user profiles, even when the system is configured to res (CVSS 4.9).

Authentication Bypass Keycloak Build Of Keycloak Red Hat
NVD
CVSS 3.1
4.9
EPSS
0.0%
CVE-2026-2831 MEDIUM This Month

SQL injection in the MailArchiver WordPress plugin through version 4.5.0 allows authenticated administrators to extract sensitive database information by injecting malicious SQL commands via the 'logid' parameter due to improper input escaping. The vulnerability requires high-level privileges and administrator credentials to exploit, limiting its risk to insider threats or compromised administrative accounts. No patch is currently available for this medium-severity issue.

WordPress SQLi
NVD
CVSS 3.1
4.9
EPSS
0.0%
CVE-2026-24352 MEDIUM This Month

Session fixation vulnerability in PluXml CMS allows attackers to set session identifiers before authentication, enabling session hijacking after the victim logs in.

Information Disclosure Session Fixation
NVD VulDB
CVSS 4.0
4.8
EPSS
0.1%
CVE-2026-28417 MEDIUM PATCH This Month

Arbitrary command execution in Vim's netrw plugin prior to version 9.2.0073 allows attackers to execute shell commands with user privileges by crafting malicious URLs (such as scp:// handlers) that users are tricked into opening. The vulnerability requires user interaction but poses a local privilege escalation risk in multi-user environments. A patch is available in Vim 9.2.0073 and later.

Command Injection Vim Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-28420 MEDIUM POC PATCH This Month

Vim versions prior to 9.2.0076 contain a heap buffer overflow and out-of-bounds read vulnerability in the terminal emulator when handling Unicode combining characters from supplementary planes, allowing a local attacker with user interaction to cause memory corruption and denial of service. The vulnerability requires local access and user interaction to trigger, with no confidentiality impact but potential integrity and availability consequences. A patch is available in version 9.2.0076 and later.

Buffer Overflow Heap Overflow Vim Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-28418 MEDIUM PATCH This Month

Vim versions prior to 9.2.0074 contain a heap buffer overflow in the Emacs-style tags file parser that allows reading up to 7 bytes of out-of-bounds memory when processing malformed tags files. A local attacker can trigger this vulnerability through a crafted tags file to leak sensitive information from the application's memory. The vulnerability has been patched in version 9.2.0074 and later.

Buffer Overflow Heap Overflow Vim Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-20797 MEDIUM This Month

Unauthenticated attackers can exploit a stack buffer overflow in XWEB Pro firmware (versions 1.12.1 and earlier) through an unprotected API endpoint to corrupt memory and crash the affected device. This vulnerability impacts Xweb 500b Pro, 300d Pro, and 500d Pro models, causing denial of service with no authentication required. No patch is currently available for this issue.

Buffer Overflow Memory Corruption Xweb 300d Pro Firmware Xweb 500d Pro Firmware Xweb 500b Pro Firmware
NVD GitHub
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-28415 MEDIUM PATCH This Month

Open redirect in Gradio's OAuth implementation allows unauthenticated attackers to redirect users to arbitrary external URLs through the unvalidated _target_url parameter on /logout and /login/callback endpoints in applications with OAuth enabled. This affects Gradio versions prior to 6.6.0 running on Hugging Face Spaces with gr.LoginButton, enabling phishing attacks or credential theft. The vulnerability has been patched in version 6.6.0 by sanitizing the parameter to only accept relative URLs.

Python AI / ML Gradio Hugging Face Red Hat
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-15509 MEDIUM This Month

The SmartRemote module has insufficient restrictions on loading URLs, which may lead to some information leakage. [CVSS 4.3 MEDIUM]

Authentication Bypass Smartremote Module
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-27758 MEDIUM This Month

Sl902-Swtgw124As Firmware versions up to 200.1.20 is affected by cross-site request forgery (csrf) (CVSS 4.3).

CSRF Sl902 Swtgw124as Firmware
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-27167 NONE POC PATCH Awaiting Data

Gradio is an open-source Python package designed for quick prototyping. Starting in version 4.16.0 and prior to version 6.6.0, Gradio applications running outside of Hugging Face Spaces automatically enable "mocked" OAuth routes when OAuth components (e.g.

Python Hugging Face AI / ML
NVD GitHub
EPSS
0.1%
CVE-2026-22877 LOW Monitor

An arbitrary file-read vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling unauthenticated attackers to read arbitrary files on the system, and potentially causing a denial-of-service attack. [CVSS 3.7 LOW]

Path Traversal Information Disclosure Xweb 300d Pro Firmware Xweb 500d Pro Firmware Xweb 500b Pro Firmware
NVD GitHub
CVSS 3.1
3.7
EPSS
0.1%
CVE-2025-15567 LOW Monitor

Insufficient protection mechanisms in the Health Module may lead to partial information disclosure. [CVSS 3.3 LOW]

Information Disclosure Health Module
NVD
CVSS 3.1
3.3
EPSS
0.0%
CVE-2025-12150 LOW PATCH Monitor

A flaw was found in Keycloak’s WebAuthn registration component. [CVSS 3.1 LOW]

Authentication Bypass Build Of Keycloak Keycloak
NVD GitHub
CVSS 3.1
3.1
EPSS
0.0%
CVE-2026-22717 LOW Monitor

Out-of-bound read vulnerability in VMware Workstation 25H1 and below on any platform allows an actor with non-administrative privileges on a guest VM to obtain limited information disclosure from the machine where VMware Workstation is installed. [CVSS 2.7 LOW]

VMware Information Disclosure
NVD
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-28422 LOW PATCH Monitor

Vim is an open source, command line text editor. Prior to version 9.2.0078, a stack-buffer-overflow occurs in `build_stl_str_hl()` when rendering a statusline with a multi-byte fill character on a very wide terminal. [CVSS 2.2 LOW]

Buffer Overflow Vim
NVD GitHub VulDB
CVSS 3.1
2.2
EPSS
0.0%
CVE-2026-21619 LOW Monitor

Uncontrolled resource consumption in hex_core, hex, and rebar3 package managers results from unsafe deserialization of untrusted data in API request handling, enabling remote attackers to trigger excessive memory allocation and denial of service without authentication. Affected versions include hex_core before 0.12.1, hex before 2.3.2, and rebar3 before 3.27.0, with no patch currently available. An attacker can exploit this remotely over the network to exhaust system resources and crash affected Erlang/Elixir build environments.

Deserialization Denial Of Service Rebar3 Hex Hex Core
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2025-15498 This Week

Pro3W CMS if vulnerable to SQL injection attacks. Improper neutralization of input provided into a login form allows an unauthenticated attacker to bypass authentication and gain administrative privileges.

SQLi Authentication Bypass
NVD
EPSS
0.1%
Prev Page 4 of 5 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy