Skip to main content
CVE-2026-2673 MEDIUM POC PATCH CISA This Month

OpenSSL and Microsoft products using the 'DEFAULT' keyword in TLS 1.3 key exchange group configurations may negotiate weaker cryptographic groups than intended, allowing network-based attackers to potentially downgrade the security of encrypted connections without authentication or user interaction. This affects servers that combine default group lists with custom configurations, particularly impacting hybrid post-quantum key exchange implementations where clients defer group selection. A patch is available to remediate this high-severity confidentiality risk.

OpenSSL Information Disclosure Microsoft
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
Threat
4.8
CVE-2026-32704 MEDIUM POC PATCH This Month

CVE-2026-32704 is a security vulnerability (CVSS 6.5). Risk factors: public PoC available.

Authentication Bypass Docker Suse
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-32630 MEDIUM POC PATCH This Month

The file-type library's ZIP file type detection functions fail to limit decompression output for known-size inputs, allowing attackers to craft small compressed ZIP files that expand to hundreds of megabytes in memory during processing. Applications processing untrusted file uploads are vulnerable to denial-of-service attacks that cause excessive memory consumption and potential crashes. Public exploit code exists for this vulnerability, though a patch is available.

Denial Of Service Red Hat
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-23943 MEDIUM PATCH This Month

A remote code execution vulnerability (CVSS 6.9) that allows denial of service. Remediation should follow standard vulnerability management procedures. Vendor patch is available.

Microsoft Denial Of Service SSH
NVD VulDB GitHub
CVSS 4.0
6.9
EPSS
0.0%
CVE-2025-15515 MEDIUM This Month

The EasyShare module contains an authentication bypass vulnerability in a specific feature that allows data leakage when certain conditions are met on a local network. The vulnerability affects users of products implementing the EasyShare module and requires user interaction to exploit, but can result in high-impact confidentiality breach. While the CVSS score of 6.9 indicates medium-high severity, the attack vector is limited to adjacent networks (AV:A) and requires user participation (UI:P), suggesting real-world exploitation may be less prevalent than the numeric score implies.

Authentication Bypass Easyshare
NVD VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-31864 MEDIUM PATCH This Month

JumpServer contains a Server-Side Template Injection (SSTI) vulnerability in its Applet and VirtualApp upload functionality that allows authenticated administrators to execute arbitrary code within the JumpServer Core container. The vulnerability affects JumpServer versions vulnerable to unsafe Jinja2 template rendering of user-uploaded YAML manifest files. While requiring high privilege level (Application Applet Management or Virtual Application Management permissions), successful exploitation results in complete container compromise with high confidentiality, integrity, and availability impact.

Ssti RCE Jumpserver
NVD GitHub VulDB
CVSS 3.1
6.8
EPSS
0.0%
CVE-2026-32705 MEDIUM PATCH This Month

PX4 autopilot versions prior to 1.17.0-rc2 contain a stack overflow vulnerability in the BST telemetry probe driver that allows a malicious BST device to trigger a buffer overflow by reporting an oversized dev_name_len parameter without bounds checking. An attacker with physical access to inject a malicious BST device can crash the autopilot task or potentially achieve arbitrary code execution, impacting drone flight safety and control systems. No active KEV exploitation data or public POC is currently documented, but the vulnerability is patched in version 1.17.0-rc2.

RCE Stack Overflow Buffer Overflow Px4 Autopilot
NVD GitHub VulDB
CVSS 3.1
6.8
EPSS
0.0%
CVE-2026-4105 MEDIUM PATCH This Month

High severity vulnerability in systemd. A flaw was found in systemd. The systemd-machined service contains an Improper Access Control vulnerability due to insufficient validation of the class parameter in the RegisterMachine D-Bus (Desktop Bus) method. A local unprivileged user can exploit this by attempting to register a machine with a specific class value, which may leave behind a usable, attacker-controlled machine object. This al...

Authentication Bypass Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 8 Red Hat Enterprise Linux 9 +1
NVD VulDB GitHub
CVSS 3.1
6.7
EPSS
0.0%
CVE-2026-22216 MEDIUM PATCH This Month

Medium severity vulnerability in wpDiscuz (WordPress plugin). wpDiscuz before 7.6.47 contains a missing rate limiting vulnerability that allows unauthenticated attackers to subscribe arbitrary email addresses to post notifications by sending POST requests to the wpdAddSubscription handler in class.WpdiscuzHelperAjax.php. Attackers can exploit LIKE wildcard characters in the subscription query to match multiple email addresses and generate unwanted notific...

PHP Information Disclosure Wpdiscuz
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-31949 MEDIUM PATCH This Month

LibreChat versions prior to 0.8.3-rc1 contain a Denial of Service vulnerability in the DELETE /api/convos endpoint where authenticated attackers can crash the Node.js server process by sending malformed requests lacking the required req.body.arg parameter. The vulnerability exploits improper destructuring without validation, causing an unhandled TypeError that bypasses Express middleware and triggers process.exit(1), resulting in complete service unavailability. No evidence of active exploitation in the wild or public POC has been identified at this time.

Node.js Denial Of Service AI / ML Librechat
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-31884 MEDIUM PATCH This Month

A denial of service vulnerability in FreeRDP (CVSS 6.5). Remediation should follow standard vulnerability management procedures.

Denial Of Service Freerdp Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-31885 MEDIUM PATCH This Month

FreeRDP versions prior to 3.24.0 contain an out-of-bounds read vulnerability in MS-ADPCM and IMA-ADPCM audio decoders that allows unauthenticated remote attackers to read sensitive information from process memory. The vulnerability affects all FreeRDP installations using these audio codecs; an attacker can trigger the flaw by providing specially crafted audio data during RDP session establishment, potentially disclosing confidential data such as credentials or session tokens without requiring privileges or interaction beyond basic RDP connection initiation.

Buffer Overflow Information Disclosure Freerdp Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-32460 MEDIUM This Month

Stored cross-site scripting in Ultimate Addons for Contact Form 7 through version 3.5.36 allows authenticated attackers with improper access controls to inject malicious scripts that execute in other users' browsers. An attacker can exploit this vulnerability to steal session tokens, modify form data, or perform actions on behalf of victims. No patch is currently available for this vulnerability.

XSS Ultimate Addons For Contact Form 7
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-32455 MEDIUM This Month

A DOM-Based Cross-Site Scripting (XSS) vulnerability exists in the RealMag777 MDTF (Meta Data Filter and Taxonomy Filter) WordPress plugin affecting versions up to and including 1.3.5. An authenticated attacker with low privileges can inject malicious scripts that execute in the context of other users' browsers, potentially leading to session hijacking, credential theft, or unauthorized actions. The vulnerability requires user interaction (UI:R) and is classified as moderate severity (CVSS 6.5), though its exploitability depends on plugin popularity and whether public proof-of-concept code becomes available.

XSS Mdtf
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-32454 MEDIUM PATCH This Month

A DOM-based Cross-Site Scripting (XSS) vulnerability exists in ThemeFusion Avada Core plugin versions prior to 5.15.0, allowing authenticated users with low privileges to inject malicious scripts that execute in other users' browsers. The vulnerability requires user interaction (UI:R) and affects the confidentiality, integrity, and availability of affected WordPress installations. With an EPSS score of 0.03% (8th percentile), real-world exploitation probability is currently low, though the vulnerability is documented and patched.

XSS Avada Core
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-32450 MEDIUM This Month

A DOM-Based Cross-Site Scripting (XSS) vulnerability exists in the RealMag777 Active Products Tables for WooCommerce plugin (versions up to 1.0.7), allowing authenticated users with low privileges to inject malicious scripts that execute in other users' browsers. The vulnerability has a moderate CVSS score of 6.5 but carries a low exploitation probability (EPSS 0.03%, percentile 8%), indicating minimal real-world active exploitation risk despite the technical severity.

WordPress XSS
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-32449 MEDIUM This Month

A Stored Cross-Site Scripting (XSS) vulnerability exists in the Themify Event Post WordPress plugin (versions up to 1.3.4) that allows authenticated users with low privileges to inject malicious scripts into web pages, which are then executed in the browsers of other site visitors. An attacker with login credentials can craft malicious input that persists in the database and affects all users viewing affected pages, potentially leading to session hijacking, credential theft, or website defacement. The vulnerability requires user interaction (UI:R) and authenticated access (PR:L), limiting but not eliminating real-world risk.

XSS Themify Event Post
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-32448 MEDIUM This Month

A cross-site scripting vulnerability (CVSS 6.5). Remediation should follow standard vulnerability management procedures.

WordPress XSS
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-32431 MEDIUM This Month

A DOM-based Cross-Site Scripting (XSS) vulnerability exists in the Brainstorm Force Astra Bulk Edit WordPress plugin through version 1.2.10, allowing authenticated attackers to inject malicious scripts that execute in the context of other users' browsers. An attacker with low-privilege account access (e.g., contributor or editor role) can craft malicious input that, when processed by the bulk edit functionality, results in arbitrary JavaScript execution affecting site administrators and other users. The vulnerability requires user interaction (UI:R) but can affect multiple users across the site due to its stored/DOM-based nature, making it a persistent attack vector for privilege escalation or data exfiltration.

XSS Astra Bulk Edit
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-32430 MEDIUM This Month

A Stored Cross-Site Scripting (XSS) vulnerability exists in PowerPack Addons for Elementor (powerpack-lite-for-elementor) versions up to 2.9.9, allowing authenticated attackers with limited privileges to inject malicious scripts that persist in the application and execute in other users' browsers. While the CVSS score is moderate (6.5) and EPSS exploitation probability is low (0.03%, percentile 8%), the vulnerability requires user interaction (UI:R) and authenticated access (PR:L), reducing real-world exploitability. No evidence of active exploitation (KEV status) or public proof-of-concept has been identified at this time.

XSS Powerpack Addons For Elementor Elementor
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-32429 MEDIUM This Month

A Stored Cross-Site Scripting (XSS) vulnerability exists in Magical Addons For Elementor, a WordPress plugin for the Elementor page builder, affecting versions up to and including 1.4.1. An authenticated attacker with low privileges can inject malicious JavaScript code that persists in the application and executes in the browsers of other users, potentially leading to session hijacking, credential theft, or defacement. This is a post-authentication vulnerability with user interaction required, making it moderately exploitable in real-world WordPress environments where multiple users collaborate on page design.

XSS Magical Addons For Elementor Elementor
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-32424 MEDIUM This Month

BoldGrid Sprout Clients contains a Stored Cross-Site Scripting (XSS) vulnerability in web page generation that allows authenticated users to inject and execute arbitrary JavaScript. The vulnerability affects Sprout Clients version 3.2.2 and earlier, enabling attackers with login credentials to compromise other users viewing affected pages. While the CVSS score of 6.5 indicates medium severity with network accessibility and low attack complexity, the stored nature of the XSS and requirement for user interaction (UI:R) limits immediate widespread automated exploitation.

XSS Sprout Clients
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-32411 MEDIUM This Month

A Stored Cross-Site Scripting (XSS) vulnerability exists in the Simpma Embed Calendly plugin (versions up to and including 4.4) that allows authenticated attackers to inject malicious scripts into web pages. An attacker with login privileges can craft malicious input that persists in the application and executes in the browsers of other users who view the affected content, potentially compromising session tokens, credentials, or sensitive data. While this vulnerability requires prior authentication (lowering immediate exposure), the stored nature means the payload affects multiple victims and persists across sessions.

XSS Embed Calendly
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-32403 MEDIUM This Month

A DOM-based Cross-Site Scripting (XSS) vulnerability exists in Toocheke Companion browser extension versions through 1.194, allowing authenticated attackers to inject malicious scripts that execute in the context of a user's web session. An attacker with login credentials can craft malicious input that bypasses input sanitization during web page generation, enabling session hijacking, credential theft, or malware distribution. While no active KEV exploitation or public proof-of-concept has been disclosed for this CVE, the CVSS 6.5 score reflects moderate severity due to the requirement for user interaction and authenticated access.

XSS Toocheke Companion
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-32361 MEDIUM This Month

Editorial Calendar through version 3.9.0 contains a DOM-based cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through improper input sanitization during web page generation. An attacker with user privileges can exploit this to execute arbitrary JavaScript in the context of other users' browsers, potentially leading to credential theft or unauthorized actions. No patch is currently available for this vulnerability.

XSS Editorial Calendar
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-32359 MEDIUM This Month

Stored XSS in bPlugins Icon List Block through version 1.2.3 allows authenticated attackers to inject malicious scripts that execute in other users' browsers. An attacker with user-level access can craft malicious input that persists in the application and compromises the confidentiality, integrity, and availability of affected systems. No patch is currently available for this vulnerability.

XSS Icon List Block
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-32356 MEDIUM This Month

A DOM-based Cross-Site Scripting (XSS) vulnerability exists in robosoft Robo Gallery through version 5.1.2, allowing authenticated attackers to inject malicious scripts into web pages generated by the application. An attacker with login credentials can craft malicious input that executes arbitrary JavaScript in the context of other users' browsers, potentially leading to session hijacking, credential theft, or malware distribution. The vulnerability requires user interaction (UI:R) and authenticated access (PR:L), which moderates but does not eliminate the threat.

XSS Robo Gallery
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-32352 MEDIUM This Month

A DOM-based Cross-Site Scripting (XSS) vulnerability exists in Elementor Website Builder through version 3.35.5, allowing authenticated attackers with low privileges to inject malicious scripts that execute in the context of other users' browsers. An attacker can exploit this via a crafted page or element to steal session cookies, redirect users, or perform actions on their behalf. The vulnerability requires user interaction (UI:R) and authenticated access (PR:L), but carries a moderate CVSS score of 6.5 with cross-site impact (S:C), indicating meaningful business risk despite not being unauthenticated.

XSS Elementor Website Builder Elementor
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-31918 MEDIUM This Month

A Stored Cross-Site Scripting (XSS) vulnerability exists in immonex Kickstart through version 1.13.0, allowing authenticated attackers to inject malicious scripts that persist in the application and execute in the browsers of other users who view the affected content. An attacker with login credentials can craft malicious input that bypasses input sanitization during web page generation, resulting in arbitrary JavaScript execution with access to session cookies, user data, and the ability to perform actions on behalf of victims. While no KEV or widespread exploitation data is available for this CVE, the vulnerability is exploitable with low attack complexity and requires only user interaction (UI click), making it a moderate-to-high priority for organizations running immonex Kickstart.

XSS Immonex Kickstart
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-31883 MEDIUM PATCH This Month

Size_t integer underflow vulnerability in FreeRDP's IMA-ADPCM and MS-ADPCM audio decoders that triggers a heap buffer overflow write via the RDPSND audio channel. All FreeRDP versions prior to 3.24.0 are affected. An unauthenticated remote attacker can exploit this vulnerability over the network without user interaction to cause information disclosure and data corruption, though not denial of service based on the CVSS impact ratings.

Buffer Overflow Integer Overflow Freerdp Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-30955 MEDIUM PATCH This Month

Denial-of-service vulnerability in Gokapi, a file-sharing server, wherein an authenticated attacker can send unbounded request bodies to an API endpoint without size restrictions, causing out-of-memory (OOM) conditions that crash the service and deny access to all users. The vulnerability requires valid authentication credentials but no special privileges, and is classified as high-severity (CVSS 6.5) due to guaranteed availability impact. Patch availability exists in version 2.2.4 and later.

Denial Of Service Suse
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-36368 MEDIUM PATCH This Month

SQL injection vulnerability in IBM Sterling B2B Integrator and Sterling File Gateway that allows authenticated administrative users to execute arbitrary SQL commands against the backend database. An attacker with admin privileges can view, add, modify, or delete sensitive database information. While requiring high privileges (PR:H), the vulnerability has a CVSS score of 6.5 (Medium) due to high impact on confidentiality and integrity; no active exploitation in the wild or public POC has been reported at this time.

IBM SQLi
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-32398 MEDIUM This Month

TeraWallet for WooCommerce versions up to 1.5.15 contain a race condition in concurrent transaction handling that allows authenticated attackers to manipulate wallet integrity and perform unauthorized financial operations. An attacker with user-level access can exploit improper synchronization during simultaneous requests to bypass transaction controls and modify account balances. No patch is currently available for this vulnerability.

WordPress Information Disclosure Race Condition
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-32451 MEDIUM PATCH This Month

Fusion Builder, a WordPress plugin by ThemeFusion, contains a missing authorization vulnerability (CWE-862) that allows authenticated attackers with low privileges to bypass access controls and perform unauthorized actions. Versions prior to 3.15.0 are affected, and attackers can exploit incorrectly configured access control to read, modify, or delete sensitive data. The CVSS 6.3 score reflects moderate severity with network accessibility and low attack complexity, though no public evidence of active KEV inclusion or widespread exploitation has been documented at this time.

Authentication Bypass Fusion Builder
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-32598 MEDIUM PATCH This Month

OneUptime versions prior to 10.0.24 contain a sensitive information exposure vulnerability where the password reset flow logs complete password reset URLs containing plaintext reset tokens at the INFO log level, which is enabled by default in production environments. Any actor with access to application logs-including log aggregation systems, Docker logs, or Kubernetes pod logs-can extract these tokens and perform account takeover on any user. The vulnerability is fixed in version 10.0.24.

Kubernetes Docker Information Disclosure Oneuptime
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-32443 MEDIUM This Month

A Cross-Site Request Forgery (CSRF) vulnerability exists in Josh Kohlbach's Product Feed PRO for WooCommerce plugin affecting versions up to 13.5.2, allowing unauthenticated attackers to perform unauthorized actions on behalf of authenticated administrators through malicious web requests. While the CVSS score is 6.5 (Medium), the EPSS score of 0.01% (1st percentile) indicates minimal real-world exploitation probability, suggesting this is a low-priority vulnerability despite the integrity impact. No KEV status or active exploitation evidence is documented.

WordPress CSRF
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-3986 MEDIUM This Month

Medium severity vulnerability in WordPress plugin. The Calculated Fields Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form settings in all versions up to, and including, 5.4.5.0. This is due to insufficient capability checks on the form settings save handler and insufficient input sanitization of the `fcontent` field in `fhtml` field types. This makes it possible for authenticated attackers, with Contributor-le...

XSS WordPress
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-2257 MEDIUM This Month

Medium severity vulnerability in WordPress plugin. The GetGenie plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.3.2 due to missing validation on a user controlled key in the `action` function. This makes it possible for authenticated attackers, with Author-level access and above, to update post metadata for arbitrary posts. Combined with a lack of input sanitization, this leads to S...

XSS Authentication Bypass WordPress
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-32357 MEDIUM This Month

Simple Blog Card versions 2.37 and earlier contain a Server-Side Request Forgery vulnerability that allows authenticated attackers to make arbitrary requests from the affected server. An attacker with login credentials can leverage this to access internal resources, interact with backend services, or potentially exfiltrate sensitive data. No patch is currently available for this vulnerability.

SSRF Simple Blog Card
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-32353 MEDIUM This Month

MailerPress through version 1.4.2 contains a server-side request forgery (SSRF) vulnerability that allows authenticated attackers to make arbitrary network requests from the affected server. An attacker with valid credentials could exploit this to access internal services, scan the network, or interact with backend systems. No patch is currently available for this vulnerability.

SSRF Mailerpress
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-57849 MEDIUM This Month

Medium severity vulnerability in systemd. A container privilege escalation flaw was found in certain Fuse images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker who can execute commands within an affected container, even as a non-root user, can leverage their membership in the root group to modify the /etc/passwd file. This could allow the a...

Privilege Escalation Red Hat Fuse 7
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-8766 MEDIUM This Month

Medium severity vulnerability in systemd. A container privilege escalation flaw was found in certain Multi-Cloud Object Gateway Core images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker who can execute commands within an affected container, even as a non-root user, can leverage their membership in the root group to modify the /etc/passwd f...

Privilege Escalation Red Hat Openshift Data Foundation 4
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-60012 MEDIUM PATCH This Month

Apache Livy versions 0.7.0 and 0.8.0 contain an improper input validation vulnerability (CWE-20) that allows authenticated users to bypass file access controls by injecting malicious Spark configuration values when connecting to Apache Spark 3.1 or later. An attacker with access to Livy's REST or JDBC interface can craft requests with arbitrary Spark configuration parameters to gain unauthorized access to files they do not have permissions to read or modify. This vulnerability is of moderate severity (CVSS 6.3) but requires valid authentication and is fixed in version 0.9.0 and later.

Apache Authentication Bypass AI / ML Apache Livy
NVD VulDB
CVSS 3.1
6.3
EPSS
0.0%
CVE-2025-66249 MEDIUM PATCH This Month

Apache Livy versions 0.3.0 through 0.8.x contain a path traversal vulnerability (CWE-22) that allows authenticated attackers to bypass directory restrictions and access files outside intended whitelist boundaries. The vulnerability only manifests when the 'livy.file.local-dir-whitelist' configuration parameter is set to a non-default value, enabling attackers with valid credentials to read, write, or execute arbitrary files on the server. With a CVSS score of 6.3 (moderate severity) reflecting the requirement for authenticated access and limited impact scope, this vulnerability warrants prioritization for organizations using Livy in multi-tenant or untrusted user environments.

Path Traversal Apache Apache Livy
NVD VulDB
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-2491 MEDIUM This Month

Socomec DIRIS A-40 power monitoring devices contain an authentication bypass vulnerability in their HTTP API that allows network-adjacent attackers to gain unauthorized access without credentials. The vulnerability affects all versions of the DIRIS A-40 product due to lack of authentication enforcement on the web API listening on TCP port 80, enabling attackers to read sensitive data, modify configurations, and potentially disrupt power monitoring operations. This is a moderate-severity flaw (CVSS 6.3) with low attack complexity that poses real risk in industrial/operational technology environments where these devices are deployed.

Authentication Bypass Diris A 40
NVD
CVSS 3.0
6.3
EPSS
0.0%
CVE-2026-32745 MEDIUM PATCH This Month

JetBrains Datalore versions before 2026.1 contain a session hijacking vulnerability (CVE-2026-32745) caused by missing secure attribute configuration on session cookies, allowing attackers on the same network to intercept and reuse session tokens. The vulnerability affects all Datalore versions prior to 2026.1 and requires adjacent network access combined with user interaction; while the CVSS score is moderate (6.3), the impact is high for confidentiality and enables unauthorized account access.

Information Disclosure Datalore
NVD VulDB
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-22183 MEDIUM PATCH This Month

Medium severity vulnerability in wpDiscuz (WordPress plugin). wpDiscuz before 7.6.47 contains a stored cross-site scripting vulnerability in the inline comment preview functionality that allows authenticated users to inject malicious scripts by submitting comments with unescaped content. Attackers with unfiltered_html capabilities can inject JavaScript directly through comment content rendered in the AJAX response from the getLastInlineComments() function...

PHP XSS Wpdiscuz
NVD VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-13702 MEDIUM PATCH This Month

IBM Sterling Partner Engagement Manager versions 6.2.3.0-6.2.3.5 and 6.2.4.0-6.2.4.2 contain a stored or reflected cross-site scripting (XSS) vulnerability in the Web UI that allows authenticated users to inject arbitrary JavaScript code. An attacker with valid credentials can alter application functionality and potentially exfiltrate sensitive data (including credentials) from trusted user sessions. A patch is available from IBM; exploitation requires user interaction (UI:R) but no elevated privileges.

XSS IBM
NVD VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-32462 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Liton Arefin Master Addons for Elementor master-addons allows DOM-Based XSS.This issue affects Master Addons for Elementor: from n/a through <= 2.1.3.

XSS Master Addons For Elementor Elementor
NVD VulDB
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-32419 MEDIUM This Month

The List category posts WordPress plugin (versions through 0.93.1) contains a DOM-based cross-site scripting (XSS) vulnerability that allows authenticated attackers with high privileges to inject malicious scripts into web pages viewed by other users. An attacker can exploit this through improper input neutralization during web page generation, potentially leading to session hijacking, credential theft, or defacement. With a CVSS score of 5.9 and requiring high privileges plus user interaction, this represents a moderate-severity risk primarily to WordPress sites using this specific plugin.

XSS List Category Posts
NVD VulDB
CVSS 3.1
5.9
EPSS
0.0%
Page 1 of 4 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy