111 CVEs tracked today. 9 Critical, 32 High, 60 Medium, 9 Low.
-
CVE-2026-30863
CRITICAL
CVSS 9.8
Authentication bypass in Parse Server allows unauthenticated access to protected API endpoints. Parse Server is a popular open-source backend framework for mobile and web applications.
Node.js
Parse Server
-
CVE-2026-30861
CRITICAL
CVSS 9.9
OS command injection in WeKnora from version 0.2.5 allows authenticated users to execute arbitrary system commands. CVSS 9.9 with scope change. PoC available.
RCE
Command Injection
AI / ML
Weknora
-
CVE-2026-30860
CRITICAL
CVSS 9.9
SQL injection in WeKnora LLM document understanding framework allows authenticated users to extract arbitrary database contents. CVSS 9.9 with scope change. PoC available.
PostgreSQL
RCE
SQLi
AI / ML
Weknora
-
CVE-2026-30832
CRITICAL
CVSS 9.1
SSRF in Soft Serve Git server versions 0.6.0 to 0.11.3 allows authenticated attackers to make requests to internal services. PoC and patch available.
Ssh
Soft Serve
-
CVE-2026-30824
CRITICAL
CVSS 9.8
Missing authentication on NVD data endpoint in Flowise before 3.0.13 allows unauthenticated access to internal vulnerability data. PoC available.
Authentication Bypass
AI / ML
Flowise
-
CVE-2026-30821
CRITICAL
CVSS 9.8
Unrestricted file upload in Flowise LLM workflow builder before 3.0.13 via /api/v1/attachments endpoint allows unauthenticated attackers to upload and execute malicious files. PoC available.
RCE
AI / ML
Flowise
-
CVE-2026-29191
CRITICAL
CVSS 9.3
Stored XSS in ZITADEL identity management platform versions 4.0.0 to 4.11.1 allows unauthenticated attackers to inject persistent scripts through the login flow. Patch available.
XSS
Zitadel
-
CVE-2026-25072
CRITICAL
CVSS 9.8
Predictable session identifier generation in XikeStor SKS8310-8X network switch allows session hijacking even if the command injection (CVE-2026-25070) is patched.
Authentication Bypass
Zikestor Sks8310 8x Firmware
-
CVE-2026-25070
CRITICAL
CVSS 9.8
OS command injection in XikeStor SKS8310-8X network switch firmware 1.04.B07 and prior via management interface. Unauthenticated RCE on network infrastructure.
RCE
Command Injection
Zikestor Sks8310 8x Firmware
-
CVE-2026-30855
HIGH
CVSS 8.8
Insufficient authorization checks in WeKnora's tenant management endpoints allow any authenticated user to read, modify, or delete arbitrary tenants, with public exploit code available. Since the application allows open registration, unauthenticated attackers can register an account and exploit this flaw to perform cross-tenant account takeover and data destruction. No patch is currently available for this high-severity vulnerability affecting WeKnora AI/ML framework versions prior to 0.3.2.
Authentication Bypass
AI / ML
Weknora
-
CVE-2026-30852
HIGH
CVSS 7.5
Caddy versions 2.7.5 through 2.11.1 contain a template injection vulnerability in the vars_regexp matcher that allows remote attackers to perform double variable expansion on user-controlled input, enabling disclosure of environment variables and file contents. By injecting placeholders like {env.DATABASE_URL} or {file./etc/passwd} into request headers, an unauthenticated attacker can leak sensitive system information. Public exploit code exists for this vulnerability, which is fixed in version 2.11.2.
Tls
Caddy
-
CVE-2026-30851
HIGH
CVSS 8.1
Caddy versions 2.10.0 through 2.11.1 fail to strip client-supplied headers in the forward_auth copy_headers directive, enabling authenticated attackers to inject identity headers and escalate privileges. This authentication bypass vulnerability affects deployments relying on Caddy for request forwarding and has public exploit code available. The vulnerability requires valid authentication credentials but allows complete privilege elevation within affected systems.
Tls
Privilege Escalation
Caddy
-
CVE-2026-30840
HIGH
CVSS 8.8
Server-side request forgery in Wallos versions before 4.6.2 allows authenticated attackers to conduct arbitrary network requests through the notification tester functionality. An attacker with user privileges can exploit this to access internal services, retrieve sensitive data, or interact with backend systems on behalf of the server. Public exploit code exists for this vulnerability, though a patch is available in version 4.6.2.
SSRF
Wallos
-
CVE-2026-30834
HIGH
CVSS 7.5
PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. [CVSS 7.5 HIGH]
SSRF
Pinchtab
Chrome
-
CVE-2026-30828
HIGH
CVSS 7.5
Path traversal in Wallos subscription tracker versions prior to 4.6.2 allows unauthenticated remote attackers to read arbitrary files from the hosting system via a malicious url parameter. Public exploit code exists for this vulnerability, which has a high severity CVSS score of 7.5. The vulnerability is patched in version 4.6.2 and later.
Path Traversal
Wallos
-
CVE-2026-30827
HIGH
CVSS 7.5
express-rate-limit versions 8.0.0 through 8.3.0 (excluding patched versions) collapse all IPv4 client traffic into a single rate-limit bucket due to incorrect IPv6 subnet masking of IPv4-mapped addresses, allowing any client to trigger denial of service for all other IPv4 users by exhausting the shared limit. Public exploit code exists for this vulnerability, affecting Node.js applications using the vulnerable middleware versions. Organizations should upgrade to versions 8.0.2, 8.1.1, 8.2.2, or 8.3.0 immediately.
Node.js
Express Rate Limit
-
CVE-2026-30823
HIGH
CVSS 8.8
Flowise versions up to 3.0.13 are affected by authorization bypass through a user-controlled key (CVSS 8.8).
Authentication Bypass
AI / ML
Flowise
-
CVE-2026-30822
HIGH
CVSS 7.7
Flowise versions up to 3.0.13 are affected by improperly controlled modification of dynamically-determined object attributes (CVSS 7.7).
Code Injection
AI / ML
Flowise
-
CVE-2026-30820
HIGH
CVSS 8.8
Privilege escalation in Flowise versions prior to 3.0.13 allows authenticated users to bypass API authorization by spoofing an internal request header, granting access to sensitive administrative functions including API key and credential management. Public exploit code exists for this vulnerability, and an attacker with valid tenant credentials can escalate to administrative privileges without additional authentication. No patch is currently available for affected deployments.
Authentication Bypass
AI / ML
Flowise
-
CVE-2026-29784
HIGH
CVSS 7.5
Cross-site request forgery (CSRF) in Ghost CMS versions 5.101.6 through 6.19.2 permits attackers to reuse one-time codes across different login sessions via the /session/verify endpoint, potentially enabling account takeover through phishing attacks. The vulnerability affects Ghost deployments on Node.js and related platforms, requiring no user authentication but relying on user interaction. A patch is available in Ghost version 6.19.3 and later.
Node.js
CSRF
Ghost
-
CVE-2026-29779
HIGH
CVSS 7.5
UptimeFlare's configuration management fails to segregate server-only sensitive data from client-side code, causing the workerConfig object containing confidential settings to be exposed in the JavaScript bundle delivered to all website visitors. This information disclosure allows attackers to view sensitive configuration details without authentication. The vulnerability affects UptimeFlare instances prior to commit 377a596 and has been patched.
Information Disclosure
Uptimeflare
-
CVE-2026-29778
HIGH
CVSS 7.1
Path traversal in pyLoad versions 0.5.0b3.dev13 through 0.5.0b3.dev96 allows authenticated attackers to manipulate package folder locations through insufficient sanitization of the pack_folder parameter, bypassing directory traversal protections with recursive sequences. An attacker can exploit this to write files outside intended directories, causing data integrity issues and potential denial of service. Public exploit code exists for this vulnerability and no patch is currently available.
Python
Pyload Ng
-
CVE-2026-29194
HIGH
CVSS 8.1
Netmaker versions prior to 1.5.0 fail to properly validate host JWT tokens during authorization, allowing any attacker with knowledge of target object identifiers to bypass access controls and read, modify, or delete resources across different hosts. The vulnerability affects critical operations including node management, host deletion, and failover configurations, requiring only a valid host token and network access to exploit. Update to version 1.5.0 or later to remediate.
Wireguard
Netmaker
-
CVE-2026-29193
HIGH
CVSS 8.2
ZITADEL is an open source identity management platform. [CVSS 8.2 HIGH]
Authentication Bypass
Zitadel
-
CVE-2026-29192
HIGH
CVSS 7.7
Account takeover in Zitadel versions 4.0.0 through 4.11.1 is possible through improper redirect URI validation in the login V2 interface, allowing attackers with high privileges to compromise user accounts. This cross-site scripting vulnerability affects organizations using the vulnerable Zitadel identity management platform and has been resolved in version 4.12.0.
XSS
Zitadel
-
CVE-2026-29186
HIGH
CVSS 7.7
Backstage Plugin-Techdocs-Node versions up to 1.14.3 contain a vulnerability that allows attackers to craft an mkdocs (CVSS 7.7).
Python
Backstage Plugin Techdocs Node
-
CVE-2026-29067
HIGH
CVSS 8.1
ZITADEL versions 4.0.0-rc.1 through 4.7.0 are vulnerable to open redirect attacks through improper validation of the Forwarded and X-Forwarded-Host headers used in password reset links. An attacker can craft a malicious request to redirect users to an attacker-controlled domain when they click password reset confirmation links, enabling credential harvesting or phishing attacks. The vulnerability affects all deployments using affected versions and has been patched in version 4.7.1.
Open Redirect
Zitadel
-
CVE-2026-28678
HIGH
CVSS 8.1
DSA Study Hub stores JWT authentication tokens in unencrypted HTTP cookies, allowing attackers to extract and replay user credentials to gain unauthorized access to accounts. An unauthenticated remote attacker can intercept these tokens through network traffic analysis or client-side inspection to impersonate legitimate users. A patch is available in commit d527fba and should be applied immediately.
Information Disclosure
Dsa Study Hub
-
CVE-2026-25071
HIGH
CVSS 7.5
Unauthenticated remote attackers can download sensitive configuration files from ZikeStor SKS8310-8X network switches (firmware 1.04.B07 and earlier) via an unprotected /switch_config.src endpoint, exposing VLAN settings and IP addressing details without requiring credentials. This HIGH severity vulnerability (CVSS 7.5) affects confidentiality of device configurations and currently has no available patch.
Authentication Bypass
Zikestor Sks8310 8x Firmware
-
CVE-2026-24308
HIGH
CVSS 7.5
Apache ZooKeeper 3.8.5 and 3.9.4 improperly log sensitive client configuration data at INFO level, allowing unauthenticated remote attackers to extract credentials and other confidential information from application logfiles. The vulnerability affects all platforms and requires no user interaction or special privileges to exploit. No patch is currently available, leaving vulnerable deployments exposed until upgrades to versions 3.8.6 or 3.9.5 are deployed.
Apache
Zookeeper
Redhat
-
CVE-2026-24281
HIGH
CVSS 7.4
Hostname verification bypass in Apache ZooKeeper's ZKTrustManager allows attackers with a valid certificate trusted by the server to impersonate ZooKeeper nodes by exploiting fallback to reverse DNS validation when IP SAN checks fail. An attacker controlling or spoofing PTR records can intercept and forge communications between ZooKeeper servers and clients, compromising confidentiality and integrity of the cluster. No patch is currently available; mitigation requires upgrading to ZooKeeper 3.8.6 or 3.9.5 or disabling reverse DNS lookup via configuration.
Apache
Dns
Zookeeper
Redhat
-
CVE-2026-3679
HIGH
CVSS 8.8
Remote code execution in Tenda FH451 firmware via stack-based buffer overflow in the QuickIndex function allows unauthenticated attackers to execute arbitrary code by sending crafted requests with oversized PPPOEPassword parameters. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires network access and affects firmware version 1.0.0.9 and potentially other versions.
Buffer Overflow
Stack Overflow
F451 Firmware
-
CVE-2026-3678
HIGH
CVSS 8.8
Remote code execution in Tenda FH451 firmware via stack-based buffer overflow in the WAN configuration endpoint allows unauthenticated attackers to achieve full system compromise through malicious wanmode or PPPOEPassword parameters. Public exploit code exists for this vulnerability, and no patch is currently available. Stack Overflow products are also reported as affected.
Buffer Overflow
Stack Overflow
Fh451 Firmware
-
CVE-2026-3677
HIGH
CVSS 8.8
Stack overflow in Tenda FH451 firmware's setcfm function allows authenticated remote attackers to achieve complete system compromise through malicious funcname or funcpara1 parameters. Public exploit code exists for this vulnerability, and no patch is currently available. The flaw affects firmware version 1.0.0.9 and enables remote code execution with high impact to confidentiality, integrity, and availability.
Buffer Overflow
Stack Overflow
Fh451 Firmware
-
CVE-2026-3352
HIGH
CVSS 7.2
Arbitrary PHP code execution in the Easy PHP Settings WordPress plugin through version 1.0.4 allows authenticated administrators to inject malicious code via inadequately sanitized memory limit configuration parameters that bypass quote filtering in wp-config.php. An attacker with administrator privileges can exploit insufficient input validation in the `update_wp_memory_constants()` method to break out of PHP string context and inject arbitrary code that runs on every page request. No patch is currently available for this high-severity vulnerability.
WordPress
PHP
Code Injection
-
CVE-2026-2219
HIGH
CVSS 7.5
dpkg-deb fails to properly validate zstd-compressed .deb archives during decompression, allowing unauthenticated remote attackers to trigger infinite loops that exhaust CPU resources on Debian systems. This denial of service condition affects the package management system without requiring user interaction or elevated privileges. No patch is currently available for this vulnerability.
Debian
Denial Of Service
Suse
-
CVE-2026-2020
HIGH
CVSS 7.5
PHP object injection in the JS Archive List WordPress plugin (versions up to 6.1.7) allows authenticated contributors and above to deserialize untrusted data through the shortcode 'included' parameter. While no direct exploitation path exists in the plugin itself, attackers could leverage gadget chains from other installed plugins or themes to achieve arbitrary file deletion, information disclosure, or remote code execution. A patch is not currently available.
WordPress
PHP
Deserialization
-
CVE-2026-1074
HIGH
CVSS 7.2
Unauthenticated attackers can inject malicious scripts into WordPress sites running the WP App Bar plugin (versions up to 1.5) through the 'app-bar-features' parameter due to missing input validation and authorization checks. When site administrators access the plugin's settings page, the stored payload executes in their browser, enabling credential theft or unauthorized actions. No patch is currently available for this vulnerability.
WordPress
XSS
-
CVE-2025-14675
HIGH
CVSS 7.2
The Meta Box plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'ajax_delete_file' function in all versions up to, and including, 5.11.1. [CVSS 7.2 HIGH]
WordPress
PHP
RCE
-
CVE-2025-14353
HIGH
CVSS 7.5
ZIP Code Based Content Protection (WordPress plugin) versions up to 1.0.2 are affected by SQL injection (CVSS 7.5).
WordPress
SQLi
PHP
-
CVE-2025-8899
HIGH
CVSS 8.8
The Paid Videochat Turnkey Site - HTML5 PPV Live Webcams plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 7.3.20. This is due to videowhisper_register_form() function not restricting user roles that can be set during registration. This makes it possible for authenticated attackers, with Author-level access and above, to create posts/pages with the registration form and administrator set as the role and subsequently use that form to register an a...
WordPress
Privilege Escalation
PHP
-
CVE-2026-30859
MEDIUM
CVSS 5.3
WeKnora versions prior to 0.2.12 suffer from inadequate tenant isolation in database queries, permitting any authenticated user to access sensitive data from other tenants including API keys, model configurations, and private messages. The vulnerability affects multi-tenant deployments where account-level access controls fail to prevent cross-tenant data exfiltration. No patch is currently available for affected versions.
Authentication Bypass
Information Disclosure
AI / ML
Weknora
-
CVE-2026-30858
MEDIUM
CVSS 6.5
DNS rebinding in WeKnora's web_fetch tool allows authenticated attackers to bypass URL validation and access internal resources and private IP addresses on the server through malicious domains that resolve differently during validation versus execution. Public exploit code exists for this vulnerability, and versions prior to 0.3.0 are affected with no patch currently available. An attacker could leverage this to access sensitive local services and exfiltrate data from the affected system.
Dns
AI / ML
Weknora
-
CVE-2026-30857
MEDIUM
CVSS 5.3
WeKnora versions up to 0.3.0 are affected by authorization bypass through a user-controlled key (CVSS 5.3).
Authentication Bypass
AI / ML
Weknora
-
CVE-2026-30856
MEDIUM
CVSS 5.9
Tool name collision in WeKnora's MCP client integration allows remote attackers with network access to register malicious tools that overwrite legitimate ones, enabling prompt injection attacks and potential data exfiltration. An attacker exploiting this vulnerability can redirect LLM execution to steal system prompts and context data, or execute arbitrary tools with the privileges of authenticated users. This affects WeKnora versions prior to 0.3.0.
Code Injection
AI / ML
-
CVE-2026-30854
MEDIUM
CVSS 5.3
Parse Server versions 9.3.1-alpha.3 through 9.5.0-alpha.9 allow unauthenticated attackers to bypass GraphQL introspection restrictions by nesting __type queries within inline fragments, enabling unauthorized schema reconnaissance. An attacker can exploit this to enumerate available types and fields in the GraphQL API despite the graphQLPublicIntrospection control being disabled. The vulnerability affects Parse Server deployments running on Node.js and has been patched in version 9.5.0-alpha.10.
Node.js
Parse Server
-
CVE-2026-30850
MEDIUM
CVSS 5.9
Parse Server versions prior to 8.6.9 and 9.5.0-alpha.9 fail to enforce file access control triggers on the metadata endpoint, allowing unauthenticated attackers to retrieve sensitive file metadata that should be restricted. This bypass occurs because beforeFind and afterFind triggers are not invoked when accessing file metadata, circumventing security gates intended to protect file information. Affected organizations using Parse Server without the patched versions face unauthorized disclosure of file metadata.
Node.js
Parse Server
-
CVE-2026-30842
MEDIUM
CVSS 4.3
Wallos prior to version 4.6.2 contains an authorization bypass allowing authenticated users to delete avatar files belonging to other users due to missing ownership verification on the avatar deletion endpoint. An attacker with valid credentials can enumerate or guess other users' avatar filenames to remove their files. Public exploit code exists for this vulnerability, and a patch is available in version 4.6.2 and later.
Authentication Bypass
Wallos
-
CVE-2026-30841
MEDIUM
CVSS 6.1
Reflected cross-site scripting (XSS) in Wallos password reset functionality before version 4.6.2 allows unauthenticated attackers to inject malicious scripts by manipulating token and email parameters that are output without sanitization. Public exploit code exists for this vulnerability, affecting self-hosted instances of Wallos. A patch is available in version 4.6.2 and later.
PHP
XSS
Wallos
-
CVE-2026-30839
MEDIUM
CVSS 4.3
Wallos versions prior to 4.6.2 contain a server-side request forgery (SSRF) vulnerability in the webhook notification testing function that fails to restrict requests to private IP ranges, allowing authenticated attackers to read internal server responses. Public exploit code exists for this vulnerability. The vulnerability affects Wallos and has been patched in version 4.6.2.
PHP
SSRF
Wallos
-
CVE-2026-30838
MEDIUM
CVSS 6.1
The DisallowedRawHtml extension in PHP Commonmark (league/commonmark) versions prior to 2.8.1 can be bypassed by injecting whitespace characters between HTML tag names and closing brackets, allowing malicious scripts to pass sanitization filters and execute in user browsers. Applications relying solely on this extension to sanitize untrusted markdown input are vulnerable to cross-site scripting attacks, though those using additional HTML sanitizers are unaffected. No patch is currently available for affected versions.
PHP
XSS
Commonmark
-
CVE-2026-30830
MEDIUM
CVSS 6.1
Defuddle versions prior to 0.9.0 fail to properly escape image attributes in HTML processing, allowing attackers to inject malicious event handlers through specially crafted alt text containing quote characters. Public exploit code exists for this cross-site scripting vulnerability. The vulnerability affects all users of Defuddle before version 0.9.0, and a patch is available.
XSS
Defuddle
-
CVE-2026-30829
MEDIUM
CVSS 5.3
Checkmate versions prior to 3.4.0 allow unauthenticated attackers to retrieve unpublished status pages and internal monitoring data through the GET /api/v1/status-page/:url endpoint due to missing authentication checks. Public exploit code exists for this information disclosure vulnerability, enabling remote attackers to access sensitive server hardware, uptime, and incident details without credentials. No patch is currently available for affected deployments.
Information Disclosure
Checkmate
-
CVE-2026-30247
MEDIUM
CVSS 5.9
WeKnora's document import feature is vulnerable to Server-Side Request Forgery through HTTP redirects, allowing unauthenticated remote attackers to bypass URL validation controls and access internal services despite backend protections against private IPs and metadata endpoints. The vulnerability affects WeKnora versions prior to 0.2.12 when deployed in Docker environments, where host.docker.internal addresses are not blocked. Public exploit code exists and no patch is currently available.
Docker
SSRF
AI / ML
Weknora
-
CVE-2026-29787
MEDIUM
CVSS 5.3
The /api/health/detailed endpoint in mcp-memory-service prior to version 10.21.0 discloses sensitive system information including OS details, Python version, CPU configuration, memory metrics, and database paths to unauthenticated network users when anonymous access is enabled. Public exploit code exists for this information disclosure vulnerability, which affects deployments using the default 0.0.0.0 network binding. A patch is available in version 10.21.0 to restrict endpoint access and redact sensitive data.
Python
AI / ML
Mcp Memory Service
-
CVE-2026-29786
MEDIUM
CVSS 6.3
Path traversal in node-tar versions prior to 7.5.10 allows local attackers to write files outside the intended extraction directory by exploiting drive-relative link targets during archive extraction. An attacker with the ability to create or modify tar archives can overwrite arbitrary files on the system with elevated privileges. Public exploit code exists for this vulnerability affecting Node.js, D-Link, and Tar products.
D-Link
Node.js
Tar
-
CVE-2026-29781
MEDIUM
CVSS 6.5
Sliver C2 server versions 1.7.3 and earlier can be remotely crashed by authenticated attackers who craft malformed Protobuf messages that exploit missing nil-pointer validation in the unmarshalling logic. Public exploit code exists for this vulnerability, which causes a denial of service affecting all active implant sessions across the entire infrastructure, as the mTLS, WireGuard, and DNS transports lack panic recovery mechanisms. An attacker with captured implant credentials can instantly terminate the server process, requiring manual intervention to restore operations.
Dns
Wireguard
Sliver
-
CVE-2026-29780
MEDIUM
CVSS 5.5
Unsanitized attachment filenames in eml_parser prior to version 2.0.1 enable path traversal attacks, allowing attackers to write files outside the intended output directory when the example extraction script processes malicious emails. Organizations using the vulnerable example code or similar attachment handling logic are at risk of unauthorized file writes that could overwrite critical files or introduce malicious content. Public exploit code exists for this vulnerability, and a patch is available in version 2.0.1 and later.
Python
Path Traversal
Eml Parser
-
CVE-2026-29771
MEDIUM
CVSS 6.5
Repeated denial of service attacks against Netmaker versions prior to 1.2.0 are possible when authenticated users invoke the /api/server/shutdown endpoint to forcibly terminate the server process. An attacker with valid credentials can cyclically crash the Netmaker service, causing intermittent unavailability with approximately 3-second restart intervals. No patch is currently available for affected deployments.
Wireguard
Denial Of Service
Netmaker
-
CVE-2026-29196
MEDIUM
CVSS 4.3
Netmaker versions prior to 1.5.0 expose WireGuard private keys through unauthenticated API endpoints when accessed by users with the platform-user role, allowing credential theft across all network configurations despite UI-level access restrictions. An authenticated attacker can retrieve sensitive cryptographic material by directly calling GET /api/extclients/{network} or GET /api/nodes/{network} endpoints that lack proper output filtering. This vulnerability affects Netmaker and its integrated WireGuard deployments, with no patch currently available for affected versions.
Wireguard
Netmaker
-
CVE-2026-29195
MEDIUM
CVSS 6.5
Netmaker versions prior to 1.5.0 fail to properly validate role assignments in the user update API endpoint, allowing authenticated admin users to escalate their privileges to super-admin. An attacker with admin credentials can exploit this authorization bypass to gain unrestricted access to the platform. No patch is currently available for affected installations.
Wireguard
Netmaker
-
CVE-2026-29190
MEDIUM
CVSS 4.1
Karapace versions before 6.0.0 contain a path traversal vulnerability in the backup restoration functionality that allows attackers to read arbitrary files from the system by crafting malicious backup files. Organizations using Karapace's backup/restore feature with untrusted backup sources are at risk, with the actual impact limited by the file permissions of the Karapace process. No patch is currently available, requiring users to restrict backup sources or disable the backup functionality until version 6.0.0 is released.
Path Traversal
Karapace
-
CVE-2026-29076
MEDIUM
CVSS 5.9
Remote denial of service in cpp-httplib prior to version 0.37.0 allows unauthenticated attackers to crash server processes by submitting HTTP POST requests with maliciously crafted RFC 5987 filename* parameters that trigger catastrophic backtracking in the regex parser. The vulnerability exploits the recursive stack-based implementation of libstdc++'s regex engine, causing uncontrolled stack growth and stack overflow. Public exploit code exists for this vulnerability.
Stack Overflow
Denial Of Service
Cpp Httplib
-
CVE-2026-27797
MEDIUM
CVSS 5.3
Unauthenticated Server-Side Request Forgery in Homarr versions before 1.54.0 enables remote attackers to initiate arbitrary outbound HTTP requests from the server, potentially accessing internal network resources and private IP ranges. Public exploit code exists for this vulnerability. The issue is resolved in version 1.54.0 and later.
SSRF
Homarr
-
CVE-2026-27796
MEDIUM
CVSS 5.3
Unauthenticated attackers can query the integration.all endpoint in Homarr prior to version 1.54.0 to enumerate all configured integrations and expose sensitive metadata including internal service URLs and integration details. Public exploit code exists for this information disclosure vulnerability. The vulnerability is patched in version 1.54.0 and later.
Information Disclosure
Homarr
-
CVE-2026-25073
MEDIUM
CVSS 5.4
Stored cross-site scripting in Zikestor SKS8310-8X firmware versions 1.04.B07 and earlier allows authenticated users to inject malicious scripts via the System Name field, which execute when other administrators view the configuration. The lack of proper output encoding enables attackers with login credentials to compromise the security of administrative sessions viewing the affected switch settings.
XSS
Zikestor Sks8310 8x Firmware
-
CVE-2026-3681
MEDIUM
CVSS 6.3
Server-side request forgery in welovemedia FFmate through version 2.0.15 allows authenticated remote attackers to manipulate the fireWebhook function and force the server to make arbitrary HTTP requests. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite early notification.
SSRF
-
CVE-2026-3680
MEDIUM
CVSS 6.3
Command injection in RyuzakiShinji biome-mcp-server versions up to 1.0.0 allows authenticated remote attackers to execute arbitrary commands through manipulation of the biome-mcp-server.ts file. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires valid credentials but can be triggered remotely without user interaction.
Command Injection
-
CVE-2026-3675
MEDIUM
CVSS 5.3
Improper authorization in the FakeAppReceiver component of Freedom Factory dGEN1 (up to version 20260221) allows local attackers with user privileges to manipulate application permissions. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite early notification. The attack requires local access but can result in unauthorized data access, modification, or service disruption.
Information Disclosure
-
CVE-2026-3674
MEDIUM
CVSS 5.3
Improper authorization in the FakeAppProvider component of Freedom Factory dGEN1 (versions up to 20260221) allows local authenticated users to bypass access controls and modify system data. Public exploit code exists for this vulnerability, though no patch is currently available from the vendor.
Information Disclosure
-
CVE-2026-3672
MEDIUM
CVSS 6.3
SQL injection in JeecgBoot up to version 3.9.1 allows authenticated remote attackers to execute arbitrary SQL queries via the getDictItems API endpoint due to insufficient validation in the isExistSqlInjectKeyword function. An attacker with valid credentials can exploit this vulnerability to read, modify, or delete database contents. No patch is currently available, and public exploit code has been disclosed.
SQLi
-
CVE-2026-3670
MEDIUM
CVSS 5.3
Improper authorization in Freedom Factory dGEN1's com.dgen.alarm component (up to version 20260221) allows local authenticated users to bypass access controls and modify system settings. Public exploit code exists for this vulnerability, and the vendor has not provided a patch or responded to disclosure attempts. The attack requires local access and valid credentials but poses a moderate risk to system integrity and confidentiality.
Information Disclosure
-
CVE-2026-3669
MEDIUM
CVSS 5.3
Improper authorization in the AlarmService component of Freedom Factory dGEN1 (up to version 20260221) allows local users with limited privileges to gain unauthorized access to alarm functionality. The vulnerability requires local access and has been publicly disclosed with exploit code available, though the vendor has not provided a patch or responded to initial contact.
Information Disclosure
-
CVE-2026-3667
MEDIUM
CVSS 5.3
Improper authorization in the FakeAppService function of Freedom Factory dGEN1 (up to version 20260221) allows local users with standard privileges to gain unauthorized access to protected resources. Public exploit code is available for this vulnerability, though no patch has been released by the vendor despite early notification.
Information Disclosure
-
CVE-2026-3662
MEDIUM
CVSS 4.7
Command injection in Wavlink WL-NU516U1 firmware allows remote attackers with high privileges to execute arbitrary commands through the Pr_mode parameter in /cgi-bin/adm.cgi. Public exploit code exists for this vulnerability, and no patch is currently available. The impact is confined to the confidentiality, integrity, and availability of the affected device.
Command Injection
Wl Nu516u1 Firmware
-
CVE-2026-3661
MEDIUM
CVSS 4.7
Command injection in Wavlink WL-NU516U1 firmware allows remote attackers with high privileges to execute arbitrary commands through the model parameter in the OTA upgrade function. Public exploit code exists for this vulnerability, and no patch is currently available. The impact is confined to the confidentiality, integrity, and availability of the affected device.
Command Injection
Wl Nu516u1 Firmware
-
CVE-2026-2722
MEDIUM
CVSS 4.8
Stored XSS in WordPress Stock Ticker plugin through version 3.26.1 allows authenticated administrators to inject malicious scripts into admin settings that execute for other users viewing affected pages. The vulnerability requires administrator privileges and only impacts multi-site WordPress installations or those with unfiltered_html disabled. No patch is currently available.
WordPress
XSS
-
CVE-2026-2721
MEDIUM
CVSS 4.8
Stored XSS in MailArchiver plugin for WordPress versions up to 4.4.0 allows authenticated administrators to inject malicious scripts through insufficiently sanitized admin settings, affecting multi-site installations and those with disabled unfiltered_html. Attackers with admin privileges can execute arbitrary JavaScript that persists and triggers when other users access affected pages. No patch is currently available.
WordPress
XSS
-
CVE-2026-2494
MEDIUM
CVSS 4.3
The ProfileGrid WordPress plugin through version 5.9.8.2 lacks nonce validation on membership request management functions, allowing unauthenticated attackers to forge requests that approve or deny group membership through social engineering of site administrators. An attacker can exploit this CSRF vulnerability to manipulate group membership status by tricking an admin into clicking a malicious link. No patch is currently available for this medium-severity vulnerability.
WordPress
CSRF
-
CVE-2026-2488
MEDIUM
CVSS 4.3
Unauthorized message deletion in ProfileGrid WordPress plugin versions up to 5.9.8.1 allows authenticated subscribers and above to delete arbitrary messages from any user due to missing capability checks in the pg_delete_msg() function. An attacker can exploit this by sending a crafted request with a valid message ID to remove messages without proper authorization. No patch is currently available for this vulnerability.
WordPress
-
CVE-2026-2433
MEDIUM
CVSS 6.1
DOM-based XSS in the RSS Aggregator plugin for WordPress (versions up to 5.0.11) allows unauthenticated attackers to execute arbitrary JavaScript in an administrator's browser session by exploiting missing origin validation in postMessage handlers. An attacker can craft a malicious website that tricks an admin into visiting it and sends crafted payloads to the plugin's unsafe URL handling in admin-shell.js. Exploitation requires no authentication and affects every WordPress installation running the vulnerable plugin versions.
WordPress
XSS
-
CVE-2026-2431
MEDIUM
CVSS 6.1
Reflected XSS in CM Custom Reports plugin for WordPress (versions up to 1.2.7) allows unauthenticated attackers to inject malicious scripts through inadequately sanitized 'date_from' and 'date_to' parameters. An attacker can exploit this by tricking users into clicking malicious links, causing arbitrary scripts to execute in their browsers with access to sensitive data or session information. No patch is currently available.
WordPress
XSS
-
CVE-2026-2429
MEDIUM
CVSS 4.9
SQL injection in WordPress Community Events plugin up to version 1.5.8 allows authenticated administrators to extract sensitive database information through malicious CSV file uploads exploiting inadequately sanitized venue name fields. The vulnerability requires high-level privileges and manual interaction but poses a significant confidentiality risk to WordPress installations using this plugin. No patch is currently available.
WordPress
SQLi
-
CVE-2026-2420
MEDIUM
CVSS 4.4
Stored XSS in LotekMedia Popup Form plugin for WordPress through version 1.0.6 allows administrators to inject malicious scripts into popup settings due to improper input sanitization. When site visitors view pages containing the affected popup, the injected scripts execute in their browsers, potentially compromising user sessions or stealing sensitive data. A patch is not currently available.
WordPress
XSS
-
CVE-2026-2371
MEDIUM
CVSS 5.3
Unauthenticated attackers can retrieve rendered HTML content from private, draft, and password-protected reusable blocks in the Greenshift plugin for WordPress (versions up to 12.8.3) due to missing authorization checks in an AJAX handler combined with exposed nonce values. The vulnerability allows an attacker to specify arbitrary post IDs and bypass post status validation to access sensitive block content. No patch is currently available for this medium-severity information disclosure vulnerability.
WordPress
-
CVE-2026-1981
MEDIUM
CVSS 4.3
The HUMN-1 AI Website Scanner & Human Certification plugin for WordPress through version 0.0.3 fails to validate user permissions on the winston_disconnect AJAX function, allowing authenticated Subscriber-level users to disconnect the plugin's API credentials. This capability check bypass enables authenticated attackers to disrupt the plugin's functionality by resetting its API connection settings without proper authorization.
WordPress
AI / ML
-
CVE-2026-1902
MEDIUM
CVSS 6.4
Stored XSS in the Hammas Calendar WordPress plugin through version 1.5.11 allows authenticated contributors and above to inject malicious scripts via the 'apix' parameter in the 'hp-calendar-manage-redirect' shortcode due to inadequate input sanitization. When users access pages containing the injected payload, the scripts execute in their browsers, potentially leading to session hijacking, credential theft, or malware distribution. No patch is currently available.
WordPress
XSS
-
CVE-2026-1825
MEDIUM
CVSS 6.4
Stored XSS in the Show YouTube video WordPress plugin through improper sanitization of the 'syv' shortcode attributes allows authenticated users with contributor-level permissions to inject malicious scripts into pages. When other users view affected pages, the injected scripts execute in their browsers, potentially compromising sessions or stealing sensitive data. No patch is currently available for versions up to 1.1.
WordPress
XSS
-
CVE-2026-1824
MEDIUM
CVSS 6.4
Infomaniak Connect for OpenID (WordPress plugin) is affected by cross-site scripting (XSS) (CVSS 6.4).
WordPress
XSS
-
CVE-2026-1823
MEDIUM
CVSS 6.4
Stored XSS in the WordPress Consensus Embed plugin through version 1.6 allows authenticated contributors and above to inject malicious scripts into pages via insufficiently sanitized shortcode attributes. When users visit affected pages, the injected scripts execute in their browsers, potentially compromising session data or performing unauthorized actions. No patch is currently available for this vulnerability.
WordPress
XSS
-
CVE-2026-1820
MEDIUM
CVSS 6.4
Media Library Alt Text Editor (WordPress plugin) is affected by cross-site scripting (XSS) (CVSS 6.4).
WordPress
XSS
-
CVE-2026-1805
MEDIUM
CVSS 6.4
The DA Media GigList WordPress plugin up to version 1.9.0 contains stored cross-site scripting (XSS) in its shortcode functionality due to improper input validation, allowing authenticated contributors and above to inject malicious scripts that execute for all users viewing affected pages. This vulnerability requires valid WordPress account credentials but no user interaction to exploit, enabling persistent code injection across the site.
WordPress
XSS
-
CVE-2026-1650
MEDIUM
CVSS 5.3
Unauthenticated attackers can modify arbitrary custom event fields in the MDJM Event Management plugin for WordPress through version 1.7.8.1 due to insufficient capability checks in the custom fields controller. This allows remote deletion of custom event data without requiring valid credentials or user interaction. No patch is currently available for this medium-severity vulnerability.
WordPress
-
CVE-2026-1644
MEDIUM
CVSS 4.3
The WP Frontend Profile WordPress plugin through version 1.3.8 lacks CSRF protections on the update_action function, enabling unauthenticated attackers to manipulate user registration approvals or rejections by deceiving administrators into clicking malicious links. This allows attackers to perform unauthorized account management actions without authentication, potentially disrupting legitimate user onboarding processes. No patch is currently available for this vulnerability.
WordPress
CSRF
-
CVE-2026-1574
MEDIUM
CVSS 6.4
The MyQtip WordPress plugin through version 2.0.5 contains a stored cross-site scripting vulnerability in its shortcode handler that fails to properly sanitize user-supplied attributes. Authenticated users with contributor-level permissions or higher can inject malicious scripts that execute in the browsers of visitors viewing affected pages. No patch is currently available for this vulnerability.
WordPress
XSS
-
CVE-2026-1569
MEDIUM
CVSS 6.4
Stored cross-site scripting in the WordPress Wueen plugin through version 0.2.0 allows authenticated users with contributor-level permissions to inject malicious scripts via the wueen-blocket shortcode due to inadequate input validation. Injected scripts execute in the browsers of any user viewing affected pages, potentially enabling session hijacking, credential theft, or defacement. No patch is currently available.
WordPress
XSS
-
CVE-2026-1087
MEDIUM
CVSS 4.3
The Guardian News Feed WordPress plugin through version 1.2 lacks CSRF protections on its settings update function, allowing unauthenticated attackers to modify plugin configuration including API credentials through social engineering. Site administrators can be tricked into clicking a malicious link that silently changes settings with their authenticated session. No patch is currently available.
WordPress
CSRF
-
CVE-2026-1086
MEDIUM
CVSS 4.3
Font Pairing Preview For Landing Pages (WordPress plugin) is affected by cross-site request forgery (CSRF) (CVSS 4.3).
WordPress
CSRF
-
CVE-2026-1085
MEDIUM
CVSS 4.3
WordPress True Ranker plugin versions up to 2.2.9 lack proper CSRF protections on the account disconnection function, enabling unauthenticated attackers to disconnect an administrator's True Ranker account by tricking them into clicking a malicious link. An attacker exploiting this vulnerability could disrupt SEO monitoring capabilities for affected sites without requiring authentication or special privileges.
WordPress
CSRF
-
CVE-2026-1073
MEDIUM
CVSS 4.3
Purchase Button For Affiliate Link (WordPress plugin) is affected by cross-site request forgery (CSRF) (CVSS 4.3).
WordPress
PHP
CSRF
-
CVE-2026-1071
MEDIUM
CVSS 4.4
Stored XSS in the Carta Online WordPress plugin through version 2.13.0 allows authenticated administrators to inject malicious scripts into admin settings that execute for other users accessing affected pages. The vulnerability requires administrator privileges and only impacts WordPress multisite installations or those with unfiltered_html disabled. No patch is currently available.
WordPress
XSS
-
CVE-2026-30848
LOW
CVSS 3.7
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. [CVSS 3.7 LOW]
Node.js
Path Traversal
-
CVE-2026-30825
NONE
hoppscotch is an open source API development ecosystem. Prior to version 2026.2.1, the DELETE /v1/access-tokens/revoke endpoint allows any authenticated user to delete any other user's PAT by providing its ID, with no ownership verification.
Authentication Bypass
-
CVE-2026-29185
LOW
CVSS 2.7
Backstage is an open framework for building developer portals. Prior to version 1.20.1, a vulnerability in the SCM URL parsing used by Backstage integrations allowed path traversal sequences in encoded form to be included in file paths. When these URLs were processed by integration functions that construct API URLs, the traversal segments could redirect requests to unintended SCM provider API e...
Path Traversal
-
CVE-2026-29184
LOW
CVSS 2.0
Backstage is an open framework for building developer portals. Versions up to 3.1.4 are affected by insertion of sensitive information into a log file (CVSS 2.0).
Information Disclosure
-
CVE-2026-3671
LOW
CVSS 3.3
A flaw has been found in Freedom Factory dGEN1 versions up to 20260221. The affected versions contain an improper authorization vulnerability (CVSS 3.3).
Information Disclosure
-
CVE-2026-3668
LOW
CVSS 3.1
A weakness has been identified in Freedom Factory dGEN1 versions up to 20260221. The affected versions contain a security vulnerability (CVSS 3.1).
Android
-
CVE-2026-3665
LOW
CVSS 3.3
A vulnerability was identified in xlnt-community xlnt up to 1.6.1. The affected element is the function xlnt::detail::xlsx_consumer::read_office_document of the file source/detail/serialization/xlsx_consumer.cpp of the component XLSX File Parser. [CVSS 3.3 LOW]
Null Pointer Dereference
-
CVE-2026-3664
LOW
CVSS 3.3
A vulnerability was determined in xlnt-community xlnt up to 1.6.1. Impacted is the function xlnt::detail::compound_document::read_directory of the file source/detail/cryptography/compound_document.cpp of the component Encrypted XLSX File Parser. [CVSS 3.3 LOW]
Buffer Overflow
-
CVE-2026-3663
LOW
CVSS 3.3
A vulnerability was found in xlnt-community xlnt up to 1.6.1. This issue affects the function xlnt::detail::compound_document_istreambuf::xsgetn of the file source/detail/cryptography/compound_document.cpp of the component XLSX File Parser. [CVSS 3.3 LOW]
Buffer Overflow
-
CVE-2026-2671
LOW
CVSS 3.1
A vulnerability was detected in Mendi Neurofeedback Headset V4. Affected by this vulnerability is an unknown functionality of the component Bluetooth Low Energy Handler. [CVSS 3.1 LOW]
Information Disclosure