Unauthenticated backup download and RCE in Nginx UI before 2.3.3. EPSS 1.0%. PoC available.
Plaintext daemon credentials in IDC SFX2100 routing config files (zebra, bgpd, ospfd, ripd). CVSS 10.0. PoC available.
Path traversal in D-Link DIR-513 verification code processing. PoC available.
Stack buffer overflow in D-Link DIR-513 v1.10 via the curTime parameter to goform/formSetEnableWizard. Part of a family of 15+ critical buffer overflows in this router.
Stack buffer overflow in D-Link DIR-513 v1.10 via the curTime parameter to goform/formSetMACFilter. Part of a family of 15+ critical buffer overflows in this router.
Stack buffer overflow in D-Link DIR-513 v1.10 via the curTime parameter to goform/formSetDDNS. Part of a family of 15+ critical buffer overflows in this router.
Stack buffer overflow in D-Link DIR-513 v1.10 via the curTime parameter to goform/formSchedule. Part of a family of 15+ critical buffer overflows in this router.
Auth bypass in OpenClaw voice-call extension before 2026.2.1. EPSS 0.68%. PoC and patch available.
Buffer overflow in Zephyr RTOS dns_unpack_name() function causing OOB writes. PoC available.
Supply chain attack via LFS object overwrite across repos in Gogs before 0.14.2. PoC and patch available.
Unauthorized file operations in File Browser before fix. PoC and patch available.
Remote code execution in SeppMail secure email gateway versions 15.0.2.1 and earlier allows unauthenticated attackers to write arbitrary files via path traversal in the Large File Transfer (LFT) feature of the User Web Interface, leading to full system compromise. The flaw carries a maximum CVSS 4.0 score of 10.0 reflecting network-reachable, no-privilege exploitation with scope-changing impact, and was disclosed by InfoGuard Labs alongside CVE-2026-7864, CVE-2026-44127, and CVE-2026-44128. No public exploit identified at time of analysis and EPSS sits at 0.52% (67th percentile), so widespread automated abuse has not yet materialized despite the critical severity.
Remote code execution in NLTK (Natural Language Toolkit) versions ≤3.9.2 allows unauthenticated attackers to execute arbitrary Java bytecode through the StanfordSegmenter module's unvalidated loading of external JAR files. The vulnerability is exploitable via model poisoning, MITM attacks during JAR downloads, or dependency poisoning, with execution occurring automatically at import time. Despite a critical CVSS 10.0 score, EPSS probability of 0.48% (65th percentile) suggests low observed exploitation activity. No CISA KEV listing indicates no confirmed widespread active exploitation, though the vulnerability is publicly documented on huntr.com with technical details available.
Trivy Vulnerability Scanner is a VS Code extension that helps find vulnerabilities.
Gateway authorization bypass in OpenClaw before 2026.2.14. Unsanitized approval fields in node.invoke. Patch available.
Builderall Builderall Builder for WordPress builderall-cheetah-for-wp is affected by code injection (CVSS 9.9).
Unrestricted file upload in Charety (charety) WordPress theme allows uploading web shells for remote code execution.
Unrestricted file upload in Nutrie (nutrie) WordPress theme allows uploading web shells for remote code execution.
Unrestricted file upload in Keenarch (keenarch) WordPress theme allows uploading web shells for remote code execution.
Unrestricted file upload in Lendiz (lendiz) WordPress theme allows uploading web shells for remote code execution.
RCE in Microsoft Devices Pricing Program.
Unauthenticated RCE via file upload in industrial/enterprise application.
The ThemeREX Healer WordPress theme through version 1.0.0 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files on the server through improper handling of file include statements. An attacker can exploit this to access sensitive configuration files, database credentials, and other protected data without authentication. No patch is currently available and exploitation requires no user interaction.
PHP Object Injection in Database for CF7/WPforms/Elementor forms WordPress plugin.
Windows cmd.exe metacharacter injection in OpenClaw before 2026.2.2. Bypass exec whitelist. Patch available.
Insecure embedded zlib in Compress::Raw::Zlib through 2.219 for Perl.
Insecure session ID generation in Plack::Middleware::Session::Simple before 0.05 for Perl. Patch available.
Auth bypass in WeDesignTech Ultimate Booking Addon for WordPress.
Deserialization of untrusted data in Good Energy (goodenergy) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Deserialization of untrusted data in Pizza House (pizzahouse) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Privilege escalation in LMS Elementor Pro WordPress plugin.
Deserialization of untrusted data in Dentario (dentario) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Deserialization of untrusted data in Kingler (kingler) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Deserialization of untrusted data in Tennis Club (tennis-sportclub) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Deserialization of untrusted data in Sweet Date (sweetdate) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Deserialization of untrusted data in Mounthood (mounthood) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Deserialization of untrusted data in Jardi (jardi) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Deserialization of untrusted data in Estate (estate) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Deserialization of untrusted data in Equestrian Centre (equestrian-centre) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Deserialization of untrusted data in Solaris (solaris) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Deserialization of untrusted data in Pets Club (petclub) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Deserialization of untrusted data in Handyman (handyman-services) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
ThemeGoods Grand Wedding through version 3.1.0 is vulnerable to remote object injection via unsafe deserialization of untrusted data, enabling attackers to execute arbitrary code without authentication. The vulnerability requires specific conditions to be met but carries high severity with complete compromise of confidentiality, integrity, and availability. No patch is currently available for affected installations.
Deserialization of untrusted data in Classter (classter) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
Insecure embedded library in UnQLite 0.06 Perl module.
Privilege escalation in D-Link DIR-1253 MESH V1.6.1684 via etc/shadow.sample.
ESC/POS printer control language lacks authentication/authorization. Any device on the network can send print commands.
SQL injection in OpenReplay session replay before 1.20.0.
Static TLS fingerprint in Rakuten Viber Cloak mode enables tracking despite privacy mode.
Auth bypass in device authentication module.