Skip to main content
CVE-2026-32360 MEDIUM This Month

A Stored Cross-Site Scripting (XSS) vulnerability exists in the Rich Showcase for Google Reviews widget (richplugins plugin) affecting versions through 6.9.4.3, where improper input neutralization during web page generation allows authenticated attackers with high privileges to inject malicious scripts that execute in users' browsers. An attacker with administrative or plugin configuration access can store XSS payloads that will be executed for any user viewing the affected widget, potentially leading to session hijacking, credential theft, or defacement. While the CVSS score of 5.9 indicates moderate severity and requires user interaction and high privileges to exploit, the stored nature of this vulnerability means the payload persists and affects multiple users passively.

XSS Google
NVD VulDB
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-32351 MEDIUM This Month

Stored XSS in blubrry PowerPress Podcasting through version 11.15.13 permits authenticated administrators with high privileges to inject malicious scripts that persist in web pages and execute in other users' browsers. An attacker with admin credentials can inject arbitrary JavaScript to steal session tokens, modify content, or perform actions on behalf of victims. No patch is currently available for this vulnerability.

XSS Powerpress Podcasting
NVD VulDB
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-2879 MEDIUM This Month

The GetGenie plugin for WordPress contains an Insecure Direct Object Reference (IDOR) vulnerability in its REST API endpoint that allows authenticated attackers with Author-level privileges to arbitrarily modify or overwrite posts owned by any user, including administrators. The vulnerability exists in versions up to and including 4.3.2 due to missing validation on user-controlled post IDs before calling wp_update_post(), enabling attackers to change post types and reassign authorship. While not currently listed in CISA's Known Exploited Vulnerabilities catalog, the low attack complexity (network-based, low privilege requirement) and demonstrated proof-of-concept availability make this a moderate-priority issue for WordPress administrators managing multi-author sites.

WordPress Authentication Bypass
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-32612 MEDIUM PATCH This Month

Statamic CMS versions prior to 6.6.2 contain a stored cross-site scripting (XSS) vulnerability in the control panel color mode preference functionality that allows authenticated users to inject malicious JavaScript code. When a higher-privileged administrator impersonates or accesses the account of an authenticated user who has injected malicious code, the JavaScript executes in the administrator's browser session with their elevated privileges. This vulnerability is network-accessible and requires low privileges but user interaction from the victim, resulting in a CVSS score of 5.4 with potential for session hijacking, data theft, or further privilege escalation depending on the administrator's role and permissions.

XSS
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2023-40693 MEDIUM PATCH This Month

This is a Stored or Reflected Cross-Site Scripting (XSS) vulnerability in IBM Sterling B2B Integrator and IBM Sterling File Gateway that allows authenticated users to inject arbitrary JavaScript code into the Web UI. An attacker with valid credentials can craft malicious payloads that execute in the context of other users' sessions, potentially leading to credential theft, session hijacking, or unauthorized actions within a trusted environment. With a CVSS score of 5.4 and requiring low attack complexity plus user interaction (clicking a malicious link), this vulnerability poses a moderate risk primarily in environments where user trust is high and credentials are valuable.

XSS IBM
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-14504 MEDIUM PATCH This Month

This is a stored cross-site scripting (XSS) vulnerability in IBM Sterling B2B Integrator and IBM Sterling File Gateway that allows authenticated users to inject arbitrary JavaScript into the Web UI, potentially compromising session security and enabling credential theft. The vulnerability affects versions 6.1.0.0 through 6.2.2.0 across multiple minor version ranges, and while not yet listed as actively exploited in known vulnerability databases, the authentication requirement and UI-based attack surface present a moderate real-world risk for enterprises running these B2B integration platforms.

XSS IBM
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-0835 MEDIUM PATCH This Month

This is a stored or reflected cross-site scripting (XSS) vulnerability in IBM Sterling B2B Integrator and IBM Sterling File Gateway that allows authenticated users to inject arbitrary JavaScript code into the Web UI, potentially compromising credentials and session integrity. The vulnerability affects versions 6.1.0.0 through 6.2.2.0 across multiple release lines. While the CVSS score of 5.4 is moderate and exploitation requires authenticated access, the ability to alter UI functionality and exfiltrate credentials within a trusted session poses a real insider threat risk.

XSS IBM
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-32423 MEDIUM This Month

Authenticated users with insufficient access control restrictions in Admin and Site Enhancements (ASE) versions 8.4.0 and earlier can bypass authorization checks to read and modify sensitive data. The vulnerability stems from improperly configured access control levels that fail to enforce proper privilege boundaries. An attacker with valid credentials can exploit this to gain unauthorized access to protected functionality without elevated permissions.

Authentication Bypass Admin And Site Enhancements Ase
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-32417 MEDIUM PATCH This Month

Pochipp versions below 1.18.9 contain an authorization bypass vulnerability that allows authenticated users to access resources or perform actions beyond their assigned permissions due to improper access control validation. An attacker with valid credentials could exploit this to view sensitive data or modify system configuration they should not have access to. No patch is currently available.

Authentication Bypass Pochipp
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-32416 MEDIUM This Month

bPlugins PDF Poster through version 2.4.0 contains an authorization bypass vulnerability that allows authenticated users to modify or disrupt PDF operations due to improperly configured access controls. An attacker with valid credentials could exploit this flaw to manipulate data integrity or cause service disruption without proper authorization checks.

Authentication Bypass Pdf Poster
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-32412 MEDIUM This Month

A Server-Side Request Forgery (SSRF) vulnerability exists in Gift Up! Gift Cards for WordPress and WooCommerce plugin versions up to 3.1.7, allowing unauthenticated attackers to make arbitrary HTTP requests from the vulnerable server. This could enable attackers to access internal services, scan internal networks, or exfiltrate sensitive data from systems accessible only to the server. The vulnerability has a CVSS score of 5.4 (Medium) with network-based attack vector and low impact on confidentiality and integrity.

SSRF WordPress
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-32391 MEDIUM PATCH This Month

SmartFix by linethemes contains a missing authorization vulnerability (CWE-862) that allows authenticated users to access or modify resources they should not have permission to access due to incorrectly configured access control security levels. Affected versions are SmartFix prior to 1.2.4. An attacker with low-privilege credentials can exploit this network-accessible vulnerability without user interaction to gain unauthorized access to sensitive data or perform unauthorized modifications.

Authentication Bypass Smartfix
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-32390 MEDIUM PATCH This Month

Nanosoft versions prior to 1.3.2 contain an access control flaw that allows authenticated users to modify data and degrade system availability through improperly configured authorization checks. An attacker with valid credentials can exploit this vulnerability to perform unauthorized actions beyond their assigned privilege level. No patch is currently available for this vulnerability.

Authentication Bypass Nanosoft
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-32388 MEDIUM This Month

Insufficient access control in Linethemes GLB through version 1.2.2 allows authenticated users to bypass security restrictions and gain unauthorized access to restricted resources. An attacker with valid credentials could exploit misconfigured access controls to view or modify sensitive data they should not have permission to access. No patch is currently available for this vulnerability.

Authentication Bypass Glb
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-32385 MEDIUM This Month

RegistrationMagic through version 6.0.7.6 contains a missing authorization vulnerability that allows authenticated users to modify data and cause service disruptions through improperly configured access controls. An attacker with valid credentials can bypass intended permission restrictions to perform unauthorized actions on form submissions and registration data. No patch is currently available for this vulnerability.

Authentication Bypass Registrationmagic
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-32373 MEDIUM This Month

Cozy Vision SMS Alert Order Notifications through version 3.9.0 contains an authorization bypass that allows authenticated users to modify data and degrade service availability through improperly configured access controls. An attacker with valid credentials can exploit this vulnerability to perform unauthorized actions intended for higher-privileged users. No patch is currently available for this vulnerability.

Authentication Bypass Sms Alert Order Notifications
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-32331 MEDIUM This Month

Improper access control in Textmetrics up to version 3.6.4 allows authenticated users to modify data they should not have permission to access. An attacker with valid credentials can exploit misconfigured security levels to perform unauthorized modifications. No patch is currently available for this vulnerability.

Authentication Bypass Textmetrics
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-32709 MEDIUM This Month

An unauthenticated path traversal vulnerability in PX4 Autopilot's MAVLink FTP implementation (CWE-22) allows any MAVLink peer to read, write, create, delete, and rename arbitrary files on flight controller filesystems without authentication or privilege requirements. Affected versions are prior to 1.17.0-rc2, impacting both NuttX-based flight controllers and POSIX targets (Linux companion computers and SITL simulation environments). Attackers with network access to MAVLink communication channels can exploit this vulnerability to compromise flight controller integrity, extract sensitive configuration data, or inject malicious firmware.

Path Traversal Px4 Autopilot
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-32420 MEDIUM This Month

GamiPress versions 7.6.6 and earlier contain a Cross-Site Request Forgery (CSRF) vulnerability that allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated users through maliciously crafted requests. An attacker can exploit this to modify plugin settings, create or delete gamification elements, or alter user data without the target user's knowledge or consent. The vulnerability requires user interaction (clicking a malicious link) but has no authentication requirement for the attack itself, making it a moderate-risk issue suitable for opportunistic exploitation against WordPress administrators.

CSRF Gamipress
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-32328 MEDIUM PATCH This Month

A Cross-Site Request Forgery (CSRF) vulnerability exists in shufflehound's Lemmony application versions prior to 1.7.1, allowing unauthenticated attackers to perform unauthorized actions on behalf of legitimate users through crafted web requests. An attacker can exploit this vulnerability to cause integrity and availability impact by forcing a victim's browser to make unwanted requests to the Lemmony application. The attack requires user interaction (clicking a malicious link) but has a low attack complexity and network accessibility, making it a practical threat in multi-user web environments.

CSRF Lemmony
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-32702 MEDIUM This Month

Cleanuparr versions 2.7.0 through 2.8.0 contain a timing-based username enumeration vulnerability in the /api/auth/login endpoint that allows unauthenticated remote attackers to discover valid usernames by analyzing response time differences. The flaw stems from password verification logic that performs expensive cryptographic hashing only after validating username existence, creating a measurable timing side-channel. This vulnerability is fixed in version 2.8.1 and presents a moderate information disclosure risk with a CVSS score of 6.9, though exploitation requires no special privileges or user interaction.

Information Disclosure Cleanuparr
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-2888 MEDIUM This Month

The Formidable Forms WordPress plugin versions up to 6.28 contain an authorization bypass vulnerability in the Stripe payment integration that allows unauthenticated attackers to manipulate PaymentIntent amounts before payment completion. An attacker can exploit the publicly exposed nonce in the `frm_strp_amount` AJAX handler to overwrite POST data and recalculate dynamic pricing fields, enabling payment of reduced amounts for goods or services. While the CVSS score is moderate at 5.3, the vulnerability has direct financial impact on e-commerce deployments and poses a meaningful risk to sites using dynamic pricing with Formidable Forms and Stripe.

Authentication Bypass WordPress CSRF
NVD VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-13212 MEDIUM PATCH This Month

IBM Aspera Console versions 3.3.0 through 3.4.8 contain an improper rate-limiting vulnerability in the email service that allows authenticated users to trigger a denial of service condition. An attacker with valid credentials can abuse the email functionality by sending requests at excessive frequencies, exhausting service resources and rendering the email feature unavailable to legitimate users. This vulnerability requires authentication and does not provide confidentiality or integrity impact, resulting in a moderate CVSS score of 5.3.

Denial Of Service IBM Aspera Console
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-29775 MEDIUM PATCH This Month

FreeRDP versions prior to 3.24.0 contain a client-side heap out-of-bounds read/write vulnerability in the bitmap cache subsystem caused by an off-by-one boundary check error. A malicious RDP server can exploit this by sending a specially crafted CACHE_BITMAP_ORDER (Rev1) packet with cacheId equal to maxCells, allowing access to memory one element past the allocated array boundary. This vulnerability affects FreeRDP clients connecting to untrusted or compromised servers and could lead to information disclosure or denial of service, though the CVSS score of 5.3 and lack of confidentiality impact suggest limited real-world severity.

Memory Corruption Buffer Overflow Freerdp Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-29774 MEDIUM PATCH This Month

A client-side heap buffer overflow vulnerability exists in FreeRDP's AVC420/AVC444 YUV-to-RGB color space conversion code due to missing horizontal bounds validation of H.264 metablock region coordinates. FreeRDP versions prior to 3.24.0 are affected, allowing a malicious RDP server to trigger out-of-bounds memory writes via specially crafted WIRE_TO_SURFACE_PDU_1 packets with oversized regionRects left coordinates, resulting in denial of service through heap corruption. The vulnerability requires no user interaction or authentication and has a CVSS score of 5.3 with EPSS risk classification indicating moderate exploitation likelihood; no public exploit code is known to exist at this time.

Buffer Overflow Memory Corruption Freerdp Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-13726 MEDIUM PATCH This Month

IBM Sterling Partner Engagement Manager versions 6.2.3.0 through 6.2.3.5 and 6.2.4.0 through 6.2.4.2 contain an information disclosure vulnerability where detailed technical error messages are returned to remote attackers without authentication, exposing sensitive system information that can be leveraged for reconnaissance and follow-up attacks. With a CVSS score of 5.3 and low attack complexity requiring no privileges, this vulnerability poses a moderate risk as an information gathering vector in multi-stage attack campaigns, though direct exploitation impact is limited to confidentiality.

Information Disclosure IBM Sterling Partner Engagement Manager
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-32322 MEDIUM PATCH This Month

The soroban-sdk Rust SDK contains a cryptographic comparison vulnerability in Fr (scalar field) types for BN254 and BLS12-381 curves that fails to reduce unreduced field elements modulo the field modulus r before equality comparison. This allows attackers to supply crafted Fr values that are mathematically equal but compare as unequal when unreduced, potentially bypassing security-critical authorization or validation logic in smart contracts. The vulnerability affects versions prior to 22.0.11, 23.5.3, and 25.3.0; with a CVSS score of 5.3 (Medium), it poses moderate risk primarily to contract integrity rather than confidentiality.

Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-13460 MEDIUM PATCH This Month

IBM Aspera Console versions 3.3.0 through 3.4.8 contain a username enumeration vulnerability caused by observable response discrepancies in authentication mechanisms. An unauthenticated remote attacker can exploit this to enumerate valid usernames through response analysis, enabling reconnaissance for subsequent targeted attacks. With a CVSS score of 5.3 and low attack complexity, this is a low-to-moderate severity information disclosure issue suitable for standard patch management cycles rather than emergency response.

IBM Information Disclosure Aspera Console
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-32405 MEDIUM This Month

WoodMart versions 8.3.9 and earlier expose sensitive embedded system information to unauthorized parties through improper access controls, allowing remote attackers to retrieve confidential data without authentication. The vulnerability carries medium severity with a 5.3 CVSS score and currently lacks an available patch, affecting deployments of the affected WoodMart versions.

Information Disclosure Woodmart
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-32372 MEDIUM This Month

The RadiusTheme ShopBuilder plugin for WordPress (versions up to 3.2.4) improperly exposes sensitive system information through its Elementor WooCommerce integration, allowing unauthenticated attackers to retrieve embedded sensitive data. This information disclosure has a low confidentiality impact with no authentication or user interaction required. No patch is currently available for affected installations.

WordPress Information Disclosure Elementor
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-32354 MEDIUM PATCH This Month

WpEvently versions prior to 5.1.9 inadvertently expose sensitive information in transmitted data, allowing unauthenticated remote attackers to retrieve embedded secrets without user interaction. This information disclosure vulnerability affects the mage-eventpress plugin and could enable attackers to obtain credentials or other confidential data. No patch is currently available.

Information Disclosure Wpevently
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-23942 MEDIUM PATCH This Month

The Erlang OTP ssh_sftpd module contains a path traversal vulnerability in the is_within_root/2 function that uses string prefix matching instead of proper path component validation to verify if accessed paths are within the configured root directory. An authenticated SFTP user can exploit this to access sibling directories sharing a common name prefix with the root directory (for example, if root is /home/user1, accessing /home/user10 or /home/user1_backup would succeed when it should fail). This vulnerability affects OTP versions 17.0 through 28.4.1 with corresponding SSH versions 3.0.1 through 5.5.1, with no confirmed active exploitation in the wild (KEV status not indicated as actively exploited) but with a moderate CVSS score of 5.3 reflecting the requirement for prior authentication.

Path Traversal Otp
NVD VulDB GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2025-13723 MEDIUM PATCH This Month

IBM Sterling Partner Engagement Manager versions 6.2.3.0 through 6.2.3.5 and 6.2.4.0 through 6.2.4.2 contain an authentication bypass vulnerability that allows unauthenticated attackers to extract sensitive user information by leveraging expired access tokens over the network without requiring special privileges or user interaction. The vulnerability has a CVSS score of 5.3 with low attack complexity, meaning exploitation is straightforward and requires no special conditions, though the impact is limited to confidentiality breaches with no integrity or availability compromise.

Information Disclosure IBM Sterling Partner Engagement Manager
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-32543 MEDIUM This Month

A Missing Authorization vulnerability exists in CyberChimps Responsive Blocks responsive-block-editor-addons plugin through version 2.2.0, where incorrectly configured access control allows unauthenticated attackers to perform unauthorized actions. The vulnerability has a CVSS score of 5.3 with a network attack vector and no privileges required, meaning remote attackers can exploit this without authentication to modify content or settings. While the integrity impact is limited (CWE-862: Missing Authorization), the lack of authentication requirements and the plugin's wide deployment in WordPress environments present a moderate real-world risk.

Authentication Bypass Responsive Blocks
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-32487 MEDIUM This Month

The Lawyer Landing Page plugin through version 1.2.7 contains an authorization bypass vulnerability that allows unauthenticated attackers to modify data due to improper access control configuration. This network-accessible vulnerability could enable attackers to alter content or settings without proper authentication credentials. A patch is not currently available for affected installations.

Authentication Bypass Lawyer Landing Page
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-32486 MEDIUM This Month

Improper access control in wptravelengine Travel Booking versions up to 1.3.9 permits unauthenticated attackers to modify data through incorrectly configured authorization checks. An attacker can exploit this vulnerability to tamper with travel booking information without requiring valid credentials or user interaction. No patch is currently available for this medium-severity vulnerability.

Authentication Bypass Travel Booking
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-32457 MEDIUM This Month

Improper access control in Wombat Plugins Advanced Product Fields for WooCommerce through version 1.6.18 allows unauthenticated attackers to modify product addon data due to misconfigured authorization checks. This affects WooCommerce stores using the vulnerable plugin, enabling attackers to alter product information without proper permissions. No patch is currently available.

WordPress Authentication Bypass
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-32453 MEDIUM PATCH This Month

This is a missing authorization vulnerability in ThemeFusion Avada Core (versions prior to 5.15.0) that allows unauthenticated attackers to modify data through incorrectly configured access control security levels. The vulnerability has a CVSS score of 5.3 with network attack vector and no privilege requirements, meaning any remote attacker can exploit it without authentication. While the integrity impact is limited (data modification rather than disclosure or system compromise), the lack of authentication requirements and network accessibility make this a practical security concern for websites using vulnerable Avada versions.

Authentication Bypass Avada Core
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-32452 MEDIUM PATCH This Month

This vulnerability is a missing authorization flaw in ThemeFusion Fusion Builder that allows unauthenticated attackers to exploit incorrectly configured access controls to modify content or settings. The issue affects Fusion Builder versions prior to 3.15.0, and the network-accessible nature combined with no authentication requirement means any remote attacker can exploit it without special privileges. While the CVSS score of 5.3 indicates moderate severity with integrity impact but no confidentiality or availability loss, the lack of authentication requirement elevates real-world risk for WordPress sites using affected versions.

Authentication Bypass Fusion Builder
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-32440 MEDIUM PATCH This Month

Inadequate access control in WP Food plugin versions below 2.7.1 allows unauthenticated remote attackers to modify data without proper authorization checks. This vulnerability affects WordPress installations using the vulnerable WP Food plugin and could enable attackers to alter plugin functionality or data integrity. No patch is currently available for this issue.

Authentication Bypass Wp Food
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-32439 MEDIUM This Month

WebGeniusLab BigHearts contains a missing authorization vulnerability (CWE-862) that allows unauthenticated attackers to modify data due to incorrectly configured access control security levels. All versions of BigHearts through 3.1.14 are affected, enabling an attacker to bypass authorization checks and perform unauthorized data modification without requiring authentication or user interaction. With a CVSS score of 5.3 and network-accessible attack surface, this vulnerability poses a moderate integrity risk requiring prompt patching.

Authentication Bypass Bighearts
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-32438 MEDIUM This Month

Improper access control in VW School Education through version 1.4.6 allows unauthenticated remote attackers to modify data by exploiting misconfigured security levels. The vulnerability enables integrity compromise without requiring authentication or user interaction, affecting educational institutions using affected versions.

Authentication Bypass Vw School Education
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-32437 MEDIUM This Month

Improper access control in VW Portfolio up to version 1.3.3 enables unauthenticated attackers to modify data through incorrectly configured security levels. The vulnerability allows integrity compromise without requiring authentication or user interaction, affecting all instances of the affected software versions. No patch is currently available.

Authentication Bypass Vw Portfolio
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-32436 MEDIUM This Month

Improper access control in VW Photography through version 1.3.8 permits unauthenticated attackers to modify application data due to missing authorization checks on sensitive functions. An attacker can exploit this vulnerability over the network without user interaction to alter content or settings, though confidentiality and availability are not impacted. No patch is currently available for this vulnerability.

Authentication Bypass Vw Photography
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-32435 MEDIUM This Month

VW Pet Shop through version 1.4.7 contains an authorization bypass vulnerability that allows unauthenticated remote attackers to modify data due to improperly configured access controls. An attacker can exploit this to alter information within the application without requiring authentication or user interaction. Currently, no patch is available for this vulnerability.

Authentication Bypass Vw Pet Shop
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-32434 MEDIUM This Month

VW Fitness through version 4.3.4 contains an authorization bypass vulnerability that allows unauthenticated remote attackers to modify data through improperly configured access controls. An attacker can exploit this to perform unauthorized actions without requiring authentication or user interaction. No patch is currently available for affected installations.

Authentication Bypass Vw Fitness
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-32432 MEDIUM This Month

WP Time Slots Booking Form through version 1.2.42 contains a missing authorization vulnerability that allows unauthenticated attackers to modify booking data through improperly configured access controls. An attacker can exploit this to alter time slot reservations and other critical booking information without authentication. No patch is currently available for this vulnerability.

Authentication Bypass Wp Time Slots Booking Form
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-32428 MEDIUM This Month

Popup Like Box versions 3.7.7 and earlier contain an authorization bypass vulnerability that allows unauthenticated attackers to modify content through improperly configured access controls. The vulnerability affects the ays-facebook-popup-likebox plugin and requires no user interaction to exploit. While no patch is currently available, the impact is limited to integrity violations without affecting confidentiality or availability.

Authentication Bypass Popup Like Box
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-32427 MEDIUM This Month

VW Education Lite versions 2.2.0 and earlier contain a missing authorization vulnerability (CWE-862) that allows unauthenticated attackers to modify data through incorrectly configured access control security levels. An attacker with network access can exploit this vulnerability without requiring authentication or user interaction to perform unauthorized modifications, resulting in integrity compromise but not confidentiality or availability impact. The CVSS 5.3 medium score reflects the network-accessible nature and lack of authentication requirements, though the integrity-only impact limits the overall severity.

Authentication Bypass Vw Education Lite
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-32425 MEDIUM This Month

Payment Gateway Pix For GiveWP versions 2.2.3 and earlier contain a missing authorization vulnerability that allows unauthenticated remote attackers to modify data through improper access control. An attacker can exploit this flaw to manipulate payment gateway functionality without proper authentication or user interaction. No patch is currently available for this vulnerability affecting GiveWP payment processing installations.

Authentication Bypass Payment Gateway Pix For Givewp
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
Prev Page 2 of 4 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy