Skip to main content
CVE-2026-28074 CRITICAL Act Now

Deserialization of untrusted data in Pizza House (pizzahouse) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-27983 CRITICAL Act Now

Privilege escalation in LMS Elementor Pro WordPress plugin.

Privilege Escalation
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-27439 CRITICAL Act Now

Deserialization of untrusted data in Dentario (dentario) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-27438 CRITICAL Act Now

Deserialization of untrusted data in Kingler (kingler) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-27437 CRITICAL Act Now

Deserialization of untrusted data in Tennis Club (tennis-sportclub) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-27417 CRITICAL Act Now

Deserialization of untrusted data in Sweet Date (sweetdate) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-22501 CRITICAL Act Now

Deserialization of untrusted data in Mounthood (mounthood) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-22497 CRITICAL Act Now

Deserialization of untrusted data in Jardi (jardi) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-22475 CRITICAL Act Now

Deserialization of untrusted data in Estate (estate) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-22474 CRITICAL Act Now

Deserialization of untrusted data in Equestrian Centre (equestrian-centre) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-22454 CRITICAL Act Now

Deserialization of untrusted data in Solaris (solaris) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-22453 CRITICAL Act Now

Deserialization of untrusted data in Pets Club (petclub) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-22451 CRITICAL Act Now

Deserialization of untrusted data in Handyman (handyman-services) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-22417 CRITICAL Act Now

ThemeGoods Grand Wedding through version 3.1.0 is vulnerable to remote object injection via unsafe deserialization of untrusted data, enabling attackers to execute arbitrary code without authentication. The vulnerability requires specific conditions to be met but carries high severity with complete compromise of confidentiality, integrity, and availability. No patch is currently available for affected installations.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-54001 CRITICAL Act Now

Deserialization of untrusted data in Classter (classter) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-3257 CRITICAL Act Now

Insecure embedded library in UnQLite 0.06 Perl module.

Heap Overflow Unqlite
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-29165 CRITICAL Act Now

Privilege escalation in D-Link DIR-1253 MESH V1.6.1684 via etc/shadow.sample.

D-Link Privilege Escalation
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-23767 CRITICAL Act Now

ESC/POS printer control language lacks authentication/authorization. Any device on the network can send print commands.

Authentication Bypass Tm M30iii H Firmware Tm T88vi Ihub Firmware Tm T88vii Firmware Tm L100 Firmware +20
NVD
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-28443 CRITICAL Act Now

SQL injection in OpenReplay session replay before 1.20.0.

SQLi Openreplay
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2025-13476 CRITICAL Act Now

Static TLS fingerprint in Rakuten Viber Cloak mode enables tracking despite privacy mode.

Windows Android TLS Viber
NVD
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-28536 CRITICAL Act Now

Auth bypass in device authentication module.

Authentication Bypass Harmonyos
NVD
CVSS 3.1
9.6
EPSS
0.0%
CVE-2026-21622 CRITICAL Act Now

Insufficient session expiration in hexpm. Password reset tokens never expire, enabling persistent account takeover.

Information Disclosure Hexpm
NVD GitHub VulDB
CVSS 4.0
9.5
EPSS
0.1%
CVE-2026-29122 MEDIUM POC This Month

Privileged file disclosure in IDC SFX2100 satellite receiver firmware results from a setuid-enabled date binary that allows local users to read root-owned files including /etc/shadow and other sensitive configuration data. A local attacker can leverage publicly available exploit techniques to gain unauthorized access to confidential system information. Public exploit code exists for this vulnerability, though no patch is currently available.

Privilege Escalation Sfx2100 Firmware
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-26377 MEDIUM POC This Month

Koha versions 25.11 and earlier contain a stored cross-site scripting vulnerability in the News function that allows authenticated users to inject malicious scripts affecting other users who view the compromised content. Public exploit code exists for this vulnerability, and attackers can leverage it to steal session data or perform actions on behalf of victims. A patch is not currently available for affected deployments.

XSS Koha
NVD GitHub
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-28474 CRITICAL PATCH Act Now

Authentication bypass in OpenClaw's Nextcloud Talk plugin versions ≤2026.2.2 allows remote unauthenticated attackers to bypass DM and room allowlists by spoofing display names. Attackers can change their Nextcloud display name to match an allowlisted user ID, gaining unauthorized access to restricted conversations without authentication. EPSS score is low (0.05%, 16th percentile), indicating low observed exploitation probability. No active exploitation confirmed; vulnerability was responsibly disclosed by AISLE Research Team and patched in version 2026.2.6.

Authentication Bypass Nextcloud
NVD GitHub
CVSS 4.0
9.3
EPSS
0.1%
CVE-2026-30797 CRITICAL Act Now

Security vulnerability in RustDesk remote desktop client/server. One of 6+ critical CVEs affecting the open-source remote access platform.

Google Apple Information Disclosure Microsoft Android +2
NVD VulDB
CVSS 4.0
9.3
EPSS
0.1%
CVE-2026-28115 CRITICAL Act Now

SQL injection in WP Attractive Donations System WordPress plugin.

SQLi
NVD
CVSS 3.1
9.3
EPSS
0.0%
CVE-2025-69338 CRITICAL Act Now

Blind SQL injection in Riode Core (riode-core) WordPress theme/plugin core allows data extraction from the database.

SQLi
NVD
CVSS 3.1
9.3
EPSS
0.0%
CVE-2025-70948 CRITICAL Act Now

Host header injection in @perfood/couch-auth v0.26.0 for password reset token theft.

Code Injection
NVD GitHub
CVSS 3.1
9.3
EPSS
0.0%
CVE-2026-30793 CRITICAL Act Now

Security vulnerability in RustDesk remote desktop client/server. One of 6+ critical CVEs affecting the open-source remote access platform.

CSRF Privilege Escalation Authentication Bypass Google Apple +4
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.0%
CVE-2026-28470 CRITICAL PATCH Act Now

Exec allowlist bypass in OpenClaw before 2026.2.2 via argument injection. Patch available.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
9.2
EPSS
0.1%
CVE-2026-24457 CRITICAL Act Now

Arbitrary file read in OpenMQ via configuration parsing. Can lead to full exploitation.

Path Traversal Open Message Queue
NVD
CVSS 3.1
9.1
EPSS
0.3%
CVE-2026-2418 CRITICAL Act Now

Auth bypass in Login with Salesforce WordPress plugin through 1.0.2.

WordPress Information Disclosure
NVD WPScan
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-2835 CRITICAL PATCH Act Now

HTTP request smuggling in Pingora HTTP/1.0 Transfer-Encoding handling.

Code Injection Pingora Cloudflare
NVD GitHub
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-2833 CRITICAL PATCH Act Now

HTTP request smuggling in Cloudflare Pingora HTTP/1.1 upgrade handling.

Code Injection Pingora Cloudflare
NVD GitHub
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-28114 CRITICAL Act Now

Deserialization of untrusted data in WooCommerce License Manager (fs-license-manager) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.

WordPress File Upload
NVD
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-23802 CRITICAL Act Now

Arbitrary file upload in AI Engine WordPress plugin.

File Upload
NVD
CVSS 3.1
9.1
EPSS
0.1%
CVE-2025-40931 CRITICAL Act Now

Insecure session ID generation in Apache::Session::Generate::MD5 through 1.94 for Perl.

Apache Information Disclosure
NVD GitHub
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-30794 CRITICAL Act Now

Security vulnerability in RustDesk remote desktop client/server. One of 6+ critical CVEs affecting the open-source remote access platform.

Apple Information Disclosure Microsoft Google Rustdesk
NVD GitHub VulDB
CVSS 4.0
9.1
EPSS
0.0%
CVE-2024-57854 CRITICAL PATCH Act Now

Weak PRNG in Net::NSCA::Client through 0.009002 for Perl. Patch available.

Information Disclosure Net
NVD
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-27384 CRITICAL Act Now

Input quantity validation bypass in W3 Total Cache WordPress plugin.

Information Disclosure
NVD
CVSS 3.1
9.0
EPSS
0.1%
CVE-2025-55208 CRITICAL Act Now

Stored XSS in Chamilo LMS before 1.11.34 via file uploads in Social Networks. Leads to account takeover.

XSS Chamilo Lms
NVD GitHub
CVSS 3.1
9.0
EPSS
0.0%
CVE-2026-27984 CRITICAL Act Now

Code injection in Widget Options WordPress plugin.

Code Injection RCE
NVD
CVSS 3.1
9.0
EPSS
0.0%
CVE-2026-3047 HIGH PATCH This Week

Keycloak's SAML identity provider broker fails to enforce client disabled status during IdP-initiated SSO flows, allowing attackers with valid credentials to establish authenticated sessions and access other enabled clients without re-authentication. An authenticated remote attacker can exploit this authentication bypass to gain unauthorized access to protected resources across the Keycloak ecosystem. No patch is currently available.

Authentication Bypass Build Of Keycloak Keycloak
NVD VulDB
CVSS 3.1
8.8
EPSS
0.4%
CVE-2025-70995 HIGH This Week

An issue in Aranda Service Desk Web Edition (ASDK API 8.6) allows authenticated attackers to achieve remote code execution due to improper validation of uploaded files. [CVSS 8.8 HIGH]

RCE Code Injection
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-30784 HIGH This Week

Unauthenticated attackers can abuse missing authorization controls in RustDesk Server's rendezvous and relay modules (hbbs/hbbr) to gain unauthorized privileges through exposed critical functions like punch hole requests and peer registration. This vulnerability affects RustDesk Server versions through 1.7.5 and 1.1.15, enabling remote privilege escalation over the network with no authentication required. No patch is currently available.

Authentication Bypass Suse
NVD VulDB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2026-28287 HIGH This Week

Unauthenticated command injection in FreePBX recordings module (versions 16.0.17.2-16.0.19 and 17.0.2.4-17.0.4) allows authenticated attackers to execute arbitrary system commands with full system privileges. The vulnerability stems from improper input validation in the recordings functionality, enabling complete compromise of affected FreePBX installations. No patch is currently available.

Command Injection Freepbx
NVD GitHub
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-29610 HIGH PATCH This Week

Arbitrary command execution in OpenClaw prior to version 2026.2.14 stems from improper PATH validation during node-host execution and project bootstrapping, allowing authenticated attackers or those with local filesystem access to substitute malicious binaries for legitimate commands. An attacker can exploit this to bypass allowlisted command restrictions and achieve code execution with the privileges of the OpenClaw process. A patch is available for versions 2026.2.14 and later.

Privilege Escalation Openclaw
NVD GitHub
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-27390 HIGH This Week

designthemes WeDesignTech Ultimate Booking Addon wedesigntech-ultimate-booking-addon contains a security vulnerability (CVSS 8.8).

Authentication Bypass
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-27379 HIGH This Week

NextScripts NextScripts social-networks-auto-poster-facebook-twitter-g is affected by deserialization of untrusted data (CVSS 8.8).

Deserialization
NVD
CVSS 3.1
8.8
EPSS
0.1%
Prev Page 2 of 10 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy