Skip to main content
CVE-2026-21290 HIGH This Week

Stored XSS in Adobe Commerce and Magento versions 2.4.9-alpha3 through 2.4.4-p16 allows authenticated attackers to inject malicious scripts into form fields that execute in victims' browsers, enabling session hijacking and data theft. Exploitation requires user interaction when a victim visits a page containing the compromised field. No patch is currently available.

Adobe XSS Commerce Magento Commerce B2b
NVD VulDB
CVSS 3.1
8.7
EPSS
0.0%
CVE-2026-31844 HIGH This Week

SQL injection in the Koha library management system's staff interface allows authenticated users to manipulate the displayby parameter in suggestion.pl, enabling arbitrary SQL query execution against the backend database. Low-privileged staff members can exploit this vulnerability to extract sensitive data or modify database contents without additional privileges. No patch is currently available to remediate this high-severity vulnerability.

SQLi Koha
NVD
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-1090 HIGH This Week

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 10.6 versions up to 18.7.6 is affected by cross-site scripting (xss) (CVSS 8.7).

Gitlab XSS
NVD VulDB
CVSS 3.1
8.7
EPSS
0.0%
CVE-2026-20892 HIGH This Week

Code injection in MitsubishiChemical network devices MR-GM5L-S1 and MR-GM5A-L1 allows authenticated administrators to execute arbitrary commands via crafted inputs. While requiring high-privilege access (CVSS:4.0 PR:H), successful exploitation achieves complete system compromise with high confidentiality, integrity, and availability impact. EPSS score of 0.05% (16th percentile) indicates low probability of mass exploitation. No active exploitation or public proof-of-concept identified at time of analysis, though JPCERT/CC coordination suggests vendor awareness and patch availability.

Code Injection RCE
NVD
CVSS 4.0
8.6
EPSS
0.1%
CVE-2026-32110 HIGH PATCH This Week

High severity vulnerability in SiYuan Note. # The `/api/network/forwardProxy` endpoint allows authenticated users to make arbitrary HTTP requests from the server. The endpoint accepts a user-controlled URL and makes HTTP requests to it, returning the full response body and headers. There is no URL validation to prevent requests to internal networks, localhost, or cloud metadata services.

SSRF Siyuan Suse
NVD GitHub VulDB
CVSS 3.1
8.3
EPSS
0.0%
CVE-2026-31839 HIGH PATCH This Week

Striae versions prior to 3.0.0 allow local attackers to bypass package integrity verification by modifying both the manifest hash and package contents simultaneously, enabling delivery of tampered firearm examination data that passes validation checks. This integrity bypass affects forensic workflows relying on Striae's digital confirmation mechanism. No patch is currently available for affected installations.

Authentication Bypass Striae
NVD GitHub VulDB
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-21361 HIGH This Week

Stored XSS in Adobe Commerce versions 2.4.9-alpha3 through 2.4.4-p16 allows high-privileged attackers to inject malicious scripts into form fields, which execute when victims visit the affected pages. Successful exploitation enables session hijacking and compromise of user confidentiality and integrity, though user interaction is required for the attack to succeed. No patch is currently available for this vulnerability.

Adobe XSS Commerce B2b Magento Commerce
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-21284 HIGH This Week

Stored XSS in Adobe Commerce versions 2.4.9-alpha3 through 2.4.4-p16 enables high-privileged attackers to inject malicious scripts into form fields, which execute in victim browsers during page visits. An attacker exploiting this vulnerability can achieve session hijacking and compromise both confidentiality and integrity, though successful exploitation requires user interaction and administrative privileges. No patch is currently available.

Adobe XSS Commerce Magento Commerce B2b
NVD VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-67298 HIGH This Week

An issue in ClasroomIO before v.0.2.6 allows a remote attacker to escalate privileges via the endpoints /api/verify and /rest/v1/profile [CVSS 8.1 HIGH]

Authentication Bypass Classroomio
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-3453 HIGH This Week

Authenticated users can terminate arbitrary subscriptions in WordPress ProfilePress plugin versions up to 4.16.11 through an IDOR vulnerability in the checkout process that lacks ownership validation on subscription IDs. Any subscriber-level user can exploit the change_plan_sub_id parameter to cancel or expire other users' active subscriptions, immediately revoking their paid access. The vulnerability remains unpatched and affects all current versions of the plugin.

WordPress Authentication Bypass
NVD
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-2626 HIGH This Week

divi-booster WordPre versions up to 5.0.2 is affected by cross-site request forgery (csrf) (CVSS 8.1).

WordPress PHP CSRF Deserialization
NVD WPScan
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-21311 HIGH This Week

Stored XSS in Adobe Commerce versions 2.4.9-alpha3 through 2.4.4-p16 allows privileged attackers to inject malicious scripts into form fields that execute in victims' browsers, enabling session hijacking and credential theft. Exploitation requires user interaction and a high-privileged attacker account, but successful attacks compromise both confidentiality and integrity. No patch is currently available for affected versions.

Adobe XSS Commerce Magento Commerce B2b
NVD
CVSS 3.1
8.0
EPSS
0.1%
CVE-2026-22248 HIGH This Week

licenses tracking and software auditing. From 11.0.0 to versions up to 11.0.5 is affected by deserialization of untrusted data (CVSS 8.0).

PHP Deserialization
NVD GitHub VulDB
CVSS 3.1
8.0
EPSS
0.1%
CVE-2024-14026 HIGH This Week

A command injection vulnerability has been reported to affect several QNAP operating system versions. If an attacker gains local network access who have also gained a user account, they can then exploit the vulnerability to execute arbitrary commands. [CVSS 7.8 HIGH]

Qnap Command Injection Quts Hero Qts
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-30900 HIGH This Week

Zoom's Windows client fails to properly validate minimum version requirements during updates, enabling authenticated local users to escalate their privileges on affected systems. An attacker with local access and valid credentials could exploit this validation bypass to gain elevated permissions. No patch is currently available for this vulnerability.

Privilege Escalation Microsoft
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-30902 HIGH This Week

Zoom Client for Windows contains a privilege escalation vulnerability that allows authenticated local users to gain elevated system privileges through improper access controls. An attacker with valid credentials can exploit this weakness to execute arbitrary code or access sensitive system resources without administrative approval. No patch is currently available for this issue.

Privilege Escalation Microsoft
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-31881 HIGH This Week

Runtipi versions prior to 4.8.0 allow unauthenticated attackers to reset the admin password through an unprotected POST /api/auth/reset-password endpoint, enabling complete account takeover during active password-reset windows. Any remote user can set a new operator password within the 15-minute reset window without authentication or authorization checks. This vulnerability remains unpatched in affected versions.

Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
7.7
EPSS
0.1%
CVE-2026-32121 HIGH This Week

Stored DOM-based cross-site scripting (XSS) in OpenEMR prior to version 8.0.0.1 allows authenticated attackers with low privileges to inject malicious scripts through unsanitized patient names in the portal signing component, which are rendered client-side via jQuery. Successful exploitation requires user interaction and could enable attackers to perform actions in the context of affected users or steal sensitive health information. A patch is available in OpenEMR 8.0.0.1 and later versions.

PHP XSS Openemr
NVD GitHub VulDB
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-32123 HIGH This Week

OpenEMR versions prior to 8.0.0.1 fail to properly enforce access controls on group encounters due to sensitivity checks only querying the wrong database table, allowing authenticated users to view restricted medical records such as mental health encounters they should not access. The vulnerability affects multi-user deployments where role-based restrictions are relied upon to protect sensitive patient information. No patch is currently available for affected versions.

Authentication Bypass Openemr
NVD GitHub VulDB
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-32131 HIGH This Week

ZITADEL is an open source identity management platform. versions up to 3.4.8 is affected by authorization bypass through user-controlled key (CVSS 7.7).

Authentication Bypass Zitadel
NVD GitHub VulDB
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-32101 HIGH PATCH This Week

High severity vulnerability in StudioCMS. The S3 storage manager's `isAuthorized()` function is declared `async` (returns `Promise<boolean>`) but is called without `await` in both the POST and PUT handlers. Since a Promise object is always truthy in JavaScript, `!isAuthorized(type)` always evaluates to `false`, completely bypassing the authorization check. Any authenticated user with the lowest `visitor` role can upload, delete, rename...

Authentication Bypass Studiocms
NVD GitHub VulDB
CVSS 3.1
7.6
EPSS
0.0%
CVE-2026-32117 HIGH This Week

Grafana Cubism Panel versions 0.1.2 and earlier contain a stored cross-site scripting (XSS) vulnerability where dashboard editors can inject malicious javascript: URIs into zoom-link handlers that execute with Grafana origin privileges when viewers interact with the panel. An authenticated attacker with editor permissions can craft a malicious dashboard that executes arbitrary JavaScript in the context of any user who zooms on the affected panel, potentially compromising sensitive data or session tokens.

Grafana XSS Grafanacubism Panel
NVD GitHub VulDB
CVSS 3.1
7.6
EPSS
0.0%
CVE-2026-3222 HIGH This Week

Unauthenticated attackers can exploit a time-based blind SQL injection in the WP Maps plugin for WordPress (versions up to 4.9.1) through the location_id parameter in the wpgmp_ajax_call AJAX handler to extract sensitive database information. The vulnerability stems from improper input validation that allows backtick-wrapped user input to bypass SQL escaping functions. No patch is currently available, leaving all affected WordPress installations at risk of data disclosure.

WordPress SQLi
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-32130 HIGH This Week

ZITADEL is an open source identity management platform. From 2.68.0 to versions up to 3.4.8 contains a security vulnerability (CVSS 7.5).

Information Disclosure Zitadel
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-1708 HIGH This Week

Simply Schedule Appointments Booking Plugin versions up to 1.6.9.27. is affected by sql injection (CVSS 7.5).

WordPress SQLi
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-21309 HIGH This Week

Unauthorized data disclosure in Adobe Commerce and Magento B2B versions 2.4.4 through 2.4.9-alpha3 stems from improper access controls that allow attackers to bypass security features and view sensitive information without authentication or user interaction. Multiple supported versions remain vulnerable as no patch is currently available.

Adobe Commerce B2b Commerce Magento
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-21289 HIGH This Week

Unauthorized data disclosure in Adobe Commerce and Magento B2B versions 2.4.4 through 2.4.9-alpha3 stems from an authorization bypass flaw that allows unauthenticated attackers to view sensitive information without user interaction. The vulnerability exploits improper access controls to circumvent security protections, exposing confidential data to remote threat actors. Currently no patch is available for affected versions.

Adobe Commerce B2b Commerce Magento
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-3496 HIGH This Week

Unauthenticated attackers can exploit SQL injection in the JetBooking WordPress plugin through the check_in_date parameter to extract sensitive database information, affecting all versions up to 4.0.3. The vulnerability exists due to insufficient input escaping and unprepared SQL statements. No patch is currently available.

WordPress SQLi
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-31870 HIGH PATCH This Week

cpp-httplib versions prior to 0.37.1 crash when the streaming API receives a malformed Content-Length header from any server, as the library fails to validate or handle exceptions from the underlying string parsing function. An attacker can exploit this denial of service condition by hosting a malicious server, performing a man-in-the-middle attack, or leveraging HTTP redirects to crash any client application using the vulnerable library. Currently no patch is available for this issue.

Denial Of Service Cpp Httplib Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-31866 HIGH PATCH This Week

Kubernetes flagd feature flag daemon versions before 0.14.2 are vulnerable to denial of service through unbounded memory allocation on publicly accessible evaluation endpoints. An unauthenticated attacker can send HTTP requests with arbitrarily large payloads to exhaust memory and crash the service. This affects deployments without external authentication controls, allowing trivial process termination in containerized environments.

Kubernetes Denial Of Service Suse
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-21888 HIGH This Week

NanoMQ MQTT Broker versions 0.24.6 and earlier are vulnerable to an out-of-bounds read in the MQTT v5 Variable Byte Integer parser, which lacks proper bounds validation when processing 5-byte varints. Remote unauthenticated attackers can trigger a denial of service by sending malformed MQTT packets that crash the broker. No patch is currently available for this vulnerability.

Information Disclosure Buffer Overflow Nanomq
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-27703 HIGH This Week

Stack buffer overflow in RIOT OS coap_well_known_core_default_handler allows unauthenticated remote attackers to overwrite critical stack data including return addresses through oversized CoAP option responses. Affected IoT devices running RIOT 2026.01 and earlier are vulnerable to denial of service or arbitrary code execution without any user interaction required. No patch is currently available for this vulnerability.

IoT Denial Of Service
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-30226 HIGH PATCH This Week

In devalue v5.6.3, `devalue.parse` and `devalue.unflatten` were susceptible to prototype pollution via maliciously crafted payloads. Successful exploitation could lead to Denial of Service (DoS) or type confusion.

Denial Of Service Prototype Pollution Devalue Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-31894 HIGH This Week

WeGIA 3.6.5 allows unauthenticated remote attackers to read arbitrary files on the server through symlink traversal in backup database extraction functionality. When processing tar.gz archives, the application fails to validate whether extracted members are symbolic links before reading their contents, enabling an attacker to access sensitive files like database credentials or configuration data. No patch is currently available for this vulnerability.

Information Disclosure Wegia
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-32098 HIGH PATCH This Week

### Impact An attacker can exploit LiveQuery subscriptions to infer the values of protected fields without directly receiving them. By subscribing with a WHERE clause that references a protected field (including via dot-notation or `$regex`), the attacker can observe whether LiveQuery events are delivered for matching objects. This creates a boolean oracle that leaks protected field values. The attack affects any class that has both `protectedFields` configured in Class-Level Permissions and LiveQuery enabled. ### Patches The fix adds validation of the LiveQuery subscription WHERE clause against the class's protected fields, mirroring the existing REST API validation. If a subscription's WHERE clause references a protected field directly, via dot-notation, or inside `$or` / `$and` / `$nor` operators, the subscription is rejected with a permission error. This is applied during subscription creation, so existing event delivery paths are not affected. ### Workarounds Disable LiveQuery for classes that use `protectedFields` in their Class-Level Permissions, or remove `protectedFields` from classes that require LiveQuery. ### References - GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-j7mm-f4rv-6q6q - Fix Parse Server 9: https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.9 - Fix Parse Server 8: https://github.com/parse-community/parse-server/releases/tag/8.6.35

Node.js Information Disclosure AI / ML Parse Server
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-31872 HIGH PATCH This Week

Parse Server versions prior to 9.6.0-alpha.6 and 8.6.32 allow attackers to bypass class-level permission restrictions on protected fields by using dot-notation in query and sort parameters, enabling enumeration of sensitive field values through binary oracle attacks. This affects both MongoDB and PostgreSQL deployments and requires no authentication or user interaction. No patch is currently available for affected versions.

Node.js PostgreSQL Authentication Bypass Parse Server
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-3924 HIGH PATCH This Week

use after free in WindowDialog in Google Chrome versions up to 146.0.7680.71 is affected by use after free (CVSS 7.5).

Google Use After Free Denial Of Service Memory Corruption Chrome +2
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-13929 HIGH This Week

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 10.0 versions up to 18.7.6 is affected by allocation of resources without limits or throttling (CVSS 7.5).

Gitlab Denial Of Service
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-70027 HIGH This Week

An issue pertaining to CWE-918: Server-Side Request Forgery was discovered in Sunbird-Ed SunbirdEd-portal v1.13.4. This allows attackers to obtain sensitive information [CVSS 7.5 HIGH]

SSRF Sunbirded Portal
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-1069 HIGH This Week

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.9 versions up to 18.9.2 is affected by uncontrolled recursion (CVSS 7.5).

Gitlab Denial Of Service
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-3932 HIGH PATCH This Week

Insufficient policy enforcement in PDF in Google Chrome on Android versions up to 146.0.7680.71 contains a security vulnerability.

Google Authentication Bypass Chrome Android Suse
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-14513 HIGH This Week

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.11 versions up to 18.7.6 contains a security vulnerability (CVSS 7.5).

Gitlab Denial Of Service
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-32132 HIGH This Week

ZITADEL is an open source identity management platform. versions up to 3.4.8 is affected by insufficient session expiration (CVSS 7.4).

Information Disclosure Zitadel
NVD GitHub VulDB
CVSS 3.1
7.4
EPSS
0.0%
CVE-2026-20074 HIGH This Week

Cisco IOS XR Software's IS-IS routing implementation fails to properly validate incoming protocol packets, enabling an adjacent network attacker to trigger repeated process crashes and temporary routing outages. An attacker with Layer 2 adjacency can send malformed IS-IS packets to force denial of service conditions affecting network connectivity. No patch is currently available for this high-severity vulnerability.

Cisco Denial Of Service Apple Ios Xr
NVD VulDB
CVSS 3.1
7.4
EPSS
0.0%
CVE-2025-12690 HIGH This Week

Execution with unnecessary privileges in Forcepoint NGFW Engine allows local privilege escalation.This issue affects NGFW Engine versions up to 6.10.19 is affected by execution with unnecessary privileges.

Privilege Escalation Next Generation Firewall
NVD VulDB
CVSS 4.0
7.3
EPSS
0.0%
CVE-2026-23815 HIGH This Week

Authenticated administrators of AOS-CX Switches can inject arbitrary commands through a custom binary in the CLI, potentially compromising switch integrity and network operations. This high-privilege attack requires valid credentials and direct network access but carries no patch availability, leaving affected deployments at persistent risk.

Command Injection
NVD
CVSS 3.1
7.2
EPSS
0.3%
CVE-2026-23816 HIGH This Week

Authenticated attackers can execute arbitrary OS commands on AOS-CX Switches through improper input validation in the CLI, potentially compromising network infrastructure. This command injection flaw (CWE-78) affects high-privileged users with network access and carries a CVSS score of 7.2, with no patch currently available.

Command Injection RCE
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-3178 HIGH This Week

Unauthenticated attackers can inject malicious scripts into the Name Directory WordPress plugin (versions up to 1.32.1) through the 'name_directory_name' parameter, which are then executed in users' browsers when they visit affected pages. The vulnerability stems from inadequate input sanitization and output escaping, allowing stored cross-site scripting attacks that impact all unauthenticated visitors. No patch is currently available, though partial mitigations were attempted in versions 1.30.3 and 1.32.1.

WordPress XSS
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-3231 HIGH This Week

for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom radio and checkboxgroup field values submitted versions up to 2.1.7. is affected by cross-site scripting (xss) (CVSS 7.2).

WordPress PHP XSS
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-1454 HIGH This Week

The Responsive Contact Form Builder & Lead Generation Plugin for WordPress through version 2.0.1 fails to properly sanitize form field submissions, allowing unauthenticated attackers to inject malicious scripts that execute in the administrator dashboard when viewing lead entries. The vulnerability stems from incomplete input validation in the sanitization function combined with overly permissive output filtering that permits onclick attributes on links. Attackers can exploit this to steal admin credentials, modify site content, or perform arbitrary actions within WordPress.

WordPress XSS
NVD
CVSS 3.1
7.2
EPSS
0.1%
Prev Page 2 of 3 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy