466 CVEs tracked today. 73 Critical, 306 High, 81 Medium, 5 Low.
-
CVE-2026-30797
CRITICAL
CVSS 9.3
Security vulnerability in RustDesk remote desktop client/server. One of 6+ critical CVEs affecting the open-source remote access platform.
Windows
Information Disclosure
Google
Apple
macOS
-
CVE-2026-30794
CRITICAL
CVSS 9.1
Security vulnerability in RustDesk remote desktop client/server. One of 6+ critical CVEs affecting the open-source remote access platform.
Windows
Information Disclosure
Google
Apple
macOS
-
CVE-2026-30793
CRITICAL
CVSS 9.3
Security vulnerability in RustDesk remote desktop client/server. One of 6+ critical CVEs affecting the open-source remote access platform.
Windows
Authentication Bypass
Privilege Escalation
Google
CSRF
-
CVE-2026-30792
CRITICAL
CVSS 9.1
Security vulnerability in RustDesk remote desktop client/server. One of 6+ critical CVEs affecting the open-source remote access platform.
Windows
Information Disclosure
Google
Apple
macOS
-
CVE-2026-30790
CRITICAL
CVSS 9.3
Security vulnerability in RustDesk remote desktop client/server. One of 6+ critical CVEs affecting the open-source remote access platform.
Windows
Information Disclosure
Apple
macOS
Microsoft
-
CVE-2026-30789
CRITICAL
CVSS 9.3
Security vulnerability in RustDesk remote desktop client/server. One of 6+ critical CVEs affecting the open-source remote access platform.
Windows
Authentication Bypass
Google
Apple
macOS
-
CVE-2026-29188
CRITICAL
CVSS 9.1
Unauthorized file operations in File Browser before fix. PoC and patch available.
Authentication Bypass
Filebrowser
Suse
-
CVE-2026-29128
CRITICAL
CVSS 10.0
Plaintext daemon credentials in IDC SFX2100 routing config files (zebra, bgpd, ospfd, ripd). CVSS 10.0. PoC available.
Privilege Escalation
Information Disclosure
Linux
IoT
BGP
-
CVE-2026-28536
CRITICAL
CVSS 9.6
Auth bypass in device authentication module.
Authentication Bypass
Harmonyos
-
CVE-2026-28474
CRITICAL
CVSS 9.3
Authentication bypass in OpenClaw's Nextcloud Talk plugin versions ≤2026.2.2 allows remote unauthenticated attackers to bypass DM and room allowlists by spoofing display names. Attackers can change their Nextcloud display name to match an allowlisted user ID, gaining unauthorized access to restricted conversations without authentication. EPSS score is low (0.05%, 16th percentile), indicating low observed exploitation probability. No active exploitation confirmed; vulnerability was responsibly disclosed by AISLE Research Team and patched in version 2026.2.6.
Authentication Bypass
Nextcloud
-
CVE-2026-28470
CRITICAL
CVSS 9.2
Exec allowlist bypass in OpenClaw before 2026.2.2 via argument injection. Patch available.
Authentication Bypass
-
CVE-2026-28466
CRITICAL
CVSS 9.9
Gateway authorization bypass in OpenClaw before 2026.2.14. Unsanitized approval fields in node.invoke. Patch available.
Authentication Bypass
RCE
Openclaw
-
CVE-2026-28446
CRITICAL
CVSS 9.4
Auth bypass in OpenClaw voice-call extension before 2026.2.1. EPSS 0.68%. PoC and patch available.
Authentication Bypass
AI / ML
Openclaw
-
CVE-2026-28443
CRITICAL
CVSS 9.8
SQL injection in OpenReplay session replay before 1.20.0.
SQLi
Openreplay
-
CVE-2026-28391
CRITICAL
CVSS 9.8
Windows cmd.exe metacharacter injection in OpenClaw before 2026.2.2. Bypass exec whitelist. Patch available.
Windows
Openclaw
-
CVE-2026-28353
CRITICAL
CVSS 10.0
Trivy Vulnerability Scanner is a VS Code extension that helps find vulnerabilities.
Information Disclosure
-
CVE-2026-28115
CRITICAL
CVSS 9.3
SQL injection in WP Attractive Donations System WordPress plugin.
SQLi
-
CVE-2026-28114
CRITICAL
CVSS 9.1
Deserialization of untrusted data in WooCommerce License Manager (fs-license-manager) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
WordPress
File Upload
-
CVE-2026-28105
CRITICAL
CVSS 9.8
Deserialization of untrusted data in Good Energy (goodenergy) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Deserialization
-
CVE-2026-28074
CRITICAL
CVSS 9.8
Deserialization of untrusted data in Pizza House (pizzahouse) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Deserialization
-
CVE-2026-28043
CRITICAL
CVSS 9.8
The ThemeREX Healer WordPress theme through version 1.0.0 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files on the server through improper handling of file include statements. An attacker can exploit this to access sensitive configuration files, database credentials, and other protected data without authentication. No patch is currently available and exploitation requires no user interaction.
PHP
WordPress
Information Disclosure
LFI
-
CVE-2026-27984
CRITICAL
CVSS 9.0
Code injection in Widget Options WordPress plugin.
RCE
Code Injection
-
CVE-2026-27983
CRITICAL
CVSS 9.8
Privilege escalation in LMS Elementor Pro WordPress plugin.
Privilege Escalation
-
CVE-2026-27944
CRITICAL
CVSS 9.8
Unauthenticated backup download and RCE in Nginx UI before 2.3.3. EPSS 1.0%. PoC available.
TLS
Nginx
Nginx Ui
Suse
-
CVE-2026-27439
CRITICAL
CVSS 9.8
Deserialization of untrusted data in Dentario (dentario) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Deserialization
-
CVE-2026-27438
CRITICAL
CVSS 9.8
Deserialization of untrusted data in Kingler (kingler) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Deserialization
-
CVE-2026-27437
CRITICAL
CVSS 9.8
Deserialization of untrusted data in Tennis Club (tennis-sportclub) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Deserialization
-
CVE-2026-27417
CRITICAL
CVSS 9.8
Deserialization of untrusted data in Sweet Date (sweetdate) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Deserialization
-
CVE-2026-27389
CRITICAL
CVSS 9.8
Auth bypass in WeDesignTech Ultimate Booking Addon for WordPress.
Authentication Bypass
-
CVE-2026-27384
CRITICAL
CVSS 9.0
Input quantity validation bypass in W3 Total Cache WordPress plugin.
Information Disclosure
-
CVE-2026-25921
CRITICAL
CVSS 9.3
Supply chain attack via LFS object overwrite across repos in Gogs before 0.14.2. PoC and patch available.
Authentication Bypass
Gogs
Suse
-
CVE-2026-24960
CRITICAL
CVSS 9.9
Unrestricted file upload in Charety (charety) WordPress theme allows uploading web shells for remote code execution.
File Upload
-
CVE-2026-24457
CRITICAL
CVSS 9.1
Arbitrary file read in OpenMQ via configuration parsing. Can lead to full exploitation.
Path Traversal
-
CVE-2026-23802
CRITICAL
CVSS 9.1
Arbitrary file upload in AI Engine WordPress plugin.
File Upload
-
CVE-2026-23767
CRITICAL
CVSS 9.8
ESC/POS printer control language lacks authentication/authorization. Any device on the network can send print commands.
Authentication Bypass
Sb H50 Firmware
Tm H6000v Firmware
Tm L100 Firmware
Tm M10 Firmware
-
CVE-2026-22501
CRITICAL
CVSS 9.8
Deserialization of untrusted data in Mounthood (mounthood) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Deserialization
-
CVE-2026-22497
CRITICAL
CVSS 9.8
Deserialization of untrusted data in Jardi (jardi) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Deserialization
-
CVE-2026-22475
CRITICAL
CVSS 9.8
Deserialization of untrusted data in Estate (estate) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Deserialization
-
CVE-2026-22474
CRITICAL
CVSS 9.8
Deserialization of untrusted data in Equestrian Centre (equestrian-centre) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Deserialization
-
CVE-2026-22454
CRITICAL
CVSS 9.8
Deserialization of untrusted data in Solaris (solaris) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Deserialization
-
CVE-2026-22453
CRITICAL
CVSS 9.8
Deserialization of untrusted data in Pets Club (petclub) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Deserialization
-
CVE-2026-22451
CRITICAL
CVSS 9.8
Deserialization of untrusted data in Handyman (handyman-services) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Deserialization
-
CVE-2026-22417
CRITICAL
CVSS 9.8
ThemeGoods Grand Wedding through version 3.1.0 is vulnerable to remote object injection via unsafe deserialization of untrusted data, enabling attackers to execute arbitrary code without authentication. The vulnerability requires specific conditions to be met but carries high severity with complete compromise of confidentiality, integrity, and availability. No patch is currently available for affected installations.
Deserialization
-
CVE-2026-22390
CRITICAL
CVSS 9.9
Builderall Builder for WordPress (builderall-cheetah-for-wp) by Builderall is affected by code injection (CVSS 9.9).
WordPress
RCE
Code Injection
-
CVE-2026-21628
CRITICAL
CVSS 9.8
Unauthenticated RCE via file upload in industrial/enterprise application.
RCE
File Upload
Astroid Framework
-
CVE-2026-21622
CRITICAL
CVSS 9.5
Insufficient session expiration in hexpm. Password reset tokens never expire, enabling persistent account takeover.
Information Disclosure
-
CVE-2026-21536
CRITICAL
CVSS 9.8
RCE in Microsoft Devices Pricing Program.
RCE
Microsoft
File Upload
Devices Pricing Program
-
CVE-2026-3381
CRITICAL
CVSS 9.8
Insecure embedded zlib in Compress::Raw::Zlib through 2.219 for Perl.
Information Disclosure
Red Hat
Suse
-
CVE-2026-3257
CRITICAL
CVSS 9.8
Insecure embedded library in UnQLite 0.06 Perl module.
Heap Overflow
Unqlite
-
CVE-2026-2835
CRITICAL
CVSS 9.1
HTTP request smuggling in Pingora HTTP/1.0 Transfer-Encoding handling.
Code Injection
Pingora
-
CVE-2026-2833
CRITICAL
CVSS 9.1
HTTP request smuggling in Cloudflare Pingora HTTP/1.1 upgrade handling.
Code Injection
Pingora
-
CVE-2026-2743
CRITICAL
CVSS 10.0
Remote code execution in SeppMail secure email gateway versions 15.0.2.1 and earlier allows unauthenticated attackers to write arbitrary files via path traversal in the Large File Transfer (LFT) feature of the User Web Interface, leading to full system compromise. The flaw carries a maximum CVSS 4.0 score of 10.0 reflecting network-reachable, no-privilege exploitation with scope-changing impact, and was disclosed by InfoGuard Labs alongside CVE-2026-7864, CVE-2026-44127, and CVE-2026-44128. No public exploit identified at time of analysis and EPSS sits at 0.52% (67th percentile), so widespread automated abuse has not yet materialized despite the critical severity.
RCE
Path Traversal
-
CVE-2026-2599
CRITICAL
CVSS 9.8
PHP Object Injection in Database for CF7/WPforms/Elementor forms WordPress plugin.
PHP
WordPress
Information Disclosure
Deserialization
-
CVE-2026-2418
CRITICAL
CVSS 9.1
Auth bypass in Login with Salesforce WordPress plugin through 1.0.2.
WordPress
Information Disclosure
-
CVE-2026-1678
CRITICAL
CVSS 9.4
Buffer overflow in Zephyr RTOS dns_unpack_name() function causing OOB writes. PoC available.
DNS
Zephyr
-
CVE-2026-0848
CRITICAL
CVSS 10.0
Remote code execution in NLTK (Natural Language Toolkit) versions ≤3.9.2 allows unauthenticated attackers to execute arbitrary Java bytecode through the StanfordSegmenter module's unvalidated loading of external JAR files. The vulnerability is exploitable via model poisoning, MITM attacks during JAR downloads, or dependency poisoning, with execution occurring automatically at import time. Despite a critical CVSS 10.0 score, EPSS probability of 0.48% (65th percentile) suggests low observed exploitation activity. No CISA KEV listing indicates no confirmed widespread active exploitation, though the vulnerability is publicly documented on huntr.com with technical details available.
RCE
Java
-
CVE-2025-70948
CRITICAL
CVSS 9.3
Host header injection in @perfood/couch-auth v0.26.0 for password reset token theft.
Code Injection
-
CVE-2025-70614
HIGH
CVSS 8.1
OpenCode Systems OC Messaging / USSD Gateway OC Release 6.32.2 contains a broken access control vulnerability in the web-based control panel allowing authenticated low-privileged attackers to gain access to arbitrary SMS messages via a crafted company or tenant identifier parameter. [CVSS 8.1 HIGH]
Authentication Bypass
-
CVE-2025-70233
CRITICAL
CVSS 9.8
Stack buffer overflow in D-Link DIR-513 v1.10 via the curTime parameter to goform/formSetEnableWizard. Part of a family of 15+ critical buffer overflows in this router.
Buffer Overflow
D-Link
Dir 513 Firmware
-
CVE-2025-70232
CRITICAL
CVSS 9.8
Stack buffer overflow in D-Link DIR-513 v1.10 via the curTime parameter to goform/formSetMACFilter. Part of a family of 15+ critical buffer overflows in this router.
Buffer Overflow
D-Link
Dir 513 Firmware
-
CVE-2025-70231
CRITICAL
CVSS 9.8
Path traversal in D-Link DIR-513 verification code processing. PoC available.
Path Traversal
D-Link
Dir 513 Firmware
-
CVE-2025-70230
CRITICAL
CVSS 9.8
Stack buffer overflow in D-Link DIR-513 v1.10 via the curTime parameter to goform/formSetDDNS. Part of a family of 15+ critical buffer overflows in this router.
Buffer Overflow
D-Link
Dir 513 Firmware
-
CVE-2025-70229
CRITICAL
CVSS 9.8
Stack buffer overflow in D-Link DIR-513 v1.10 via the curTime parameter to goform/formSchedule. Part of a family of 15+ critical buffer overflows in this router.
Buffer Overflow
D-Link
Dir 513 Firmware
-
CVE-2025-69338
CRITICAL
CVSS 9.3
Blind SQL injection in Riode Core (riode-core) WordPress theme/plugin core allows data extraction from the database.
SQLi
-
CVE-2025-68555
CRITICAL
CVSS 9.9
Unrestricted file upload in Nutrie (nutrie) WordPress theme allows uploading web shells for remote code execution.
File Upload
-
CVE-2025-68554
CRITICAL
CVSS 9.9
Unrestricted file upload in Keenarch (keenarch) WordPress theme allows uploading web shells for remote code execution.
File Upload
-
CVE-2025-68553
CRITICAL
CVSS 9.9
Unrestricted file upload in Lendiz (lendiz) WordPress theme allows uploading web shells for remote code execution.
File Upload
-
CVE-2025-55208
CRITICAL
CVSS 9.0
Stored XSS in Chamilo LMS before 1.11.34 via file uploads in Social Networks. Leads to account takeover.
XSS
Chamilo Lms
-
CVE-2025-54001
CRITICAL
CVSS 9.8
Deserialization of untrusted data in Classter (classter) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Deserialization
-
CVE-2025-40931
CRITICAL
CVSS 9.1
Insecure session ID generation in Apache::Session::Generate::MD5 through 1.94 for Perl.
Apache
Information Disclosure
-
CVE-2025-40926
CRITICAL
CVSS 9.8
Insecure session ID generation in Plack::Middleware::Session::Simple before 0.05 for Perl. Patch available.
Information Disclosure
Suse
-
CVE-2025-29165
CRITICAL
CVSS 9.8
Privilege escalation in D-Link DIR-1253 MESH V1.6.1684 via etc/shadow.sample.
Privilege Escalation
D-Link
-
CVE-2025-13476
CRITICAL
CVSS 9.8
Static TLS fingerprint in Rakuten Viber Cloak mode enables tracking despite privacy mode.
Windows
TLS
Android
Viber
-
CVE-2024-57854
CRITICAL
CVSS 9.1
Weak PRNG in Net::NSCA::Client through 0.009002 for Perl. Patch available.
Information Disclosure
-
CVE-2026-30798
HIGH
CVSS 7.5
RustDesk Client through version 1.4.5 fails to properly verify data authenticity in its heartbeat synchronization loop, allowing remote attackers to manipulate the protocol and cause denial of service without authentication. Public exploit code exists for this vulnerability, and no patch is currently available. The flaw affects Windows, macOS, Linux, Android, and iOS deployments.
Windows
Linux
macOS
Android
Rustdesk
-
CVE-2026-30796
HIGH
CVSS 8.7
RustDesk Server Pro through version 1.7.5 transmits sensitive address book credentials in cleartext over the network heartbeat synchronization API, enabling attackers to intercept and obtain authentication credentials without authentication. The vulnerability affects Windows, macOS, and Linux deployments where the address book sync functionality is enabled. No patch is currently available.
Windows
Information Disclosure
Apple
macOS
Microsoft
-
CVE-2026-30795
HIGH
CVSS 8.7
RustDesk Client through version 1.4.5 transmits sensitive preset address book credentials in cleartext during heartbeat synchronization, enabling network eavesdropping attacks across Windows, macOS, Linux, iOS, and Android platforms. An attacker positioned to intercept network traffic can capture authentication credentials by sniffing the unencrypted JSON payload. No patch is currently available for this high-severity vulnerability (CVSS 8.7).
Windows
Information Disclosure
Google
Apple
macOS
-
CVE-2026-30791
HIGH
CVSS 7.5
RustDesk Client through version 1.4.5 uses a broken cryptographic algorithm that allows attackers to retrieve sensitive embedded data during config import, URI scheme handling, or CLI operations across Windows, macOS, Linux, iOS, Android, and web clients. An unauthenticated remote attacker can exploit this vulnerability without user interaction to extract sensitive configuration information. No patch is currently available for this high-severity vulnerability.
Windows
Information Disclosure
Google
Apple
macOS
-
CVE-2026-30785
HIGH
CVSS 8.2
RustDesk Client through version 1.4.5 on Windows, macOS, and Linux uses weak password hashing and improper object prototype handling in its password security and configuration encryption modules, allowing local authenticated attackers to extract embedded sensitive data including passwords and machine identifiers. The vulnerability affects critical cryptographic functions including symmetric_crypt() and decrypt_str_or_original(), enabling attackers with local access and valid credentials to compromise encrypted credentials and system identifiers. No patch is currently available.
Windows
Information Disclosure
Apple
macOS
Microsoft
-
CVE-2026-30784
HIGH
CVSS 8.8
Unauthenticated attackers can abuse missing authorization controls in RustDesk Server's rendezvous and relay modules (hbbs/hbbr) to gain unauthorized privileges through exposed critical functions like punch hole requests and peer registration. This vulnerability affects RustDesk Server versions through 1.7.5 and 1.1.15, enabling remote privilege escalation over the network with no authentication required. No patch is currently available.
Authentication Bypass
Suse
-
CVE-2026-30783
HIGH
CVSS 8.8
Privilege escalation in RustDesk Client through version 1.4.5 on Windows, macOS, Linux, iOS, and Android allows unauthenticated remote attackers to abuse API sync and configuration management functions. The vulnerability in the rendezvous mediator and HTTP sync modules enables attackers to gain elevated privileges without user interaction. No patch is currently available for affected users.
Windows
Information Disclosure
Google
Apple
macOS
-
CVE-2026-29611
HIGH
CVSS 7.5
Openclaw versions up to 2026.2.14 contain a vulnerability that allows attackers to read arbitrary files from the local filesystem (CVSS 7.5).
LFI
Openclaw
-
CVE-2026-29610
HIGH
CVSS 8.8
Arbitrary command execution in OpenClaw prior to version 2026.2.14 stems from improper PATH validation during node-host execution and project bootstrapping, allowing authenticated attackers or those with local filesystem access to substitute malicious binaries for legitimate commands. An attacker can exploit this to bypass allowlisted command restrictions and achieve code execution with the privileges of the OpenClaw process. A patch is available for versions 2026.2.14 and later.
Privilege Escalation
Openclaw
-
CVE-2026-29609
HIGH
CVSS 7.5
Openclaw versions up to 2026.2.14 are affected by allocation of resources without limits or throttling (CVSS 7.5).
Denial Of Service
Openclaw
-
CVE-2026-29127
HIGH
CVSS 7.8
Local privilege escalation in IDC SFX2100 Satellite Receiver firmware occurs due to overly permissive file system permissions (0777) on a privileged user's home directory, allowing any local user to read, write, and execute files within it. An attacker with local access can leverage highly privileged processes and binaries in this directory to escalate their privileges on the system. Public exploit code exists for this vulnerability, and no patch is currently available.
Privilege Escalation
Sfx2100 Firmware
-
CVE-2026-29126
HIGH
CVSS 7.8
Sfx2100 Firmware versions up to - are affected by incorrect permission assignment for critical resource (CVSS 7.8).
Privilege Escalation
Sfx2100 Firmware
-
CVE-2026-29124
HIGH
CVSS 7.8
Sfx2100 Satellite Receiver firmware contains multiple SUID root binaries in predictable locations that allow local privilege escalation from the monitor user to root. Public exploit code exists for this vulnerability, enabling any local user with monitor privileges to gain complete system control. A patch is not currently available, leaving affected devices vulnerable to privilege escalation attacks.
Privilege Escalation
Sfx2100 Firmware
-
CVE-2026-29123
HIGH
CVSS 7.8
Local privilege escalation in IDC SFX2100 firmware affects Linux systems through a SUID binary vulnerable to PATH hijacking, symlink abuse, and shared object hijacking. A local attacker can exploit this to gain root-level privileges, and public exploit code is available. No patch is currently available to address this HIGH severity vulnerability.
Privilege Escalation
Linux
Sfx2100 Firmware
-
CVE-2026-29121
HIGH
CVSS 7.8
The setuid bit on the /sbin/ip utility in IDC SFX2100 satellite receiver firmware allows local users to execute privileged operations as root, enabling unauthorized file reads and potential privilege escalation attacks. Public exploit code exists for this vulnerability, and affected users have no available patch. This vulnerability impacts any local user with access to the device.
Privilege Escalation
Sfx2100 Firmware
-
CVE-2026-29077
HIGH
CVSS 7.1
Frappe versions prior to 15.98.0 and 14.100.0 contain an improper access control vulnerability that allows authenticated users to grant document permissions they do not possess to other users. An attacker with valid credentials could escalate privileges by sharing documents with elevated permissions, potentially exposing sensitive information or enabling unauthorized modifications. No patch is currently available.
Authentication Bypass
Frappe
-
CVE-2026-29054
HIGH
CVSS 7.5
Traefik versions 2.11.9-2.11.37 and 3.1.3-3.6.8 contain a case-sensitivity bypass in Connection header handling that allows unauthenticated remote attackers to remove critical X-Forwarded headers by using lowercase Connection tokens, potentially enabling header spoofing attacks. An attacker can exploit this to manipulate forwarded client information such as IP addresses and hostnames, compromising the integrity of upstream application data. A patch is available for affected versions.
Information Disclosure
Red Hat
Traefik
Suse
-
CVE-2026-29053
HIGH
CVSS 7.6
Arbitrary code execution in Ghost CMS versions 0.7.2 through 6.19.0 allows authenticated attackers with theme upload privileges to execute malicious code on the server by crafting specially designed theme files. The vulnerability affects Ghost installations running on Node.js and requires high privileges to exploit, though successful attacks compromise complete server integrity with confidentiality, integrity, and availability impact. No patch is currently available for affected versions.
Node.js
Ghost
-
CVE-2026-28790
HIGH
CVSS 7.5
OliveTin versions prior to 3000.11.0 suffer from broken access control allowing unauthenticated users to invoke the KillAction RPC endpoint and terminate running shell command executions, bypassing authentication restrictions. Public exploit code exists for this vulnerability, enabling remote denial of service attacks against legitimate administrative actions. The vulnerability affects OliveTin deployments regardless of authentication settings and has been remediated in version 3000.11.0 and later.
Denial Of Service
Olivetin
Suse
-
CVE-2026-28789
HIGH
CVSS 7.5
OliveTin versions prior to 3000.10.3 are vulnerable to unauthenticated denial-of-service attacks when OAuth2 authentication is enabled, allowing remote attackers to crash the application by sending concurrent requests to the login endpoint. The vulnerability stems from unsynchronized access to shared state during OAuth2 processing, triggering a Go runtime panic. Public exploit code exists for this high-severity flaw, which is patched in version 3000.10.3 and later.
Denial Of Service
Golang
Olivetin
Suse
-
CVE-2026-28548
HIGH
CVSS 7.1
Vulnerability of improper verification in the email application. Impact: Successful exploitation of this vulnerability may affect service confidentiality. [CVSS 7.1 HIGH]
Privilege Escalation
Emui
Harmonyos
-
CVE-2026-28542
HIGH
CVSS 7.3
Permission bypass vulnerability in the system service framework. Impact: Successful exploitation of this vulnerability may affect availability. [CVSS 7.3 HIGH]
Authentication Bypass
Emui
Harmonyos
-
CVE-2026-28485
HIGH
CVSS 8.4
Openclaw versions up to 2026.2.12 are affected by missing authentication for critical function (CVSS 8.4).
Authentication Bypass
RCE
Openclaw
-
CVE-2026-28482
HIGH
CVSS 7.1
OpenClaw versions before 2026.2.12 suffer from a path traversal vulnerability in transcript file handling that allows authenticated local users to read and modify arbitrary files on the system by injecting directory traversal sequences into sessionId or sessionFile parameters. An attacker with local access can exploit this to access sensitive files outside the intended agent sessions directory without additional privileges. No patch is currently available for this vulnerability.
Path Traversal
-
CVE-2026-28479
HIGH
CVSS 7.5
OpenClaw versions up to 2026.2.15 are affected by use of a broken or risky cryptographic algorithm (CVSS 7.5).
Information Disclosure
Docker
Openclaw
-
CVE-2026-28478
HIGH
CVSS 7.5
OpenClaw versions up to 2026.2.13 are affected by allocation of resources without limits or throttling (CVSS 7.5).
Denial Of Service
Openclaw
-
CVE-2026-28477
HIGH
CVSS 7.1
OpenClaw versions before 2026.2.14 fail to properly validate OAuth state parameters in the Chutes login flow, allowing attackers to bypass CSRF protections and hijack user sessions. An attacker can trick a user into pasting malicious OAuth callback data to gain unauthorized access and maintain persistent tokens under a compromised account. No patch is currently available for this high-severity vulnerability.
CSRF
Openclaw
-
CVE-2026-28473
HIGH
CVSS 8.1
OpenClaw prior to version 2026.2.2 allows authenticated users with operator.write scope to bypass approval controls and resolve execution requests through a chat command that circumvents authorization checks. An attacker with this scope can approve or deny exec approval requests without having the required operator.approvals permission, effectively gaining unauthorized approval authority. A patch is available for affected installations.
Authentication Bypass
Openclaw
-
CVE-2026-28472
HIGH
CVSS 8.1
Openclaw versions up to 2026.2.2 are affected by missing authentication for critical function (CVSS 8.1).
Authentication Bypass
Openclaw
-
CVE-2026-28469
HIGH
CVSS 7.5
Openclaw versions up to 2026.2.14 are affected by authorization bypass through user-controlled key (CVSS 7.5).
Industrial
Openclaw
-
CVE-2026-28468
HIGH
CVSS 7.7
Openclaw versions up to 2026.2.14 are affected by missing authentication for critical function (CVSS 7.7).
Authentication Bypass
Openclaw
-
CVE-2026-28463
HIGH
CVSS 8.6
OpenClaw's exec-approvals feature validates command allowlists before shell expansion but fails to account for expansion during actual execution, enabling authorized users or attackers performing prompt injection to read arbitrary files through glob patterns and environment variables. This arbitrary file disclosure affects systems with host execution enabled in allowlist mode, potentially exposing sensitive data accessible to the gateway or node process. A patch is available to address this command injection vulnerability.
Command Injection
-
CVE-2026-28462
HIGH
CVSS 7.5
OpenClaw versions before 2026.2.13 suffer from a path traversal vulnerability in the browser control API that allows authenticated attackers to write arbitrary files outside designated temporary directories via the trace and download endpoints. An attacker with API access can exploit this to place malicious files in unintended locations on the system. A patch is available to address this high-severity flaw.
Path Traversal
Openclaw
-
CVE-2026-28459
HIGH
CVSS 7.1
Arbitrary file write in OpenClaw prior to version 2026.2.12 allows authenticated gateway clients to bypass path validation on the sessionFile parameter and write transcript data to any location on the host filesystem. An attacker with valid credentials can repeatedly append data to arbitrary files, potentially corrupting configurations or exhausting disk space to cause denial of service. A patch is available.
Denial Of Service
Openclaw
-
CVE-2026-28458
HIGH
CVSS 8.1
Openclaw versions up to 2026.2.1 are affected by missing authentication for critical function (CVSS 8.1).
Authentication Bypass
Information Disclosure
Openclaw
-
CVE-2026-28456
HIGH
CVSS 7.2
Improper path validation in OpenClaw Gateway versions before 2026.2.14 enables authenticated administrators to achieve arbitrary code execution by manipulating hook module paths passed to dynamic imports. An attacker with configuration modification privileges can load and execute malicious local modules within the Node.js process, gaining full system compromise capabilities.
Node.js
Openclaw
-
CVE-2026-28454
HIGH
CVSS 7.5
Openclaw versions up to 2026.2.2 are affected by insufficient verification of data authenticity (CVSS 7.5).
Authentication Bypass
Openclaw
-
CVE-2026-28453
HIGH
CVSS 7.5
OpenClaw before version 2026.2.14 fails to properly validate file paths when extracting TAR archives, enabling attackers to use path traversal sequences to write files outside the intended extraction directory. An unauthenticated remote attacker can exploit this to overwrite configuration files or inject malicious code into the system. A patch is available for affected versions.
Path Traversal
Openclaw
-
CVE-2026-28451
HIGH
CVSS 8.3
OpenClaw versions before 2026.2.14 contain unprotected server-side request forgery flaws in the Feishu extension that enable remote attackers to access internal services and exfiltrate data without authentication. Attackers can exploit the sendMediaFeishu function and markdown image processing through direct manipulation or prompt injection to force the application to fetch attacker-controlled URLs and re-upload responses as Feishu media. A patch is available to remediate this network-accessible vulnerability affecting AI/ML deployments.
SSRF
AI / ML
Openclaw
-
CVE-2026-28448
HIGH
CVSS 7.3
OpenClaw versions before 2026.2.1 fail to properly validate access controls in the Twitch plugin when role restrictions are not configured, allowing unauthenticated remote attackers to trigger agent dispatch through Twitch chat mentions. Public exploit code exists for this vulnerability, enabling attackers to invoke the agent pipeline and potentially cause unintended actions or resource exhaustion. Organizations running affected versions with the Twitch plugin enabled should apply the available patch immediately.
Authentication Bypass
Denial Of Service
AI / ML
Openclaw
-
CVE-2026-28447
HIGH
CVSS 8.1
OpenClaw 2026.1.29-beta.1 through 2026.2.0 is vulnerable to path traversal during plugin installation, enabling attackers to write arbitrary files outside the intended extensions directory by crafting malicious package names with traversal sequences. An unauthenticated attacker can exploit this when users execute the plugin install command, potentially achieving arbitrary file write capabilities on the affected system. A patch is available in version 2026.2.1.
Path Traversal
Openclaw
-
CVE-2026-28442
HIGH
CVSS 8.5
ZimaOS 1.5.2-beta3 fails to validate filesystem paths in its API delete endpoint, allowing authenticated users to bypass UI restrictions and remove critical system files and directories. Public exploit code exists for this vulnerability, and the lack of input validation on path parameters enables attackers with API access to potentially render the system unbootable or cause denial of service. No patch is currently available.
Authentication Bypass
Zimaos
-
CVE-2026-28410
HIGH
CVSS 8.1
Premature token unlock in Graph Protocol Contracts versions before 3.0.0 allows authenticated users to bypass vesting restrictions and access locked tokens before their scheduled release date. An attacker with valid credentials can manipulate the vesting contract logic to drain funds that should remain locked, resulting in unauthorized token theft. A patch is available in version 3.0.0.
Authentication Bypass
Graph Protocol Contracts
-
CVE-2026-28405
HIGH
CVSS 8.0
MarkUs prior to version 2.9.1 fails to sanitize user-submitted file contents in the HTML rendering endpoint, allowing authenticated users with UI interaction to inject malicious scripts that execute in other users' browsers. An attacker can exploit this reflected cross-site scripting vulnerability to steal session tokens, modify grades, or perform actions on behalf of affected students and instructors. The vulnerability has been patched in version 2.9.1.
XSS
Markus
-
CVE-2026-28393
HIGH
CVSS 7.7
Arbitrary JavaScript execution in OpenClaw versions prior to 2026.2.14 results from improper path validation in the hook transform module loader, allowing attackers with configuration write access to load malicious modules with gateway process privileges. The vulnerability affects the hooks.mappings[].transform.module parameter, which fails to restrict absolute paths and directory traversal sequences. A patch is available.
Path Traversal
Openclaw
-
CVE-2026-28392
HIGH
CVSS 7.5
OpenClaw versions before 2026.2.14 allow unauthenticated attackers to execute privileged slash commands via direct message when the dmPolicy setting is configured to open, bypassing security controls like allowlists and access groups. This privilege escalation stems from improper authorization checks in the Slack slash-command handler that fails to validate direct message senders. A patch is available for affected users.
Privilege Escalation
Openclaw
-
CVE-2026-28342
HIGH
CVSS 7.5
OliveTin versions prior to 3000.10.2 are vulnerable to unauthenticated denial of service through the PasswordHash API endpoint, which lacks request throttling or authentication controls and allows attackers to trigger excessive memory allocation via concurrent hashing requests. An attacker can exhaust container memory by sending multiple parallel requests, causing service degradation or complete outage. Public exploit code exists for this vulnerability, and a patch is available in version 3000.10.2 and later.
Denial Of Service
Olivetin
Suse
-
CVE-2026-28287
HIGH
CVSS 8.8
Unauthenticated command injection in FreePBX recordings module (versions 16.0.17.2-16.0.19 and 17.0.2.4-17.0.4) allows authenticated attackers to execute arbitrary system commands with full system privileges. The vulnerability stems from improper input validation in the recordings functionality, enabling complete compromise of affected FreePBX installations. No patch is currently available.
Command Injection
Freepbx
-
CVE-2026-28284
HIGH
CVSS 8.8
SQL injection in the FreePBX logfiles module allows authenticated attackers to manipulate database queries and potentially extract sensitive data or modify system records. Versions prior to 16.0.10 and 17.0.5 are vulnerable, and attackers with valid FreePBX credentials can exploit this weakness to gain unauthorized access to confidential information and compromise system integrity. No patch is currently available for affected deployments.
SQLi
Freepbx
-
CVE-2026-28210
HIGH
CVSS 8.8
Unauthenticated SQL injection in the FreePBX CDR module (versions before 16.0.49 and 17.0.7) allows authenticated users to execute arbitrary SQL commands and potentially compromise the entire database. An attacker with valid credentials can exploit this vulnerability to read sensitive call records, modify system data, or escalate privileges within the FreePBX system. No patch is currently available, leaving affected installations at high risk until upgrades are deployed.
SQLi
Freepbx
-
CVE-2026-28209
HIGH
CVSS 7.2
Unauthenticated command injection in FreePBX versions 16.0.17.2-16.0.19 and 17.0.2.4-17.0.4 via the ElevenLabs Text-to-Speech integration allows authenticated users with high privileges to execute arbitrary system commands. The vulnerability exists in the recordings module and affects all installations using the vulnerable TTS engine. No patch is currently available, leaving affected systems at risk of full system compromise.
Command Injection
AI / ML
Freepbx
-
CVE-2026-28137
HIGH
CVSS 7.1
QuanticaLabs MediCenter - Health Medical Clinic (medicenter) is affected by cross-site scripting (XSS) (CVSS 7.1).
XSS
-
CVE-2026-28135
HIGH
CVSS 8.2
WP Royal's Royal Elementor Addons (royal-elementor-addons) is affected by inclusion of functionality from an untrusted control sphere (CVSS 8.2).
Information Disclosure
-
CVE-2026-28134
HIGH
CVSS 8.5
Remote code execution in Crocoblock JetEngine versions 3.7.2 and earlier allows authenticated attackers to execute arbitrary code through improper handling of code generation. An attacker with valid credentials can leverage this code injection vulnerability to achieve remote code inclusion and gain full control over affected WordPress installations. No patch is currently available, leaving all users of vulnerable JetEngine versions at risk.
RCE
Code Injection
-
CVE-2026-28133
HIGH
CVSS 8.5
Arbitrary file upload in Filr WordPress plugin versions ≤1.2.12 allows authenticated attackers with low privileges to upload web shells, achieving remote code execution with changed scope (S:C). Despite the high CVSS score of 8.5, exploitation requires authentication and moderately complex conditions (AC:H). EPSS probability remains very low at 0.03% (10th percentile), and no active exploitation or public proof-of-concept has been identified. The Patchstack disclosure indicates this is a targeted vulnerability requiring specific WordPress role permissions rather than a mass-exploitable issue.
File Upload
-
CVE-2026-28130
HIGH
CVSS 7.1
Reflected cross-site scripting in AndonDesign UDesign versions up to 4.14.0 enables attackers to inject malicious scripts into web pages viewed by users, potentially allowing session hijacking, credential theft, or malware distribution. The vulnerability requires user interaction to click a malicious link but can affect any organization using the affected UDesign versions. No patch is currently available to remediate this issue.
XSS
-
CVE-2026-28129
HIGH
CVSS 8.1
Local file inclusion in axiomthemes Little Birdies plugin version 1.3.16 and earlier enables unauthenticated remote attackers to read arbitrary files from the server through improper input validation on file inclusion parameters. An attacker can exploit this vulnerability to access sensitive configuration files, source code, or other data without authentication. No patch is currently available for this vulnerability.
PHP
Information Disclosure
LFI
-
CVE-2026-28128
HIGH
CVSS 8.1
Local file inclusion in ThemeREX Verse PHP theme versions 1.7.0 and earlier allows unauthenticated attackers to read arbitrary files on the server through improper input validation on file inclusion functions. The vulnerability requires specific conditions for exploitation but carries high impact potential including confidentiality and integrity compromise. No patch is currently available.
PHP
Information Disclosure
LFI
-
CVE-2026-28127
HIGH
CVSS 7.1
The e-plugins Lawyer Directory plugin through version 1.3.2 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts into web pages viewed by other users. An attacker can exploit this to steal session cookies, perform actions on behalf of victims, or redirect users to malicious sites. No patch is currently available for affected installations.
XSS
-
CVE-2026-28126
HIGH
CVSS 7.1
Reflected cross-site scripting in sizam RH Frontend Publishing Pro through version 4.3.2 enables attackers to inject malicious scripts that execute in users' browsers when they click a crafted link. The vulnerability requires user interaction but can compromise session integrity and steal sensitive data across affected sites. No patch is currently available.
XSS
-
CVE-2026-28125
HIGH
CVSS 8.1
Local file inclusion in AncoraThemes Midi through version 1.14 enables unauthenticated remote attackers to read arbitrary files on affected systems. The vulnerability stems from improper validation of file paths in PHP include/require statements, allowing attackers to traverse directories and access sensitive data. Currently no patch is available for this vulnerability.
PHP
Information Disclosure
LFI
-
CVE-2026-28124
HIGH
CVSS 8.1
AncoraThemes Notarius through version 1.9 contains a local file inclusion vulnerability in its PHP file handling that allows unauthenticated remote attackers to read arbitrary files from the affected server. The vulnerability stems from improper validation of filenames in include/require statements, enabling attackers to traverse the filesystem and access sensitive data. No patch is currently available for this high-severity flaw.
PHP
Information Disclosure
LFI
-
CVE-2026-28123
HIGH
CVSS 8.1
AncoraThemes Veil through version 1.9 contains a local file inclusion vulnerability in PHP that allows unauthenticated attackers to read arbitrary files on the affected server. The vulnerability stems from improper input validation on file include/require statements, enabling attackers to manipulate filename parameters to access sensitive system files. While no patch is currently available, successful exploitation requires specific conditions (high attack complexity).
PHP
Information Disclosure
LFI
-
CVE-2026-28122
HIGH
CVSS 7.1
The ListingPro plugin for CridioStudio through version 2.9.8 contains a reflected cross-site scripting vulnerability that allows unauthenticated remote attackers to inject malicious scripts into web pages viewed by users. Successful exploitation requires user interaction but can compromise confidentiality, integrity, and availability across security domains. No patch is currently available for affected installations.
XSS
-
CVE-2026-28121
HIGH
CVSS 8.1
Local and remote file inclusion in AncoraThemes Anderson through version 1.4.2 enables attackers to read arbitrary files or execute malicious code on affected systems. The vulnerability stems from improper validation of file paths in PHP include/require statements, allowing unauthenticated attackers to manipulate input parameters over the network. No patch is currently available for this high-severity issue affecting PHP-based installations.
PHP
Information Disclosure
LFI
-
CVE-2026-28120
HIGH
CVSS 8.1
Local file inclusion in ThemeREX Dr.Patterson plugin versions up to 1.3.2 enables unauthenticated attackers to read arbitrary files from the server through improper input validation on file inclusion parameters. The vulnerability allows information disclosure and potential code execution depending on server configuration and accessible files. No patch is currently available for this vulnerability.
PHP
Information Disclosure
LFI
-
CVE-2026-28119
HIGH
CVSS 8.1
Axiomthemes Nirvana version 2.6 and earlier contains a local file inclusion vulnerability in its PHP include/require handling that allows unauthenticated attackers to read arbitrary files from the server. The vulnerability stems from improper filename validation and could enable information disclosure or facilitate further compromise, though no patch is currently available. With a CVSS score of 8.1 and low exploitation likelihood (0.2% EPSS), organizations running affected versions should prioritize mitigation strategies until an official patch is released.
PHP
Information Disclosure
LFI
-
CVE-2026-28118
HIGH
CVSS 8.1
The Welldone WordPress theme through version 2.4 contains a local file inclusion vulnerability in its PHP include/require handling that enables unauthenticated remote attackers to read arbitrary files from the affected server. With a CVSS score of 8.1, this vulnerability allows full compromise of confidentiality and integrity without requiring user interaction. No patch is currently available, making immediate mitigation through other means necessary.
PHP
Information Disclosure
LFI
-
CVE-2026-28117
HIGH
CVSS 8.1
Remote attackers can include arbitrary local files in the smartSEO WordPress theme (≤2.9) via a PHP Local File Inclusion vulnerability, potentially exposing sensitive configuration data or enabling server-side code execution. Despite high CVSS (8.1), EPSS exploitation probability is low (0.15%, 36th percentile) with no confirmed active exploitation or CISA KEV listing. The vulnerability requires specific preconditions that increase attack complexity (AC:H), though exploitation succeeds without authentication or user interaction once conditions are met.
PHP
Information Disclosure
LFI
-
CVE-2026-28113
HIGH
CVSS 7.1
Reflected cross-site scripting (XSS) in Ultimate Learning Pro WordPress plugin versions 3.9.1 and earlier allows unauthenticated remote attackers to inject malicious scripts into web pages via crafted URLs. Successful exploitation requires tricking a victim user into clicking a malicious link (UI:R in CVSS vector). EPSS probability is low at 0.04% (10th percentile), and no active exploitation or public POC has been identified at time of analysis, making this a lower-priority remediation despite the 7.1 CVSS score.
XSS
-
CVE-2026-28112
HIGH
CVSS 7.1
Reflected cross-site scripting in AllInOne Banner Rotator WordPress plugin allows remote attackers to execute arbitrary JavaScript in victim browsers when users click malicious links. Affects versions up to and including 3.8. EPSS score of 0.04% (10th percentile) indicates low probability of widespread exploitation. No active exploitation confirmed via CISA KEV, though the vulnerability was discovered and reported by the Patchstack security audit team.
XSS
-
CVE-2026-28110
HIGH
CVSS 7.1
Reflected cross-site scripting in the LambertGroup AllInOne Banner with Playlist WordPress plugin (versions ≤3.8) allows remote unauthenticated attackers to execute arbitrary JavaScript in victim browsers via crafted URLs. With EPSS exploitation probability at 0.04% (10th percentile), this represents a low likelihood of automated or widespread exploitation despite the network attack vector. No active exploitation or public POC has been identified at time of analysis. Impact requires user interaction (clicking malicious link), limiting autonomous exploitation scenarios.
XSS
-
CVE-2026-28109
HIGH
CVSS 7.1
Reflected cross-site scripting (XSS) in LambertGroup AllInOne Content Slider WordPress plugin through version 3.8 enables remote attackers to execute arbitrary JavaScript in victim browsers by tricking users into clicking malicious links. The vulnerability allows content injection with low-level impacts across confidentiality, integrity, and availability due to scope change (S:C in CVSS vector). Reported by Patchstack security researchers, EPSS exploitation probability is very low (0.04%, 10th percentile), indicating minimal observed real-world targeting despite no authentication requirement.
XSS
-
CVE-2026-28108
HIGH
CVSS 7.1
Reflected cross-site scripting (XSS) in LambertGroup AllInOne Banner with Thumbnails WordPress plugin through version 3.8 allows unauthenticated remote attackers to inject malicious scripts via crafted URLs. The vulnerability requires user interaction (clicking a malicious link) but needs no authentication. Exploitation probability is low (EPSS 0.04%, 10th percentile), with no confirmed active exploitation or public POC at time of analysis. Changed scope (S:C) in CVSS vector indicates potential to impact resources beyond the vulnerable component.
XSS
-
CVE-2026-28107
HIGH
CVSS 8.1
Local file inclusion in ThemeREX Muzicon WordPress theme versions ≤1.9.0 allows remote unauthenticated attackers to read arbitrary files from the web server filesystem and potentially execute PHP code. Despite a CVSS score of 8.1, real-world risk is moderated by high attack complexity (AC:H) and no confirmed active exploitation; EPSS probability is only 0.15% (36th percentile). The Patchstack report confirms the vulnerability, but no public exploit code has been identified at time of analysis.
PHP
Information Disclosure
LFI
-
CVE-2026-28103
HIGH
CVSS 7.1
Reflected cross-site scripting in LBG Zoominoutslider WordPress plugin versions through 5.4.5 allows remote attackers to execute arbitrary JavaScript in victim browsers via crafted URLs requiring user interaction. EPSS exploitation probability is very low (0.04%, 10th percentile), and no active exploitation is confirmed. A Patchstack database entry documents the vulnerability, but no vendor-released patch version is identified at time of analysis.
XSS
-
CVE-2026-28102
HIGH
CVSS 7.1
Reflected cross-site scripting in UberSlider Classic WordPress plugin through version 2.5 allows remote attackers to execute malicious JavaScript in victim browsers via crafted URLs. Exploitation requires user interaction (clicking a malicious link). EPSS score of 0.04% (10th percentile) indicates minimal observed exploitation activity. The absence of a CISA KEV listing confirms this is not being actively exploited in widespread campaigns, though the low attack complexity and network vector make exploitation straightforward once a victim is socially engineered.
XSS
-
CVE-2026-28101
HIGH
CVSS 7.1
Reflected cross-site scripting in UberSlider MouseInteraction WordPress plugin versions ≤2.3 allows remote attackers to execute arbitrary JavaScript in victim browsers through crafted URLs requiring user interaction. Reported by Patchstack audit team. EPSS score of 0.04% (10th percentile) indicates low probability of widespread exploitation. No CISA KEV listing or public proof-of-concept identified at time of analysis.
XSS
-
CVE-2026-28100
HIGH
CVSS 7.1
Reflected cross-site scripting in UberSlider PerpetuumMobile WordPress plugin versions ≤2.3 allows remote attackers to inject malicious scripts that execute in victim browsers when users click crafted links. The vulnerability requires user interaction but no authentication, with CVSS 7.1 (High) severity due to scope change enabling attacks across security boundaries. EPSS score of 0.04% (10th percentile) indicates low current exploitation probability, with no CISA KEV listing or public exploit code identified at time of analysis. Patchstack vulnerability database confirms the flaw affects default plugin configurations.
XSS
-
CVE-2026-28099
HIGH
CVSS 7.1
Reflected cross-site scripting in UberSlider Ultra WordPress plugin (versions ≤2.3) enables remote attackers to execute arbitrary JavaScript in victim browsers via crafted URLs. The vulnerability requires user interaction (clicking a malicious link) but needs no authentication. EPSS exploitation probability is low (0.04%, 10th percentile), and no active exploitation or public proof-of-concept has been identified at time of analysis. The changed scope (S:C) in the CVSS vector indicates potential impact beyond the vulnerable component itself.
XSS
-
CVE-2026-28098
HIGH
CVSS 8.1
Local File Inclusion (LFI) in ThemeREX Save Life WordPress theme versions 1.2.13 and earlier enables remote unauthenticated attackers to read arbitrary files from the server filesystem and potentially achieve code execution by including uploaded or log files. Despite the network attack vector (AV:N), high attack complexity (AC:H) suggests successful exploitation requires specific server configurations or carefully crafted payloads. EPSS score of 0.15% (36th percentile) indicates low current exploitation probability, and no active exploitation is confirmed per CISA KEV or public exploit databases at time of analysis.
PHP
Information Disclosure
LFI
-
CVE-2026-28097
HIGH
CVSS 8.1
Local file inclusion in Artrium WordPress theme versions ≤1.0.14 allows remote unauthenticated attackers to read arbitrary server files and potentially execute PHP code through improper file inclusion controls. Despite a high CVSS 8.1 score, EPSS shows only 0.15% exploitation probability (36th percentile), suggesting limited real-world targeting. The vulnerability was disclosed by Patchstack's audit team with no confirmed active exploitation or public POC at time of analysis, though LFI vulnerabilities in WordPress themes are commonly targeted once proof-of-concept code becomes available.
PHP
Information Disclosure
LFI
-
CVE-2026-28096
HIGH
CVSS 8.1
Remote file inclusion vulnerability in ThemeREX WealthCo WordPress theme versions up to 2.18 allows unauthenticated remote attackers to include and execute arbitrary PHP files via manipulated filename parameters. Despite the CVSS 8.1 rating, EPSS exploitation probability is low (0.15%, 36th percentile) with no CISA KEV listing or public exploit identified at time of analysis. The vulnerability stems from improper validation of file paths in PHP include/require statements, though attack complexity is rated High, suggesting specific conditions or chained exploitation are required.
PHP
Information Disclosure
LFI
-
CVE-2026-28095
HIGH
CVSS 8.1
Local file inclusion in ThemeREX Marcell WordPress theme versions ≤1.2.14 allows remote attackers to read arbitrary files from the server filesystem and potentially execute malicious code. The vulnerability stems from improper validation of file paths in PHP include/require statements. Exploitation probability is low (EPSS 0.15%) with no confirmed active exploitation or public proof-of-concept at time of analysis. Discovered and reported by Patchstack's security audit team.
PHP
Information Disclosure
LFI
-
CVE-2026-28094
HIGH
CVSS 8.1
Local file inclusion in ThemeREX RexCoin WordPress theme versions up to 1.2.6 allows remote attackers to read arbitrary files and potentially achieve code execution without authentication. Despite the high CVSS score of 8.1, the low EPSS ranking (36th percentile) and AC:H complexity suggest limited active exploitation. The Patchstack audit team reported this vulnerability with a proof-of-concept available, indicating realistic exploit feasibility against improperly configured installations.
PHP
Information Disclosure
LFI
-
CVE-2026-28093
HIGH
CVSS 8.1
Local file inclusion in ThemeREX Ozisti WordPress theme versions up to 1.1.10 enables remote unauthenticated attackers to read arbitrary files from the web server filesystem and potentially execute PHP code by including malicious local files. Despite the high CVSS score of 8.1, exploitation requires high complexity (AC:H) and EPSS indicates only 0.15% probability of exploitation in the wild (36th percentile), suggesting limited real-world targeting. No active exploitation confirmed by CISA KEV, though Patchstack has documented the vulnerability with security researchers.
PHP
Information Disclosure
LFI
-
CVE-2026-28092
HIGH
CVSS 8.1
Local File Inclusion in ThemeREX Sounder WordPress theme versions through 1.3.11 enables remote attackers to include and execute arbitrary local PHP files without authentication. Despite the CVE title referencing 'Remote File Inclusion', technical analysis and Patchstack classification confirm this is a Local File Inclusion (LFI) vulnerability. With EPSS at 0.15% (36th percentile), widespread exploitation is unlikely, but successful attacks achieve high impact across confidentiality, integrity, and availability. No active exploitation confirmed via CISA KEV at time of analysis.
PHP
Information Disclosure
LFI
-
CVE-2026-28091
HIGH
CVSS 8.1
Local file inclusion in ThemeREX Coleo WordPress theme (versions ≤1.1.7) allows remote attackers to read arbitrary files and potentially execute PHP code via crafted file path manipulation. Despite the high CVSS score of 8.1, exploitation requires high attack complexity (AC:H), and the EPSS score of 0.15% (36th percentile) suggests limited real-world exploitation activity. The absence of a CISA KEV listing indicates this is not confirmed as actively exploited, though its inclusion in the Patchstack database suggests security researcher identification and likely proof-of-concept existence.
PHP
Information Disclosure
LFI
-
CVE-2026-28090
HIGH
CVSS 8.1
Local file inclusion (LFI) vulnerability in ThemeREX Gamezone WordPress theme versions up to 1.1.11 allows remote unauthenticated attackers to read arbitrary files from the web server, potentially exposing configuration files, credentials, and sensitive application data. The CVSS score of 8.1 reflects high complexity exploitation requiring specific conditions, while the low EPSS score (0.15%, 36th percentile) indicates minimal observed exploitation attempts in the wild. No active exploitation confirmed by CISA KEV at time of analysis.
PHP
Information Disclosure
LFI
-
CVE-2026-28089
HIGH
CVSS 8.1
PHP Local File Inclusion in ThemeREX Daiquiri WordPress theme versions ≤1.2.4 allows remote attackers to read arbitrary files or execute PHP code by exploiting improper filename control in include/require statements. Despite high CVSS (8.1), real-world risk is moderate: EPSS exploitation probability is low (0.15%, 36th percentile), no confirmed active exploitation exists, and attack complexity is high (AC:H). Patchstack audit identified this vulnerability, suggesting professional security review but no public exploit code at time of analysis.
PHP
Information Disclosure
LFI
-
CVE-2026-28088
HIGH
CVSS 8.1
Local file inclusion vulnerability in ThemeREX Aqualots WordPress theme versions up to 1.1.6 enables remote attackers to include arbitrary PHP files on the server without authentication. Despite the description's mention of 'remote file inclusion', the CVE is classified as CWE-98 (PHP Local File Inclusion) and tagged as LFI by Patchstack, indicating attackers can read sensitive files or execute local PHP code. EPSS exploitation probability is low (0.15%, 36th percentile) with no evidence of active exploitation or public POCs, though the high-complexity network attack vector suggests targeted exploitation scenarios.
PHP
Information Disclosure
LFI
-
CVE-2026-28087
HIGH
CVSS 8.1
Local file inclusion in ThemeREX Filmax WordPress theme versions ≤1.1.11 enables remote attackers to read arbitrary files from the web server and potentially execute malicious code. The vulnerability stems from improper filename validation in PHP include/require statements, categorized as CWE-98. Despite a CVSS score of 8.1, EPSS probability is low (0.15%, 36th percentile), suggesting targeted rather than widespread exploitation. Patchstack database identifies this as affecting information disclosure through LFI techniques, with no confirmed active exploitation or KEV listing at time of analysis.
PHP
Information Disclosure
LFI
-
CVE-2026-28086
HIGH
CVSS 8.1
Local file inclusion vulnerability in ThemeREX Run Gran WordPress theme versions through 2.0 allows remote attackers to read arbitrary files from the web server filesystem via crafted PHP include statements. Despite the moderate EPSS score (0.15%, 36th percentile), the high-complexity attack vector suggests exploitation requires specific knowledge of file paths or application structure. No active exploitation confirmed (not in CISA KEV), and no public proof-of-concept code identified at time of analysis. Patchstack has documented this vulnerability, indicating awareness within the WordPress security community.
PHP
Information Disclosure
LFI
-
CVE-2026-28085
HIGH
CVSS 8.1
Local file inclusion in ThemeREX Mahogany WordPress theme versions through 2.9 enables remote unauthenticated attackers to read arbitrary files from the web server filesystem via manipulated PHP include/require statements. While classified as high-severity (CVSS 8.1), real-world exploitation risk appears moderate given the EPSS score of 0.15% (36th percentile) and high attack complexity rating. No active exploitation or public exploit code identified at time of analysis. Patchstack security audit identified and disclosed this vulnerability.
PHP
Information Disclosure
LFI
-
CVE-2026-28084
HIGH
CVSS 8.1
PHP Local File Inclusion in ThemeREX Bazinga theme for WordPress (versions ≤1.1.9) allows remote unauthenticated attackers to include and execute arbitrary local files via improper filename control in require/include statements. Despite high CVSS 8.1 severity, EPSS exploitation probability is low (0.15%, 36th percentile), and no active exploitation or public POC has been identified at time of analysis. Patchstack database reports this as both a local file inclusion vector and potential information disclosure issue, suggesting exploitation could lead to code execution through PHP file inclusion or exposure of sensitive configuration data.
PHP
Information Disclosure
LFI
-
CVE-2026-28081
HIGH
CVSS 8.1
Local file inclusion in the ThemeREX Windsor WordPress theme allows remote attackers to include and execute arbitrary PHP files on the server through improper filename control. Affects all versions through 2.5.0. Despite CVSS 8.1 (High), EPSS indicates low exploitation probability (0.15%, 36th percentile), suggesting limited attacker interest. No active exploitation confirmed via CISA KEV at time of analysis. Patchstack database lists this vulnerability with PHP and information disclosure tags, indicating potential for data exfiltration beyond code execution.
PHP
Information Disclosure
LFI
-
CVE-2026-28079
HIGH
CVSS 8.1
Local File Inclusion in Conquerors WordPress theme 1.2.13 and earlier enables remote attackers to read arbitrary files from the server filesystem, potentially exposing configuration files, credentials, and sensitive data. Despite a CVSS score of 8.1, EPSS exploitation probability is low (0.15%, 36th percentile) with no confirmed active exploitation or public POC at time of analysis. However, the network-accessible attack vector with no authentication requirement makes this a priority for sites running the affected theme.
PHP
Information Disclosure
LFI
-
CVE-2026-28077
HIGH
CVSS 8.1
Local file inclusion in ThemeREX Vapester WordPress theme versions ≤1.1.10 allows remote unauthenticated attackers to read arbitrary files from the web server, potentially exposing configuration files, credentials, and sensitive application data. Despite the high CVSS score of 8.1, the EPSS probability of 0.15% (36th percentile) suggests limited observed exploitation attempts. No active exploitation confirmed by CISA KEV, though the Patchstack database listing indicates the vulnerability is known to security researchers.
PHP
Information Disclosure
LFI
-
CVE-2026-28076
HIGH
CVSS 7.5
Unauthorized data disclosure in Frenify Guff WordPress theme versions through 1.0.1 allows unauthenticated remote attackers to access sensitive information via missing authorization controls. The vulnerability stems from incorrectly configured access control levels, enabling attackers to bypass authentication mechanisms and read confidential data. EPSS score of 0.04% (12th percentile) indicates low observed exploitation probability in the wild, with no CISA KEV listing or public exploit code identified at time of analysis.
Authentication Bypass
-
CVE-2026-28075
HIGH
CVSS 7.1
Reflected cross-site scripting (XSS) in Porto WordPress theme versions through 7.6.2 allows remote attackers to inject malicious JavaScript into web pages viewed by victims. Exploitation requires user interaction (clicking a malicious link). EPSS probability is low (0.04%, 10th percentile), indicating minimal observed exploitation activity. No active exploitation confirmed by CISA KEV. Patchstack has documented this vulnerability, suggesting detection capabilities exist.
XSS
-
CVE-2026-28072
HIGH
CVSS 7.1
Reflected cross-site scripting (XSS) in pixfort Core WordPress plugin versions up to 3.2.22 enables remote attackers to inject malicious scripts into web pages viewed by victims. The attack requires user interaction (clicking a malicious link) but no authentication, allowing attackers to steal session tokens, perform actions as the victim, or redirect users to phishing sites. EPSS score of 0.04% (10th percentile) indicates low probability of mass exploitation, and no active exploitation or public proof-of-concept has been identified at time of analysis.
XSS
-
CVE-2026-28069
HIGH
CVSS 8.1
Local file inclusion in ThemeREX Le Truffe WordPress theme versions up to 1.1.7 enables remote attackers to read arbitrary files from the web server without authentication. While CVSS scores 8.1 (High), EPSS exploitation probability is low (0.15%, 36th percentile) with no confirmed active exploitation. The vulnerability stems from improper filename control in PHP include/require statements, allowing path traversal to access sensitive server files. No public exploit code identified at time of analysis.
PHP
Information Disclosure
LFI
-
CVE-2026-28068
HIGH
CVSS 8.1
Local File Inclusion in ThemeREX Rhythmo WordPress theme through version 1.3.4 allows remote unauthenticated attackers to read arbitrary files on the server and potentially achieve remote code execution through log file poisoning or PHP wrapper exploitation. Despite network attack vector (AV:N) and high impact ratings (C:H/I:H/A:H), EPSS probability remains low at 0.15%, and no active exploitation has been confirmed in CISA KEV. Attack complexity is rated HIGH (AC:H), indicating specific conditions or timing required for successful exploitation.
PHP
Information Disclosure
LFI
-
CVE-2026-28067
HIGH
CVSS 8.1
Local File Inclusion vulnerability in ThemeREX Bassein WordPress theme versions up to 1.0.15 allows remote unauthenticated attackers to include and execute arbitrary PHP files on the server via improper filename handling. Despite CVSS 8.1 High severity, EPSS exploitation probability is only 0.15% (36th percentile), suggesting limited attacker interest. No active exploitation confirmed (not in CISA KEV) and no public exploit code identified at time of analysis. Patchstack advisory indicates this is a PHP file inclusion flaw affecting theme installations.
PHP
Information Disclosure
LFI
-
CVE-2026-28066
HIGH
CVSS 8.1
Local file inclusion in ThemeREX Legrand WordPress theme versions ≤2.17 allows remote attackers to read arbitrary files from the server filesystem through improper filename validation in PHP include/require statements. Despite high CVSS 8.1, EPSS exploitation probability is low (0.15%, 36th percentile) with no confirmed active exploitation or public exploit code. Reported by Patchstack security research team, this represents a moderate real-world risk primarily for installations where attackers can control file path parameters.
PHP
Information Disclosure
LFI
-
CVE-2026-28065
HIGH
CVSS 8.1
Local file inclusion in ThemeREX Eject WordPress theme versions up to 2.17 enables remote attackers to read arbitrary files on the server or execute PHP code without authentication. Despite high CVSS 8.1 severity, EPSS exploitation probability remains low at 0.15% (36th percentile) with no confirmed active exploitation. Patchstack security audit identified the vulnerability as a PHP file inclusion flaw allowing information disclosure through improper filename control in include/require statements.
PHP
Information Disclosure
LFI
-
CVE-2026-28064
HIGH
CVSS 8.1
Local file inclusion in ThemeREX Edge Decor WordPress theme through version 2.2 allows remote attackers to read arbitrary files on the server and potentially execute code via improper control of PHP include/require statements. Despite a CVSS score of 8.1, real-world exploitation risk appears moderate with EPSS at 0.15% (36th percentile) and no evidence of active exploitation or public POC. Attack complexity is rated high (AC:H), suggesting exploitation requires specific conditions beyond default configuration.
PHP
Information Disclosure
LFI
-
CVE-2026-28063
HIGH
CVSS 8.1
Local file inclusion in ThemeREX Asia Garden WordPress theme (versions ≤1.3.1) allows remote attackers to include and execute arbitrary PHP files on the server. Despite a CVSS base score of 8.1 (High), the EPSS score of 0.15% (36th percentile) indicates low observed exploitation probability in the wild. The vulnerability requires high attack complexity (AC:H) but no authentication (PR:N), enabling unauthenticated remote exploitation under specific conditions. Patchstack database confirmed this LFI vulnerability affecting WordPress installations using this theme.
PHP
Information Disclosure
LFI
-
CVE-2026-28062
HIGH
CVSS 8.1
Local file inclusion in ThemeREX Happy Baby WordPress theme versions ≤1.2.12 allows remote unauthenticated attackers to read arbitrary files from the web server and potentially execute PHP code. Patchstack reported this vulnerability (CWE-98) affecting file inclusion controls, though EPSS probability remains low at 0.15% with no confirmed active exploitation. The CVSS vector indicates network-based attack with high complexity but no authentication requirement, enabling confidentiality, integrity, and availability compromise.
PHP
Information Disclosure
LFI
-
CVE-2026-28061
HIGH
CVSS 8.1
Local file inclusion in ThemeREX Tiger Claw WordPress theme allows remote attackers to read arbitrary files from the web server and potentially execute code. Affects versions up to and including 1.1.14. Despite a high CVSS score of 8.1, the EPSS probability is low at 0.15% (36th percentile), suggesting limited exploitation attempts observed to date. No active exploitation confirmed by CISA KEV, though the vulnerability was reported by Patchstack's security research team.
PHP
Information Disclosure
LFI
-
CVE-2026-28060
HIGH
CVSS 8.1
Local file inclusion in ThemeREX S.King WordPress theme through version 1.5.3 allows remote unauthenticated attackers to read arbitrary files on the server and potentially execute PHP code via path manipulation in include/require statements. Despite the 8.1 CVSS score reflecting high severity, EPSS exploitation probability is low (0.15%, 36th percentile) and no active exploitation or public POC has been reported. Patchstack audit team disclosed this vulnerability affecting WordPress deployments using this theme.
PHP
Information Disclosure
LFI
-
CVE-2026-28059
HIGH
CVSS 8.1
Local File Inclusion (LFI) vulnerability in ThemeREX Dermatology Clinic WordPress theme versions ≤1.4.3 allows remote attackers to include and execute arbitrary PHP files on the server. Despite CVSS 8.1, EPSS score of 0.15% (36th percentile) indicates low probability of mass exploitation. Patchstack database confirms the vulnerability but no CISA KEV listing or public exploit code identified at time of analysis, suggesting limited real-world targeting of this WordPress theme.
PHP
Information Disclosure
LFI
-
CVE-2026-28058
HIGH
CVSS 8.1
Local file inclusion in ThemeREX Dixon WordPress theme through version 1.4.2.1 allows remote attackers to read arbitrary files from the server filesystem without authentication. Despite high attack complexity (AC:H), this vulnerability enables unauthorized access to sensitive configuration files, credentials, and potentially source code. EPSS score of 0.15% (36th percentile) indicates low probability of mass exploitation, consistent with targeting of a specific premium WordPress theme. No active exploitation confirmed (not in CISA KEV), but Patchstack public disclosure increases attack surface visibility.
PHP
Information Disclosure
LFI
-
CVE-2026-28057
HIGH
CVSS 8.1
Local file inclusion in ThemeREX Mandala WordPress theme versions ≤2.8 allows remote unauthenticated attackers to read arbitrary server files and potentially execute PHP code through improper filename control in include/require statements. Despite a CVSS score of 8.1, the EPSS probability remains low (0.15%, 36th percentile), suggesting limited attacker interest or exploitation barriers. No active exploitation or public proof-of-concept has been identified, and the vulnerability requires high attack complexity (AC:H), indicating specific conditions must be met for successful exploitation.
PHP
Information Disclosure
LFI
-
CVE-2026-28056
HIGH
CVSS 8.1
Local file inclusion in MCKinney's Politics WordPress theme versions ≤1.2.8 allows remote attackers to read arbitrary files on the server via path traversal in include/require statements. Despite the high CVSS score (8.1), EPSS probability is low (0.15%, 36th percentile) and no active exploitation is documented. Patchstack has cataloged this as a confirmed vulnerability affecting the ThemeREX-developed WordPress theme, enabling information disclosure through improper input validation in PHP file inclusion functions.
PHP
Information Disclosure
LFI
-
CVE-2026-28055
HIGH
CVSS 8.1
Local file inclusion in the M.Williamson WordPress theme through version 1.2.11 enables remote attackers to read arbitrary files from the server filesystem without authentication. Despite high-complexity exploitation barriers (CVSS AC:H), this vulnerability carries an 8.1 CVSS score due to complete compromise of confidentiality and integrity if successfully exploited. EPSS score of 0.15% (36th percentile) suggests low probability of mass exploitation. No active exploitation confirmed via CISA KEV, though Patchstack database inclusion indicates researcher discovery and analysis.
PHP
Information Disclosure
LFI
-
CVE-2026-28054
HIGH
CVSS 8.1
Local file inclusion in Legal Stone WordPress theme 1.2.11 and earlier allows remote attackers to read arbitrary files and potentially execute malicious code through improper filename control in PHP include/require statements. Exploitation probability remains low (EPSS 0.15%, 36th percentile) with no confirmed active exploitation, though the network-accessible attack vector and lack of authentication requirements present material risk for sites using this theme. Patchstack database reports this vulnerability affecting all versions through 1.2.11.
PHP
Information Disclosure
LFI
-
CVE-2026-28053
HIGH
CVSS 8.1
Local file inclusion in ThemeREX Miller WordPress theme through version 1.3.3 allows remote unauthenticated attackers to read arbitrary files and potentially execute malicious code via improper PHP include/require statement handling. CVSS rates this 8.1 (High) but EPSS exploitation probability is low at 0.15% (36th percentile), indicating targeted rather than widespread exploitation risk. Patchstack has documented this vulnerability but no CISA KEV listing exists, suggesting no confirmed active exploitation campaigns at time of analysis.
PHP
Information Disclosure
LFI
-
CVE-2026-28052
HIGH
CVSS 8.1
Local file inclusion in ThemeREX Peter Mason WordPress theme versions up to 1.4.5 allows remote unauthenticated attackers to include and execute arbitrary PHP files from the server's filesystem. The vulnerability stems from improper validation of file paths in include/require statements (CWE-98), enabling attackers to read sensitive files, execute malicious code, or escalate privileges. EPSS score of 0.15% (36th percentile) indicates relatively low observed exploitation probability, and no active exploitation has been confirmed via CISA KEV. Patchstack security research identified this flaw, suggesting security researchers are aware but widespread targeting is not yet evident.
PHP
Information Disclosure
LFI
-
CVE-2026-28051
HIGH
CVSS 8.1
Local file inclusion in ThemeREX Yacht Rental theme versions through 2.6 enables remote attackers to read arbitrary files on the web server without authentication. The vulnerability stems from improper validation of include/require statements, classified as CWE-98 (PHP Remote File Inclusion). While CVSS scores 8.1 (High), the low EPSS score (0.15%, 36th percentile) suggests minimal observed exploitation activity. Patchstack audit team identified and reported this WordPress theme vulnerability, which affects default configurations requiring no special prerequisites beyond network access to the WordPress installation.
PHP
Information Disclosure
LFI
-
CVE-2026-28050
HIGH
CVSS 8.1
Local file inclusion in ThemeREX Beacon WordPress theme versions ≤2.24 allows remote attackers to read arbitrary files from the web server through improper filename control in PHP include/require statements. Despite high-attack-complexity requirements (CVSS AC:H), this enables unauthenticated access to sensitive configuration files, credentials, and application source code. No public exploit identified at time of analysis, with low EPSS score (0.15%, 36th percentile) suggesting minimal observed exploitation activity. Patchstack advisory available but patched release version not independently confirmed.
PHP
Information Disclosure
LFI
-
CVE-2026-28049
HIGH
CVSS 8.1
Local file inclusion in the Police Department WordPress theme through version 2.17 allows remote attackers to read arbitrary files on the server and potentially achieve remote code execution through file disclosure and log poisoning techniques. Discovered by Patchstack's audit team, this vulnerability carries an EPSS score of 0.15%, indicating low probability of widespread exploitation despite its network-accessible attack vector. No public exploit code or active exploitation has been identified at time of analysis.
PHP
Information Disclosure
LFI
-
CVE-2026-28048
HIGH
CVSS 8.1
Local file inclusion in FlashMart theme versions ≤2.0.15 allows remote attackers to read arbitrary files on the server through improper filename validation in PHP include/require statements. With CVSS 8.1 (High) and CWE-98 classification, attackers can potentially access sensitive configuration files, credentials, and application source code. EPSS exploitation probability is low (0.15%, 36th percentile), indicating limited observed exploitation activity. Patchstack vulnerability database confirms the flaw affects the WordPress theme variant.
PHP
Information Disclosure
LFI
-
CVE-2026-28047
HIGH
CVSS 8.1
Local file inclusion in Magentech Victo WordPress theme through version 1.4.16 allows remote attackers to read arbitrary server files and potentially execute code. Despite CWE-98 classification as 'Remote File Inclusion', technical evidence and Patchstack tagging confirm local file inclusion behavior. EPSS score of 0.15% (36th percentile) indicates low observed exploitation probability. No CISA KEV listing or public POC identified at time of analysis, though Patchstack reporting suggests researcher awareness of exploitation technique.
PHP
Information Disclosure
LFI
-
CVE-2026-28046
HIGH
CVSS 8.1
Local file inclusion in ThemeREX Law Office WordPress theme versions up to 3.3.0 allows remote unauthenticated attackers to read arbitrary files from the server through improper PHP include/require controls. With an EPSS score of 0.15%, this represents a moderate real-world exploitation probability. The vulnerability enables information disclosure attacks against WordPress sites using the affected theme, potentially exposing configuration files, credentials, and sensitive application data.
PHP
Information Disclosure
LFI
Microsoft
-
CVE-2026-28045
HIGH
CVSS 8.1
Local File Inclusion in N7 Golf Club WordPress theme through version 2.16.0 allows remote attackers to read arbitrary server files via crafted PHP file path manipulation. Despite CVSS 8.1, exploitation requires high attack complexity (AC:H). EPSS 0.15% indicates minimal active exploitation observed. No CISA KEV listing or public POC identified at time of analysis, suggesting limited attacker interest in this WordPress theme vulnerability.
PHP
Information Disclosure
LFI
-
CVE-2026-28042
HIGH
CVSS 7.1
Reflected cross-site scripting (XSS) in Listify WordPress theme versions through 3.2.5 allows unauthenticated remote attackers to execute arbitrary JavaScript in victim browsers through crafted URLs. The vulnerability exists due to improper input sanitization during web page generation, requiring user interaction to trigger. EPSS exploitation probability is very low (0.04%, 10th percentile), and no active exploitation or public exploit code has been identified. The moderate CVSS score reflects a changed scope (S:C), allowing potential session token theft across origins.
XSS
-
CVE-2026-28041
HIGH
CVSS 8.1
Local File Inclusion in AncoraThemes Grit WordPress theme (versions ≤1.0.1) allows remote attackers to include arbitrary local files through improper validation of PHP include/require statements. Attack requires high complexity (CVSS AC:H) but no authentication, enabling unauthenticated attackers to achieve high confidentiality, integrity, and availability impact. EPSS score of 0.15% (36th percentile) indicates relatively low mass exploitation probability despite network attack vector. Patchstack audit team identified this vulnerability affecting PHP-based file operations with potential for information disclosure.
PHP
Information Disclosure
LFI
-
CVE-2026-28039
HIGH
CVSS 7.5
Local file inclusion in wpDataTables plugin for WordPress (versions up to 6.5.0.1) enables authenticated attackers to read arbitrary files from the web server filesystem with high complexity conditions. An attacker with low-privilege access can include PHP files or extract sensitive configuration data (database credentials, API keys) from readable server files. EPSS score of 0.13% (32nd percentile) indicates low observed exploitation probability, with no CISA KEV listing or public POC identified at time of analysis. Patchstack researchers disclosed this as a PHP local file inclusion weakness (CWE-98) exploitable over the network.
PHP
Information Disclosure
LFI
-
CVE-2026-28037
HIGH
CVSS 7.1
Reflected cross-site scripting in EventON WordPress plugin versions up to 4.9.12 enables remote attackers to execute arbitrary JavaScript in victim browsers via malicious links. The vulnerability requires victim interaction (CVSS UI:R) and changes execution scope (S:C), allowing session hijacking, credential theft, or malicious actions within the WordPress admin interface. With EPSS exploitation probability at 0.04% (10th percentile) and no CISA KEV listing, this represents a lower-priority XSS requiring social engineering rather than mass exploitation.
XSS
-
CVE-2026-28035
HIGH
CVSS 8.1
Local file inclusion in ThemeREX Printy theme versions through 1.8 allows remote attackers to read arbitrary files from the web server filesystem and potentially achieve code execution. Despite high CVSS 8.1, EPSS exploitation probability is low at 0.15% (36th percentile), suggesting limited attacker interest. Patchstack has published vulnerability details, but no public exploit code or active exploitation has been identified at time of analysis.
PHP
Information Disclosure
LFI
-
CVE-2026-28034
HIGH
CVSS 8.1
Local file inclusion in ThemeREX Progress WordPress theme version 1.2 and earlier allows remote attackers to read arbitrary files from the web server filesystem via PHP file inclusion flaws. Despite the 8.1 CVSS score, EPSS probability is low (0.15%, 36th percentile), indicating limited real-world exploitation activity. The absence of a CISA KEV listing suggests this remains a lower-priority vulnerability despite network reachability. Patchstack database identifies this as exploitable for information disclosure through local file access.
PHP
Information Disclosure
LFI
-
CVE-2026-28033
HIGH
CVSS 8.1
Local file inclusion in ThemeREX Edifice WordPress theme through version 1.8 allows remote attackers to read arbitrary files on the server and potentially execute PHP code by manipulating file inclusion parameters. Exploitation requires bypassing a high attack complexity barrier (AC:H) without authentication, making this a critical vulnerability for websites using affected versions. EPSS score of 0.15% indicates minimal observed exploitation activity in the wild, and no CISA KEV listing exists at time of analysis.
PHP
Information Disclosure
LFI
-
CVE-2026-28032
HIGH
CVSS 8.1
Local file inclusion in ThemeREX Tuning WordPress theme versions ≤1.3 enables remote attackers to read arbitrary files and potentially achieve code execution through PHP file inclusion mechanisms. Despite the high CVSS score (8.1), exploitation probability remains low (EPSS 0.15%, 36th percentile) and no active exploitation has been confirmed. Patchstack vulnerability database identifies this as affecting the Tuning theme through version 1.3, with the attack requiring high complexity network-based exploitation without authentication or user interaction.
PHP
Information Disclosure
LFI
-
CVE-2026-28031
HIGH
CVSS 8.1
Local file inclusion in ThemeREX Invetex WordPress theme versions ≤2.18 allows remote attackers to include and execute arbitrary PHP files from the server's filesystem, potentially leading to remote code execution, credential theft, or full site compromise. EPSS probability of 0.15% indicates relatively low observed exploitation despite network attack vector. Patchstack security audit identified the vulnerability in PHP file handling routines where inadequate validation enables path traversal to sensitive files.
PHP
Information Disclosure
LFI
-
CVE-2026-28030
HIGH
CVSS 8.1
Local file inclusion in ThemeREX Bonbon WordPress theme through version 1.6 enables remote attackers to read arbitrary files from the web server filesystem and potentially execute PHP code. Reported by Patchstack audit team with a 0.15% EPSS score (low exploitation probability), this vulnerability allows unauthenticated network-based attacks despite high complexity requirements. No active exploitation confirmed via CISA KEV, though the LFI attack pattern is well-understood by attackers. PHP-based themes with improper include/require statement controls are common attack surfaces in WordPress environments.
PHP
Information Disclosure
LFI
-
CVE-2026-28029
HIGH
CVSS 8.1
Local file inclusion in ThemeREX EmojiNation WordPress theme versions through 1.0.12 allows remote attackers to read arbitrary files on the web server without authentication. Despite a CVSS score of 8.1, EPSS probability of 0.15% (36th percentile) suggests limited real-world exploitation activity. Patchstack database reports this as a PHP local file inclusion vulnerability with information disclosure impact, indicating attackers can access sensitive configuration files, credentials, or source code to facilitate subsequent attacks.
PHP
Information Disclosure
LFI
-
CVE-2026-28028
HIGH
CVSS 8.1
Local file inclusion vulnerability in ThemeREX MoneyFlow WordPress theme version 1.0 and earlier enables remote attackers to read arbitrary files from the server filesystem and potentially execute PHP code. Reported by Patchstack security researchers, this vulnerability exploits improper validation of file paths in PHP include/require statements. With EPSS exploitation probability at 0.15% (36th percentile), widespread exploitation is not yet observed, though the network-accessible attack vector combined with high confidentiality, integrity, and availability impacts warrants immediate patching for sites using this theme.
PHP
Information Disclosure
LFI
-
CVE-2026-28027
HIGH
CVSS 8.1
Local file inclusion in ThemeREX Kayon WordPress theme versions through 1.3 enables remote attackers to read arbitrary files from the web server filesystem and potentially execute PHP code. Despite network-reachable attack vector (CVSS AV:N), exploitation requires high complexity conditions (AC:H) without authentication, resulting in a moderate EPSS score of 0.15% (36th percentile). Patchstack database lists this as an actively tracked vulnerability affecting WordPress installations, though no CISA KEV listing indicates limited widespread exploitation at time of analysis.
PHP
Information Disclosure
LFI
-
CVE-2026-28026
HIGH
CVSS 8.1
Local file inclusion in the Motorix WordPress theme versions 1.6 and earlier permits remote attackers to include and execute arbitrary PHP files on the server, despite high attack complexity. The vulnerability stems from improper validation of file paths in include/require statements. With EPSS exploitation probability at 0.15% (36th percentile), this appears to be a targeted WordPress theme vulnerability rather than a widespread attack vector, though the CVSS score of 8.1 reflects the potential for complete system compromise if successfully exploited.
PHP
Information Disclosure
LFI
-
CVE-2026-28025
HIGH
CVSS 8.1
Local file inclusion in ThemeREX Stargaze WordPress theme versions through 1.5 allows remote unauthenticated attackers to read arbitrary files on the server and potentially execute malicious code. Reported by the Patchstack security audit team, it carries an EPSS probability of 0.15%, suggesting low widespread exploitation likelihood, though the network-accessible vector and high impact ratings warrant attention for sites using this theme. No active exploitation confirmed via CISA KEV at time of analysis.
PHP
Information Disclosure
LFI
-
CVE-2026-28024
HIGH
CVSS 8.1
Local file inclusion in axiomthemes Helion WordPress theme through version 1.1.12 enables remote attackers to read arbitrary files and potentially execute malicious code through improper filename validation in PHP include/require statements. While CVSS scores 8.1 (High) with network vector and no authentication required, attack complexity is rated High and EPSS shows only 0.15% exploitation probability (36th percentile), suggesting limited real-world weaponization. The CWE-98 classification indicates classic PHP file inclusion vulnerabilities where attacker-controlled input influences file paths in include() or require() functions. Patchstack database lists this as both LFI and information disclosure, indicating read access is confirmed while remote code execution depends on exploitation chain completeness.
PHP
Information Disclosure
LFI
-
CVE-2026-28023
HIGH
CVSS 8.1
Local File Inclusion (LFI) in ThemeREX Nuts WordPress theme versions through 1.10 allows remote attackers to read arbitrary files from the web server filesystem without authentication. While CVSS rates this 8.1 High, EPSS exploitation probability is low (0.15%, 36th percentile), suggesting limited active targeting. No CISA KEV listing or public exploit code identified at time of analysis, indicating this remains a theoretical risk requiring specific attack conditions despite the network-accessible vector.
PHP
Information Disclosure
LFI
-
CVE-2026-28022
HIGH
CVSS 8.1
Local File Inclusion in ThemeREX Foodie WordPress theme through version 1.14 allows remote unauthenticated attackers to read arbitrary files on the server and potentially execute malicious code. Despite the high CVSS score of 8.1, real-world exploitation likelihood remains low (EPSS 0.15%, 36th percentile) with no active exploitation confirmed at time of analysis. The vulnerability stems from improper validation of file paths in PHP include/require statements, classified as CWE-98.
PHP
Information Disclosure
LFI
-
CVE-2026-28021
HIGH
CVSS 8.1
Local file inclusion in ThemeREX Craftis WordPress theme versions through 1.2.8 enables remote attackers to read arbitrary server files and potentially achieve remote code execution via PHP file inclusion. The vulnerability stems from improper validation of filenames in include/require statements, allowing traversal to sensitive files. EPSS score of 0.15% indicates low observed exploitation probability, and no active exploitation has been confirmed via CISA KEV. Patchstack has documented this vulnerability affecting all installations prior to version 1.2.9.
PHP
Information Disclosure
LFI
-
CVE-2026-28020
HIGH
CVSS 8.1
Local file inclusion vulnerability in ThemeREX Chroma WordPress theme versions ≤1.11 allows remote attackers to read arbitrary files from the web server filesystem through improper filename validation in PHP include/require statements. Despite high CVSS 8.1, EPSS probability is low (0.15%, 36th percentile) and no active exploitation is confirmed. Patchstack has documented this vulnerability, indicating professional security researcher awareness and likely forthcoming vendor response.
PHP
Information Disclosure
LFI
-
CVE-2026-28019
HIGH
CVSS 8.1
Local file inclusion in the Manoir WordPress theme version 1.11 and earlier allows remote unauthenticated attackers to read arbitrary files on the server through improper validation of file inclusion parameters. Despite the high CVSS score of 8.1, EPSS data indicates low real-world exploitation probability (0.15%, 36th percentile), suggesting this is likely a targeted risk rather than a widespread threat. Patchstack database confirms the vulnerability exists, but no active exploitation (KEV) or public proof-of-concept has been identified at time of analysis.
PHP
Information Disclosure
LFI
-
CVE-2026-28018
HIGH
CVSS 8.1
Local file inclusion vulnerability in ThemeREX Global Logistics WordPress theme through version 3.20 allows remote attackers to include arbitrary local files without authentication. Exploitation requires high complexity but no user interaction. With EPSS score of 0.15% (36th percentile), real-world exploitation probability remains low despite theoretical remote attack vector and lack of authentication requirements. Vulnerability identified by Patchstack audit team with public advisory available.
PHP
Information Disclosure
LFI
-
CVE-2026-28017
HIGH
CVSS 8.1
ThemeREX Green Thumb plugin version 1.1.12 and earlier contains a local file inclusion vulnerability in its PHP file handling that allows unauthenticated remote attackers to read arbitrary files from the affected server. The vulnerability stems from improper validation of filenames used in include/require statements, enabling file disclosure without authentication. No patch is currently available for this vulnerability.
PHP
Information Disclosure
LFI
-
CVE-2026-28016
HIGH
CVSS 8.1
Improper file inclusion handling in ThemeREX Luxury Wine plugin version 1.1.14 and earlier enables attackers to read arbitrary files on affected servers through local file inclusion attacks. The vulnerability requires network access but no authentication, allowing extraction of sensitive configuration data and source code. No patch is currently available for this high-severity issue affecting PHP-based WordPress installations.
PHP
Information Disclosure
LFI
-
CVE-2026-28015
HIGH
CVSS 8.1
ThemeREX ShiftCV versions up to 3.0.14 are vulnerable to local file inclusion through improper input validation in PHP include/require statements, allowing attackers to read arbitrary files on the affected server. With a CVSS score of 8.1, this vulnerability enables high-impact attacks including information disclosure and potential code execution, though exploitation requires specific conditions. No patch is currently available for affected installations.
PHP
Information Disclosure
LFI
-
CVE-2026-28014
HIGH
CVSS 8.1
ThemeREX Translogic through version 1.2.11 contains a local file inclusion vulnerability in PHP that enables attackers to read and potentially execute arbitrary files on affected systems without authentication. The improper handling of file include/require statements allows an attacker to manipulate filename inputs and access sensitive server files. No patch is currently available, and exploitation requires specific conditions (network accessible, no user interaction required).
PHP
Information Disclosure
LFI
-
CVE-2026-28013
HIGH
CVSS 8.1
Improper file inclusion handling in ThemeREX Kratz plugin versions 1.0.12 and earlier enables attackers to read arbitrary files from affected systems through a local file inclusion vulnerability. An unauthenticated attacker can exploit this over the network to access sensitive configuration files and other protected data without authentication. No patch is currently available for this high-severity vulnerability affecting PHP-based installations.
PHP
Information Disclosure
LFI
-
CVE-2026-28012
HIGH
CVSS 8.1
ThemeREX Gridiron through version 1.0.14 contains a local file inclusion vulnerability in PHP that allows unauthenticated attackers to read arbitrary files from the server by manipulating include/require statements. The vulnerability requires specific conditions to be met (AC:H) but could lead to full system compromise including confidentiality and integrity breaches. No patch is currently available, and exploitation remains unlikely in the near term based on current threat metrics.
PHP
Information Disclosure
LFI
-
CVE-2026-28011
HIGH
CVSS 8.1
ThemeREX Yottis plugin version 1.0.10 and earlier contains a local file inclusion vulnerability in PHP that permits unauthenticated attackers to read arbitrary files on the server through improper input validation on file inclusion parameters. The vulnerability requires specific conditions to exploit (high attack complexity) but could lead to complete system compromise including confidential data exposure and code execution. No patch is currently available for affected installations.
PHP
Information Disclosure
LFI
-
CVE-2026-28010
HIGH
CVSS 8.1
ThemeREX Scientia plugin versions 1.2.4 and earlier contain a local file inclusion vulnerability in PHP that allows unauthenticated remote attackers to read arbitrary files from the server. The vulnerability stems from improper validation of filename parameters in include/require statements, enabling attackers to traverse the filesystem and access sensitive data. With no patch currently available, affected PHP installations running vulnerable versions of Scientia are at immediate risk.
PHP
Information Disclosure
LFI
-
CVE-2026-28009
HIGH
CVSS 8.1
ThemeREX DroneX versions up to 1.1.12 contain a PHP local file inclusion vulnerability that allows unauthenticated remote attackers to read arbitrary files on the server. The vulnerability stems from improper validation of file paths in include/require statements, potentially enabling information disclosure or further system compromise. No patch is currently available for this issue.
PHP
Information Disclosure
LFI
-
CVE-2026-28007
HIGH
CVSS 8.1
ThemeREX Coinpress through version 1.0.14 contains a local file inclusion vulnerability in its PHP include/require handling that enables unauthenticated attackers to read arbitrary files from the affected server. The vulnerability has a high severity rating (CVSS 8.1) and currently lacks a security patch. Attackers can leverage this flaw to access sensitive configuration files, credentials, and other protected data accessible to the web server process.
PHP
Information Disclosure
LFI
-
CVE-2026-28006
HIGH
CVSS 8.1
ThemeREX Yungen plugin versions 1.0.12 and earlier contain a local file inclusion vulnerability in PHP file handling that allows attackers to read arbitrary files on the server. An unauthenticated remote attacker can exploit this weakness to access sensitive information or potentially execute code by manipulating filename parameters in include/require statements. No patch is currently available for this vulnerability.
PHP
Information Disclosure
LFI
-
CVE-2026-27998
HIGH
CVSS 8.1
ThemeREX Vixus through version 1.0.16 contains a local file inclusion vulnerability in its PHP include/require handling that enables attackers to read arbitrary files from the affected server. An unauthenticated remote attacker can exploit this by crafting malicious requests to access sensitive files and potentially execute arbitrary code. No patch is currently available, and exploitation requires specific conditions that increase the attack complexity.
PHP
Information Disclosure
LFI
-
CVE-2026-27997
HIGH
CVSS 8.1
ThemeREX Maxify through version 1.0.16 contains a local file inclusion vulnerability in its PHP file handling that allows unauthenticated attackers to read arbitrary files from the server. The vulnerability stems from improper validation of filenames in include/require statements, enabling attackers to traverse directories and access sensitive data. Currently no patch is available to remediate this issue.
PHP
Information Disclosure
LFI
-
CVE-2026-27996
HIGH
CVSS 8.1
ThemeREX Lingvico through version 1.0.14 contains a local file inclusion vulnerability in its PHP file handling that enables attackers to read arbitrary files on the affected system. The vulnerability requires network access but no authentication or user interaction, allowing an attacker to potentially disclose sensitive server information. No patch is currently available for this issue.
PHP
Information Disclosure
LFI
-
CVE-2026-27995
HIGH
CVSS 8.1
ThemeREX Justitia through version 1.1.0 contains a local file inclusion vulnerability in PHP that allows unauthenticated attackers to read arbitrary files on the server through improper control of file inclusion statements. This vulnerability has a CVSS score of 8.1, indicating high severity with potential for both information disclosure and system compromise. No patch is currently available, leaving affected installations vulnerable to exploitation.
PHP
Information Disclosure
LFI
-
CVE-2026-27994
HIGH
CVSS 8.1
ThemeREX Tediss versions 1.2.4 and earlier contain a local file inclusion vulnerability in their PHP include/require functionality, allowing unauthenticated attackers to read arbitrary files from the server. The vulnerability requires specific conditions to exploit (high complexity) but carries high impact including potential information disclosure and code execution. No patch is currently available for affected installations.
PHP
Information Disclosure
LFI
-
CVE-2026-27993
HIGH
CVSS 8.1
Local file inclusion in ThemeREX Aldo through version 1.0.10 enables unauthenticated attackers to read arbitrary files on the server through improper handling of include/require statements. The vulnerability allows remote attackers to access sensitive system files and potentially execute code with no authentication required. No patch is currently available for this high-severity flaw.
PHP
Information Disclosure
LFI
-
CVE-2026-27992
HIGH
CVSS 8.1
ThemeREX Meals & Wheels plugin version 1.1.12 and earlier contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files on the server through improper handling of include/require statements. An attacker can exploit this vulnerability to access sensitive configuration files, source code, or other protected content without authentication. No patch is currently available, and exploitation difficulty is moderate with a CVSS score of 8.1 indicating high impact on confidentiality, integrity, and availability.
PHP
Information Disclosure
LFI
-
CVE-2026-27991
HIGH
CVSS 8.1
ThemeREX Avventure versions 1.1.12 and earlier contain a local file inclusion vulnerability in PHP file handling that allows unauthenticated attackers to read arbitrary files on the server. The vulnerability stems from improper validation of filenames in include/require statements, enabling attackers to traverse directories and access sensitive information. No patch is currently available for affected installations.
PHP
Information Disclosure
LFI
-
CVE-2026-27990
HIGH
CVSS 8.1
ThemeREX ConFix version 1.013 and earlier contains a local file inclusion vulnerability in PHP that allows unauthenticated remote attackers to read arbitrary files from the affected server. The vulnerability stems from improper validation of file paths in include/require statements, enabling attackers to traverse directories and access sensitive configuration files or source code. No patch is currently available for this high-severity vulnerability (CVSS 8.1).
PHP
Information Disclosure
LFI
-
CVE-2026-27989
HIGH
CVSS 8.1
ThemeREX Quanzo version 1.0.10 and earlier contains a local file inclusion vulnerability in PHP that allows unauthenticated attackers to read arbitrary files through improper handling of include/require statements. The high CVSS score of 8.1 reflects the potential for confidentiality and integrity compromise, though exploitation requires specific conditions. No patch is currently available for affected installations.
PHP
Information Disclosure
LFI
-
CVE-2026-27988
HIGH
CVSS 8.1
ThemeREX Equadio versions 1.1.3 and earlier contain a local file inclusion vulnerability in their PHP implementation that allows attackers to manipulate filename parameters in include/require statements to read arbitrary files from the system. An attacker with network access can exploit this vulnerability to disclose sensitive information such as configuration files or source code. No patch is currently available for this issue.
PHP
Information Disclosure
LFI
-
CVE-2026-27987
HIGH
CVSS 8.1
ThemeREX The Qlean WordPress theme through version 2.12 contains a local file inclusion vulnerability in its PHP file handling that enables attackers to read arbitrary files from the server. The vulnerability requires no authentication and can be exploited remotely to access sensitive configuration files and source code. While no patch is currently available, the relatively low EPSS score suggests limited real-world exploitation at this time.
PHP
Information Disclosure
LFI
-
CVE-2026-27986
HIGH
CVSS 8.1
ThemeREX OsTende versions up to 1.4.3 contain a local file inclusion vulnerability in their PHP file handling that allows unauthenticated attackers to read arbitrary files on the server. The vulnerability stems from improper validation of filename parameters in include/require statements, enabling attackers to access sensitive configuration files and application data. No patch is currently available for this issue.
PHP
Information Disclosure
LFI
-
CVE-2026-27985
HIGH
CVSS 8.1
Local file inclusion in ThemeREX Humanum through version 1.1.4 enables attackers to read arbitrary files on the server by exploiting improper input validation in file inclusion mechanisms. The vulnerability requires network access but no authentication or user interaction, allowing complete compromise of confidentiality and integrity with high impact. No patch is currently available.
PHP
Information Disclosure
LFI
-
CVE-2026-27750
HIGH
CVSS 7.8
Internet Security contains a vulnerability that allows attackers to delete protected files or directories and can lead to local privilege escalation (CVSS 7.8).
Privilege Escalation
Denial Of Service
-
CVE-2026-27749
HIGH
CVSS 7.8
Arbitrary code execution as SYSTEM in Avira Internet Security's System Speedup component occurs when the privileged RealTimeOptimizer.exe process deserializes untrusted .NET binary data from a world-writable ProgramData location without validation. A local attacker can craft a malicious serialized payload to achieve immediate privilege escalation and full system compromise. No patch is currently available for this high-severity vulnerability.
RCE
Deserialization
-
CVE-2026-27748
HIGH
CVSS 7.8
Avira Internet Security's Software Updater fails to validate symbolic links when deleting files during updates, allowing a local attacker to redirect SYSTEM-level file deletion operations to arbitrary targets. An authenticated local user can exploit this improper link resolution to delete critical system files, potentially achieving privilege escalation, denial of service, or compromising system integrity. No patch is currently available.
Privilege Escalation
Denial Of Service
-
CVE-2026-27541
HIGH
CVSS 7.2
Josh Kohlbach Wholesale Suite woocommerce-wholesale-prices contains a security vulnerability (CVSS 7.1).
WordPress
Privilege Escalation
-
CVE-2026-27428
HIGH
CVSS 8.5
Eagle Booking plugin versions 1.3.4.3 and earlier contain an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries over the network. An attacker with user-level privileges can exploit this to extract sensitive data from the database or potentially modify application data, though no patch is currently available.
SQLi
-
CVE-2026-27406
HIGH
CVSS 7.5
My Tickets plugin version 2.1.0 and earlier inadvertently exposes sensitive data in outbound communications due to improper data handling. An unauthenticated remote attacker can intercept and retrieve embedded sensitive information from sent data without user interaction. No patch is currently available for this high-severity vulnerability.
Information Disclosure
-
CVE-2026-27396
HIGH
CVSS 7.3
Improper access control in e-plugins Directory Pro up to version 2.5.6 enables unauthenticated attackers to bypass authorization checks and gain unauthorized access to sensitive directory information. The vulnerability allows attackers to read, modify, or delete data depending on the misconfigured security levels without requiring authentication or user interaction. A patch is not currently available.
Authentication Bypass
-
CVE-2026-27390
HIGH
CVSS 8.8
designthemes WeDesignTech Ultimate Booking Addon wedesigntech-ultimate-booking-addon contains a security vulnerability (CVSS 8.8).
Authentication Bypass
-
CVE-2026-27388
HIGH
CVSS 7.5
designthemes DesignThemes Booking Manager designthemes-booking-manager is affected by missing authorization (CVSS 7.5).
Authentication Bypass
-
CVE-2026-27386
HIGH
CVSS 7.5
designthemes DesignThemes Directory Addon designthemes-directory-addon is affected by missing authorization (CVSS 7.5).
Authentication Bypass
-
CVE-2026-27385
HIGH
CVSS 7.1
designthemes DesignThemes Portfolio designthemes-portfolio is affected by cross-site scripting (XSS) (CVSS 7.1).
XSS
-
CVE-2026-27383
HIGH
CVSS 8.1
RadiusTheme Metro versions 2.13 and earlier are susceptible to local file inclusion through improper input validation in PHP include/require statements, enabling attackers to read arbitrary files on the server. An unauthenticated remote attacker can exploit this vulnerability over the network to access sensitive information or potentially execute arbitrary code. No patch is currently available for this vulnerability.
PHP
Information Disclosure
LFI
-
CVE-2026-27382
HIGH
CVSS 7.1
DOM-based cross-site scripting in RadiusTheme Metro versions 2.13 and earlier allows unauthenticated attackers to inject malicious scripts that execute in users' browsers with no interaction required beyond viewing a crafted page. Successful exploitation enables attackers to steal session tokens, perform unauthorized actions, or deface content for affected users. No patch is currently available.
XSS
-
CVE-2026-27381
HIGH
CVSS 8.1
PHP Local File Inclusion in Aora through version 1.3.15 enables unauthenticated remote attackers to read arbitrary files on affected systems through improper validation of file inclusion parameters. The vulnerability carries a CVSS score of 8.1 with high impact across confidentiality, integrity, and availability, though no patch is currently available.
PHP
Information Disclosure
LFI
-
CVE-2026-27379
HIGH
CVSS 8.8
NextScripts NextScripts social-networks-auto-poster-facebook-twitter-g is affected by deserialization of untrusted data (CVSS 8.8).
Deserialization
-
CVE-2026-27376
HIGH
CVSS 7.1
The Claue WordPress theme through version 2.2.7 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts into web pages viewed by other users. An attacker can exploit this by crafting a malicious URL to steal sensitive information, perform unauthorized actions, or compromise user sessions without requiring any special privileges or interaction with the application itself.
WordPress
XSS
-
CVE-2026-27375
HIGH
CVSS 7.1
JanStudio Gecko version 1.9.8 and earlier contain a reflected cross-site scripting (XSS) vulnerability that allows unauthenticated remote attackers to inject malicious scripts through improper input validation during web page generation. Successful exploitation requires user interaction and can lead to unauthorized access to sensitive information, data modification, or service disruption. No patch is currently available.
XSS
-
CVE-2026-27374
HIGH
CVSS 7.5
vanquish WooCommerce Order Details woocommerce-order-details is affected by missing authorization (CVSS 7.5).
WordPress
Authentication Bypass
-
CVE-2026-27373
HIGH
CVSS 8.5
Essekia Tablesome versions up to 1.2.3 contain a blind SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries through improper input sanitization. An attacker with valid credentials can exploit this to extract sensitive data from the database, though no patch is currently available. The vulnerability has a CVSS score of 8.5 and requires network access with low attack complexity.
SQLi
-
CVE-2026-27370
HIGH
CVSS 7.5
Premio Chaty versions up to 3.5.1 expose sensitive data through improper handling of embedded information in outbound communications, allowing unauthenticated remote attackers to retrieve confidential data without user interaction. The vulnerability carries a high severity rating (CVSS 7.5) and currently has no available patch.
Information Disclosure
-
CVE-2026-27369
HIGH
CVSS 8.1
BoldThemes Celeste versions 1.3.6 and earlier are vulnerable to unsafe deserialization that enables arbitrary object injection attacks over the network without authentication. An attacker can exploit this to achieve remote code execution or other malicious operations on affected systems. No patch is currently available for this vulnerability.
Deserialization
-
CVE-2026-27367
HIGH
CVSS 7.1
Reflected cross-site scripting in ThemeGoods Musico through version 3.2.4 enables attackers to inject malicious scripts into web pages viewed by users, potentially compromising session data and user credentials. The vulnerability requires user interaction to trigger and affects all installations of the affected Musico versions, with no patch currently available.
XSS
-
CVE-2026-27363
HIGH
CVSS 7.1
kamleshyadav WP Bakery Autoresponder Addon vc-autoresponder-addon is affected by cross-site scripting (XSS) (CVSS 7.1).
XSS
-
CVE-2026-27361
HIGH
CVSS 7.5
WebCodingPlace Responsive Posts Carousel Pro responsive-posts-carousel-pro is affected by missing authorization (CVSS 7.5).
Authentication Bypass
-
CVE-2026-27359
HIGH
CVSS 7.1
Reflected XSS in Awa Plugins through version 1.4.4 enables unauthenticated attackers to inject malicious scripts into web pages viewed by users, potentially leading to session hijacking, credential theft, or malware distribution. The vulnerability requires user interaction via a crafted link and has cross-site impact, affecting all installations of the affected plugin versions. No patch is currently available.
XSS
-
CVE-2026-27358
HIGH
CVSS 7.1
Reflected cross-site scripting in ThemeGoods Architecturer versions up to 3.8.8 enables attackers to inject malicious scripts that execute in victims' browsers when they click a crafted link, potentially allowing session hijacking or credential theft. The vulnerability requires user interaction and affects all users of the vulnerable plugin versions. No patch is currently available.
XSS
-
CVE-2026-27353
HIGH
CVSS 7.1
Reflected cross-site scripting in ThemeGoods Grand News version 3.4.3 and earlier enables attackers to inject malicious scripts into web pages viewed by users, potentially allowing credential theft or session hijacking. The vulnerability requires user interaction to trigger but can be exploited remotely without authentication. No patch is currently available.
XSS
-
CVE-2026-27352
HIGH
CVSS 7.1
ThemeGoods Starto versions 2.1.9 and earlier are vulnerable to reflected cross-site scripting (XSS) that can be exploited remotely without authentication, allowing attackers to inject malicious scripts into web pages viewed by users. An attacker can trick users into clicking a malicious link to steal session cookies, redirect to phishing sites, or perform actions on behalf of the victim. No patch is currently available for this vulnerability.
XSS
-
CVE-2026-27348
HIGH
CVSS 7.1
DOM-based cross-site scripting in ThemeGoods Photography plugin version 7.6.1 and earlier enables attackers to inject malicious scripts that execute in users' browsers without authentication, potentially compromising sensitive data or session tokens. The vulnerability requires user interaction to trigger and has network-wide impact, affecting any website running the affected Photography plugin version.
XSS
-
CVE-2026-27342
HIGH
CVSS 8.1
Mikado-Themes TopFit - Fitness and Gym WordPress Theme topfit is affected by PHP remote file inclusion (CVSS 8.1).
PHP
WordPress
Information Disclosure
LFI
-
CVE-2026-27341
HIGH
CVSS 8.1
Mikado-Themes TopScorer - Sports WordPress Theme topscorer is affected by PHP remote file inclusion (CVSS 8.1).
PHP
WordPress
Information Disclosure
LFI
-
CVE-2026-27340
HIGH
CVSS 8.1
The AncoraThemes Apollo | Night Club, DJ Event WordPress Theme through version 1.3.1 contains a PHP local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files on the server. This CWE-98 weakness in improper filename control could enable attackers to access sensitive configuration files or other protected data. No patch is currently available for affected installations.
PHP
WordPress
Information Disclosure
LFI
-
CVE-2026-27339
HIGH
CVSS 8.1
The Buzz Stone WordPress theme through version 1.0.2 contains a local file inclusion vulnerability in its PHP code that allows unauthenticated attackers to read arbitrary files on the affected server. With network access and no user interaction required, an attacker can leverage improper input validation in file inclusion functions to access sensitive data or potentially execute code. No patch is currently available for this vulnerability affecting WordPress installations using the vulnerable theme versions.
PHP
WordPress
Information Disclosure
LFI
-
CVE-2026-27338
HIGH
CVSS 8.8
Object injection through unsafe deserialization in AivahThemes Car Zone up to version 3.7 allows authenticated attackers to execute arbitrary code with network access and no user interaction required. With a CVSS score of 8.8 indicating high severity, this vulnerability poses a significant risk to affected installations, though no patch is currently available. Attackers with valid credentials can exploit this flaw to gain complete system compromise including confidentiality, integrity, and availability impact.
Deserialization
-
CVE-2026-27337
HIGH
CVSS 8.1
The Chronicle WordPress theme version 1.0 and earlier contains a local file inclusion vulnerability in its PHP code that allows unauthenticated attackers to read arbitrary files from the affected server. An attacker can exploit this weakness to access sensitive configuration files, database credentials, or other confidential data stored on the web server. Currently, no patch is available and the vulnerability has a 0.2% probability of exploitation according to EPSS scoring.
PHP
WordPress
Information Disclosure
LFI
-
CVE-2026-27336
HIGH
CVSS 8.1
The Consultor WordPress theme through version 1.2.4 contains a local file inclusion vulnerability in its PHP include/require handling that allows unauthenticated remote attackers to read arbitrary files on the server. An attacker can exploit this weakness to access sensitive configuration files, database credentials, and other confidential data. Currently no patch is available, leaving all affected installations vulnerable.
PHP
WordPress
Information Disclosure
LFI
-
CVE-2026-27335
HIGH
CVSS 8.1
The Ekoterra WordPress theme through version 1.0.0 contains a local file inclusion vulnerability in its PHP file handling that allows unauthenticated attackers to read arbitrary files from the server. This high-severity flaw (CVSS 8.1) stems from improper validation of file paths in include/require statements, enabling attackers to access sensitive configuration files and other protected data. No patch is currently available for affected installations.
PHP
Information Disclosure
LFI
-
CVE-2026-27334
HIGH
CVSS 8.1
PHP Local File Inclusion in dan_fisher Alchemists versions through 4.6.0 allows unauthenticated remote attackers to read arbitrary files on affected servers through improper handling of file inclusion statements. The vulnerability requires specific network conditions to exploit but carries high impact potential across confidentiality, integrity, and availability. No patch is currently available for this vulnerability.
PHP
Information Disclosure
LFI
-
CVE-2026-27332
HIGH
CVSS 7.1
Skygroup Agrofood versions 1.3.0 and earlier are vulnerable to reflected cross-site scripting (XSS) attacks that allow unauthenticated remote attackers to inject malicious scripts into web pages viewed by users. An attacker can exploit this vulnerability to steal session cookies, redirect users to malicious sites, or perform actions on behalf of victims. No patch is currently available.
XSS
-
CVE-2026-27326
HIGH
CVSS 8.1
The AC Services WordPress theme through version 1.2.5 contains a local file inclusion vulnerability in PHP that enables unauthenticated remote attackers to read arbitrary files on affected servers. This high-severity flaw allows attackers to access sensitive configuration files and potentially extract credentials or other confidential data. No patch is currently available, so WordPress installations using this theme should be treated as exposed until one is released.
PHP
WordPress
Information Disclosure
LFI
-
CVE-2026-27098
HIGH
CVSS 8.1
Unsafe deserialization in the Au Pair Agency theme (versions up to 1.2.2) enables object injection attacks that could allow remote code execution on affected WordPress sites. An unauthenticated attacker can exploit this vulnerability to inject malicious objects and compromise server integrity, confidentiality, and availability. No patch is currently available.
Deserialization
-
CVE-2026-27097
HIGH
CVSS 8.1
The CasaMia WordPress theme through version 1.1.2 contains a local file inclusion vulnerability in its PHP file handling that allows unauthenticated attackers to read arbitrary files from the server. This high-severity flaw (CVSS 8.1) could expose sensitive configuration files, database credentials, and other confidential data stored on affected WordPress installations. No patch is currently available for this vulnerability.
PHP
WordPress
Information Disclosure
LFI
-
CVE-2026-26999
HIGH
CVSS 7.5
Traefik versions before 2.11.38 and 3.6.9 allow remote attackers to cause denial of service by sending incomplete TLS records to TCP routers, which causes the TLS handshake process to hang indefinitely while holding connections open. An unauthenticated attacker can exploit this by opening many stalled connections in parallel to exhaust file descriptors and goroutines, degrading or disabling the proxy service.
TLS
Red Hat
Traefik
Suse
-
CVE-2026-26418
HIGH
CVSS 7.5
Cognix Platform's web API lacks authentication and authorization controls, enabling unauthenticated remote attackers to access restricted application functionality over the network. This vulnerability affects Tata Consultancy Services Cognix Recon Client v3.0 and poses a high risk due to its ease of exploitation and lack of authentication requirements. No patch is currently available.
Authentication Bypass
Cognix Platform
-
CVE-2026-26417
HIGH
CVSS 8.1
Cognix Platform's password reset function fails to properly validate user permissions, enabling authenticated attackers to reset passwords for any user account through specially crafted requests. This broken access control vulnerability affects Cognix Recon Client v3.0 and carries high severity due to the potential for unauthorized account takeovers. No patch is currently available.
Authentication Bypass
Cognix Platform
-
CVE-2026-26416
HIGH
CVSS 8.8
Privilege escalation in Cognix Platform v3.0 permits authenticated users to bypass authorization controls and assume higher-privileged roles through specially crafted requests. This vulnerability affects all users with valid credentials and could allow attackers to gain unauthorized administrative access. No patch is currently available.
Privilege Escalation
Cognix Platform
-
CVE-2026-26276
HIGH
CVSS 7.3
Gogs versions prior to 0.14.2 contain a DOM-based XSS vulnerability in the Issue creation page where attackers can inject malicious scripts through milestone names that execute when other users interact with those milestones. An authenticated attacker can craft a repository with a malicious milestone name containing JavaScript payloads that trigger in victim browsers, potentially compromising user sessions or sensitive data. No patch is currently available for affected versions.
XSS
Gogs
Suse
-
CVE-2026-26194
HIGH
CVSS 7.3
Gogs prior to version 0.14.2 contains a command injection vulnerability in release deletion functionality where improper handling of user-controlled tag names allows git options to be injected into git commands. An authenticated attacker with UI interaction can exploit this to achieve integrity and availability impacts. Public exploit code exists for this vulnerability.
Code Injection
Gogs
Suse
-
CVE-2026-26125
HIGH
CVSS 8.6
Payment Orchestrator Service Elevation of Privilege Vulnerability [CVSS 8.6 HIGH]
Authentication Bypass
Payment Orchestrator Service
-
CVE-2026-26034
HIGH
CVSS 7.8
Ups Multi-Ups Management Console versions up to 01.06.0001_(a03) are affected by incorrect default permissions (CVSS 7.8).
Privilege Escalation
RCE
Ups Multi Ups Management Console
-
CVE-2026-26022
HIGH
CVSS 8.7
Stored XSS in Gogs prior to version 0.14.2 allows authenticated users to execute arbitrary JavaScript in comments and issue descriptions by exploiting the HTML sanitizer's allowance of data: URI schemes. This affects all users viewing malicious content within the same Gogs instance and could enable session hijacking or credential theft. Public exploit code exists for this vulnerability, though a patch is available in version 0.14.2 and later.
XSS
Gogs
Suse
-
CVE-2026-25702
HIGH
CVSS 7.3
Improper access control in the Linux kernel affects SUSE Linux Enterprise Server 12 SP5, causing nftables firewall rules to become ineffective and allowing network traffic to bypass intended filtering policies. An unauthenticated remote attacker can exploit this vulnerability to circumvent firewall protections without user interaction. No patch is currently available for this vulnerability.
Linux
Linux Enterprise Server
Suse
-
CVE-2026-25048
HIGH
CVSS 7.5
Xgrammar versions prior to 0.1.32 crash when processing multi-level nested syntax structures, causing a denial of service that halts the application. An attacker can trigger this segmentation fault remotely without authentication by submitting crafted input, disrupting any AI/ML system relying on this library for structured generation tasks. No patch is currently available for affected deployments.
Information Disclosure
Red Hat
AI / ML
Xgrammar
-
CVE-2026-24963
HIGH
CVSS 7.2
Privilege escalation in Amelia booking plugin through version 1.2.38 allows high-privileged users to gain unauthorized elevated access due to improper privilege assignment. An authenticated attacker with administrative credentials can exploit this vulnerability to compromise system integrity and confidentiality. No patch is currently available.
Privilege Escalation
-
CVE-2026-24385
HIGH
CVSS 7.5
gerritvanaaken Podlove Web Player podlove-web-player is affected by deserialization of untrusted data (CVSS 7.5).
Deserialization
-
CVE-2026-23801
HIGH
CVSS 8.1
Improper file inclusion handling in PHP-based The Issue theme versions 1.6.11 and earlier enables attackers to include and execute arbitrary local files, potentially leading to remote code execution. An unauthenticated attacker can exploit this vulnerability over the network to read sensitive files or execute malicious PHP code. No patch is currently available.
PHP
Information Disclosure
LFI
-
CVE-2026-23798
HIGH
CVSS 8.8
blubrry PowerPress Podcasting powerpress is affected by deserialization of untrusted data (CVSS 8.8).
Deserialization
-
CVE-2026-22479
HIGH
CVSS 7.5
Improper access control in Ruby's ThemeRuby Easy Post Submission plugin through version 2.2.0 allows unauthenticated remote attackers to bypass authorization checks and gain unauthorized read access to sensitive data. The vulnerability stems from misconfigured security levels that fail to properly enforce access restrictions on protected functionality. No patch is currently available for affected installations.
Authentication Bypass
-
CVE-2026-22478
HIGH
CVSS 8.1
The FindAll plugin for PHP through version 1.4 contains a local file inclusion vulnerability that enables attackers to read arbitrary files from the affected system through improper input validation on file inclusion statements. An unauthenticated remote attacker can exploit this vulnerability to access sensitive files and potentially execute arbitrary code with the privileges of the web server process. No patch is currently available for this vulnerability.
PHP
Information Disclosure
LFI
-
CVE-2026-22477
HIGH
CVSS 8.1
Local file inclusion in AncoraThemes Felizia through version 1.3.4 enables unauthenticated attackers to read arbitrary files from the affected server through improper input validation on file inclusion parameters. The vulnerability carries high severity with a CVSS score of 8.1 and impacts confidentiality, integrity, and availability of affected systems. No patch is currently available for this vulnerability.
PHP
Information Disclosure
LFI
-
CVE-2026-22476
HIGH
CVSS 8.1
Elated-Themes Etchy through version 1.0 contains a local file inclusion vulnerability in its PHP file handling that enables attackers to read arbitrary files from the affected server without authentication. The vulnerability stems from improper validation of filename parameters in include/require statements, allowing directory traversal attacks to access sensitive system files. While a patch is not currently available, the low EPSS score suggests limited real-world exploitation likelihood at this time.
PHP
Information Disclosure
LFI
-
CVE-2026-22473
HIGH
CVSS 8.8
Object injection through unsafe deserialization in designthemes Dental Clinic version 3.7 and earlier allows authenticated attackers to execute arbitrary code with high impact on confidentiality, integrity, and availability. An attacker with valid credentials can exploit this CWE-502 weakness to inject malicious objects during the deserialization process, potentially compromising the entire application. No patch is currently available for this vulnerability.
Deserialization
-
CVE-2026-22471
HIGH
CVSS 8.8
maximsecudeal Secudeal Payments for Ecommerce secudeal-payments-for-ecommerce is affected by deserialization of untrusted data (CVSS 8.6).
Deserialization
-
CVE-2026-22467
HIGH
CVSS 7.1
DeepDigital versions 1.0.2 and earlier are vulnerable to reflected cross-site scripting (XSS) attacks due to insufficient input validation during web page generation, allowing unauthenticated remote attackers to inject malicious scripts that execute in users' browsers. Exploitation requires user interaction (clicking a malicious link) but can affect the entire application context, enabling attackers to steal sensitive data or perform actions on behalf of victims. No patch is currently available.
XSS
-
CVE-2026-22465
HIGH
CVSS 7.1
SeventhQueen BuddyApp through version 1.9.2 is vulnerable to reflected cross-site scripting (XSS) due to improper input validation during web page generation, allowing attackers to inject malicious scripts that execute in users' browsers when they click malicious links. An unauthenticated attacker can exploit this to steal session cookies, perform actions on behalf of users, or redirect them to phishing sites. No patch is currently available.
XSS
-
CVE-2026-22460
HIGH
CVSS 8.6
Path traversal in wpWax FormGent plugin versions up to 1.4.2 enables unauthenticated remote attackers to access files outside intended directories. The vulnerability requires no user interaction and can be exploited over the network to cause denial of service or potentially disclose sensitive information. No patch is currently available for this high-severity issue.
Path Traversal
-
CVE-2026-22457
HIGH
CVSS 8.1
Mikado-Themes Wanderland versions 1.5 and earlier contain a local file inclusion vulnerability in PHP that enables attackers to read arbitrary files from the affected server without authentication. The vulnerability stems from improper validation of file paths in include/require statements, allowing an unauthenticated remote attacker to access sensitive system files. No patch is currently available for this vulnerability.
PHP
Information Disclosure
LFI
-
CVE-2026-22456
HIGH
CVSS 8.1
Local file inclusion in Elated-Themes Askka version 1.0 and earlier allows unauthenticated remote attackers to read arbitrary files from the affected server through improper validation of include/require statements. The vulnerability carries high severity with potential for information disclosure and system compromise. No patch is currently available for this vulnerability.
PHP
Information Disclosure
LFI
-
CVE-2026-22455
HIGH
CVSS 7.1
Reflected XSS in Thebe up to version 1.3.0 enables attackers to inject malicious scripts into web pages viewed by users, potentially compromising session data and user interactions across different sites. The vulnerability requires user interaction through a crafted link but has no authentication requirement, making it accessible to unauthenticated attackers. No patch is currently available.
XSS
-
CVE-2026-22452
HIGH
CVSS 8.1
ThemeREX Hoverex versions up to 1.5.10 contain a local file inclusion vulnerability in PHP that allows unauthenticated attackers to read arbitrary files from the server through improper handling of include/require statements. An attacker with network access can exploit this to disclose sensitive configuration files, source code, or other critical data without authentication. No patch is currently available for this vulnerability.
PHP
Information Disclosure
LFI
-
CVE-2026-22449
HIGH
CVSS 8.1
Don Peppe WordPress theme version 1.3 and earlier contains a local file inclusion vulnerability in its file handling mechanism that could allow an attacker to read arbitrary files from the affected server. The vulnerability stems from improper input validation on filename parameters used in PHP include/require statements, enabling attackers to traverse the filesystem and access sensitive data. Currently, no patch is available for this vulnerability.
PHP
Information Disclosure
LFI
-
CVE-2026-22446
HIGH
CVSS 8.1
Select-Themes Prowess version 1.8.1 and earlier contains a local file inclusion vulnerability in its PHP file handling that allows unauthenticated attackers to read arbitrary files from the affected system. The vulnerability stems from improper validation of filenames in include/require statements, enabling attackers to traverse directories and access sensitive data. No patch is currently available for this high-severity vulnerability (CVSS 8.1).
PHP
Information Disclosure
LFI
-
CVE-2026-22443
HIGH
CVSS 8.1
ThemeREX Alliance versions up to 3.1.1 contain a local file inclusion vulnerability in PHP that allows unauthenticated attackers to read arbitrary files from the server through improper handling of filename parameters in include/require statements. With a CVSS score of 8.1, this vulnerability enables attackers to access sensitive system files and potentially execute code depending on server configuration. No patch is currently available for affected versions.
PHP
Information Disclosure
LFI
-
CVE-2026-22442
HIGH
CVSS 8.1
LaunchandSell Tribe plugin for PHP versions through 1.7.3 contains a local file inclusion vulnerability that allows unauthenticated remote attackers to read arbitrary files on the server. The flaw stems from improper validation of filenames in include/require statements, enabling attackers to access sensitive data without authentication. No patch is currently available for this vulnerability.
PHP
Information Disclosure
LFI
-
CVE-2026-22441
HIGH
CVSS 8.1
Elated-Themes Zentrum version 1.0 and earlier contains a local file inclusion vulnerability in its PHP file handling that enables attackers to read arbitrary files from the server without authentication. The high CVSS score of 8.1 reflects the potential for complete compromise of confidentiality and integrity, though exploitation requires specific conditions. No patch is currently available for affected installations.
PHP
Information Disclosure
LFI
-
CVE-2026-22440
HIGH
CVSS 7.1
Reflected cross-site scripting in Thecs through version 1.4.7 enables attackers to inject malicious scripts that execute in users' browsers when they click specially crafted links, potentially compromising session data and user credentials. The vulnerability requires user interaction and affects all versions up to 1.4.7, with no patch currently available. An attacker can exploit this to steal sensitive information or perform actions on behalf of affected users.
XSS
-
CVE-2026-22439
HIGH
CVSS 8.1
Local file inclusion in AncoraThemes Green Planet through version 1.1.14 allows unauthenticated attackers to read arbitrary files on affected servers by manipulating include/require statements in PHP. This CWE-98 vulnerability carries a CVSS score of 8.1 with high impact on confidentiality and integrity, though no patch is currently available.
PHP
Information Disclosure
LFI
-
CVE-2026-22438
HIGH
CVSS 7.1
Reflected cross-site scripting in TheBi through version 1.0.5 enables attackers to inject malicious scripts that execute in users' browsers when they click on specially crafted links. This vulnerability requires user interaction but can lead to session hijacking, credential theft, or malware distribution across trusted domains. No patch is currently available for affected installations.
XSS
-
CVE-2026-22437
HIGH
CVSS 8.1
AncoraThemes Playa versions up to 1.3.9 contain a local file inclusion vulnerability in PHP that allows unauthenticated attackers to read arbitrary files from the affected server. The flaw stems from improper validation of file paths in include/require statements, enabling attackers to traverse directories and access sensitive system files. No patch is currently available for this vulnerability.
PHP
Information Disclosure
LFI
-
CVE-2026-22436
HIGH
CVSS 8.1
Local file inclusion in Elated-Themes Helvig through version 1.0 enables unauthenticated remote attackers to read arbitrary files from affected systems. The vulnerability stems from improper control of filename parameters in PHP include/require statements, allowing attackers to traverse the filesystem and access sensitive data. No patch is currently available.
PHP
Information Disclosure
LFI
-
CVE-2026-22435
HIGH
CVSS 8.1
ElectroServ through version 1.3.2 contains a local file inclusion vulnerability in its PHP-based file handling that enables unauthenticated attackers to read arbitrary files from the server. An attacker can exploit this weakness over the network without user interaction to access sensitive data or potentially execute code through log poisoning techniques. No patch is currently available for this vulnerability.
PHP
Information Disclosure
LFI
-
CVE-2026-22434
HIGH
CVSS 8.1
Local file inclusion in AncoraThemes Crown Art through version 1.2.11 enables unauthenticated remote attackers to read arbitrary files from the affected server through improper handling of include/require statements. This vulnerability carries a high CVSS score of 8.1 and allows potential access to sensitive configuration files and application data. No patch is currently available for this vulnerability.
PHP
Information Disclosure
LFI
-
CVE-2026-22433
HIGH
CVSS 8.1
PHP Local File Inclusion in AncoraThemes CloudMe through version 1.2.2 enables unauthenticated attackers to read arbitrary files on affected systems through improper filename validation in include/require statements. The high CVSS score of 8.1 reflects the potential for confidentiality and integrity compromise, though no patch is currently available.
PHP
Information Disclosure
LFI
-
CVE-2026-22432
HIGH
CVSS 8.1
Woopy through version 1.2 by AncoraThemes contains a local file inclusion vulnerability in PHP that allows unauthenticated attackers to read arbitrary files from the affected system. The vulnerability stems from improper validation of filename parameters in include/require statements, enabling attackers to traverse the file system and access sensitive data. No patch is currently available for this vulnerability.
PHP
Information Disclosure
LFI
-
CVE-2026-22431
HIGH
CVSS 8.1
AncoraThemes Wabi-Sabi theme version 1.2 and earlier contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files on the server through improper handling of file inclusion parameters. An attacker can exploit this to access sensitive configuration files, database credentials, and other confidential data stored on the affected WordPress installation. No patch is currently available.
PHP
Information Disclosure
LFI
-
CVE-2026-22429
HIGH
CVSS 8.1
Mikado-Themes Verdure WordPress theme version 1.6 and earlier contains an improper file inclusion vulnerability that enables attackers to read arbitrary files from the affected server without authentication. The flaw in the theme's include/require statement handling allows local and remote file inclusion attacks, potentially exposing sensitive configuration files and other critical data. No patch is currently available for this vulnerability.
PHP
Information Disclosure
LFI
-
CVE-2026-22428
HIGH
CVSS 8.1
The Tooth Fairy WordPress theme through version 1.16 contains a local file inclusion vulnerability in its PHP file handling that allows attackers to read arbitrary files from the server. An unauthenticated remote attacker can exploit this by manipulating file inclusion parameters to access sensitive data or potentially execute code. No patch is currently available for this vulnerability.
PHP
Information Disclosure
LFI
-
CVE-2026-22427
HIGH
CVSS 8.1
Mikado-Themes GoTravel versions 2.1 and earlier contain a local file inclusion vulnerability in PHP file handling that allows unauthenticated attackers to read arbitrary files from the affected server. The vulnerability stems from improper input validation on filename parameters used in PHP include/require statements, enabling attackers to traverse the filesystem and access sensitive data without authentication.
PHP
Information Disclosure
LFI
-
CVE-2026-22425
HIGH
CVSS 8.1
Elated-Themes Sweet Jane theme through version 1.2 contains a local file inclusion vulnerability in PHP that allows unauthenticated attackers to read arbitrary files on the server. The vulnerability stems from improper validation of file paths in include/require statements, enabling attackers to traverse directories and access sensitive information. No patch is currently available for affected installations.
PHP
Information Disclosure
LFI
-
CVE-2026-22424
HIGH
CVSS 8.1
Local file inclusion in AncoraThemes Shaha versions up to 1.1.2 enables attackers to read arbitrary files through improper input validation in PHP include/require statements. An unauthenticated remote attacker can exploit this vulnerability to access sensitive server files and potentially execute arbitrary code, with no patch currently available.
PHP
Information Disclosure
LFI
-
CVE-2026-22423
HIGH
CVSS 8.1
SetSail theme versions 1.8 and earlier for PHP are vulnerable to local file inclusion attacks due to improper input validation on file inclusion statements, potentially allowing attackers to read arbitrary files on the server. The vulnerability carries a high CVSS score of 8.1 and affects confidentiality, integrity, and availability, though no patch is currently available. Remote exploitation is possible under specific conditions, and affected users should implement access controls or upgrade once patches become available.
PHP
Information Disclosure
LFI
-
CVE-2026-22421
HIGH
CVSS 8.1
AncoraThemes Quantum theme versions up to 1.0 contain a local file inclusion vulnerability that enables attackers to read arbitrary files from the server through improper input validation in file inclusion functions. An unauthenticated remote attacker can exploit this to access sensitive configuration files and potentially execute arbitrary code on affected WordPress installations. No patch is currently available, though the vulnerability has a low exploit probability (0.2% EPSS).
PHP
Information Disclosure
LFI
-
CVE-2026-22420
HIGH
CVSS 8.1
Local file inclusion in AncoraThemes Horizon through version 1.1 enables unauthenticated attackers to read arbitrary files on affected servers through improper filename validation in PHP include/require statements. With a CVSS score of 8.1, this vulnerability allows complete compromise of confidentiality, integrity, and availability, though exploitation requires specific conditions. No patch is currently available for this vulnerability.
PHP
Information Disclosure
LFI
-
CVE-2026-22419
HIGH
CVSS 8.1
AncoraThemes Honor version 2.3 and earlier contains a PHP local file inclusion vulnerability that allows unauthenticated remote attackers to read arbitrary files from the server through improper input validation on file inclusion parameters. An attacker can exploit this to access sensitive configuration files, source code, or other confidential data stored on the affected web server. No patch is currently available for this vulnerability.
PHP
Information Disclosure
LFI
-
CVE-2026-22418
HIGH
CVSS 8.1
Local file inclusion in AncoraThemes Great Lotus through version 1.3.1 allows unauthenticated attackers to read arbitrary files on affected servers by exploiting improper input validation in file inclusion functions. The vulnerability carries a CVSS score of 8.1 and enables attackers to access sensitive data including configuration files and source code, though no patch is currently available.
PHP
Information Disclosure
LFI
-
CVE-2026-22416
HIGH
CVSS 8.1
PHP Local File Inclusion in AncoraThemes FixTeam through version 1.4 enables unauthenticated remote attackers to read arbitrary files on affected systems through improper handling of file include/require statements. The vulnerability carries a high CVSS score of 8.1 with potential for information disclosure and system compromise, though no patch is currently available.
PHP
Information Disclosure
LFI
-
CVE-2026-22415
HIGH
CVSS 8.1
The Mounty WordPress theme through version 1.1 contains a local file inclusion vulnerability in its PHP file handling that allows unauthenticated attackers to read arbitrary files from the server. The vulnerability stems from improper validation of file paths in include/require statements, enabling attackers to access sensitive configuration files and potentially source code. With a CVSS score of 8.1 and no patch currently available, affected sites running vulnerable versions face significant risk of information disclosure.
PHP
Information Disclosure
LFI
-
CVE-2026-22414
HIGH
CVSS 8.1
Mikado-Themes Marra version 1.2 and earlier contains a local file inclusion vulnerability in its PHP file handling that allows unauthenticated attackers to read arbitrary files on the server. The vulnerability stems from improper validation of filenames used in include/require statements, enabling attackers to traverse the filesystem and access sensitive data. No patch is currently available for this issue.
PHP
Information Disclosure
LFI
-
CVE-2026-22413
HIGH
CVSS 8.1
Local file inclusion in Mikado-Themes Malgré versions up to 1.0.3 allows unauthenticated attackers to read arbitrary files from the affected server through improper handling of file inclusion parameters. An attacker can exploit this vulnerability over the network without user interaction to access sensitive information, potentially leading to credential disclosure or further system compromise. No patch is currently available.
PHP
Information Disclosure
LFI
-
CVE-2026-22412
HIGH
CVSS 8.1
Mikado-Themes Eona versions 1.3 and earlier contain a local file inclusion vulnerability in PHP that allows unauthenticated attackers to read arbitrary files from the affected server. The vulnerability stems from improper validation of filename parameters in include/require statements, enabling attackers to traverse the filesystem and access sensitive data. No patch is currently available for this vulnerability.
PHP
Information Disclosure
LFI
-
CVE-2026-22410
HIGH
CVSS 8.1
Local file inclusion in Mikado-Themes Dolcino through version 1.6 allows unauthenticated remote attackers to read arbitrary files on affected systems by manipulating include/require parameters. The vulnerability stems from improper validation of filenames in PHP file inclusion statements, enabling attackers to traverse the filesystem without authentication. No patch is currently available for this vulnerability.
PHP
Information Disclosure
LFI
-
CVE-2026-22408
HIGH
CVSS 8.1
Local and remote file inclusion in Mikado-Themes Justicia through version 1.2 enables attackers to read arbitrary files or execute malicious PHP code on affected systems. The vulnerability stems from improper validation of file paths in include/require statements, allowing unauthenticated remote exploitation. No patch is currently available; affected users should upgrade to a patched version when released or implement web application firewall rules to restrict suspicious file inclusion attempts.
PHP
Information Disclosure
LFI
-
CVE-2026-22405
HIGH
CVSS 8.1
Local file inclusion in Mikado-Themes Overton version 1.3 and earlier allows unauthenticated remote attackers to read arbitrary files on the server through improper handling of PHP include/require statements. The vulnerability requires specific conditions to exploit (high complexity) but could lead to complete compromise of confidentiality and integrity. No patch is currently available for affected installations.
PHP
Information Disclosure
LFI
-
CVE-2026-22403
HIGH
CVSS 8.1
Mikado-Themes Innovio through version 1.7 contains a local file inclusion vulnerability in its PHP file handling that allows unauthenticated attackers to read arbitrary files from the server. The vulnerability stems from improper validation of filenames used in PHP include/require statements, enabling attackers to access sensitive data without authentication. No patch is currently available for this high-severity issue affecting all versions through 1.7.
PHP
Information Disclosure
LFI
-
CVE-2026-22399
HIGH
CVSS 8.1
Local file inclusion in Mikado-Themes Holmes version 1.7 and earlier allows unauthenticated remote attackers to read arbitrary files on affected servers through improper input validation in PHP include/require statements. The vulnerability has a CVSS score of 8.1 and enables attackers to potentially access sensitive configuration files and database credentials. No patch is currently available for this vulnerability.
PHP
Information Disclosure
LFI
-
CVE-2026-22397
HIGH
CVSS 8.1
Mikado-Themes Fleur version 2.0 and earlier contains a local file inclusion vulnerability in PHP that permits attackers to read arbitrary files on affected systems through improper input validation in file inclusion functions. The vulnerability requires specific conditions to exploit but grants high-impact access to sensitive data and potential system compromise. No patch is currently available.
PHP
Information Disclosure
LFI
-
CVE-2026-22395
HIGH
CVSS 8.1
Mikado-Themes Fiorello through version 1.0 contains a local file inclusion vulnerability in its PHP code that fails to properly validate filenames used in include/require statements, enabling attackers to read arbitrary files on the affected server. The vulnerability requires specific conditions to exploit but carries high impact, allowing unauthorized access to sensitive data and potential code execution. No security patch is currently available for this vulnerability.
PHP
Information Disclosure
LFI
-
CVE-2026-22394
HIGH
CVSS 8.1
Mikado-Themes Evently plugin version 1.7 and earlier contains a local file inclusion vulnerability in its PHP include/require handling that enables attackers to read arbitrary files from the server without authentication. The flaw stems from improper filename validation, allowing unauthenticated remote attackers to disclose sensitive information such as configuration files and source code. No patch is currently available for affected installations.
PHP
Information Disclosure
LFI
-
CVE-2026-22392
HIGH
CVSS 8.1
Mikado-Themes Cortex version 1.5 and earlier contains a local file inclusion vulnerability in its PHP file handling that allows unauthenticated remote attackers to read arbitrary files on the server. The vulnerability stems from improper validation of filenames in include/require statements, enabling attackers to traverse the filesystem and access sensitive data. No patch is currently available for this vulnerability.
PHP
Information Disclosure
LFI
-
CVE-2026-22389
HIGH
CVSS 8.1
Mikado-Themes Cocco versions up to 1.5.1 contain a local file inclusion vulnerability in PHP file handling that enables attackers to read arbitrary files on affected systems. An unauthenticated remote attacker can exploit improper input validation in include/require statements to access sensitive data without authentication. No patch is currently available for this high-severity vulnerability (CVSS 8.1).
PHP
Information Disclosure
LFI
-
CVE-2026-22387
HIGH
CVSS 8.1
Mikado-Themes Aviana through version 2.1 contains a local file inclusion vulnerability in PHP that enables attackers to read arbitrary files on the server through improper handling of include/require statements. An unauthenticated remote attacker can exploit this weakness to access sensitive files and potentially execute arbitrary code, though no patch is currently available. The vulnerability carries a CVSS score of 8.1 and affects all versions up to and including Aviana 2.1.
PHP
Information Disclosure
LFI
-
CVE-2026-22385
HIGH
CVSS 8.1
PHP Local File Inclusion in Wolmart through version 1.9.6 enables unauthenticated attackers over the network to read arbitrary files on affected systems due to improper input validation in file inclusion functions. The vulnerability carries high impact potential for confidentiality and integrity, though no patch is currently available. An attacker with network access can leverage this flaw to access sensitive configuration files, source code, or other protected resources without authentication.
PHP
Information Disclosure
LFI
-
CVE-2026-21621
HIGH
CVSS 7.0
Hexpm's OAuth implementation fails to enforce read-only API key restrictions during token exchange, allowing an attacker with a victim's read-only API key and valid 2FA code to obtain a full-access API key with unrestricted permissions. This privilege escalation vulnerability affects users of the Hexpm package repository and enables unauthorized modification of packages and account settings. No patch is currently available.
Authentication Bypass
Privilege Escalation
-
CVE-2026-3598
HIGH
CVSS 8.7
RustDesk Server Pro through version 1.7.5 uses weak cryptographic algorithms in configuration string generation and web console export functions, enabling attackers to extract sensitive embedded data from exported configurations. This vulnerability affects Windows, macOS, and Linux deployments and requires no authentication or user interaction to exploit. No patch is currently available.
Windows
Information Disclosure
Apple
macOS
Microsoft
-
CVE-2026-3459
HIGH
CVSS 8.1
Unauthenticated attackers can upload arbitrary files to WordPress sites running the Drag and Drop Multiple File Upload - Contact Form 7 plugin through version 1.3.7.3 due to insufficient file type validation when wildcard characters are configured in upload fields. Successful exploitation could enable remote code execution on the affected server. No patch is currently available.
WordPress
RCE
File Upload
-
CVE-2026-3047
HIGH
CVSS 8.8
Keycloak's SAML identity provider broker fails to enforce client disabled status during IdP-initiated SSO flows, allowing attackers with valid credentials to establish authenticated sessions and access other enabled clients without re-authentication. An authenticated remote attacker can exploit this authentication bypass to gain unauthorized access to protected resources across the Keycloak ecosystem. No patch is currently available.
Authentication Bypass
Red Hat
-
CVE-2026-3009
HIGH
CVSS 8.1
Keycloak's IdentityBrokerService.performLogin endpoint fails to enforce disabled Identity Provider restrictions, allowing attackers with knowledge of an IdP alias to reuse previous login requests and authenticate through administratively disabled external providers. This authentication bypass affects any Keycloak deployment relying on IdP disablement as an access control mechanism. An attacker can exploit this to gain unauthorized access by circumventing intended administrative restrictions on external authentication sources.
Authentication Bypass
Red Hat
-
CVE-2026-2836
HIGH
CVSS 8.1
Pingora's default HTTP cache key implementation excludes the host header when generating cache keys, allowing attackers to poison the cache and serve cross-origin responses to victims. This affects deployments using the default CacheKey implementation in multi-tenant environments, where an attacker could cause users from one tenant to receive cached responses belonging to another tenant. No patch is currently available for this high-severity vulnerability.
Authentication Bypass
Pingora
-
CVE-2026-2365
HIGH
CVSS 7.2
Stored XSS in Fluent Forms Pro for WordPress through version 6.1.17 allows unauthenticated attackers to inject malicious scripts into draft form submissions due to missing authentication and insufficient input sanitization on the fluentform_step_form_save_data AJAX action. The injected scripts execute when site administrators access partial form entries, potentially compromising administrator accounts and site integrity. No patch is currently available.
WordPress
XSS
-
CVE-2026-1720
HIGH
CVSS 8.8
WowOptin: Next-Gen Popup Maker plugin for WordPress versions up to 1.4.24 fails to validate user permissions on plugin installation functions, allowing authenticated subscribers to install and activate arbitrary plugins. This privilege escalation vulnerability enables low-privileged attackers to execute remote code with full WordPress permissions. No patch is currently available.
WordPress
Authentication Bypass
-
CVE-2026-1605
HIGH
CVSS 7.5
Eclipse Jetty 12.0.0 through 12.0.31 and 12.1.0 through 12.1.5 suffer from a denial-of-service vulnerability in GzipHandler where decompressor resources leak when processing gzip-compressed requests that generate uncompressed responses. An unauthenticated remote attacker can exhaust server memory by repeatedly sending compressed requests, causing service degradation or unavailability. No patch is currently available.
Java
Red Hat
Jetty
-
CVE-2026-1321
HIGH
CVSS 8.1
Unauthenticated attackers can escalate privileges in WordPress installations using the Membership Plugin - Restrict Content (versions up to 3.2.20) by registering with arbitrary membership levels, including inactive levels or those granting administrator access, due to insufficient validation of the rcp_level parameter. This allows attackers to bypass payment requirements and gain unauthorized administrative roles without authentication. No patch is currently available for this vulnerability.
WordPress
Authentication Bypass
Privilege Escalation
-
CVE-2025-70995
HIGH
CVSS 8.8
An issue in Aranda Service Desk Web Edition (ASDK API 8.6) allows authenticated attackers to achieve remote code execution due to improper validation of uploaded files. [CVSS 8.8 HIGH]
RCE
Code Injection
-
CVE-2025-70949
HIGH
CVSS 7.5
An observable timing discrepancy in @perfood/couch-auth v0.26.0 allows attackers to access sensitive information via a timing side-channel. [CVSS 7.5 HIGH]
Information Disclosure
-
CVE-2025-70616
HIGH
CVSS 7.8
A stack buffer overflow vulnerability exists in the Wincor Nixdorf wnBios64.sys kernel driver (version 1.2.0.0) in the IOCTL handler for code 0x80102058. [CVSS 7.8 HIGH]
Privilege Escalation
Buffer Overflow
Denial Of Service
Linux
Wnbios64.Sys
-
CVE-2025-69534
HIGH
CVSS 7.5
Python-Markdown version 3.8 contains a vulnerability where malformed HTML-like sequences can cause html.parser.HTMLParser to raise an unhandled AssertionError during Markdown parsing. [CVSS 7.5 HIGH]
Denial Of Service
Python
Information Disclosure
Red Hat
Markdown
-
CVE-2025-69411
HIGH
CVSS 7.5
Robert Seyfriedsberger ionCube tester plus ioncube-tester-plus is affected by path traversal (CVSS 7.5).
Path Traversal
-
CVE-2025-69340
HIGH
CVSS 7.5
BuddhaThemes WeDesignTech Ultimate Booking Addon wedesigntech-ultimate-booking-addon is affected by missing authorization (CVSS 7.5).
Authentication Bypass
-
CVE-2025-69339
HIGH
CVSS 8.1
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in don-themes Molla molla allows PHP Local File Inclusion. This issue affects Molla: from n/a through <= 1.5.16. [CVSS 8.1 HIGH]
PHP
Information Disclosure
LFI
-
CVE-2025-69090
HIGH
CVSS 8.1
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ovatheme Remons remons allows PHP Local File Inclusion. This issue affects Remons: from n/a through <= 1.3.4. [CVSS 8.1 HIGH]
PHP
Information Disclosure
LFI
-
CVE-2025-53335
HIGH
CVSS 8.1
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Berger berger allows PHP Local File Inclusion. This issue affects Berger: from n/a through <= 1.1.1. [CVSS 8.1 HIGH]
PHP
Information Disclosure
LFI
-
CVE-2025-45691
HIGH
CVSS 7.5
An Arbitrary File Read vulnerability exists in the ImageTextPromptValue class in Exploding Gradients RAGAS v0.2.3 to v0.2.14. The vulnerability stems from improper validation and sanitization of URLs supplied in the retrieved_contexts parameter when handling multimodal inputs. [CVSS 7.5 HIGH]
Path Traversal
Red Hat
AI / ML
Ragas
-
CVE-2026-30777
MEDIUM
CVSS 6.5
EC-CUBE administrative authentication can be bypassed by attackers possessing valid admin credentials, allowing them to circumvent multi-factor authentication protections and access the admin panel. This vulnerability (CVSS 6.5) affects administrators or high-privileged users whose credentials have been compromised, potentially enabling unauthorized administrative access.
Authentication Bypass
Ec Cube
-
CVE-2026-29613
MEDIUM
CVSS 5.9
Openclaw versions up to 2026.2.12 are affected by missing authentication for critical function (CVSS 5.9).
React
Openclaw
-
CVE-2026-29612
MEDIUM
CVSS 5.5
Openclaw versions up to 2026.2.14 are affected by allocation of resources without limits or throttling (CVSS 5.5).
Denial Of Service
Openclaw
-
CVE-2026-29606
MEDIUM
CVSS 6.5
Openclaw versions up to 2026.2.14 are affected by missing authentication for critical function (CVSS 6.5).
Authentication Bypass
Openclaw
-
CVE-2026-29125
MEDIUM
CVSS 4.7
Sfx2100 Firmware versions up to - is affected by incorrect permission assignment for critical resource (CVSS 4.7).
Denial Of Service
DNS
Sfx2100 Firmware
-
CVE-2026-29122
MEDIUM
CVSS 5.5
Privileged file disclosure in IDC SFX2100 satellite receiver firmware results from a setuid-enabled date binary that allows local users to read root-owned files including /etc/shadow and other sensitive configuration data. A local attacker can leverage publicly available exploit techniques to gain unauthorized access to confidential system information. Public exploit code exists for this vulnerability, though no patch is currently available.
Privilege Escalation
Sfx2100 Firmware
-
CVE-2026-29081
MEDIUM
CVSS 6.5
Frappe versions prior to 14.100.1 and 15.100.0 contain a SQL injection vulnerability in an endpoint that allows authenticated attackers to extract sensitive information from the database. An attacker with valid credentials can craft malicious requests to bypass query protections and access confidential data without modifying or disrupting system availability. No patch is currently available for affected deployments.
SQLi
Frappe
-
CVE-2026-29052
MEDIUM
CVSS 6.1
HumHub Calendar module versions prior to 1.8.11 contain a stored XSS vulnerability in Event Types that allows attackers to inject malicious scripts viewed by users accessing events created by administrative accounts. An attacker with event creation privileges can execute arbitrary JavaScript in the browsers of users viewing affected events, potentially compromising session tokens or sensitive information. No patch is currently available for affected installations.
XSS
Calendar
-
CVE-2026-28552
MEDIUM
CVSS 6.5
Out-of-bounds write vulnerability in the IMS module. Impact: Successful exploitation of this vulnerability may affect availability. [CVSS 6.5 MEDIUM]
Buffer Overflow
Emui
Harmonyos
-
CVE-2026-28551
MEDIUM
CVSS 4.7
Race condition vulnerability in the device security management module. Impact: Successful exploitation of this vulnerability may affect availability. [CVSS 4.7 MEDIUM]
Race Condition
Harmonyos
-
CVE-2026-28550
MEDIUM
CVSS 4.0
Race condition vulnerability in the security control module. Impact: Successful exploitation of this vulnerability may affect availability. [CVSS 4.0 MEDIUM]
Race Condition
Harmonyos
-
CVE-2026-28549
MEDIUM
CVSS 6.6
Race condition vulnerability in the permission management service. Impact: Successful exploitation of this vulnerability may affect availability. [CVSS 6.6 MEDIUM]
Race Condition
Harmonyos
-
CVE-2026-28547
MEDIUM
CVSS 6.8
Vulnerability of uninitialized pointer access in the scanning module. Impact: Successful exploitation of this vulnerability may affect availability. [CVSS 6.8 MEDIUM]
Buffer Overflow
Harmonyos
-
CVE-2026-28546
MEDIUM
CVSS 5.9
Buffer overflow vulnerability in the scanning module. Impact: Successful exploitation of this vulnerability may affect availability. [CVSS 5.9 MEDIUM]
Buffer Overflow
Harmonyos
-
CVE-2026-28545
MEDIUM
CVSS 5.9
Race condition vulnerability in the printing module. Impact: Successful exploitation of this vulnerability may affect availability. [CVSS 5.9 MEDIUM]
Race Condition
Harmonyos
-
CVE-2026-28544
MEDIUM
CVSS 6.2
Race condition vulnerability in the printing module. Impact: Successful exploitation of this vulnerability may affect availability. [CVSS 6.2 MEDIUM]
Race Condition
Harmonyos
-
CVE-2026-28543
MEDIUM
CVSS 4.4
Race condition vulnerability in the maintenance and diagnostics module. Impact: Successful exploitation of this vulnerability may affect availability. [CVSS 4.4 MEDIUM]
Race Condition
Industrial
Harmonyos
-
CVE-2026-28541
MEDIUM
CVSS 4.0
Harmonyos versions up to 5.1.0 are affected by permissions, privileges, and access controls (CVSS 4.0).
Privilege Escalation
Harmonyos
-
CVE-2026-28540
MEDIUM
CVSS 4.0
Out-of-bounds character read vulnerability in Bluetooth. Impact: Successful exploitation of this vulnerability may affect service confidentiality. [CVSS 4.0 MEDIUM]
Buffer Overflow
Harmonyos
-
CVE-2026-28539
MEDIUM
CVSS 6.2
Data processing vulnerability in the certificate management module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. [CVSS 6.2 MEDIUM]
Information Disclosure
Harmonyos
-
CVE-2026-28538
MEDIUM
CVSS 5.9
Path traversal vulnerability in the certificate management module. Impact: Successful exploitation of this vulnerability may affect availability. [CVSS 5.9 MEDIUM]
Path Traversal
Harmonyos
-
CVE-2026-28537
MEDIUM
CVSS 5.1
Double free vulnerability in the window module. Impact: Successful exploitation of this vulnerability may affect availability. [CVSS 5.1 MEDIUM]
Information Disclosure
Harmonyos
-
CVE-2026-28492
MEDIUM
CVSS 6.5
File Browser versions prior to 2.61.0 incorrectly set the filesystem root to a parent directory when generating public share links, enabling any user with a share link to access and download files from sibling directories beyond the intended shared folder. This authenticated network-based vulnerability affects Golang and Filebrowser and has public exploit code available. The issue is resolved in version 2.61.0 and later.
Golang
Filebrowser
Suse
-
CVE-2026-28486
MEDIUM
CVSS 6.1
OpenClaw versions 2026.1.16 through 2026.2.13 allow local attackers to write arbitrary files outside intended directories by supplying malicious archives to the skills, hooks, plugins, or signal installation commands. Successful exploitation enables attackers to achieve code execution or establish persistence on affected systems. A patch is available for affected users.
Path Traversal
Openclaw
-
CVE-2026-28481
MEDIUM
CVSS 6.5
OpenClaw versions 2026.1.30 and earlier leak authentication bearer tokens to untrusted domains when the optional MS Teams attachment downloader extension is enabled, due to overly permissive suffix-based domain allowlisting during download retries. An attacker could harvest these tokens from allowed domains to compromise authenticated sessions. No patch is currently available, affecting users of the vulnerable versions.
Information Disclosure
Openclaw
-
CVE-2026-28480
MEDIUM
CVSS 6.5
OpenClaw prior to version 2026.2.14 fails to properly validate Telegram allowlist entries by accepting mutable usernames instead of immutable user IDs, enabling attackers to register recycled usernames and bypass access controls. An unauthenticated attacker can exploit this flaw to impersonate legitimate users and send unauthorized commands to OpenClaw bots. No patch is currently available.
Authentication Bypass
Openclaw
-
CVE-2026-28476
MEDIUM
CVSS 6.3
OpenClaw versions before 2026.2.14 fail to validate base URLs in the Tlon Urbit extension, allowing attackers to trigger server-side request forgery attacks that direct the gateway to arbitrary hosts, including internal systems. This network-accessible vulnerability requires no authentication and can result in information disclosure and service disruption. No patch is currently available.
SSRF
-
CVE-2026-28475
MEDIUM
CVSS 4.8
OpenClaw versions before 2026.2.13 are vulnerable to timing side-channel attacks on hook token validation due to use of non-constant-time string comparison. Remote attackers can exploit this weakness by measuring response times across multiple requests to gradually recover authentication tokens for the hooks endpoint. This affects confidentiality and integrity of OpenClaw deployments accessible over the network.
Information Disclosure
Openclaw
-
CVE-2026-28471
MEDIUM
CVSS 5.3
OpenClaw versions 2026.1.14-1 through 2026.2.1 with the Matrix plugin enabled fail to validate homeserver identity when checking direct message allowlists, allowing remote attackers to impersonate authorized users by spoofing display names or local identifiers from different homeservers. This bypass enables unauthorized access to routing and agent pipelines for authenticated Matrix users on remote servers. A patch is available in version 2026.2.2 and later.
Authentication Bypass
Openclaw
-
CVE-2026-28467
MEDIUM
CVSS 6.5
OpenClaw prior to version 2026.2.2 is vulnerable to server-side request forgery through its attachment and media URL processing, allowing unauthenticated remote attackers to make arbitrary HTTP requests to internal resources. Attackers can exploit model-controlled message features to trigger the SSRF and exfiltrate response data as outbound attachments. Public exploit code exists for this vulnerability.
SSRF
AI / ML
Openclaw
-
CVE-2026-28465
MEDIUM
CVSS 5.9
OpenClaw voice-call plugin versions before 2026.2.3 allow remote attackers to forge webhook events by exploiting improper authentication in reverse-proxy environments where forwarded headers are implicitly trusted. An unauthenticated attacker can manipulate Forwarded or X-Forwarded-* headers to bypass webhook verification and spoof legitimate events. A patch is available to address this authentication bypass vulnerability.
Authentication Bypass
Openclaw
-
CVE-2026-28464
MEDIUM
CVSS 5.9
OpenClaw versions before 2026.2.12 are vulnerable to timing-based token extraction attacks due to non-constant-time string comparison in hook authentication. A network-based attacker can exploit this side-channel vulnerability to gradually recover the hook validation token through repeated timing measurements across multiple requests. The vulnerability requires repeated probing but poses a confidentiality risk to systems using vulnerable versions.
Information Disclosure
Openclaw
-
CVE-2026-28457
MEDIUM
CVSS 6.1
OpenClaw versions before 2026.2.14 allow local attackers to write arbitrary files outside the sandbox directory through path traversal sequences in crafted skill package names when sandbox skill mirroring is enabled. An attacker can exploit this by providing a malicious skill package with traversal patterns like ../ or absolute paths in the frontmatter name parameter, potentially compromising system integrity. A patch is available to remediate this vulnerability.
Path Traversal
Openclaw
-
CVE-2026-28452
MEDIUM
CVSS 5.5
Openclaw versions up to 2026.2.14 are affected by allocation of resources without limits or throttling (CVSS 5.5).
Denial Of Service
Openclaw
-
CVE-2026-28450
MEDIUM
CVSS 6.8
OpenClaw versions before 2026.2.12 with the Nostr plugin enabled contain unauthenticated API endpoints that allow remote attackers to read and modify Nostr profiles without authentication when the gateway HTTP port is network-accessible. Attackers can exploit this to steal sensitive profile data, alter gateway configuration, and sign malicious Nostr events using the bot's private key. A patch is available for affected installations.
Authentication Bypass
Information Disclosure
Openclaw
-
CVE-2026-28413
MEDIUM
CVSS 5.3
Products.isurlinportal is a replacement for the isURLInPortal method in Plone. Versions up to 2.1.0 are affected by URL redirection to an untrusted site (open redirect) (CVSS 5.3).
Open Redirect
Isurlinportal
-
CVE-2026-28395
MEDIUM
CVSS 6.3
OpenClaw Chrome extension relay server versions prior to 2026.2.12 improperly bind to all network interfaces when wildcard cdpUrl values are configured, enabling remote attackers to discover service endpoints and port information. An attacker can exploit this exposure to conduct denial-of-service attacks and brute-force attempts against the relay token authentication mechanism without requiring local access.
Information Disclosure
Google
-
CVE-2026-28394
MEDIUM
CVSS 6.5
Openclaw versions up to 2026.2.15 are affected by allocation of resources without limits or throttling (CVSS 6.5).
Denial Of Service
Openclaw
-
CVE-2026-28350
MEDIUM
CVSS 6.1
lxml_html_clean versions prior to 0.4.4 fail to sanitize <base> HTML tags, allowing attackers to inject malicious base tags and redirect relative links to attacker-controlled domains. Public exploit code exists for this vulnerability. The issue affects applications using the default Cleaner configuration and has been remediated in version 0.4.4.
XSS
Lxml Html Clean
Suse
-
CVE-2026-28348
MEDIUM
CVSS 6.1
lxml_html_clean versions before 0.4.4 fail to properly sanitize CSS Unicode escape sequences in the _has_sneaky_javascript() method, allowing attackers to bypass filters and inject malicious @import statements or XSS payloads. Public exploit code exists for this vulnerability, which affects applications using the library for HTML sanitization. A patch is available in version 0.4.4 and should be applied immediately to prevent CSS-based injection attacks.
XSS
Lxml Html Clean
Suse
-
CVE-2026-28343
MEDIUM
CVSS 6.4
CKEditor 5 versions before 47.6.0 contain a stored XSS vulnerability in the General HTML Support feature that allows attackers to execute arbitrary JavaScript by injecting malicious markup into documents processed by vulnerable editor instances. This vulnerability affects users relying on unsafe General HTML Support configurations, potentially enabling session hijacking, credential theft, or malware distribution. No patch is currently available for affected deployments.
XSS
RCE
Ckeditor5
-
CVE-2026-28277
MEDIUM
CVSS 6.8
LangGraph SQLite Checkpoint versions 1.0.9 and prior are vulnerable to unsafe deserialization of msgpack-encoded objects, allowing attackers with write access to the checkpoint database to execute arbitrary code when checkpoints are loaded. This vulnerability affects Python-based AI/ML applications using LangGraph's persistence layer and requires adversary control of the backing storage to exploit. No public patch is currently available for this issue.
Python
Deserialization
-
CVE-2026-28223
MEDIUM
CVSS 6.1
Stored XSS in Wagtail's simple_translation module allows authenticated admin users to inject malicious JavaScript through specially-crafted page titles that executes when other admins perform translation actions, potentially compromising their credentials. The vulnerability affects Wagtail versions prior to 6.3.8, 7.0.6, 7.2.3, and 7.3.1, and requires admin-level access to exploit, limiting exposure to internal threats. Patches are available for all affected versions.
XSS
Django
Wagtail
-
CVE-2026-28222
MEDIUM
CVSS 6.1
Stored XSS in Wagtail's TableBlock allows authenticated users with page editing permissions to inject malicious class attributes that execute arbitrary JavaScript when pages are viewed by other users. An attacker could exploit this to perform administrative actions or steal credentials from higher-privileged users viewing the compromised content. The vulnerability affects Wagtail versions prior to 6.3.8, 7.0.6, 7.2.3, and 7.3.1, with patches now available.
XSS
Django
Wagtail
-
CVE-2026-28104
MEDIUM
CVSS 6.5
Site Suggest plugin version 1.3.9 and earlier lacks proper access control checks, enabling unauthenticated remote attackers to access restricted functionality and modify data. The vulnerability affects installations without authentication requirements and could allow attackers to manipulate site suggestions or related content without authorization. No patch is currently available.
Authentication Bypass
-
CVE-2026-28078
MEDIUM
CVSS 4.9
Stylemix uListing versions 2.2.0 and earlier contain a path traversal vulnerability that allows authenticated users with high privileges to access files outside the intended directory structure and read sensitive information. The vulnerability requires valid credentials and does not enable file modification or system disruption, limiting its impact to unauthorized information disclosure.
Path Traversal
-
CVE-2026-28071
MEDIUM
CVSS 6.3
Unauthorized access in PixFort Core through version 3.2.22 allows authenticated attackers to bypass access control restrictions and modify system data due to improper authorization checks. An attacker with valid credentials could exploit this vulnerability to access or modify resources they should not have permission to interact with. No patch is currently available for this vulnerability.
Authentication Bypass
-
CVE-2026-28038
MEDIUM
CVSS 6.5
Brainstorm_Force Ultimate Addons for WPBakery Page Builder ultimate_vc_addons is affected by missing authorization (CVSS 6.5).
Authentication Bypass
-
CVE-2026-28036
MEDIUM
CVSS 6.4
SkatDesign Ratatouille versions up to 1.2.6 contain a server-side request forgery vulnerability that allows authenticated attackers to make arbitrary HTTP requests from the affected system. An attacker with valid credentials can leverage this flaw to access internal services, retrieve sensitive information, or perform actions on behalf of the server across different security domains. No patch is currently available for this medium-severity vulnerability.
SSRF
-
CVE-2026-27982
MEDIUM
CVSS 6.1
Allauth versions up to 65.14.1 are affected by URL redirection to an untrusted site (open redirect) (CVSS 6.1).
Open Redirect
Red Hat
Django
Allauth
-
CVE-2026-27723
MEDIUM
CVSS 4.3
Unauthorized wiki page creation in OpenProject prior to versions 17.0.5 and 17.1.2 allows authenticated attackers to bypass project access controls and create pages in projects they lack permission to access. The vulnerability stems from improper authentication validation on wiki page creation requests, enabling an attacker to modify project documentation without proper authorization. No patch is currently available for affected versions.
Authentication Bypass
Openproject
-
CVE-2026-27411
MEDIUM
CVSS 5.4
The SiteGuard WP Plugin for WordPress through version 1.7.9 contains a guessable CAPTCHA implementation that allows attackers to bypass security protections without authentication. This vulnerability enables attackers to circumvent the plugin's functionality controls and potentially gain unauthorized access to protected resources or perform actions that should be restricted.
Authentication Bypass
-
CVE-2026-27362
MEDIUM
CVSS 6.5
kamleshyadav WP Bakery Autoresponder Addon vc-autoresponder-addon is affected by missing authorization (CVSS 6.5).
Authentication Bypass
-
CVE-2026-27354
MEDIUM
CVSS 6.5
WebCodingPlace WooCommerce Coming Soon Product with Countdown woo-coming-soon-product is affected by cross-site scripting (XSS) (CVSS 6.5).
WordPress
XSS
-
CVE-2026-27344
MEDIUM
CVSS 5.9
Inseri Core versions up to 1.0.5 contain an authorization bypass vulnerability that allows unauthenticated remote attackers to modify data through improperly configured access controls. The vulnerability has a CVSS score of 5.3 and currently lacks a patch, putting deployments at risk until remediation is available.
Authentication Bypass
-
CVE-2026-27023
MEDIUM
CVSS 5.0
Twenty CRM versions prior to 1.18 allow authenticated users to bypass SSRF protections by exploiting unvalidated HTTP redirect targets, enabling access to private IP addresses through attacker-controlled intermediaries. An attacker with control over webhook endpoints or image URLs can leverage this vulnerability to reach restricted internal resources that would normally be blocked.
SSRF
Twenty
-
CVE-2026-26998
MEDIUM
CVSS 4.4
Traefik versions prior to 2.11.38 and 3.6.9 fail to limit memory allocation when processing ForwardAuth middleware responses, allowing a malicious or compromised authentication server to trigger unbounded memory consumption. An attacker controlling the auth server can return an arbitrarily large response body that causes the Traefik process to exhaust available memory and crash, resulting in denial of service for all proxied routes. A patch is available in the specified versions.
Denial Of Service
Red Hat
Traefik
Suse
-
CVE-2026-26377
MEDIUM
CVSS 5.4
Koha versions 25.11 and earlier contain a stored cross-site scripting vulnerability in the News function that allows authenticated users to inject malicious scripts affecting other users who view the compromised content. Public exploit code exists for this vulnerability, and attackers can leverage it to steal session data or perform actions on behalf of victims. A patch is not currently available for affected deployments.
XSS
Koha
-
CVE-2026-26196
MEDIUM
CVSS 5.3
Gogs versions prior to 0.14.2 expose authentication tokens in URL parameters, allowing credentials to be captured through server logs, browser history, and HTTP referrer headers. This information disclosure vulnerability affects self-hosted Gogs instances and could enable attackers to gain unauthorized API access if tokens are leaked through these channels. A patch is available in version 0.14.2 and later.
Information Disclosure
Gogs
Suse
-
CVE-2026-26195
MEDIUM
CVSS 6.1
Stored cross-site scripting in Gogs prior to version 0.14.2 allows unauthenticated attackers to inject malicious scripts through template rendering of user-controlled data, potentially affecting all users viewing compromised content. The vulnerability exploits unsafe handling of data URLs combined with permissive sanitization, enabling attackers to steal session cookies, deface pages, or perform actions on behalf of victims. A patch is available in version 0.14.2 and later.
XSS
Gogs
Suse
-
CVE-2026-26124
MEDIUM
CVSS 6.7
'.../...//' in Azure Compute Gallery allows an authorized attacker to elevate privileges locally. [CVSS 6.7 MEDIUM]
Information Disclosure
Microsoft
Aci Confidential Containers
-
CVE-2026-26122
MEDIUM
CVSS 6.5
Unauthorized information disclosure in Azure Compute Gallery occurs due to insecure default initialization settings that authenticated users can exploit to access sensitive data remotely. An authorized attacker can leverage this vulnerability to read confidential information without requiring user interaction. No patch is currently available for Microsoft products and ACI Confidential Containers.
Information Disclosure
Microsoft
Aci Confidential Containers
-
CVE-2026-26033
MEDIUM
CVSS 6.7
Ups Multi-Ups Management Console versions up to 01.06.0001_(a03) contain a security vulnerability (CVSS 6.7).
RCE
Ups Multi Ups Management Console
-
CVE-2026-23799
MEDIUM
CVSS 6.5
Themeum Tutor LMS through version 3.9.5 contains an authorization bypass that allows authenticated users to modify content they should not have access to due to improper access control validation. An attacker with valid credentials can exploit this vulnerability to alter course materials and settings without proper permission checks. No patch is currently available for this medium-severity issue.
Authentication Bypass
-
CVE-2026-23651
MEDIUM
CVSS 6.7
Privilege escalation in Azure Compute Gallery's regex validation enables high-privileged local users to gain unauthorized system access on affected Microsoft and ACI Confidential Containers systems. An authenticated attacker with elevated permissions can exploit the permissive pattern matching to bypass security controls and achieve full system compromise. No patch is currently available, making this a medium-severity risk for environments running vulnerable versions.
Information Disclosure
Microsoft
Aci Confidential Containers
-
CVE-2026-23546
MEDIUM
CVSS 6.5
RadiusTheme Classified Listing plugin through version 5.3.4 exposes sensitive data in sent communications due to improper information handling. An authenticated attacker can retrieve embedded sensitive information from network traffic without modifying data or disrupting service. No patch is currently available for this vulnerability.
Information Disclosure
-
CVE-2026-22723
MEDIUM
CVSS 6.5
Cloudfoundry UAA versions 77.30.0 through 78.7.0 and Cloudfoundry Deployment versions 48.7.0 through 54.10.0 contain a logic error in the token revocation endpoint that allows authenticated users to inadvertently revoke tokens belonging to other users. An attacker with valid credentials could exploit this flaw to disrupt service availability by invalidating legitimate user sessions without authorization.
Information Disclosure
-
CVE-2026-22459
MEDIUM
CVSS 6.5
Improper access control in the Blend Media WordPress CTA easy-sticky-sidebar plugin through version 1.7.4 allows unauthenticated attackers to exploit misconfigured security levels and gain unauthorized access to sensitive functionality. The vulnerability affects WordPress installations running the vulnerable plugin versions and could enable attackers to read restricted information or disrupt service availability. No security patch is currently available.
WordPress
Authentication Bypass
-
CVE-2026-22052
MEDIUM
CVSS 4.3
NetApp ONTAP 9.12.1 and later with S3 NAS buckets allows authenticated attackers to enumerate directory contents they lack authorization to access, resulting in unauthorized information disclosure. An attacker with valid credentials can exploit this to view sensitive file listings without proper permissions. No patch is currently available for this vulnerability.
Information Disclosure
Ontap
-
CVE-2026-3523
MEDIUM
CVSS 4.9
SQL injection in the Apocalypse Meow WordPress plugin up to version 22.1.0 allows authenticated administrators to execute arbitrary SQL queries due to a flawed validation check combined with improper quote escaping. An authenticated attacker with administrator privileges can exploit this via the 'type' parameter to extract sensitive database information. No patch is currently available.
PHP
WordPress
SQLi
-
CVE-2026-3236
MEDIUM
CVSS 4.3
Octopus Server allows authenticated attackers to generate new API keys from existing access tokens with extended lifetimes that exceed the original token's validity period. This token lifetime extension vulnerability (CWE-863) could enable attackers with valid credentials to maintain persistent access beyond intended restrictions. The vulnerability affects Octopus Server with no patch currently available.
Authentication Bypass
Octopus Server
-
CVE-2026-3072
MEDIUM
CVSS 4.3
The Media Library Assistant plugin for WordPress through version 3.33 fails to validate user permissions in the mla_update_compat_fields_action() function, allowing authenticated subscribers and higher-privileged users to modify taxonomy terms on any attachment. This authorization bypass enables attackers to alter attachment metadata without proper capability restrictions. A patch is not currently available.
WordPress
Authentication Bypass
-
CVE-2026-3034
MEDIUM
CVSS 6.4
OoohBoi Steroids for Elementor (WordPress plugin) is affected by cross-site scripting (XSS) (CVSS 6.4).
WordPress
XSS
-
CVE-2026-2899
MEDIUM
CVSS 6.5
Unauthenticated attackers can delete arbitrary WordPress media attachments in Fluent Forms Pro Add On Pack versions up to 6.1.17 due to missing authorization checks in the deleteFile() AJAX action. The vulnerable endpoint is accessible to unauthenticated users and accepts an attachment_id parameter without nonce verification or capability validation. No patch is currently available for this medium-severity vulnerability affecting WordPress sites.
WordPress
Authentication Bypass
-
CVE-2026-2893
MEDIUM
CVSS 6.5
SQL injection in WordPress Page and Post Clone plugin up to version 6.3 allows authenticated contributors and above to extract sensitive database information through a second-order injection via the meta_key parameter. The vulnerability stems from insufficient input escaping and query preparation in the content_clone() function, with malicious payloads stored as post metadata and executed during the clone operation. No patch is currently available.
WordPress
SQLi
-
CVE-2026-2593
MEDIUM
CVSS 6.4
Stored Cross-Site Scripting in the Greenshift page builder plugin for WordPress (versions up to 12.8.5) allows authenticated users with Contributor privileges or higher to inject malicious scripts through the `_gspb_post_css` post meta and `dynamicAttributes` block attributes due to inadequate input sanitization. When other users access affected pages, the injected scripts execute in their browsers, potentially compromising their sessions or stealing sensitive data. No patch is currently available.
WordPress
XSS
-
CVE-2025-69343
MEDIUM
CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jeroen Schmit Theater for WordPress theatre allows Stored XSS. This issue affects Theater for WordPress: from n/a through <= 0.19. [CVSS 6.5 MEDIUM]
WordPress
XSS
-
CVE-2025-68515
MEDIUM
CVSS 5.8
Insertion of Sensitive Information Into Sent Data vulnerability in Roland Murg WP Booking System wp-booking-system allows Retrieve Embedded Sensitive Data. This issue affects WP Booking System: from n/a through <= 2.0.19.12. [CVSS 5.8 MEDIUM]
Information Disclosure
-
CVE-2025-64166
MEDIUM
CVSS 5.4
Mercurius is a GraphQL adapter for Fastify. Prior to version 16.4.0, a cross-site request forgery (CSRF) vulnerability was identified. The issue arises from incorrect parsing of the Content-Type header in requests. Specifically, requests with Content-Type values such as application/x-www-form-urlencoded, multipart/form-data, or text/plain could be misinterpreted as application/json. This misint...
CSRF
Mercurius
-
CVE-2025-7375
MEDIUM
CVSS 6.5
A denial-of-service (DoS) vulnerability was identified in Omada EAP610 v3. An attacker with adjacent network access can send crafted requests to cause the device’s HTTP service to crash. [CVSS 6.5 MEDIUM]
Denial Of Service
Omada Eap610 Firmware
-
CVE-2024-43035
MEDIUM
CVSS 5.8
Fonoster 0.5.5 before 0.6.1 allows ../ directory traversal to read arbitrary files via the /sounds/:file or /tts/:file VoiceServer endpoint. This occurs in serveFiles in mods/voice/src/utils.ts. [CVSS 5.8 MEDIUM]
Path Traversal
-
CVE-2026-28436
LOW
CVSS 1.3
Stored cross-site scripting in Frappe versions prior to 16.11.0 and 15.102.0 allows unauthenticated attackers to execute arbitrary JavaScript in users' browsers through malicious image URLs in avatar fields and website comments. The vulnerability affects any user viewing a page containing the compromised avatar, enabling session hijacking, credential theft, or malware distribution without user interaction.
XSS
-
CVE-2026-21786
LOW
CVSS 3.3
HCL Sametime for iOS is impacted by a sensitive information disclosure. Hostnames information is written in application logs and certain URLs. [CVSS 3.3 LOW]
Information Disclosure
-
CVE-2026-3606
LOW
CVSS 1.9
A vulnerability has been found in Ettercap 0.8.4-Garofalo. Affected by this vulnerability is the function add_data_segment of the file src/ettercap/utils/etterfilter/ef_output.c of the component etterfilter. [CVSS 3.3 LOW]
Buffer Overflow
-
CVE-2025-66319
LOW
CVSS 3.3
Harmonyos versions up to 5.1.0 are affected by permissions, privileges, and access controls (CVSS 3.3).
Privilege Escalation
-
CVE-2025-13350
None
Ubuntu Linux 6.8 GA retains the legacy AF_UNIX garbage collector but backports upstream commit 8594d9b85c07 ("af_unix: Don’t call skb_get() for OOB skb"). When orphaned MSG_OOB sockets hit unix_gc(), the garbage collector still calls kfree_skb() as if OOB SKBs held two references; on Ubuntu Linux 6.8 (Noble Numbat) kernel tree, they have only the queue reference, so the buffer is freed while still reachable and subsequent queue walks dereference freed memory, yielding a reliable local privile...
Privilege Escalation
Linux
Use After Free
Ubuntu
Linux Kernel
-
CVE-2025-11143
LOW
CVSS 3.7
The Jetty URI parser has some key differences from other common parsers when evaluating invalid or unusual URIs. Differential parsing of URIs in systems using multiple components may result in a security bypass. [CVSS 3.7 LOW]
Code Injection