Skip to main content
CVE-2026-4163 HIGH POC PATCH This Week

Critical command injection vulnerability in Wavlink WL-WN579A3 wireless router firmware version 220323, allowing unauthenticated remote attackers to execute arbitrary commands via the SetName/GuestWifi functions in /cgi-bin/wireless.cgi. A public proof-of-concept exploit is available, and while a vendor patch exists, the vulnerability has not yet been added to CISA's KEV catalog despite its high severity (CVSS 9.8).

Command Injection Wl Wn579a3
NVD VulDB GitHub
CVSS 4.0
8.9
EPSS
0.2%
CVE-2025-54920 HIGH PATCH This Week

This issue affects Apache Spark: before 3.5.7 and 4.0.1.

Command Injection RCE Deserialization Apache Red Hat
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-32774 MEDIUM PATCH This Month

A cross-site scripting vulnerability in comment hypertext handling that allows attackers to inject malicious scripts (CVSS 6.4) that allows attackers. Remediation should follow standard vulnerability management procedures. Vendor patch is available.

XSS Vulnogram
NVD GitHub VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-4179 MEDIUM This Month

The STM32 USB device driver in Zephyr contains a logic error that can trigger an infinite loop, allowing a local attacker with user-level privileges to cause a denial of service by halting system responsiveness. No patch is currently available for this medium-severity defect that affects the USB subsystem's operational stability.

Denial Of Service Zephyr
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-1870 MEDIUM This Month

The Thim Kit for Elementor plugin for WordPress versions up to 1.3.7 allows unauthenticated attackers to access private and draft LearnPress course content through an improperly secured REST API endpoint that accepts arbitrary post status parameters. The vulnerability stems from missing input validation on the 'thim-ekit/archive-course/get-courses' endpoint, enabling information disclosure to any remote attacker without authentication or user interaction. No patch is currently available for this medium-severity flaw affecting WordPress installations using the vulnerable plugin.

WordPress Authentication Bypass Elementor
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-1948 MEDIUM This Month

The NEX-Forms Ultimate Forms Plugin for WordPress contains a missing capability check vulnerability in the deactivate_license() function, allowing authenticated attackers with Subscriber-level privileges to deactivate the plugin license without proper authorization. This authorization bypass affects all versions up to and including 9.1.9 and has a CVSS score of 4.3 (Low severity), indicating limited direct impact but meaningful privilege escalation concerns for multi-user WordPress installations.

WordPress Authentication Bypass
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-0849 LOW Monitor

Malformed ATAES132A responses with an oversized length field overflow a 52-byte stack buffer in the Zephyr crypto driver, allowing a compromised device or bus attacker to corrupt kernel memory and potentially hijack execution.

Buffer Overflow Zephyr
NVD GitHub VulDB
CVSS 3.1
3.8
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy