Openclaw versions up to 2026.2.2 is affected by insufficient verification of data authenticity (CVSS 7.5).
RustDesk Client through version 1.4.5 uses a broken cryptographic algorithm that allows attackers to retrieve sensitive embedded data during config import, URI scheme handling, or CLI operations across Windows, macOS, Linux, iOS, Android, and web clients. An unauthenticated remote attacker can exploit this vulnerability without user interaction to extract sensitive configuration information. No patch is currently available for this high-severity vulnerability.
Traefik versions before 2.11.38 and 3.6.9 allow remote attackers to cause denial of service by sending incomplete TLS records to TCP routers, which causes the TLS handshake process to hang indefinitely while holding connections open. An unauthenticated attacker can exploit this by opening many stalled connections in parallel to exhaust file descriptors and goroutines, degrading or disabling the proxy service.
OpenClaw versions up to 2026.2.15 is affected by use of a broken or risky cryptographic algorithm (CVSS 7.5).
Traefik versions 2.11.9-2.11.37 and 3.1.3-3.6.8 contain a case-sensitivity bypass in Connection header handling that allows unauthenticated remote attackers to remove critical X-Forwarded headers by using lowercase Connection tokens, potentially enabling header spoofing attacks. An attacker can exploit this to manipulate forwarded client information such as IP addresses and hostnames, compromising the integrity of upstream application data. A patch is available for affected versions.
Improper access control in the Linux kernel affects SUSE Linux Enterprise Server 12 SP5, causing nftables firewall rules to become ineffective and allowing network traffic to bypass intended filtering policies. An unauthenticated remote attacker can exploit this vulnerability to circumvent firewall protections without user interaction. No patch is currently available for this vulnerability.
Improper access control in e-plugins Directory Pro up to version 2.5.6 enables unauthenticated attackers to bypass authorization checks and gain unauthorized access to sensitive directory information. The vulnerability allows attackers to read, modify, or delete data depending on the misconfigured security levels without requiring authentication or user interaction. A patch is not currently available.
Gogs versions prior to 0.14.2 contain a DOM-based XSS vulnerability in the Issue creation page where attackers can inject malicious scripts through milestone names that execute when other users interact with those milestones. An authenticated attacker can craft a repository with a malicious milestone name containing JavaScript payloads that trigger in victim browsers, potentially compromising user sessions or sensitive data. No patch is currently available for affected versions.
Permission bypass vulnerability in the system service framework. Impact: Successful exploitation of this vulnerability may affect availability. [CVSS 7.3 HIGH]
Stored XSS in Fluent Forms Pro for WordPress through version 6.1.17 allows unauthenticated attackers to inject malicious scripts into draft form submissions due to missing authentication and insufficient input sanitization on the fluentform_step_form_save_data AJAX action. The injected scripts execute when site administrators access partial form entries, potentially compromising administrator accounts and site integrity. No patch is currently available.
Unauthenticated command injection in FreePBX versions 16.0.17.2-16.0.19 and 17.0.2.4-17.0.4 via the ElevenLabs Text-to-Speech integration allows authenticated users with high privileges to execute arbitrary system commands. The vulnerability exists in the recordings module and affects all installations using the vulnerable TTS engine. No patch is currently available, leaving affected systems at risk of full system compromise.
Improper path validation in OpenClaw Gateway versions before 2026.2.14 enables authenticated administrators to achieve arbitrary code execution by manipulating hook module paths passed to dynamic imports. An attacker with configuration modification privileges can load and execute malicious local modules within the Node.js process, gaining full system compromise capabilities.
Privilege escalation in Amelia booking plugin through version 1.2.38 allows high-privileged users to gain unauthorized elevated access due to improper privilege assignment. An authenticated attacker with administrative credentials can exploit this vulnerability to compromise system integrity and confidentiality. No patch is currently available.
Josh Kohlbach Wholesale Suite woocommerce-wholesale-prices contains a security vulnerability (CVSS 7.1).
Frappe versions prior to 15.98.0 and 14.100.0 contain an improper access control vulnerability that allows authenticated users to grant document permissions they do not possess to other users. An attacker with valid credentials could escalate privileges by sharing documents with elevated permissions, potentially exposing sensitive information or enabling unauthorized modifications. No patch is currently available.
Arbitrary file write in OpenClaw prior to version 2026.2.12 allows authenticated gateway clients to bypass path validation on the sessionFile parameter and write transcript data to any location on the host filesystem. An attacker with valid credentials can repeatedly append data to arbitrary files, potentially corrupting configurations or exhausting disk space to cause denial of service. A patch is available.
QuanticaLabs MediCenter - Health Medical Clinic medicenter is affected by cross-site scripting (xss) (CVSS 7.1).
Reflected cross-site scripting in AndonDesign UDesign versions up to 4.14.0 enables attackers to inject malicious scripts into web pages viewed by users, potentially allowing session hijacking, credential theft, or malware distribution. The vulnerability requires user interaction to click a malicious link but can affect any organization using the affected UDesign versions. No patch is currently available to remediate this issue.
The e-plugins Lawyer Directory plugin through version 1.3.2 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts into web pages viewed by other users. An attacker can exploit this to steal session cookies, perform actions on behalf of victims, or redirect users to malicious sites. No patch is currently available for affected installations.
Reflected cross-site scripting in sizam RH Frontend Publishing Pro through version 4.3.2 enables attackers to inject malicious scripts that execute in users' browsers when they click a crafted link. The vulnerability requires user interaction but can compromise session integrity and steal sensitive data across affected sites. No patch is currently available.
The ListingPro plugin for CridioStudio through version 2.9.8 contains a reflected cross-site scripting vulnerability that allows unauthenticated remote attackers to inject malicious scripts into web pages viewed by users. Successful exploitation requires user interaction but can compromise confidentiality, integrity, and availability across security domains. No patch is currently available for affected installations.
Reflected cross-site scripting (XSS) in Ultimate Learning Pro WordPress plugin versions 3.9.1 and earlier allows unauthenticated remote attackers to inject malicious scripts into web pages via crafted URLs. Successful exploitation requires tricking a victim user into clicking a malicious link (UI:R in CVSS vector). EPSS probability is low at 0.04% (10th percentile), and no active exploitation or public POC has been identified at time of analysis, making this a lower-priority remediation despite the 7.1 CVSS score.
Reflected cross-site scripting in AllInOne Banner Rotator WordPress plugin allows remote attackers to execute arbitrary JavaScript in victim browsers when users click malicious links. Affects versions up to and including 3.8. EPSS score of 0.04% (10th percentile) indicates low probability of widespread exploitation. No active exploitation confirmed via CISA KEV, though vulnerability discovered and reported by Patchstack security audit team.
Reflected cross-site scripting in the LambertGroup AllInOne Banner with Playlist WordPress plugin (versions ≤3.8) allows remote unauthenticated attackers to execute arbitrary JavaScript in victim browsers via crafted URLs. With EPSS exploitation probability at 0.04% (10th percentile), this represents a low likelihood of automated or widespread exploitation despite the network attack vector. No active exploitation or public POC has been identified at time of analysis. Impact requires user interaction (clicking malicious link), limiting autonomous exploitation scenarios.
Reflected cross-site scripting (XSS) in LambertGroup AllInOne Content Slider WordPress plugin through version 3.8 enables remote attackers to execute arbitrary JavaScript in victim browsers by tricking users into clicking malicious links. The vulnerability allows content injection with low-level impacts across confidentiality, integrity, and availability due to scope change (S:C in CVSS vector). Reported by Patchstack security researchers, EPSS exploitation probability is very low (0.04%, 10th percentile), indicating minimal observed real-world targeting despite no authentication requirement.
Reflected cross-site scripting (XSS) in LambertGroup AllInOne Banner with Thumbnails WordPress plugin through version 3.8 allows unauthenticated remote attackers to inject malicious scripts via crafted URLs. The vulnerability requires user interaction (clicking a malicious link) but needs no authentication. Exploitation probability is low (EPSS 0.04%, 10th percentile), with no confirmed active exploitation or public POC at time of analysis. Changed scope (S:C) in CVSS vector indicates potential to impact resources beyond the vulnerable component.
Reflected cross-site scripting in LBG Zoominoutslider WordPress plugin versions through 5.4.5 allows remote attackers to execute arbitrary JavaScript in victim browsers via crafted URLs requiring user interaction. EPSS exploitation probability is very low (0.04%, 10th percentile), and no active exploitation is confirmed. A Patchstack database entry documents the vulnerability, but no vendor-released patch version is identified at time of analysis.
Reflected cross-site scripting in UberSlider Classic WordPress plugin through version 2.5 allows remote attackers to execute malicious JavaScript in victim browsers via crafted URLs. Exploitation requires user interaction (clicking malicious link). EPSS score of 0.04% (10th percentile) indicates minimal observed exploitation activity. No CISA KEV listing confirms this is not being actively exploited in widespread campaigns, though the low attack complexity and network vector make exploitation straightforward once a victim is socially engineered.
Reflected cross-site scripting in UberSlider MouseInteraction WordPress plugin versions ≤2.3 allows remote attackers to execute arbitrary JavaScript in victim browsers through crafted URLs requiring user interaction. Reported by Patchstack audit team. EPSS score of 0.04% (10th percentile) indicates low probability of widespread exploitation. No CISA KEV listing or public proof-of-concept identified at time of analysis.
Reflected cross-site scripting in UberSlider PerpetuumMobile WordPress plugin versions ≤2.3 allows remote attackers to inject malicious scripts that execute in victim browsers when users click crafted links. The vulnerability requires user interaction but no authentication, with CVSS 7.1 (High) severity due to scope change enabling attacks across security boundaries. EPSS score of 0.04% (10th percentile) indicates low current exploitation probability, with no CISA KEV listing or public exploit code identified at time of analysis. Patchstack vulnerability database confirms the flaw affects default plugin configurations.
Reflected cross-site scripting in UberSlider Ultra WordPress plugin (versions ≤2.3) enables remote attackers to execute arbitrary JavaScript in victim browsers via crafted URLs. The vulnerability requires user interaction (clicking a malicious link) but needs no authentication. EPSS exploitation probability is low (0.04%, 10th percentile), and no active exploitation or public proof-of-concept has been identified at time of analysis. The changed scope (S:C) in the CVSS vector indicates potential impact beyond the vulnerable component itself.
Reflected cross-site scripting (XSS) in Porto WordPress theme versions through 7.6.2 allows remote attackers to inject malicious JavaScript into web pages viewed by victims. Exploitation requires user interaction (clicking a malicious link). EPSS probability is low (0.04%, 10th percentile), indicating minimal observed exploitation activity. No active exploitation confirmed by CISA KEV. Patchstack has documented this vulnerability, suggesting detection capabilities exist.
Reflected cross-site scripting (XSS) in pixfort Core WordPress plugin versions up to 3.2.22 enables remote attackers to inject malicious scripts into web pages viewed by victims. The attack requires user interaction (clicking a malicious link) but no authentication, allowing attackers to steal session tokens, perform actions as the victim, or redirect users to phishing sites. EPSS score of 0.04% (10th percentile) indicates low probability of mass exploitation, and no active exploitation or public proof-of-concept has been identified at time of analysis.
Reflected cross-site scripting (XSS) in Listify WordPress theme versions through 3.2.5 allows unauthenticated remote attackers to execute arbitrary JavaScript in victim browsers through crafted URLs. The vulnerability exists due to improper input sanitization during web page generation, requiring user interaction to trigger. EPSS exploitation probability is very low (0.04%, 10th percentile), and no active exploitation or public exploit code has been identified. Moderate CVSS score reflects changed scope (S:C) allowing potential session token theft across origins.
Reflected cross-site scripting in EventON WordPress plugin versions up to 4.9.12 enables remote attackers to execute arbitrary JavaScript in victim browsers via malicious links. The vulnerability requires victim interaction (CVSS UI:R) and changes execution scope (S:C), allowing session hijacking, credential theft, or malicious actions within the WordPress admin interface. With EPSS exploitation probability at 0.04% (10th percentile) and no CISA KEV listing, this represents a lower-priority XSS requiring social engineering rather than mass exploitation.
designthemes DesignThemes Portfolio designthemes-portfolio is affected by cross-site scripting (xss) (CVSS 7.1).
DOM-based cross-site scripting in RadiusTheme Metro versions 2.13 and earlier allows unauthenticated attackers to inject malicious scripts that execute in users' browsers with no interaction required beyond viewing a crafted page. Successful exploitation enables attackers to steal session tokens, perform unauthorized actions, or deface content for affected users. No patch is currently available.
The Claue WordPress theme through version 2.2.7 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts into web pages viewed by other users. An attacker can exploit this by crafting a malicious URL to steal sensitive information, perform unauthorized actions, or compromise user sessions without requiring any special privileges or interaction with the application itself.
JanStudio Gecko version 1.9.8 and earlier contain a reflected cross-site scripting (XSS) vulnerability that allows unauthenticated remote attackers to inject malicious scripts through improper input validation during web page generation. Successful exploitation requires user interaction and can lead to unauthorized access to sensitive information, data modification, or service disruption. No patch is currently available.
Reflected cross-site scripting in ThemeGoods Musico through version 3.2.4 enables attackers to inject malicious scripts into web pages viewed by users, potentially compromising session data and user credentials. The vulnerability requires user interaction to trigger and affects all installations of the affected Musico versions, with no patch currently available.
kamleshyadav WP Bakery Autoresponder Addon vc-autoresponder-addon is affected by cross-site scripting (xss) (CVSS 7.1).
Reflected XSS in Awa Plugins through version 1.4.4 enables unauthenticated attackers to inject malicious scripts into web pages viewed by users, potentially leading to session hijacking, credential theft, or malware distribution. The vulnerability requires user interaction via a crafted link and has cross-site impact, affecting all installations of the affected plugin versions. No patch is currently available.
Reflected cross-site scripting in ThemeGoods Architecturer versions up to 3.8.8 enables attackers to inject malicious scripts that execute in victims' browsers when they click a crafted link, potentially allowing session hijacking or credential theft. The vulnerability requires user interaction and affects all users of the vulnerable plugin versions. No patch is currently available.
Reflected cross-site scripting in ThemeGoods Grand News version 3.4.3 and earlier enables attackers to inject malicious scripts into web pages viewed by users, potentially allowing credential theft or session hijacking. The vulnerability requires user interaction to trigger but can be exploited remotely without authentication. No patch is currently available.
ThemeGoods Starto versions 2.1.9 and earlier are vulnerable to reflected cross-site scripting (XSS) that can be exploited remotely without authentication, allowing attackers to inject malicious scripts into web pages viewed by users. An attacker can trick users into clicking a malicious link to steal session cookies, redirect to phishing sites, or perform actions on behalf of the victim. No patch is currently available for this vulnerability.
DOM-based cross-site scripting in ThemeGoods Photography plugin version 7.6.1 and earlier enables attackers to inject malicious scripts that execute in users' browsers without authentication, potentially compromising sensitive data or session tokens. The vulnerability requires user interaction to trigger and has network-wide impact, affecting any website running the affected Photography plugin version.
Skygroup Agrofood versions 1.3.0 and earlier are vulnerable to reflected cross-site scripting (XSS) attacks that allow unauthenticated remote attackers to inject malicious scripts into web pages viewed by users. An attacker can exploit this vulnerability to steal session cookies, redirect users to malicious sites, or perform actions on behalf of victims. No patch is currently available.
DeepDigital versions 1.0.2 and earlier are vulnerable to reflected cross-site scripting (XSS) attacks due to insufficient input validation during web page generation, allowing unauthenticated remote attackers to inject malicious scripts that execute in users' browsers. Exploitation requires user interaction (clicking a malicious link) but can affect the entire application context, enabling attackers to steal sensitive data or perform actions on behalf of victims. No patch is currently available.
SeventhQueen BuddyApp through version 1.9.2 is vulnerable to reflected cross-site scripting (XSS) due to improper input validation during web page generation, allowing attackers to inject malicious scripts that execute in users' browsers when they click malicious links. An unauthenticated attacker can exploit this to steal session cookies, perform actions on behalf of users, or redirect them to phishing sites. No patch is currently available.
Reflected XSS in Thebe up to version 1.3.0 enables attackers to inject malicious scripts into web pages viewed by users, potentially compromising session data and user interactions across different sites. The vulnerability requires user interaction through a crafted link but has no authentication requirement, making it accessible to unauthenticated attackers. No patch is currently available.