Skip to main content
CVE-2026-26034 HIGH This Week

Ups Multi-Ups Management Console versions up to 01.06.0001_\(a03\) is affected by incorrect default permissions (CVSS 7.8).

Privilege Escalation RCE Ups Multi Ups Management Console
NVD
CVSS 3.0
7.8
EPSS
0.0%
CVE-2026-27750 HIGH This Week

Internet Security contains a vulnerability that allows attackers to deletion of protected files or directories and can lead to local privilege escal (CVSS 7.8).

Denial Of Service Privilege Escalation Internet Security
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-28393 HIGH PATCH This Week

Arbitrary JavaScript execution in OpenClaw versions prior to 2026.2.14 results from improper path validation in the hook transform module loader, allowing attackers with configuration write access to load malicious modules with gateway process privileges. The vulnerability affects the hooks.mappings[].transform.module parameter, which fails to restrict absolute paths and directory traversal sequences. A patch is available.

Path Traversal Openclaw
NVD GitHub
CVSS 3.1
7.7
EPSS
0.1%
CVE-2026-28468 HIGH PATCH This Week

Openclaw versions up to 2026.2.14 is affected by missing authentication for critical function (CVSS 7.7).

Authentication Bypass Openclaw
NVD GitHub
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-29053 HIGH PATCH This Week

Arbitrary code execution in Ghost CMS versions 0.7.2 through 6.19.0 allows authenticated attackers with theme upload privileges to execute malicious code on the server by crafting specially designed theme files. The vulnerability affects Ghost installations running on Node.js and requires high privileges to exploit, though successful attacks compromise complete server integrity with confidentiality, integrity, and availability impact. No patch is currently available for affected versions.

Node.js Ghost
NVD GitHub
CVSS 3.1
7.6
EPSS
0.1%
CVE-2026-29609 HIGH PATCH This Week

Openclaw versions up to 2026.2.14 is affected by allocation of resources without limits or throttling (CVSS 7.5).

Denial Of Service Openclaw
NVD GitHub
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-28039 HIGH This Week

Local file inclusion in wpDataTables plugin for WordPress (versions up to 6.5.0.1) enables authenticated attackers to read arbitrary files from the web server filesystem with high complexity conditions. An attacker with low-privilege access can include PHP files or extract sensitive configuration data (database credentials, API keys) from readable server files. EPSS score of 0.13% (32nd percentile) indicates low observed exploitation probability, with no CISA KEV listing or public POC identified at time of analysis. Patchstack researchers disclosed this as a PHP local file inclusion weakness (CWE-98) exploitable over the network.

PHP LFI Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-28478 HIGH PATCH This Week

OpenClaw versions up to 2026.2.13 is affected by allocation of resources without limits or throttling (CVSS 7.5).

Denial Of Service Openclaw
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-69534 HIGH PATCH This Week

Python-Markdown version 3.8 contain a vulnerability where malformed HTML-like sequences can cause html.parser.HTMLParser to raise an unhandled AssertionError during Markdown parsing. [CVSS 7.5 HIGH]

Python Denial Of Service Information Disclosure Markdown
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-26418 HIGH This Week

Cognix Platform's web API lacks authentication and authorization controls, enabling unauthenticated remote attackers to access restricted application functionality over the network. This vulnerability affects Tata Consultancy Services Cognix Recon Client v3.0 and poses a high risk due to its ease of exploitation and lack of authentication requirements. No patch is currently available.

Authentication Bypass Cognix Platform
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-28453 HIGH PATCH This Week

OpenClaw before version 2026.2.14 fails to properly validate file paths when extracting TAR archives, enabling attackers to use path traversal sequences to write files outside the intended extraction directory. An unauthenticated remote attacker can exploit this to overwrite configuration files or inject malicious code into the system. A patch is available for affected versions.

Path Traversal Openclaw
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-28462 HIGH PATCH This Week

OpenClaw versions before 2026.2.13 suffer from a path traversal vulnerability in the browser control API that allows authenticated attackers to write arbitrary files outside designated temporary directories via the trace and download endpoints. An attacker with API access can exploit this to place malicious files in unintended locations on the system. A patch is available to address this high-severity flaw.

Path Traversal Openclaw
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-1605 HIGH PATCH This Week

Eclipse Jetty 12.0.0 through 12.0.31 and 12.1.0 through 12.1.5 suffer from a denial-of-service vulnerability in GzipHandler where decompressor resources leak when processing gzip-compressed requests that generate uncompressed responses. An unauthenticated remote attacker can exhaust server memory by repeatedly sending compressed requests, causing service degradation or unavailability. No patch is currently available.

Jetty Denial Of Service
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-27388 HIGH This Week

designthemes DesignThemes Booking Manager designthemes-booking-manager is affected by missing authorization (CVSS 7.5).

Authentication Bypass
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-24385 HIGH This Week

gerritvanaaken Podlove Web Player podlove-web-player is affected by deserialization of untrusted data (CVSS 7.5).

Deserialization
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-28076 HIGH This Week

Unauthorized data disclosure in Frenify Guff WordPress theme versions through 1.0.1 allows unauthenticated remote attackers to access sensitive information via missing authorization controls. The vulnerability exploits incorrectly configured access control security levels, enabling attackers to bypass authentication mechanisms and read confidential data. EPSS score of 0.04% (12th percentile) indicates low observed exploitation probability in the wild, with no CISA KEV listing or public exploit code identified at time of analysis.

Authentication Bypass
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-27386 HIGH This Week

designthemes DesignThemes Directory Addon designthemes-directory-addon is affected by missing authorization (CVSS 7.5).

Authentication Bypass
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-27374 HIGH This Week

vanquish WooCommerce Order Details woocommerce-order-details is affected by missing authorization (CVSS 7.5).

WordPress Authentication Bypass
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-27361 HIGH This Week

WebCodingPlace Responsive Posts Carousel Pro responsive-posts-carousel-pro is affected by missing authorization (CVSS 7.5).

Authentication Bypass
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-22479 HIGH This Week

Improper access control in Ruby's ThemeRuby Easy Post Submission plugin through version 2.2.0 allows unauthenticated remote attackers to bypass authorization checks and gain unauthorized read access to sensitive data. The vulnerability stems from misconfigured security levels that fail to properly enforce access restrictions on protected functionality. No patch is currently available for affected installations.

Authentication Bypass
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-69340 HIGH This Week

BuddhaThemes WeDesignTech Ultimate Booking Addon wedesigntech-ultimate-booking-addon is affected by missing authorization (CVSS 7.5).

Authentication Bypass
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-27406 HIGH This Week

My Tickets plugin version 2.1.0 and earlier inadvertently exposes sensitive data in outbound communications due to improper data handling. An unauthenticated remote attacker can intercept and retrieve embedded sensitive information from sent data without user interaction. No patch is currently available for this high-severity vulnerability.

Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-27370 HIGH This Week

Premio Chaty versions up to 3.5.1 expose sensitive data through improper handling of embedded information in outbound communications, allowing unauthenticated remote attackers to retrieve confidential data without user interaction. The vulnerability carries a high severity rating (CVSS 7.5) and currently has no available patch.

Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-28392 HIGH PATCH This Week

OpenClaw versions before 2026.2.14 allow unauthenticated attackers to execute privileged slash commands via direct message when the dmPolicy setting is configured to open, bypassing security controls like allowlists and access groups. This privilege escalation stems from improper authorization checks in the Slack slash-command handler that fails to validate direct message senders. A patch is available for affected users.

Privilege Escalation Openclaw
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-29611 HIGH PATCH This Week

Openclaw versions up to 2026.2.14 contains a vulnerability that allows attackers to read arbitrary files from the local filesystem (CVSS 7.5).

LFI Openclaw
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-70949 HIGH This Week

An observable timing discrepancy in @perfood/couch-auth v0.26.0 allows attackers to access sensitive information via a timing side-channel. [CVSS 7.5 HIGH]

Information Disclosure
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-28469 HIGH PATCH This Week

Openclaw versions up to 2026.2.14 is affected by authorization bypass through user-controlled key (CVSS 7.5).

Industrial Openclaw
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-28454 HIGH PATCH This Week

Openclaw versions up to 2026.2.2 is affected by insufficient verification of data authenticity (CVSS 7.5).

Authentication Bypass Openclaw
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-30791 HIGH This Week

RustDesk Client through version 1.4.5 uses a broken cryptographic algorithm that allows attackers to retrieve sensitive embedded data during config import, URI scheme handling, or CLI operations across Windows, macOS, Linux, iOS, Android, and web clients. An unauthenticated remote attacker can exploit this vulnerability without user interaction to extract sensitive configuration information. No patch is currently available for this high-severity vulnerability.

Microsoft Apple Google Information Disclosure Rustdesk +3
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-26999 HIGH PATCH This Week

Traefik versions before 2.11.38 and 3.6.9 allow remote attackers to cause denial of service by sending incomplete TLS records to TCP routers, which causes the TLS handshake process to hang indefinitely while holding connections open. An unauthenticated attacker can exploit this by opening many stalled connections in parallel to exhaust file descriptors and goroutines, degrading or disabling the proxy service.

Traefik Denial Of Service
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-28479 HIGH PATCH This Week

OpenClaw versions up to 2026.2.15 is affected by use of a broken or risky cryptographic algorithm (CVSS 7.5).

Docker Information Disclosure Openclaw
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-29054 HIGH PATCH This Week

Traefik versions 2.11.9-2.11.37 and 3.1.3-3.6.8 contain a case-sensitivity bypass in Connection header handling that allows unauthenticated remote attackers to remove critical X-Forwarded headers by using lowercase Connection tokens, potentially enabling header spoofing attacks. An attacker can exploit this to manipulate forwarded client information such as IP addresses and hostnames, compromising the integrity of upstream application data. A patch is available for affected versions.

Information Disclosure Traefik
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-25702 HIGH PATCH This Week

Improper access control in the Linux kernel affects SUSE Linux Enterprise Server 12 SP5, causing nftables firewall rules to become ineffective and allowing network traffic to bypass intended filtering policies. An unauthenticated remote attacker can exploit this vulnerability to circumvent firewall protections without user interaction. No patch is currently available for this vulnerability.

Linux Linux Enterprise Server Suse
NVD
CVSS 3.1
7.3
EPSS
0.1%
CVE-2026-27396 HIGH This Week

Improper access control in e-plugins Directory Pro up to version 2.5.6 enables unauthenticated attackers to bypass authorization checks and gain unauthorized access to sensitive directory information. The vulnerability allows attackers to read, modify, or delete data depending on the misconfigured security levels without requiring authentication or user interaction. A patch is not currently available.

Authentication Bypass
NVD
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-26276 HIGH This Week

Gogs versions prior to 0.14.2 contain a DOM-based XSS vulnerability in the Issue creation page where attackers can inject malicious scripts through milestone names that execute when other users interact with those milestones. An authenticated attacker can craft a repository with a malicious milestone name containing JavaScript payloads that trigger in victim browsers, potentially compromising user sessions or sensitive data. No patch is currently available for affected versions.

XSS Gogs Suse
NVD GitHub
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-28542 HIGH This Week

Permission bypass vulnerability in the system service framework. Impact: Successful exploitation of this vulnerability may affect availability. [CVSS 7.3 HIGH]

Authentication Bypass Emui Harmonyos
NVD
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-2365 HIGH This Week

Stored XSS in Fluent Forms Pro for WordPress through version 6.1.17 allows unauthenticated attackers to inject malicious scripts into draft form submissions due to missing authentication and insufficient input sanitization on the fluentform_step_form_save_data AJAX action. The injected scripts execute when site administrators access partial form entries, potentially compromising administrator accounts and site integrity. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
7.2
EPSS
0.2%
CVE-2026-28209 HIGH This Week

Unauthenticated command injection in FreePBX versions 16.0.17.2-16.0.19 and 17.0.2.4-17.0.4 via the ElevenLabs Text-to-Speech integration allows authenticated users with high privileges to execute arbitrary system commands. The vulnerability exists in the recordings module and affects all installations using the vulnerable TTS engine. No patch is currently available, leaving affected systems at risk of full system compromise.

Command Injection AI / ML Freepbx
NVD GitHub
CVSS 3.1
7.2
EPSS
0.2%
CVE-2026-28456 HIGH PATCH This Week

Improper path validation in OpenClaw Gateway versions before 2026.2.14 enables authenticated administrators to achieve arbitrary code execution by manipulating hook module paths passed to dynamic imports. An attacker with configuration modification privileges can load and execute malicious local modules within the Node.js process, gaining full system compromise capabilities.

Node.js Openclaw
NVD GitHub
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-24963 HIGH This Week

Privilege escalation in Amelia booking plugin through version 1.2.38 allows high-privileged users to gain unauthorized elevated access due to improper privilege assignment. An authenticated attacker with administrative credentials can exploit this vulnerability to compromise system integrity and confidentiality. No patch is currently available.

Privilege Escalation
NVD
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-27541 HIGH This Week

Josh Kohlbach Wholesale Suite woocommerce-wholesale-prices contains a security vulnerability (CVSS 7.1).

WordPress Privilege Escalation
NVD
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-29077 HIGH This Week

Frappe versions prior to 15.98.0 and 14.100.0 contain an improper access control vulnerability that allows authenticated users to grant document permissions they do not possess to other users. An attacker with valid credentials could escalate privileges by sharing documents with elevated permissions, potentially exposing sensitive information or enabling unauthorized modifications. No patch is currently available.

Authentication Bypass Frappe
NVD GitHub
CVSS 3.1
7.1
EPSS
0.1%
CVE-2026-28459 HIGH PATCH This Week

Arbitrary file write in OpenClaw prior to version 2026.2.12 allows authenticated gateway clients to bypass path validation on the sessionFile parameter and write transcript data to any location on the host filesystem. An attacker with valid credentials can repeatedly append data to arbitrary files, potentially corrupting configurations or exhausting disk space to cause denial of service. A patch is available.

Denial Of Service Openclaw
NVD GitHub
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-28137 HIGH This Week

QuanticaLabs MediCenter - Health Medical Clinic medicenter is affected by cross-site scripting (xss) (CVSS 7.1).

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-28130 HIGH This Week

Reflected cross-site scripting in AndonDesign UDesign versions up to 4.14.0 enables attackers to inject malicious scripts into web pages viewed by users, potentially allowing session hijacking, credential theft, or malware distribution. The vulnerability requires user interaction to click a malicious link but can affect any organization using the affected UDesign versions. No patch is currently available to remediate this issue.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-28127 HIGH This Week

The e-plugins Lawyer Directory plugin through version 1.3.2 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts into web pages viewed by other users. An attacker can exploit this to steal session cookies, perform actions on behalf of victims, or redirect users to malicious sites. No patch is currently available for affected installations.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-28126 HIGH This Week

Reflected cross-site scripting in sizam RH Frontend Publishing Pro through version 4.3.2 enables attackers to inject malicious scripts that execute in users' browsers when they click a crafted link. The vulnerability requires user interaction but can compromise session integrity and steal sensitive data across affected sites. No patch is currently available.

XSS
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-28122 HIGH This Week

The ListingPro plugin for CridioStudio through version 2.9.8 contains a reflected cross-site scripting vulnerability that allows unauthenticated remote attackers to inject malicious scripts into web pages viewed by users. Successful exploitation requires user interaction but can compromise confidentiality, integrity, and availability across security domains. No patch is currently available for affected installations.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-28113 HIGH This Week

Reflected cross-site scripting (XSS) in Ultimate Learning Pro WordPress plugin versions 3.9.1 and earlier allows unauthenticated remote attackers to inject malicious scripts into web pages via crafted URLs. Successful exploitation requires tricking a victim user into clicking a malicious link (UI:R in CVSS vector). EPSS probability is low at 0.04% (10th percentile), and no active exploitation or public POC has been identified at time of analysis, making this a lower-priority remediation despite the 7.1 CVSS score.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-28112 HIGH This Week

Reflected cross-site scripting in AllInOne Banner Rotator WordPress plugin allows remote attackers to execute arbitrary JavaScript in victim browsers when users click malicious links. Affects versions up to and including 3.8. EPSS score of 0.04% (10th percentile) indicates low probability of widespread exploitation. No active exploitation confirmed via CISA KEV, though vulnerability discovered and reported by Patchstack security audit team.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
Prev Page 7 of 10 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy