Skip to main content
CVE-2026-28110 HIGH This Week

Reflected cross-site scripting in the LambertGroup AllInOne Banner with Playlist WordPress plugin (versions ≤3.8) allows remote unauthenticated attackers to execute arbitrary JavaScript in victim browsers via crafted URLs. With EPSS exploitation probability at 0.04% (10th percentile), this represents a low likelihood of automated or widespread exploitation despite the network attack vector. No active exploitation or public POC has been identified at time of analysis. Impact requires user interaction (clicking malicious link), limiting autonomous exploitation scenarios.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-28109 HIGH This Week

Reflected cross-site scripting (XSS) in LambertGroup AllInOne Content Slider WordPress plugin through version 3.8 enables remote attackers to execute arbitrary JavaScript in victim browsers by tricking users into clicking malicious links. The vulnerability allows content injection with low-level impacts across confidentiality, integrity, and availability due to scope change (S:C in CVSS vector). Reported by Patchstack security researchers, EPSS exploitation probability is very low (0.04%, 10th percentile), indicating minimal observed real-world targeting despite no authentication requirement.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-28108 HIGH This Week

Reflected cross-site scripting (XSS) in LambertGroup AllInOne Banner with Thumbnails WordPress plugin through version 3.8 allows unauthenticated remote attackers to inject malicious scripts via crafted URLs. The vulnerability requires user interaction (clicking a malicious link) but needs no authentication. Exploitation probability is low (EPSS 0.04%, 10th percentile), with no confirmed active exploitation or public POC at time of analysis. Changed scope (S:C) in CVSS vector indicates potential to impact resources beyond the vulnerable component.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-28103 HIGH This Week

Reflected cross-site scripting in LBG Zoominoutslider WordPress plugin versions through 5.4.5 allows remote attackers to execute arbitrary JavaScript in victim browsers via crafted URLs requiring user interaction. EPSS exploitation probability is very low (0.04%, 10th percentile), and no active exploitation is confirmed. A Patchstack database entry documents the vulnerability, but no vendor-released patch version is identified at time of analysis.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-28102 HIGH This Week

Reflected cross-site scripting in UberSlider Classic WordPress plugin through version 2.5 allows remote attackers to execute malicious JavaScript in victim browsers via crafted URLs. Exploitation requires user interaction (clicking malicious link). EPSS score of 0.04% (10th percentile) indicates minimal observed exploitation activity. No CISA KEV listing confirms this is not being actively exploited in widespread campaigns, though the low attack complexity and network vector make exploitation straightforward once a victim is socially engineered.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-28101 HIGH This Week

Reflected cross-site scripting in UberSlider MouseInteraction WordPress plugin versions ≤2.3 allows remote attackers to execute arbitrary JavaScript in victim browsers through crafted URLs requiring user interaction. Reported by Patchstack audit team. EPSS score of 0.04% (10th percentile) indicates low probability of widespread exploitation. No CISA KEV listing or public proof-of-concept identified at time of analysis.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-28100 HIGH This Week

Reflected cross-site scripting in UberSlider PerpetuumMobile WordPress plugin versions ≤2.3 allows remote attackers to inject malicious scripts that execute in victim browsers when users click crafted links. The vulnerability requires user interaction but no authentication, with CVSS 7.1 (High) severity due to scope change enabling attacks across security boundaries. EPSS score of 0.04% (10th percentile) indicates low current exploitation probability, with no CISA KEV listing or public exploit code identified at time of analysis. Patchstack vulnerability database confirms the flaw affects default plugin configurations.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-28099 HIGH This Week

Reflected cross-site scripting in UberSlider Ultra WordPress plugin (versions ≤2.3) enables remote attackers to execute arbitrary JavaScript in victim browsers via crafted URLs. The vulnerability requires user interaction (clicking a malicious link) but needs no authentication. EPSS exploitation probability is low (0.04%, 10th percentile), and no active exploitation or public proof-of-concept has been identified at time of analysis. The changed scope (S:C) in the CVSS vector indicates potential impact beyond the vulnerable component itself.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-28075 HIGH This Week

Reflected cross-site scripting (XSS) in Porto WordPress theme versions through 7.6.2 allows remote attackers to inject malicious JavaScript into web pages viewed by victims. Exploitation requires user interaction (clicking a malicious link). EPSS probability is low (0.04%, 10th percentile), indicating minimal observed exploitation activity. No active exploitation confirmed by CISA KEV. Patchstack has documented this vulnerability, suggesting detection capabilities exist.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-28072 HIGH This Week

Reflected cross-site scripting (XSS) in pixfort Core WordPress plugin versions up to 3.2.22 enables remote attackers to inject malicious scripts into web pages viewed by victims. The attack requires user interaction (clicking a malicious link) but no authentication, allowing attackers to steal session tokens, perform actions as the victim, or redirect users to phishing sites. EPSS score of 0.04% (10th percentile) indicates low probability of mass exploitation, and no active exploitation or public proof-of-concept has been identified at time of analysis.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-28042 HIGH This Week

Reflected cross-site scripting (XSS) in Listify WordPress theme versions through 3.2.5 allows unauthenticated remote attackers to execute arbitrary JavaScript in victim browsers through crafted URLs. The vulnerability exists due to improper input sanitization during web page generation, requiring user interaction to trigger. EPSS exploitation probability is very low (0.04%, 10th percentile), and no active exploitation or public exploit code has been identified. Moderate CVSS score reflects changed scope (S:C) allowing potential session token theft across origins.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-28037 HIGH This Week

Reflected cross-site scripting in EventON WordPress plugin versions up to 4.9.12 enables remote attackers to execute arbitrary JavaScript in victim browsers via malicious links. The vulnerability requires victim interaction (CVSS UI:R) and changes execution scope (S:C), allowing session hijacking, credential theft, or malicious actions within the WordPress admin interface. With EPSS exploitation probability at 0.04% (10th percentile) and no CISA KEV listing, this represents a lower-priority XSS requiring social engineering rather than mass exploitation.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-27385 HIGH This Week

designthemes DesignThemes Portfolio designthemes-portfolio is affected by cross-site scripting (xss) (CVSS 7.1).

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-27382 HIGH This Week

DOM-based cross-site scripting in RadiusTheme Metro versions 2.13 and earlier allows unauthenticated attackers to inject malicious scripts that execute in users' browsers with no interaction required beyond viewing a crafted page. Successful exploitation enables attackers to steal session tokens, perform unauthorized actions, or deface content for affected users. No patch is currently available.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-27376 HIGH This Week

The Claue WordPress theme through version 2.2.7 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts into web pages viewed by other users. An attacker can exploit this by crafting a malicious URL to steal sensitive information, perform unauthorized actions, or compromise user sessions without requiring any special privileges or interaction with the application itself.

WordPress XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-27375 HIGH This Week

JanStudio Gecko version 1.9.8 and earlier contain a reflected cross-site scripting (XSS) vulnerability that allows unauthenticated remote attackers to inject malicious scripts through improper input validation during web page generation. Successful exploitation requires user interaction and can lead to unauthorized access to sensitive information, data modification, or service disruption. No patch is currently available.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-27367 HIGH This Week

Reflected cross-site scripting in ThemeGoods Musico through version 3.2.4 enables attackers to inject malicious scripts into web pages viewed by users, potentially compromising session data and user credentials. The vulnerability requires user interaction to trigger and affects all installations of the affected Musico versions, with no patch currently available.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-27363 HIGH This Week

kamleshyadav WP Bakery Autoresponder Addon vc-autoresponder-addon is affected by cross-site scripting (xss) (CVSS 7.1).

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-27359 HIGH This Week

Reflected XSS in Awa Plugins through version 1.4.4 enables unauthenticated attackers to inject malicious scripts into web pages viewed by users, potentially leading to session hijacking, credential theft, or malware distribution. The vulnerability requires user interaction via a crafted link and has cross-site impact, affecting all installations of the affected plugin versions. No patch is currently available.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-27358 HIGH This Week

Reflected cross-site scripting in ThemeGoods Architecturer versions up to 3.8.8 enables attackers to inject malicious scripts that execute in victims' browsers when they click a crafted link, potentially allowing session hijacking or credential theft. The vulnerability requires user interaction and affects all users of the vulnerable plugin versions. No patch is currently available.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-27353 HIGH This Week

Reflected cross-site scripting in ThemeGoods Grand News version 3.4.3 and earlier enables attackers to inject malicious scripts into web pages viewed by users, potentially allowing credential theft or session hijacking. The vulnerability requires user interaction to trigger but can be exploited remotely without authentication. No patch is currently available.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-27352 HIGH This Week

ThemeGoods Starto versions 2.1.9 and earlier are vulnerable to reflected cross-site scripting (XSS) that can be exploited remotely without authentication, allowing attackers to inject malicious scripts into web pages viewed by users. An attacker can trick users into clicking a malicious link to steal session cookies, redirect to phishing sites, or perform actions on behalf of the victim. No patch is currently available for this vulnerability.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-27348 HIGH This Week

DOM-based cross-site scripting in ThemeGoods Photography plugin version 7.6.1 and earlier enables attackers to inject malicious scripts that execute in users' browsers without authentication, potentially compromising sensitive data or session tokens. The vulnerability requires user interaction to trigger and has network-wide impact, affecting any website running the affected Photography plugin version.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-27332 HIGH This Week

Skygroup Agrofood versions 1.3.0 and earlier are vulnerable to reflected cross-site scripting (XSS) attacks that allow unauthenticated remote attackers to inject malicious scripts into web pages viewed by users. An attacker can exploit this vulnerability to steal session cookies, redirect users to malicious sites, or perform actions on behalf of victims. No patch is currently available.

XSS
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-22467 HIGH This Week

DeepDigital versions 1.0.2 and earlier are vulnerable to reflected cross-site scripting (XSS) attacks due to insufficient input validation during web page generation, allowing unauthenticated remote attackers to inject malicious scripts that execute in users' browsers. Exploitation requires user interaction (clicking a malicious link) but can affect the entire application context, enabling attackers to steal sensitive data or perform actions on behalf of victims. No patch is currently available.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-22465 HIGH This Week

SeventhQueen BuddyApp through version 1.9.2 is vulnerable to reflected cross-site scripting (XSS) due to improper input validation during web page generation, allowing attackers to inject malicious scripts that execute in users' browsers when they click malicious links. An unauthenticated attacker can exploit this to steal session cookies, perform actions on behalf of users, or redirect them to phishing sites. No patch is currently available.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-22455 HIGH This Week

Reflected XSS in Thebe up to version 1.3.0 enables attackers to inject malicious scripts into web pages viewed by users, potentially compromising session data and user interactions across different sites. The vulnerability requires user interaction through a crafted link but has no authentication requirement, making it accessible to unauthenticated attackers. No patch is currently available.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-22440 HIGH This Week

Reflected cross-site scripting in Thecs through version 1.4.7 enables attackers to inject malicious scripts that execute in users' browsers when they click specially crafted links, potentially compromising session data and user credentials. The vulnerability requires user interaction and affects all versions up to 1.4.7, with no patch currently available. An attacker can exploit this to steal sensitive information or perform actions on behalf of affected users.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-22438 HIGH This Week

Reflected cross-site scripting in TheBi through version 1.0.5 enables attackers to inject malicious scripts that execute in users' browsers when they click on specially crafted links. This vulnerability requires user interaction but can lead to session hijacking, credential theft, or malware distribution across trusted domains. No patch is currently available for affected installations.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-28482 HIGH PATCH This Week

OpenClaw versions before 2026.2.12 suffer from a path traversal vulnerability in transcript file handling that allows authenticated local users to read and modify arbitrary files on the system by injecting directory traversal sequences into sessionId or sessionFile parameters. An attacker with local access can exploit this to access sensitive files outside the intended agent sessions directory without additional privileges. No patch is currently available for this vulnerability.

Path Traversal Openclaw
NVD GitHub
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-28477 HIGH PATCH This Week

OpenClaw versions before 2026.2.14 fail to properly validate OAuth state parameters in the Chutes login flow, allowing attackers to bypass CSRF protections and hijack user sessions. An attacker can trick a user into pasting malicious OAuth callback data to gain unauthorized access and maintain persistent tokens under a compromised account. No patch is currently available for this high-severity vulnerability.

CSRF Openclaw
NVD GitHub
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-28548 HIGH This Week

Vulnerability of improper verification in the email application. Impact: Successful exploitation of this vulnerability may affect service confidentiality. [CVSS 7.1 HIGH]

Privilege Escalation Emui Harmonyos
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-21621 HIGH This Week

Hexpm's OAuth implementation fails to enforce read-only API key restrictions during token exchange, allowing an attacker with a victim's read-only API key and valid 2FA code to obtain a full-access API key with unrestricted permissions. This privilege escalation vulnerability affects users of the Hexpm package repository and enables unauthorized modification of packages and account settings. No patch is currently available.

Privilege Escalation Authentication Bypass Hexpm
NVD GitHub VulDB
CVSS 4.0
7.0
EPSS
0.0%
CVE-2026-30796 MEDIUM This Month

RustDesk Server Pro through version 1.7.5 transmits sensitive address book credentials in cleartext over the network heartbeat synchronization API, enabling attackers to intercept and obtain authentication credentials without authentication. The vulnerability affects Windows, macOS, and Linux deployments where the address book sync functionality is enabled. No patch is currently available.

Apple Microsoft Information Disclosure Rustdesk Rustdesk Server
NVD VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-28450 MEDIUM PATCH This Month

OpenClaw versions before 2026.2.12 with the Nostr plugin enabled contain unauthenticated API endpoints that allow remote attackers to read and modify Nostr profiles without authentication when the gateway HTTP port is network-accessible. Attackers can exploit this to steal sensitive profile data, alter gateway configuration, and sign malicious Nostr events using the bot's private key. A patch is available for affected installations.

Authentication Bypass Information Disclosure Openclaw
NVD GitHub
CVSS 3.1
6.8
EPSS
0.1%
CVE-2026-28277 MEDIUM PATCH This Month

LangGraph SQLite Checkpoint versions 1.0.9 and prior are vulnerable to unsafe deserialization of msgpack-encoded objects, allowing attackers with write access to the checkpoint database to execute arbitrary code when checkpoints are loaded. This vulnerability affects Python-based AI/ML applications using LangGraph's persistence layer and requires adversary control of the backing storage to exploit. No public patch is currently available for this issue.

Python Deserialization
NVD GitHub VulDB
CVSS 3.1
6.8
EPSS
0.0%
CVE-2026-28547 MEDIUM This Month

Vulnerability of uninitialized pointer access in the scanning module. Impact: Successful exploitation of this vulnerability may affect availability. [CVSS 6.8 MEDIUM]

Buffer Overflow Harmonyos
NVD
CVSS 3.1
6.8
EPSS
0.0%
CVE-2026-26124 MEDIUM PATCH This Month

'.../...//' in Azure Compute Gallery allows an authorized attacker to elevate privileges locally. [CVSS 6.7 MEDIUM]

Information Disclosure Microsoft Aci Confidential Containers
NVD
CVSS 3.1
6.7
EPSS
0.1%
CVE-2026-23651 MEDIUM PATCH This Month

Privilege escalation in Azure Compute Gallery's regex validation enables high-privileged local users to gain unauthorized system access on affected Microsoft and ACI Confidential Containers systems. An authenticated attacker with elevated permissions can exploit the permissive pattern matching to bypass security controls and achieve full system compromise. No patch is currently available, making this a medium-severity risk for environments running vulnerable versions.

Information Disclosure Microsoft Aci Confidential Containers
NVD
CVSS 3.1
6.7
EPSS
0.1%
CVE-2026-26033 MEDIUM This Month

Ups Multi-Ups Management Console versions up to 01.06.0001_\(a03\) contains a security vulnerability (CVSS 6.7).

RCE Ups Multi Ups Management Console
NVD
CVSS 3.0
6.7
EPSS
0.0%
CVE-2026-28549 MEDIUM This Month

Race condition vulnerability in the permission management service. Impact: Successful exploitation of this vulnerability may affect availability. [CVSS 6.6 MEDIUM]

Race Condition Harmonyos
NVD
CVSS 3.1
6.6
EPSS
0.0%
CVE-2026-26122 MEDIUM PATCH This Month

Unauthorized information disclosure in Azure Compute Gallery occurs due to insecure default initialization settings that authenticated users can exploit to access sensitive data remotely. An authorized attacker can leverage this vulnerability to read confidential information without requiring user interaction. No patch is currently available for Microsoft products and ACI Confidential Containers.

Information Disclosure Microsoft Aci Confidential Containers
NVD
CVSS 3.1
6.5
EPSS
0.4%
CVE-2026-28394 MEDIUM PATCH This Month

Openclaw versions up to 2026.2.15 is affected by allocation of resources without limits or throttling (CVSS 6.5).

Denial Of Service Openclaw
NVD GitHub
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-2899 MEDIUM This Month

Unauthenticated attackers can delete arbitrary WordPress media attachments in Fluent Forms Pro Add On Pack versions up to 6.1.17 due to missing authorization checks in the deleteFile() AJAX action. The vulnerable endpoint is accessible to unauthenticated users and accepts an attachment_id parameter without nonce verification or capability validation. No patch is currently available for this medium-severity vulnerability affecting WordPress sites.

WordPress Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-30777 MEDIUM PATCH This Month

EC-CUBE administrative authentication can be bypassed by attackers possessing valid admin credentials, allowing them to circumvent multi-factor authentication protections and access the admin panel. This vulnerability (CVSS 6.5) affects administrators or high-privileged users whose credentials have been compromised, potentially enabling unauthorized administrative access.

Authentication Bypass Ec Cube
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-28104 MEDIUM This Month

Site Suggest plugin version 1.3.9 and earlier lacks proper access control checks, enabling unauthenticated remote attackers to access restricted functionality and modify data. The vulnerability affects installations without authentication requirements and could allow attackers to manipulate site suggestions or related content without authorization. No patch is currently available.

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-22459 MEDIUM This Month

Improper access control in the Blend Media WordPress CTA easy-sticky-sidebar plugin through version 1.7.4 allows unauthenticated attackers to exploit misconfigured security levels and gain unauthorized access to sensitive functionality. The vulnerability affects WordPress installations running the vulnerable plugin versions and could enable attackers to read restricted information or disrupt service availability. No security patch is currently available.

WordPress Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-29606 MEDIUM PATCH This Month

Openclaw versions up to 2026.2.14 is affected by missing authentication for critical function (CVSS 6.5).

Authentication Bypass Openclaw
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-22723 MEDIUM PATCH This Month

Cloudfoundry UAA versions 77.30.0 through 78.7.0 and Cloudfoundry Deployment versions 48.7.0 through 54.10.0 contain a logic error in the token revocation endpoint that allows authenticated users to inadvertently revoke tokens belonging to other users. An attacker with valid credentials could exploit this flaw to disrupt service availability by invalidating legitimate user sessions without authorization.

Information Disclosure Cf Deployment Uaa Release
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-28480 MEDIUM POC PATCH This Month

OpenClaw prior to version 2026.2.14 fails to properly validate Telegram allowlist entries by accepting mutable usernames instead of immutable user IDs, enabling attackers to register recycled usernames and bypass access controls. An unauthenticated attacker can exploit this flaw to impersonate legitimate users and send unauthorized commands to OpenClaw bots. No patch is currently available.

Authentication Bypass Openclaw
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
Prev Page 8 of 10 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy