Skip to main content
CVE-2026-29784 HIGH PATCH This Week

Cross-site request forgery (CSRF) in Ghost CMS versions 5.101.6 through 6.19.2 permits attackers to reuse one-time codes across different login sessions via the /session/verify endpoint, potentially enabling account takeover through phishing attacks. The vulnerability affects Ghost deployments on Node.js and related platforms, requiring no user authentication but relying on user interaction. A patch is available in Ghost version 6.19.3 and later.

Node.js CSRF Ghost
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-24308 HIGH PATCH This Week

Apache ZooKeeper 3.8.5 and 3.9.4 improperly log sensitive client configuration data at INFO level, allowing unauthenticated remote attackers to extract credentials and other confidential information from application logfiles. The vulnerability affects all platforms and requires no user interaction or special privileges to exploit. No patch is currently available, leaving vulnerable deployments exposed until upgrades to versions 3.8.6 or 3.9.5 are deployed.

Apache Zookeeper Information Disclosure
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-2219 HIGH PATCH This Week

dpkg-deb fails to properly validate zstd-compressed .deb archives during decompression, allowing unauthenticated remote attackers to trigger infinite loops that exhaust CPU resources on Debian systems. This denial of service condition affects the package management system without requiring user interaction or elevated privileges. No patch is currently available for this vulnerability.

Debian Denial Of Service
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-14675 HIGH PATCH This Week

The Meta Box plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'ajax_delete_file' function in all versions up to, and including, 5.11.1. [CVSS 7.2 HIGH]

WordPress PHP RCE Path Traversal
NVD GitHub
CVSS 3.1
7.2
EPSS
0.7%
CVE-2026-1074 HIGH This Week

Unauthenticated attackers can inject malicious scripts into WordPress sites running the WP App Bar plugin (versions up to 1.5) through the 'app-bar-features' parameter due to missing input validation and authorization checks. When site administrators access the plugin's settings page, the stored payload executes in their browser, enabling credential theft or unauthorized actions. No patch is currently available for this vulnerability.

WordPress XSS
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-3352 HIGH This Week

Arbitrary PHP code execution in the Easy PHP Settings WordPress plugin through versions 1.0.4 allows authenticated administrators to inject malicious code via inadequately sanitized memory limit configuration parameters that bypass quote filtering in wp-config.php. An attacker with administrator privileges can exploit insufficient input validation in the `update_wp_memory_constants()` method to break out of PHP string context and execute arbitrary commands that execute on every page request. No patch is currently available for this high-severity vulnerability.

WordPress PHP Code Injection RCE
NVD
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-29195 MEDIUM PATCH This Month

Netmaker versions prior to 1.5.0 fail to properly validate role assignments in the user update API endpoint, allowing authenticated admin users to escalate their privileges to super-admin. An attacker with admin credentials can exploit this authorization bypass to gain unrestricted access to the platform. No patch is currently available for affected installations.

Wireguard Netmaker Suse
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-1823 MEDIUM This Month

Stored XSS in the WordPress Consensus Embed plugin through version 1.6 allows authenticated contributors and above to inject malicious scripts into pages via insufficiently sanitized shortcode attributes. When users visit affected pages, the injected scripts execute in their browsers, potentially compromising session data or performing unauthorized actions. No patch is currently available for this vulnerability.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1805 MEDIUM This Month

The DA Media GigList WordPress plugin up to version 1.9.0 contains stored cross-site scripting (XSS) in its shortcode functionality due to improper input validation, allowing authenticated contributors and above to inject malicious scripts that execute for all users viewing affected pages. This vulnerability requires valid WordPress account credentials but no user interaction to exploit, enabling persistent code injection across the site.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1902 MEDIUM This Month

Stored XSS in the Hammas Calendar WordPress plugin through version 1.5.11 allows authenticated contributors and above to inject malicious scripts via the 'apix' parameter in the 'hp-calendar-manage-redirect' shortcode due to inadequate input sanitization. When users access pages containing the injected payload, the scripts execute in their browsers, potentially leading to session hijacking, credential theft, or malware distribution. No patch is currently available.

WordPress XSS HP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1825 MEDIUM This Month

Stored XSS in the Show YouTube video WordPress plugin through improper sanitization of the 'syv' shortcode attributes allows authenticated users with contributor-level permissions to inject malicious scripts into pages. When other users view affected pages, the injected scripts execute in their browsers, potentially compromising sessions or stealing sensitive data. No patch is currently available for versions up to 1.1.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1824 MEDIUM This Month

Infomaniak Connect for OpenID (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1820 MEDIUM This Month

Media Library Alt Text Editor (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1574 MEDIUM This Month

The MyQtip WordPress plugin through version 2.0.5 contains a stored cross-site scripting vulnerability in its shortcode handler that fails to properly sanitize user-supplied attributes. Authenticated users with contributor-level permissions or higher can inject malicious scripts that execute in the browsers of visitors viewing affected pages. No patch is currently available for this vulnerability.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1569 MEDIUM This Month

Stored cross-site scripting in the WordPress Wueen plugin through version 0.2.0 allows authenticated users with contributor-level permissions to inject malicious scripts via the wueen-blocket shortcode due to inadequate input validation. Injected scripts execute in the browsers of any user viewing affected pages, potentially enabling session hijacking, credential theft, or defacement. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-2431 MEDIUM This Month

Reflected XSS in CM Custom Reports plugin for WordPress (versions up to 1.2.7) allows unauthenticated attackers to inject malicious scripts through inadequately sanitized 'date_from' and 'date_to' parameters. An attacker can exploit this by tricking users into clicking malicious links, causing arbitrary scripts to execute in their browsers with access to sensitive data or session information. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-29781 LOW POC Monitor

Sliver C2 server versions 1.7.3 and earlier can be remotely crashed by authenticated attackers who craft malformed Protobuf messages that exploit missing nil-pointer validation in the unmarshalling logic. Public exploit code exists for this vulnerability, which causes a denial of service affecting all active implant sessions across the entire infrastructure, as the mTLS, WireGuard, and DNS transports lack panic recovery mechanisms. An attacker with captured implant credentials can instantly terminate the server process, requiring manual intervention to restore operations.

Null Pointer Dereference Denial Of Service Sliver
NVD GitHub
CVSS 4.0
2.1
EPSS
0.1%
CVE-2026-2433 MEDIUM This Month

DOM-based XSS in the RSS Aggregator plugin for WordPress (versions up to 5.0.11) allows unauthenticated attackers to execute arbitrary JavaScript in an administrator's browser session by exploiting missing origin validation in postMessage handlers. An attacker can craft a malicious website that tricks an admin into visiting it, sending crafted payloads that bypass the plugin's unsafe URL handling in admin-shell.js. This affects all WordPress installations running the vulnerable plugin versions without authentication requirements.

WordPress XSS
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-30838 MEDIUM PATCH This Month

The DisallowedRawHtml extension in PHP Commonmark (league/commonmark) versions prior to 2.8.1 can be bypassed by injecting whitespace characters between HTML tag names and closing brackets, allowing malicious scripts to pass sanitization filters and execute in user browsers. Applications relying solely on this extension to sanitize untrusted markdown input are vulnerable to cross-site scripting attacks, though those using additional HTML sanitizers are unaffected. No patch is currently available for affected versions.

PHP XSS Commonmark
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-3662 LOW POC Monitor

Command injection in Wavlink WL-NU516U1 firmware allows remote attackers with high privileges to execute arbitrary commands through the Pr_mode parameter in /cgi-bin/adm.cgi. Public exploit code exists for this vulnerability, and no patch is currently available. The impact is limited to confidentiality, integrity, and availability of the affected device.

Command Injection Wl Nu516u1 Firmware
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.1%
CVE-2026-3661 LOW POC Monitor

Command injection in Wavlink WL-NU516U1 firmware allows remote attackers with high privileges to execute arbitrary commands through the model parameter in the OTA upgrade function. Public exploit code exists for this vulnerability, and no patch is currently available. The impact is limited to confidentiality, integrity, and availability of the affected device.

Command Injection Wl Nu516u1 Firmware
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.1%
CVE-2026-30856 MEDIUM PATCH This Month

Tool name collision in WeKnora's MCP client integration allows remote attackers with network access to register malicious tools that overwrite legitimate ones, enabling prompt injection attacks and potential data exfiltration. An attacker exploiting this vulnerability can redirect LLM execution to steal system prompts and context data, or execute arbitrary tools with the privileges of authenticated users. This affects WeKnora versions prior to 0.3.0.

Code Injection Suse
NVD GitHub
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-30850 MEDIUM PATCH This Month

Parse Server versions prior to 8.6.9 and 9.5.0-alpha.9 fail to enforce file access control triggers on the metadata endpoint, allowing unauthenticated attackers to retrieve sensitive file metadata that should be restricted. This bypass occurs because beforeFind and afterFind triggers are not invoked when accessing file metadata, circumventing security gates intended to protect file information. Affected organizations using Parse Server without the patched versions face unauthorized disclosure of file metadata.

Node.js Parse Server
NVD GitHub
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-3665 LOW POC Monitor

A vulnerability was identified in xlnt-community xlnt up to 1.6.1. The affected element is the function xlnt::detail::xlsx_consumer::read_office_document of the file source/detail/serialization/xlsx_consumer.cpp of the component XLSX File Parser. [CVSS 3.3 LOW]

Denial Of Service Xlnt
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-3663 LOW POC Monitor

A vulnerability was found in xlnt-community xlnt up to 1.6.1. This issue affects the function xlnt::detail::compound_document_istreambuf::xsgetn of the file source/detail/cryptography/compound_document.cpp of the component XLSX File Parser. [CVSS 3.3 LOW]

Buffer Overflow Xlnt
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-3664 LOW POC Monitor

A vulnerability was determined in xlnt-community xlnt up to 1.6.1. Impacted is the function xlnt::detail::compound_document::read_directory of the file source/detail/cryptography/compound_document.cpp of the component Encrypted XLSX File Parser. [CVSS 3.3 LOW]

Buffer Overflow Xlnt
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-25073 MEDIUM This Month

Stored cross-site scripting in Zikestor SKS8310-8X firmware versions 1.04.B07 and earlier allows authenticated users to inject malicious scripts via the System Name field, which execute when other administrators view the configuration. The lack of proper output encoding enables attackers with login credentials to compromise the security of administrative sessions viewing the affected switch settings.

XSS Zikestor Sks8310 8x Firmware
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-30854 MEDIUM PATCH This Month

Parse Server versions 9.3.1-alpha.3 through 9.5.0-alpha.9 allow unauthenticated attackers to bypass GraphQL introspection restrictions by nesting __type queries within inline fragments, enabling unauthorized schema reconnaissance. An attacker can exploit this to enumerate available types and fields in the GraphQL API despite the graphQLPublicIntrospection control being disabled. The vulnerability affects Parse Server deployments running on Node.js and has been patched in version 9.5.0-alpha.10.

Node.js Parse Server
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-30859 MEDIUM PATCH This Month

WeKnora versions prior to 0.2.12 suffer from inadequate tenant isolation in database queries, permitting any authenticated user to access sensitive data from other tenants including API keys, model configurations, and private messages. The vulnerability affects multi-tenant deployments where account-level access controls fail to prevent cross-tenant data exfiltration. No patch is currently available for affected versions.

Authentication Bypass Information Disclosure AI / ML Weknora Suse
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-1650 MEDIUM This Month

Unauthenticated attackers can modify arbitrary custom event fields in the MDJM Event Management plugin for WordPress through versions 1.7.8.1 due to insufficient capability checks in the custom fields controller. This allows remote deletion of custom event data without requiring valid credentials or user interaction. No patch is currently available for this medium-severity vulnerability.

WordPress Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-2371 MEDIUM This Month

Unauthenticated attackers can retrieve rendered HTML content from private, draft, and password-protected reusable blocks in the Greenshift plugin for WordPress (versions up to 12.8.3) due to missing authorization checks in an AJAX handler combined with exposed nonce values. The vulnerability allows an attacker to specify arbitrary post IDs and bypass post status validation to access sensitive block content. No patch is currently available for this medium-severity information disclosure vulnerability.

WordPress Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-2429 MEDIUM This Month

SQL injection in WordPress Community Events plugin up to version 1.5.8 allows authenticated administrators to extract sensitive database information through malicious CSV file uploads exploiting inadequately sanitized venue name fields. The vulnerability requires high-level privileges and manual interaction but poses a significant confidentiality risk to WordPress installations using this plugin. No patch is currently available.

WordPress SQLi File Upload
NVD
CVSS 3.1
4.9
EPSS
0.0%
CVE-2026-2721 MEDIUM This Month

Stored XSS in MailArchiver plugin for WordPress versions up to 4.4.0 allows authenticated administrators to inject malicious scripts through insufficiently sanitized admin settings, affecting multi-site installations and those with disabled unfiltered_html. Attackers with admin privileges can execute arbitrary JavaScript that persists and triggers when other users access affected pages. No patch is currently available.

WordPress XSS
NVD GitHub
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-2722 MEDIUM This Month

Stored XSS in WordPress Stock Ticker plugin through version 3.26.1 allows authenticated administrators to inject malicious scripts into admin settings that execute for other users viewing affected pages. The vulnerability requires administrator privileges and only impacts multi-site WordPress installations or those with unfiltered_html disabled. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-2420 MEDIUM This Month

Stored XSS in LotekMedia Popup Form plugin for WordPress through version 1.0.6 allows administrators to inject malicious scripts into popup settings due to improper input sanitization. When site visitors view pages containing the affected popup, the injected scripts execute in their browsers, potentially compromising user sessions or stealing sensitive data. A patch is not currently available.

WordPress XSS
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-1071 MEDIUM This Month

Stored XSS in the Carta Online WordPress plugin through version 2.13.0 allows authenticated administrators to inject malicious scripts into admin settings that execute for other users accessing affected pages. The vulnerability requires administrator privileges and only impacts WordPress multisite installations or those with unfiltered_html disabled. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-29196 MEDIUM PATCH This Month

{network} or GET /api/nodes/{network} endpoints that lack proper output filtering. This vulnerability affects Netmaker and its integrated WireGuard deployments, with no patch currently available for affected versions.

Wireguard Netmaker Suse
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-2488 MEDIUM This Month

Unauthorized message deletion in ProfileGrid WordPress plugin versions up to 5.9.8.1 allows authenticated subscribers and above to delete arbitrary messages from any user due to missing capability checks in the pg_delete_msg() function. An attacker can exploit this by sending a crafted request with a valid message ID to remove messages without proper authorization. No patch is currently available for this vulnerability.

WordPress Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-1087 MEDIUM This Month

The Guardian News Feed WordPress plugin through version 1.2 lacks CSRF protections on its settings update function, allowing unauthenticated attackers to modify plugin configuration including API credentials through social engineering. Site administrators can be tricked into clicking a malicious link that silently changes settings with their authenticated session. No patch is currently available.

WordPress CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-1086 MEDIUM This Month

Font Pairing Preview For Landing Pages (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).

WordPress CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-1085 MEDIUM This Month

WordPress True Ranker plugin versions up to 2.2.9 lack proper CSRF protections on the account disconnection function, enabling unauthenticated attackers to disconnect an administrator's True Ranker account by tricking them into clicking a malicious link. An attacker exploiting this vulnerability could disrupt SEO monitoring capabilities for affected sites without requiring authentication or special privileges.

WordPress CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-1073 MEDIUM This Month

Purchase Button For Affiliate Link (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).

WordPress PHP CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-2494 MEDIUM This Month

The ProfileGrid WordPress plugin through version 5.9.8.2 lacks nonce validation on membership request management functions, allowing unauthenticated attackers to forge requests that approve or deny group membership through social engineering of site administrators. An attacker can exploit this CSRF vulnerability to manipulate group membership status by tricking an admin into clicking a malicious link. No patch is currently available for this medium-severity vulnerability.

WordPress CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-1981 MEDIUM This Month

The HUMN-1 AI Website Scanner & Human Certification plugin for WordPress through version 0.0.3 fails to validate user permissions on the winston_disconnect AJAX function, allowing authenticated Subscriber-level users to disconnect the plugin's API credentials. This capability check bypass enables authenticated attackers to disrupt the plugin's functionality by resetting its API connection settings without proper authorization.

WordPress Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-1644 MEDIUM This Month

The WP Frontend Profile WordPress plugin through version 1.3.8 lacks CSRF protections on the update_action function, enabling unauthenticated attackers to manipulate user registration approvals or rejections by deceiving administrators into clicking malicious links. This allows attackers to perform unauthorized account management actions without authentication, potentially disrupting legitimate user onboarding processes. No patch is currently available for this vulnerability.

WordPress CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-29190 MEDIUM This Month

Karapace versions before 6.0.0 contain a path traversal vulnerability in the backup restoration functionality that allows attackers to read arbitrary files from the system by crafting malicious backup files. Organizations using Karapace's backup/restore feature with untrusted backup sources are at risk, with the actual impact limited by the file permissions of the Karapace process. No patch is currently available, requiring users to restrict backup sources or disable the backup functionality until version 6.0.0 is released.

Path Traversal Karapace
NVD GitHub
CVSS 3.1
4.1
EPSS
0.1%
CVE-2026-30848 LOW PATCH Monitor

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. [CVSS 3.7 LOW]

Node.js Path Traversal
NVD GitHub
CVSS 3.1
3.7
EPSS
0.1%
CVE-2026-29185 LOW PATCH Monitor

Backstage is an open framework for building developer portals. Prior to version 1.20.1, a vulnerability in the SCM URL parsing used by Backstage integrations allowed path traversal sequences in encoded form to be included in file paths. When these URLs were processed by integration functions that construct API URLs, the traversal segments could redirect requests to unintended SCM provider API e...

Path Traversal Backstage Integration
NVD GitHub
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-2671 LOW Monitor

A vulnerability was detected in Mendi Neurofeedback Headset V4. Affected by this vulnerability is an unknown functionality of the component Bluetooth Low Energy Handler. [CVSS 3.1 LOW]

Information Disclosure
NVD VulDB
CVSS 4.0
2.3
EPSS
0.0%
CVE-2026-3680 LOW Monitor

Command injection in RyuzakiShinji biome-mcp-server versions up to 1.0.0 allows authenticated remote attackers to execute arbitrary commands through manipulation of the biome-mcp-server.ts file. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires valid credentials but can be triggered remotely without user interaction.

Command Injection
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.9%
Prev Page 2 of 3 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy