Skip to main content
CVE-2026-33683 MEDIUM This Month

WWBN AVideo versions up to and including 26.0 contain a stored cross-site scripting (XSS) vulnerability in the user profile "about" field caused by improper sanitization order of operations. Any registered user can inject arbitrary JavaScript that executes when other users visit their channel page, allowing attackers to steal session cookies, perform actions on behalf of victims, or redirect users to malicious sites. A patch is available via commit 7cfdc380dae1e56bbb5de581470d9e9957445df0, and the vulnerability has been formally disclosed through GitHub Security Advisory GHSA-ghx5-7jjg-q2j7.

XSS Avideo
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-4056 MEDIUM This Month

The User Registration & Membership plugin for WordPress contains an insufficient capability check vulnerability in its Content Access Rules REST API endpoints, allowing authenticated contributors and above to bypass intended administrative restrictions. Versions 5.0.1 through 5.1.4 are affected, enabling attackers to list, create, modify, toggle, duplicate, and delete site-wide content restriction rules, potentially exposing restricted content or denying legitimate user access. The vulnerability has a CVSS score of 5.4 with low attack complexity and low privilege requirements, making it readily exploitable by any authenticated user with contributor-level access or higher.

Authentication Bypass WordPress
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2024-46878 MEDIUM This Month

A Cross-Site Scripting (XSS) vulnerability exists in the page parameter of tiki-editpage.php in Tiki version 26.3 and earlier. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS PHP
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2024-46879 MEDIUM This Month

A Reflected Cross-Site Scripting (XSS) vulnerability exists in the POST request data zipPath of tiki-admin_system.php in Tiki version 21.2. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS PHP
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-10731 MEDIUM This Month

The ReviewX WordPress plugin for WooCommerce contains an unauthenticated sensitive information exposure vulnerability in the allReminderSettings function that allows attackers to obtain authentication tokens and bypass admin restrictions. Affected versions up to 2.2.12 expose critical customer data including order details, names, emails, addresses, phone numbers, and user information. With a CVSS score of 5.3 and network-based attack vector requiring no authentication or user interaction, this vulnerability poses a moderate but immediate risk to any WordPress installation using the plugin.

WordPress Information Disclosure Authentication Bypass Google
NVD VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-23485 MEDIUM PATCH This Month

Blinko, an AI-powered card note-taking application, contains a path traversal vulnerability in the filePath parameter that allows unauthenticated remote attackers to enumerate file existence on the server through differential error responses. Versions prior to 1.8.4 are affected, and an attacker can leverage this vulnerability to discover sensitive files and directories without authentication or user interaction. The vulnerability has been patched in version 1.8.4, and exploit code or proof-of-concept demonstrations are available via the GitHub security advisory.

Path Traversal Blinko
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-33685 MEDIUM This Month

WWBN AVideo versions up to 26.0 expose advertising analytics data through an unauthenticated JSON API endpoint that lacks access controls, allowing attackers to retrieve sensitive information including video titles, user identifiers, channel names, and ad campaign performance metrics. While the HTML and CSV export functions properly enforce admin authentication, the JSON variant was left unprotected, enabling unauthorized data disclosure with no authentication required. A patch is available in commit daca4ffb1ce19643eecaa044362c41ac2ce45dde.

Authentication Bypass PHP
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-23488 MEDIUM PATCH This Month

Blinko, an AI-powered card note-taking application, contains an authentication bypass vulnerability in its comment management endpoints that allows unauthenticated attackers to create and view comments on any note, including private notes that have not been publicly shared. Versions prior to 1.8.4 are vulnerable, and a patch has been released and is available via the official GitHub repository. The vulnerability has a CVSS 4.0 score of 6.9 with a network attack vector requiring no privileges or user interaction, making it trivial to exploit.

Authentication Bypass Blinko
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-33688 MEDIUM This Month

WWBN AVideo versions up to and including 26.0 contain an information disclosure vulnerability in the password recovery endpoint (objects/userRecoverPass.php) that allows unauthenticated attackers to enumerate valid usernames and determine account status (active, inactive, or banned) without solving any captcha. The vulnerability exists because user existence and account status validation occurs before captcha verification, enabling attackers to distinguish three different JSON error responses at scale. No evidence of active exploitation in the wild has been reported, but a patch is available in commit e42f54123b460fd1b2ee01f2ce3d4a386e88d157.

PHP Information Disclosure
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-13997 MEDIUM This Month

King Addons for Elementor contains an information disclosure vulnerability that exposes sensitive API keys and secrets in HTML source code through the render_full_form function. Unauthenticated attackers can extract Mailchimp, Facebook, and Google API credentials from affected WordPress sites running the plugin up to version 51.1.49 that have the Premium license installed. This vulnerability has a CVSS score of 5.3 with a network attack vector requiring no authentication, making it easily discoverable and exploitable at scale.

WordPress Information Disclosure Google Elementor
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-10734 MEDIUM This Month

The ReviewX - WooCommerce Product Reviews plugin for WordPress contains a Sensitive Information Exposure vulnerability in the syncedData function that allows unauthenticated attackers to extract sensitive user data including names, emails, phone numbers, and addresses from affected sites. All versions up to and including 2.2.12 are vulnerable, affecting any WordPress installation running this popular review plugin. The vulnerability has a CVSS score of 5.3 (Medium) with low attack complexity and no authentication required, making it relatively straightforward to exploit.

WordPress Information Disclosure Google
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-33173 MEDIUM PATCH This Month

Rails Active Storage's DirectUploadsController accepts and persists arbitrary client-supplied metadata on blob objects, allowing attackers to manipulate internal flags like 'identified' and 'analyzed' that should only be set by the server. This affects Ruby on Rails versions across multiple release branches (7.2.x, 8.0.x, and 8.1.x prior to the patched versions 7.2.3.1, 8.0.4.1, and 8.1.2.1), and while not currently listed in the KEV catalog, patches are available from the vendor indicating acknowledgment of the issue's validity.

Information Disclosure Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-33169 MEDIUM PATCH This Month

A regular expression denial of service (ReDoS) vulnerability exists in Rails ActiveSupport's NumberToDelimitedConverter, which uses gsub! with an inefficient regex pattern to insert thousands delimiters into numeric strings. An attacker can craft excessively long digit strings that cause quadratic time complexity, leading to CPU exhaustion and denial of service. Patches are available from the Rails project for versions 7.2.3.1, 8.0.4.1, and 8.1.2.1, and the vulnerability is tagged as a denial of service issue affecting the activesupport gem.

Denial Of Service Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-33690 MEDIUM This Month

WWBN AVideo versions up to and including 26.0 contain an IP address spoofing vulnerability in the getRealIpAddr() function that trusts user-controlled HTTP headers to determine client IP addresses. This allows attackers to bypass IP-based access controls and audit logging mechanisms by forging headers such as X-Forwarded-For or X-Real-IP without authentication or user interaction. The vulnerability carries a CVSS score of 5.3 (medium severity) with low attack complexity, and a patch is available via commit 1a1df6a9377e5cc67d1d0ac8ef571f7abbffbc6c, though no public exploit code or KEV designation has been confirmed at this time.

PHP Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-1940 MEDIUM PATCH This Month

A security vulnerability in An incomplete fix for CVE-2024-47778 (CVSS 5.1) that allows an out-of-bounds read. Remediation should follow standard vulnerability management procedures.

Buffer Overflow Information Disclosure Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 +2
NVD VulDB
CVSS 3.1
5.1
EPSS
0.0%
CVE-2026-32879 MEDIUM PATCH This Month

A logic flaw in New API's universal secure verification flow allows authenticated users with registered passkeys to bypass WebAuthn assertion completion, effectively circumventing step-up authentication for privileged actions. This affects New API versions 0.10.0 and later, enabling authenticated attackers with passkey enrollment to access sensitive functionality without completing proper cryptographic verification. No patched versions are currently available, making this an unresolved authentication bypass affecting all current deployments.

Authentication Bypass Suse
NVD GitHub VulDB
CVSS 3.1
4.9
EPSS
0.0%
CVE-2024-51224 MEDIUM This Month

Multiple cross-site scripting (XSS) vulnerabilities in the component /admin/edit-vehicle.php of Phpgurukul Vehicle Record Management System v1.0 allows attackers to execute arbitrary web scripts or. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS PHP
NVD GitHub VulDB
CVSS 3.1
4.8
EPSS
0.0%
CVE-2024-51225 MEDIUM This Month

A stored cross-site scripting (XSS) vulnerability in the component /admin/add-brand.php of Phpgurukul Vehicle Record Management System v1.0 allows attackers to execute arbitrary web scripts or HTML. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS PHP
NVD GitHub VulDB
CVSS 3.1
4.8
EPSS
0.0%
CVE-2024-51223 MEDIUM This Month

A stored cross-site scripting (XSS) vulnerability in the component /admin/profile.php of Phpgurukul Vehicle Record Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS PHP
NVD GitHub VulDB
CVSS 3.1
4.8
EPSS
0.0%
CVE-2024-51222 MEDIUM This Month

A stored cross-site scripting (XSS) vulnerability in the component /admin/profile.php of Phpgurukul Vehicle Record Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS PHP
NVD GitHub VulDB
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-32012 MEDIUM PATCH This Month

OpenClaw before version 2026.2.25 fails to implement durable replay state validation for Nextcloud Talk webhook events, allowing attackers to capture and replay previously valid signed webhook requests to cause duplicate processing. This affects all versions of OpenClaw prior to the patched release, and an attacker with network access can exploit this vulnerability without authentication or user interaction to trigger integrity and availability impacts such as duplicate message processing or resource exhaustion.

Information Disclosure Nextcloud
NVD GitHub
CVSS 3.1
4.8
CVE-2026-32904 MEDIUM PATCH This Month

OpenClaw before version 2026.2.26 contains an authorization bypass vulnerability in group allowlist policy evaluation that improperly accepts sender identities from DM pairing-store approvals. Attackers with low privileges can exploit this boundary weakness by obtaining DM pairing approval to bypass group allowlist checks and gain unauthorized access to restricted groups. The vulnerability carries a moderate CVSS score of 4.6 with user interaction required, and patches are available from the vendor.

Authentication Bypass Openclaw
NVD GitHub
CVSS 3.1
4.6
CVE-2026-3225 MEDIUM This Month

The LearnPress WordPress LMS Plugin contains a missing capability check vulnerability in the delete_question_answer() function that allows authenticated attackers with Subscriber-level privileges to delete quiz answer options without authorization. Affected versions include 4.3.2.8 and earlier; the vulnerability was patched in version 4.3.3. While the CVSS score is moderate (4.3), the attack requires only low-privilege authentication and no user interaction, making it practical for any authenticated site user to exploit.

Authentication Bypass WordPress
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-4066 MEDIUM This Month

The Smart Custom Fields WordPress plugin contains an authorization bypass vulnerability in the relational_posts_search() AJAX function that allows authenticated contributors and above to access private and draft posts from other authors. Affected versions through 5.0.6 fail to perform per-post capability checks, instead relying only on a generic edit_posts check, enabling unauthorized information disclosure of sensitive post content. With a CVSS score of 4.3 and low attack complexity requiring only network access and contributor-level credentials, this vulnerability poses a moderate risk to multi-author WordPress installations.

Authentication Bypass WordPress
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-33290 MEDIUM This Month

WPGraphQL prior to version 2.10.0 allows authenticated low-privileged users to bypass comment moderation controls and self-approve their own comments without possessing the moderate_comments capability. The vulnerability exploits owner-based authorization logic in the updateComment mutation, enabling non-moderator users to transition comment status to APPROVE, HOLD, SPAM, or TRASH states directly. A proof-of-concept demonstrating this authorization bypass in WPGraphQL 2.9.1 has been published, and while the EPSS score of 0.03% indicates low statistical likelihood of exploitation, the attack vector is network-based with low complexity and requires only low-level user privileges (including custom roles with zero capabilities).

WordPress PHP Docker Node.js Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-4628 MEDIUM This Month

Keycloak's User-Managed Access endpoint fails to properly enforce access control on PUT operations, permitting authenticated attackers to modify protected resources despite the allowRemoteResourceManagement restriction being disabled. This access control bypass affects data integrity and impacts any organization using Keycloak for identity and access management. The vulnerability requires valid credentials to exploit and currently has no available patch.

Authentication Bypass Red Hat
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
Prev Page 2 of 2

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy