Skip to main content
CVE-2026-20162 MEDIUM This Month

Stored XSS via path traversal in Splunk Enterprise and Cloud Platform allows low-privileged users to inject malicious JavaScript into Views, compromising any user who visits the affected page. An attacker must socially engineer a victim into initiating the malicious request, but no special privileges or user interaction beyond initial page load is required. Affected versions include Splunk Enterprise below 10.2.0, 10.0.3, 9.4.9, and 9.3.9, with no patch currently available.

XSS Path Traversal Splunk Splunk Cloud Platform
NVD VulDB
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-30868 MEDIUM This Month

OPNsense prior to version 26.1.4 contains a CSRF vulnerability where state-changing API endpoints accept HTTP GET requests without proper anti-CSRF protections, allowing authenticated users to be tricked into triggering unintended system operations. An attacker can craft a malicious website that, when visited by an authenticated OPNsense administrator, performs unauthorized configuration changes or service reloads through the vulnerable endpoints. No patch is currently available for this medium-severity vulnerability affecting OPNsense firewall deployments.

CSRF Opnsense
NVD GitHub VulDB
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-3904 MEDIUM PATCH This Month

Denial of service in GNU C Library 2.36 on x86_64 systems occurs when nscd-backed functions trigger a race condition in the optimized memcmp implementation, allowing concurrent thread modification of input data to cause application crashes. This affects any application using NSS caching functionality under high load conditions. No patch is currently available.

Denial Of Service Glibc
NVD VulDB
CVSS 3.1
6.2
EPSS
0.0%
CVE-2025-12473 MEDIUM This Month

The RTMKit plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'themebuilder' parameter in all versions up to, and including, 1.6.8 due to insufficient input sanitization and output escaping. [CVSS 6.1 MEDIUM]

WordPress XSS
NVD VulDB
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-31859 MEDIUM PATCH This Month

Reflected XSS in Craft CMS versions before 5.9.7 and 4.17.3 allows remote attackers to execute arbitrary JavaScript in users' browsers via malicious return URLs that bypass insufficient sanitization. The vulnerability exists because the patch for a prior issue relied on strip_tags() to filter URLs, which fails to block dangerous URL schemes like javascript:. An attacker can craft a malicious link that, when clicked by an authenticated user, steals session cookies or performs actions on their behalf.

PHP XSS Craft Cms
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-31868 MEDIUM PATCH This Month

Stored XSS in Parse Server prior to versions 9.6.0-alpha.4 and 8.6.30 allows unauthenticated attackers to upload files with dangerous extensions (such as .svgz, .xht, .xml) that bypass default upload filters and execute malicious scripts in users' browsers within the Parse Server domain. Successful exploitation enables attackers to steal session tokens, hijack user accounts, or perform unauthorized actions on behalf of victims. User interaction is required to trigger the vulnerability when victims access the uploaded malicious files.

Node.js XSS Parse Server
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-20117 MEDIUM This Month

Unauthenticated attackers can inject malicious scripts into Cisco Unified CCX's web management interface due to insufficient input validation, enabling XSS attacks against administrators and users. Successful exploitation allows arbitrary JavaScript execution within the browser context or theft of sensitive session information. No patch is currently available.

Cisco XSS Unified Contact Center Express
NVD VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-20116 MEDIUM This Month

Unauthenticated attackers can inject malicious scripts into the web management interfaces of multiple Cisco contact center products (Finesse, Packaged CCE, Unified CCE, Unified CCX, and Unified Intelligence Center) due to insufficient input validation. Successful exploitation allows arbitrary script execution in the victim's browser context, potentially enabling session hijacking or credential theft from administrators. No patch is currently available for this cross-site scripting vulnerability.

Cisco XSS
NVD VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-3825 MEDIUM This Month

Reflected XSS in the Organization Portal System's IFTOP module enables authenticated attackers to inject malicious JavaScript that executes in victims' browsers via social engineering or phishing links. This vulnerability requires user interaction to trigger and affects confidentiality and integrity with no current patch available.

XSS Organization Portal System
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-3824 MEDIUM This Month

WellChoose's IFTOP Organization Portal System contains an open redirect vulnerability that permits authenticated attackers to craft deceptive URLs capable of redirecting users to malicious websites. The vulnerability requires user interaction to trigger and affects cross-origin requests, enabling credential theft or malware distribution through social engineering. No patch is currently available to remediate this issue.

Open Redirect Organization Portal System
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-1652 MEDIUM This Month

The Lenovo Virtual Bus driver in Smart Connect contains a buffer overflow that allows local authenticated users to corrupt memory and trigger system crashes on Windows systems. This vulnerability requires valid credentials and local access, limiting exposure to users already present on affected machines. No patch is currently available to address this issue.

Windows Buffer Overflow
NVD VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-2324 MEDIUM This Month

The LatePoint Calendar Booking Plugin for WordPress versions up to 5.2.7 contains a cross-site request forgery vulnerability in the reload_preview() function due to missing nonce validation, allowing unauthenticated attackers to modify plugin settings and inject malicious scripts if a site administrator can be tricked into clicking a malicious link. An attacker exploiting this vulnerability can alter configurations and inject web-based payloads that execute in the administrator's browser session. No patch is currently available for this vulnerability.

WordPress CSRF
NVD VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-31875 MEDIUM PATCH This Month

Parse Server's TOTP-based multi-factor authentication fails to invalidate recovery codes after use, allowing an attacker with a single recovery code to authenticate repeatedly as an affected user. This vulnerability impacts Parse Server deployments prior to versions 9.6.0-alpha.7 and 8.6.33, where recovery codes intended as single-use fallback mechanisms can be exploited indefinitely to bypass MFA protections. No patch is currently available for affected versions.

Node.js Information Disclosure Parse Server
NVD GitHub VulDB
CVSS 3.1
5.9
EPSS
0.1%
CVE-2026-1867 MEDIUM This Month

The Guest posting / Frontend Posting / Front Editor WordPress plugin before 5.0.6 exposes sensitive form data and settings through an unauthenticated URL parameter that regenerates JSON files, allowing attackers to download administrator email addresses and other configuration details. This vulnerability affects WordPress installations using the vulnerable plugin versions when admin notifications are enabled. No patch is currently available for this medium-severity information disclosure.

WordPress Information Disclosure
NVD WPScan
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-31853 MEDIUM PATCH This Month

ImageMagick is free and open-source software used for editing and manipulating digital images. versions up to 7.1.2-16 is affected by heap-based buffer overflow (CVSS 5.7).

Buffer Overflow Heap Overflow Imagemagick Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
5.7
EPSS
0.0%
CVE-2026-3943 MEDIUM This Month

Command injection in H3C ACG1000-AK230 through the /webui/?aaa_portal_auth_local_submit endpoint allows unauthenticated remote attackers to execute arbitrary commands by manipulating the suffix parameter. Public exploit code exists for this vulnerability, which affects versions up to 20260227 with no patch currently available. The vulnerability carries a CVSS score of 7.3 and provides attackers with partial access to confidentiality, integrity, and availability.

Command Injection
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-3954 MEDIUM This Month

OpenBMB XAgent 1.0.0 contains a path traversal vulnerability in the workspace router that allows unauthenticated remote attackers to manipulate the file_name parameter and access or modify arbitrary files on the system. Public exploit code is available for this vulnerability, which affects the integrity and availability of the application. The vendor has not yet released a patch despite early notification of the issue.

Path Traversal
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2026-21294 MEDIUM This Month

Server-side request forgery in multiple Adobe Commerce versions allows high-privileged attackers to bypass security controls by manipulating internal server requests without user interaction. Affected versions include 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, and 2.4.4-p16 or earlier. No patch is currently available.

Adobe SSRF Commerce B2b Magento Commerce
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-21293 MEDIUM This Month

Server-side request forgery in Adobe Commerce 2.4.4 through 2.4.9-alpha3 enables high-privileged attackers to bypass security controls and access unauthorized resources without user interaction. The vulnerability affects multiple versions across the Commerce and Commerce B2B product lines, allowing manipulation of internal server requests from an authenticated administrative context. No patch is currently available.

Adobe SSRF Commerce Magento Commerce B2b
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-1653 MEDIUM This Month

The Lenovo Virtual Bus driver in Smart Connect contains a divide-by-zero flaw that enables local authenticated users to trigger a system crash (blue screen). No patch is currently available, leaving affected Windows systems vulnerable to denial-of-service attacks by privileged local users.

Windows
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-31961 MEDIUM PATCH This Month

Quill before v0.7.1 is susceptible to denial of service through unbounded memory allocation when processing maliciously crafted Mach-O binaries. Environments accepting externally-submitted binaries for signing—such as CI/CD pipelines and shared signing services—face resource exhaustion attacks if they process attacker-controlled files. An authenticated local attacker can trigger excessive memory consumption by exploiting unvalidated size fields in code signing structures, causing the application to crash or hang.

Golang Denial Of Service Suse
NVD GitHub VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-2640 MEDIUM This Month

Lenovo PC Manager permits local authenticated users to terminate privileged processes due to improper privilege management, potentially disrupting system operations or enabling denial of service. An attacker with valid credentials could leverage this vulnerability to halt critical processes without administrative approval. No patch is currently available to address this issue.

Privilege Escalation
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-31879 MEDIUM This Month

Frappe is a full-stack web application framework. versions up to 14.100.2 is affected by cross-site scripting (xss).

XSS Frappe
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-32104 MEDIUM PATCH This Month

A security vulnerability in StudioCMS (CVSS 5.4). Remediation should follow standard vulnerability management procedures.

Authentication Bypass Studiocms
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-2917 MEDIUM This Month

Unauthorized post duplication in Happy Addons for Elementor (WordPress plugin) versions up to 3.21.0 allows authenticated contributors and above to clone any published content by reusing a nonce from their own posts and modifying the target post ID. The vulnerability stems from insufficient object-level permission checks in the duplicate function, which only validates generic edit capabilities rather than verifying access to specific posts. Attackers can exploit this to duplicate other users' posts, pages, or custom post types without authorization.

WordPress Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-21292 MEDIUM This Month

Stored XSS in Adobe Commerce 2.4.4 through 2.4.9-alpha3 allows authenticated attackers with low privileges to inject malicious scripts into form fields that execute when victims view the affected pages. The vulnerability requires user interaction and could lead to session hijacking, credential theft, or malware distribution within Commerce environments. No patch is currently available for affected versions.

Adobe XSS Magento Commerce Commerce B2b
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-27266 MEDIUM This Month

Adobe Experience Manager 6.5.23 and earlier contain a stored XSS vulnerability in form fields that allows low-privileged authenticated users to inject malicious scripts. When victims access pages containing the injected payload, the JavaScript executes in their browser context, potentially leading to session hijacking, credential theft, or other client-side attacks. No patch is currently available for this vulnerability.

Adobe XSS Experience Manager
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-27265 MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows low-privileged users to inject malicious scripts into form fields that execute when other users view the affected pages. An attacker can leverage this vulnerability to steal session tokens, credentials, or perform actions on behalf of victims within the AEM environment. No patch is currently available.

Adobe XSS Experience Manager
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-27264 MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows low-privileged authenticated users to inject malicious scripts into form fields that execute in other users' browsers. An attacker with valid credentials can compromise other users' sessions and steal sensitive data by crafting specially crafted input. Currently no patch is available.

Adobe XSS Experience Manager
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-27263 MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows low-privileged authenticated users to inject malicious scripts into form fields that execute in other users' browsers. An attacker with valid credentials could leverage this vulnerability to steal session tokens, modify page content, or perform actions on behalf of victims who view the compromised forms. No patch is currently available.

Adobe XSS Experience Manager
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-27262 MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields that execute in users' browsers when the page is viewed. An attacker with login credentials can craft payloads in vulnerable fields to steal session data or perform actions on behalf of victims. No patch is currently available.

Adobe XSS Experience Manager
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-27261 MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers with low privileges to inject malicious scripts into form fields that execute in other users' browsers. An attacker can leverage this to steal session tokens, perform unauthorized actions, or redirect victims to malicious sites when they view compromised pages. No patch is currently available.

Adobe XSS Experience Manager
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-27260 MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows low-privileged authenticated users to inject malicious scripts through form fields that execute in other users' browsers. An attacker with valid credentials can craft payloads to steal session tokens, redirect users, or perform actions on their behalf when victims view affected pages. No patch is currently available for this vulnerability.

Adobe XSS Experience Manager
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-27259 MEDIUM This Month

Adobe Experience Manager 6.5.23 and earlier contain a stored XSS vulnerability in form fields that allows low-privileged authenticated users to inject malicious scripts executed in other users' browsers. An attacker can exploit this to steal credentials, perform unauthorized actions, or deface content when victims access affected pages. No patch is currently available.

Adobe XSS Experience Manager
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-27257 MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields that execute when other users view the affected pages. This requires low privileges and user interaction, enabling attackers to steal session data or perform actions on behalf of victims within the application context. No patch is currently available.

Adobe XSS
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-27256 MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields that execute when other users view the affected pages. The vulnerability requires low privileges and user interaction, enabling attackers to steal session data or perform actions on behalf of victims. No patch is currently available.

Adobe XSS
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-27255 MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields that execute when users view the compromised pages. The vulnerability requires low privileges and user interaction, enabling attackers to steal session data or perform actions on behalf of victims. No patch is currently available.

Adobe XSS
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-27254 MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers with low privileges to inject malicious scripts into form fields that execute when other users view the affected pages. An attacker can exploit this vulnerability to steal session tokens, perform unauthorized actions, or redirect users to malicious sites through script execution in victims' browsers. No patch is currently available.

Adobe XSS
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-27253 MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows low-privileged attackers to inject malicious scripts into form fields that execute when other users view the affected pages. An attacker with valid credentials can exploit this vulnerability to steal session tokens, perform actions on behalf of victims, or redirect users to malicious sites. No patch is currently available for this vulnerability.

Adobe XSS
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-27252 MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers with low privileges to inject malicious scripts into form fields that execute in other users' browsers. An attacker can exploit this vulnerability to perform actions on behalf of victims or steal sensitive information when they visit pages containing the compromised fields. No patch is currently available for this vulnerability.

Adobe XSS
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-27251 MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers with low privileges to inject malicious scripts into form fields that execute in victims' browsers. An attacker can exploit this vulnerability by injecting JavaScript that runs when other users access pages containing the compromised fields, potentially enabling session hijacking, credential theft, or malware distribution. No patch is currently available.

Adobe XSS
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-27250 MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows low-privileged authenticated users to inject malicious scripts into form fields that execute in other users' browsers. An attacker could exploit this to steal session tokens, redirect users, or perform actions on behalf of victims viewing affected pages. No patch is currently available.

Adobe XSS
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-27249 MEDIUM This Month

Adobe Experience Manager 6.5.23 and earlier contains a stored XSS vulnerability in form fields that allows low-privileged authenticated users to inject malicious scripts. When victims visit pages containing the injected payload, the attacker's JavaScript executes in their browser, potentially compromising user sessions or stealing sensitive data. No patch is currently available.

Adobe XSS
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-27248 MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields that execute in other users' browsers. An attacker with low privileges can craft malicious input that persists in the application and compromises confidentiality and integrity for victims who access the affected pages. No patch is currently available.

Adobe XSS Experience Manager
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-27247 MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows low-privileged authenticated users to inject malicious scripts into form fields that execute in victims' browsers when the contaminated pages are viewed. An attacker with valid credentials can exploit this to steal session tokens, credentials, or perform actions on behalf of affected users. No patch is currently available.

Adobe XSS Experience Manager
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-27244 MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields that execute when users view the affected pages. A low-privileged user can exploit this to perform actions in the context of other users' browsers, potentially compromising session integrity and enabling credential theft or data exfiltration. No patch is currently available.

Adobe XSS Experience Manager
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-27242 MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows low-privileged attackers to inject malicious scripts into form fields that execute when victims view affected pages. The vulnerability requires user interaction and can result in session hijacking, credential theft, or unauthorized actions performed on behalf of the victim. No patch is currently available.

Adobe XSS Experience Manager
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-27241 MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields that execute when other users view the affected pages. The vulnerability requires low-level privileges and user interaction to exploit, enabling attackers to steal session data or perform actions on behalf of victims. No patch is currently available for this medium-severity issue.

Adobe XSS Experience Manager
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-27240 MEDIUM This Month

Stored XSS in Adobe Experience Manager versions 6.5.23 and earlier enables low-privileged attackers to embed malicious scripts in form fields that execute when legitimate users view the affected pages. An attacker with basic authentication can inject JavaScript that runs in victims' browsers, potentially compromising session data or performing unauthorized actions. No patch is currently available for this vulnerability.

Adobe XSS Experience Manager
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-27239 MEDIUM This Month

Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields that execute when other users view the affected pages. An attacker with login credentials can compromise victim browsers and potentially steal sensitive information or perform unauthorized actions within the application context. No patch is currently available for this vulnerability.

Adobe XSS Experience Manager
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
Prev Page 2 of 4 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy