Deserialization of untrusted data in Pizza House (pizzahouse) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Privilege escalation in LMS Elementor Pro WordPress plugin.
Deserialization of untrusted data in Dentario (dentario) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Deserialization of untrusted data in Kingler (kingler) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Deserialization of untrusted data in Tennis Club (tennis-sportclub) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Deserialization of untrusted data in Sweet Date (sweetdate) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Deserialization of untrusted data in Mounthood (mounthood) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Deserialization of untrusted data in Jardi (jardi) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Deserialization of untrusted data in Estate (estate) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Deserialization of untrusted data in Equestrian Centre (equestrian-centre) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Deserialization of untrusted data in Solaris (solaris) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Deserialization of untrusted data in Pets Club (petclub) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Deserialization of untrusted data in Handyman (handyman-services) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
ThemeGoods Grand Wedding through version 3.1.0 is vulnerable to remote object injection via unsafe deserialization of untrusted data, enabling attackers to execute arbitrary code without authentication. The vulnerability requires specific conditions to be met but carries high severity with complete compromise of confidentiality, integrity, and availability. No patch is currently available for affected installations.
Deserialization of untrusted data in Classter (classter) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Insecure embedded library in UnQLite 0.06 Perl module.
Privilege escalation in D-Link DIR-1253 MESH V1.6.1684 via etc/shadow.sample.
ESC/POS printer control language lacks authentication/authorization. Any device on the network can send print commands.
SQL injection in OpenReplay session replay before 1.20.0.
Static TLS fingerprint in Rakuten Viber Cloak mode enables tracking despite privacy mode.
Auth bypass in device authentication module.
Insufficient session expiration in hexpm. Password reset tokens never expire, enabling persistent account takeover.
Privileged file disclosure in IDC SFX2100 satellite receiver firmware results from a setuid-enabled date binary that allows local users to read root-owned files including /etc/shadow and other sensitive configuration data. A local attacker can leverage publicly available exploit techniques to gain unauthorized access to confidential system information. Public exploit code exists for this vulnerability, though no patch is currently available.
Koha versions 25.11 and earlier contain a stored cross-site scripting vulnerability in the News function that allows authenticated users to inject malicious scripts affecting other users who view the compromised content. Public exploit code exists for this vulnerability, and attackers can leverage it to steal session data or perform actions on behalf of victims. A patch is not currently available for affected deployments.
Authentication bypass in OpenClaw's Nextcloud Talk plugin versions ≤2026.2.2 allows remote unauthenticated attackers to bypass DM and room allowlists by spoofing display names. Attackers can change their Nextcloud display name to match an allowlisted user ID, gaining unauthorized access to restricted conversations without authentication. EPSS score is low (0.05%, 16th percentile), indicating low observed exploitation probability. No active exploitation confirmed; vulnerability was responsibly disclosed by AISLE Research Team and patched in version 2026.2.6.
Security vulnerability in RustDesk remote desktop client/server. One of 6+ critical CVEs affecting the open-source remote access platform.
SQL injection in WP Attractive Donations System WordPress plugin.
Blind SQL injection in Riode Core (riode-core) WordPress theme/plugin core allows data extraction from the database.
Host header injection in @perfood/couch-auth v0.26.0 for password reset token theft.
Security vulnerability in RustDesk remote desktop client/server. One of 6+ critical CVEs affecting the open-source remote access platform.
Exec allowlist bypass in OpenClaw before 2026.2.2 via argument injection. Patch available.
Arbitrary file read in OpenMQ via configuration parsing. Can lead to full exploitation.
Auth bypass in Login with Salesforce WordPress plugin through 1.0.2.
HTTP request smuggling in Pingora HTTP/1.0 Transfer-Encoding handling.
HTTP request smuggling in Cloudflare Pingora HTTP/1.1 upgrade handling.
Deserialization of untrusted data in WooCommerce License Manager (fs-license-manager) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Arbitrary file upload in AI Engine WordPress plugin.
Insecure session ID generation in Apache::Session::Generate::MD5 through 1.94 for Perl.
Security vulnerability in RustDesk remote desktop client/server. One of 6+ critical CVEs affecting the open-source remote access platform.
Weak PRNG in Net::NSCA::Client through 0.009002 for Perl. Patch available.
Input quantity validation bypass in W3 Total Cache WordPress plugin.
Stored XSS in Chamilo LMS before 1.11.34 via file uploads in Social Networks. Leads to account takeover.
Code injection in Widget Options WordPress plugin.
Keycloak's SAML identity provider broker fails to enforce client disabled status during IdP-initiated SSO flows, allowing attackers with valid credentials to establish authenticated sessions and access other enabled clients without re-authentication. An authenticated remote attacker can exploit this authentication bypass to gain unauthorized access to protected resources across the Keycloak ecosystem. No patch is currently available.
An issue in Aranda Service Desk Web Edition (ASDK API 8.6) allows authenticated attackers to achieve remote code execution due to improper validation of uploaded files. [CVSS 8.8 HIGH]
Unauthenticated attackers can abuse missing authorization controls in RustDesk Server's rendezvous and relay modules (hbbs/hbbr) to gain unauthorized privileges through exposed critical functions like punch hole requests and peer registration. This vulnerability affects RustDesk Server versions through 1.7.5 and 1.1.15, enabling remote privilege escalation over the network with no authentication required. No patch is currently available.
Unauthenticated command injection in FreePBX recordings module (versions 16.0.17.2-16.0.19 and 17.0.2.4-17.0.4) allows authenticated attackers to execute arbitrary system commands with full system privileges. The vulnerability stems from improper input validation in the recordings functionality, enabling complete compromise of affected FreePBX installations. No patch is currently available.
Arbitrary command execution in OpenClaw prior to version 2026.2.14 stems from improper PATH validation during node-host execution and project bootstrapping, allowing authenticated attackers or those with local filesystem access to substitute malicious binaries for legitimate commands. An attacker can exploit this to bypass allowlisted command restrictions and achieve code execution with the privileges of the OpenClaw process. A patch is available for versions 2026.2.14 and later.
designthemes WeDesignTech Ultimate Booking Addon wedesigntech-ultimate-booking-addon contains a security vulnerability (CVSS 8.8).
NextScripts NextScripts social-networks-auto-poster-facebook-twitter-g is affected by deserialization of untrusted data (CVSS 8.8).