626 CVEs tracked today. 58 Critical, 249 High, 206 Medium, 10 Low.
-
CVE-2026-33701
CRITICAL
CVSS 9.3
A deserialization vulnerability in OpenTelemetry Java instrumentation versions prior to 2.26.1 allows remote code execution when the RMI instrumentation endpoint processes untrusted data without serialization filters. The vulnerability affects applications using the OpenTelemetry Java agent with network-reachable RMI/JMX endpoints and gadget-chain-compatible libraries on the classpath. This was responsibly disclosed in coordination with Datadog, and a patch is available in version 2.26.1.
RCE
Java
Deserialization
-
CVE-2026-33696
CRITICAL
CVSS 9.4
A prototype pollution vulnerability in the XML and GSuiteAdmin nodes of n8n workflow automation platform allows authenticated users with workflow creation or modification permissions to achieve remote code execution. Versions prior to 2.14.1, 2.13.3, and 1.123.27 are affected. The CVSS score of 9.4 (Critical) reflects network-based exploitation with low complexity requiring only low-level authentication, though no current KEV listing or public POC availability is indicated in the provided intelligence.
Prototype Pollution
RCE
-
CVE-2026-33670
CRITICAL
CVSS 9.8
SiYuan, a note-taking application written in Go, contains an unauthenticated directory traversal vulnerability in its /api/file/readDir endpoint. The vulnerability allows remote attackers without authentication to enumerate the entire directory structure of notebooks, configuration folders, plugins, and resource directories, which can be chained with file reading vulnerabilities for arbitrary document access. A working Python proof-of-concept exploit is publicly available, demonstrating recursive directory enumeration of data/ and conf/ directories.
Path Traversal
Python
-
CVE-2026-33669
CRITICAL
CVSS 9.8
An unauthenticated information disclosure vulnerability exists in SiYuan note-taking application that allows remote attackers to read the content of all documents, including encrypted or access-restricted files, through two API endpoints (/api/file/readDir and /api/block/getChildBlocks). A working proof-of-concept Python exploit has been published demonstrating complete document enumeration and content retrieval. With a CVSS score of 9.8 (Critical) indicating network-based exploitation requiring no privileges or user interaction, this represents a severe confidentiality breach for all published SiYuan instances.
Information Disclosure
Python
Buffer Overflow
-
CVE-2026-33660
CRITICAL
CVSS 9.4
An authenticated user with workflow creation or modification privileges in n8n workflow automation platform can exploit the Merge node's 'Combine by SQL' mode to read arbitrary local files on the n8n host and achieve remote code execution. n8n versions prior to 2.14.1, 2.13.3, and 1.123.26 are affected. The vulnerability carries a CVSS 4.0 score of 9.4 (Critical) due to insufficient sandbox restrictions in the AlaSQL component, allowing SQL injection-style attacks against the host system. No public proof-of-concept or active exploitation (KEV) status has been reported at this time.
RCE
Code Injection
-
CVE-2026-32573
CRITICAL
CVSS 9.1
A Code Injection vulnerability (CWE-94) exists in Nelio AB Testing WordPress plugin through version 8.2.7 that allows attackers to execute arbitrary code on affected installations. The vulnerability affects the Nelio Software product across all versions up to and including 8.2.7, potentially enabling remote code execution (RCE). This is a critical severity issue as it permits unauthenticated or low-privilege attackers to gain complete control over WordPress sites running the vulnerable plugin.
Code Injection
RCE
-
CVE-2026-32539
CRITICAL
CVSS 9.3
A blind SQL injection vulnerability exists in the PublishPress Revisions WordPress plugin through version 3.7.23, allowing attackers to execute arbitrary SQL commands against the underlying database. The vulnerability affects all installations of PublishPress Revisions up to and including version 3.7.23, enabling attackers to extract sensitive data, modify database contents, or potentially achieve remote code execution depending on database permissions and WordPress configuration. No CVSS score or EPSS data is currently available, and KEV status is unknown, though the vulnerability has been documented by Patchstack security researchers with a public reference available.
SQLi
-
CVE-2026-32536
CRITICAL
CVSS 9.9
The halfdata Green Downloads plugin for WordPress contains an unrestricted file upload vulnerability (CWE-434) that permits attackers to upload malicious files to affected systems. This vulnerability affects Green Downloads versions up to and including 2.08, as confirmed by Patchstack and ENISA. An unauthenticated or low-privileged attacker can exploit this to upload dangerous file types, potentially leading to remote code execution, website defacement, or malware distribution.
File Upload
-
CVE-2026-32525
CRITICAL
CVSS 9.9
A Code Injection vulnerability (CWE-94) exists in JetFormBuilder versions up to and including 3.5.6.1, allowing attackers to inject and execute arbitrary code within the application context. The vulnerability affects the JetFormBuilder plugin for WordPress across all versions through 3.5.6.1, and an attacker can leverage this to achieve Remote Code Execution (RCE) by injecting malicious code through form-processing mechanisms. Patchstack has documented this vulnerability with an assigned EUVD ID (EUVD-2026-15889), and while a CVSS score has not been formally assigned, the RCE classification indicates critical severity.
Code Injection
RCE
-
CVE-2026-32524
CRITICAL
CVSS 9.1
An unrestricted file upload vulnerability (CWE-434) exists in Jordy Meow's Photo Engine WordPress plugin versions up to and including 6.4.9, allowing attackers to upload malicious web shells to compromised servers. The vulnerability affects the wplr-sync component and permits arbitrary file uploads with dangerous types, potentially leading to remote code execution. No CVSS score, EPSS probability, or KEV status information is currently available, but the ability to upload executable web shells represents a critical exploitation path.
File Upload
-
CVE-2026-32523
CRITICAL
CVSS 9.9
WPJAM Basic, a WordPress plugin, contains an unrestricted file upload vulnerability (CWE-434) that allows attackers to upload malicious files without proper validation. All versions through 6.9.2 are affected, potentially enabling remote code execution or other attacks depending on server configuration. While CVSS and EPSS scores are unavailable, the nature of arbitrary file upload vulnerabilities in WordPress plugins typically carries high real-world risk due to ease of exploitation and severe impact.
File Upload
-
CVE-2026-32520
CRITICAL
CVSS 9.8
RewardsWP, a WordPress plugin by Andrew Munro/AffiliateWP, contains an Incorrect Privilege Assignment vulnerability (CWE-266) that allows authenticated or unauthenticated attackers to escalate their privileges within the plugin and potentially the WordPress installation. Affected versions are RewardsWP up to and including 1.0.4. This vulnerability enables privilege escalation attacks, allowing attackers with limited access to gain elevated permissions and control over reward or affiliate functionality.
Privilege Escalation
-
CVE-2026-32519
CRITICAL
CVSS 9.0
Bit SMTP version 1.2.2 and earlier contains an Incorrect Privilege Assignment vulnerability (CWE-266) that allows privilege escalation attacks. The vulnerability affects the Bit SMTP WordPress plugin and permits attackers to elevate their privileges beyond their intended authorization level. While no CVSS score or EPSS data is currently published, the vulnerability has been documented by Patchstack and assigned ENISA EUVD ID EUVD-2026-15882, indicating formal recognition of the security issue.
Privilege Escalation
-
CVE-2026-32512
CRITICAL
CVSS 9.8
A PHP object injection vulnerability exists in the Edge-Themes Pelicula video production and movie theme due to insecure deserialization of untrusted data, classified as CWE-502. The vulnerability affects Pelicula versions prior to 1.10, allowing attackers to inject arbitrary objects and potentially achieve remote code execution or other malicious outcomes. No CVSS score or EPSS data has been published, and no confirmed KEV or active exploitation in the wild has been reported, but the nature of object injection vulnerabilities typically enables high-impact attacks when paired with accessible gadget chains in the WordPress ecosystem.
Deserialization
-
CVE-2026-32502
CRITICAL
CVSS 9.8
A deserialization of untrusted data vulnerability exists in Select-Themes Borgholm marketing agency theme (WordPress) that allows object injection attacks. The vulnerability affects Borgholm versions prior to 1.6, and attackers can exploit this to inject malicious PHP objects that execute arbitrary code within the WordPress environment. While no CVSS score or EPSS data is currently available, the CWE-502 classification indicates this is a critical deserialization flaw with high exploitation potential; no active KEV or public POC status is documented, but the vulnerability was reported through Patchstack with full advisory details available.
Deserialization
-
CVE-2026-32499
CRITICAL
CVSS 9.3
A blind SQL injection vulnerability exists in QuantumCloud ChatBot plugin affecting versions up to and including 7.7.9, allowing attackers to execute arbitrary SQL commands through improper neutralization of special elements in SQL queries. The vulnerability impacts all installations of the ChatBot plugin across the affected version range, potentially enabling unauthorized data extraction, manipulation, or deletion depending on database permissions. While no CVSS score or EPSS data is currently available, the blind SQL injection classification indicates a high-risk condition requiring immediate patching.
SQLi
-
CVE-2026-32482
CRITICAL
CVSS 9.9
An unrestricted file upload vulnerability exists in the deothemes Ona WordPress theme that allows attackers to upload web shells to affected servers. All versions of Ona prior to 1.24 are vulnerable, enabling remote code execution through malicious file uploads. This vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type) and represents a critical risk for any WordPress installation using the affected theme versions.
File Upload
-
CVE-2026-31920
CRITICAL
CVSS 9.3
A blind SQL injection vulnerability exists in the Product Rearrange for WooCommerce plugin (versions up to 1.2.2) that allows attackers to execute arbitrary SQL commands against the WooCommerce database without direct output visibility. This affects WordPress installations using the Devteam HaywoodTech product-rearrange-woocommerce plugin, enabling attackers to extract sensitive data, modify database records, or potentially escalate privileges. While no CVSS score or EPSS data is currently published, the vulnerability's classification as blind SQL injection combined with its presence in a publicly available WordPress plugin suggests moderate to high real-world risk of exploitation.
SQLi
WordPress
-
CVE-2026-28858
CRITICAL
CVSS 9.8
Insufficient bounds checking in Apple iOS and iPadOS 26.4 allows unauthenticated remote attackers to trigger buffer overflow conditions that corrupt kernel memory or cause system crashes without user interaction. This critical vulnerability affects all devices running the affected OS versions and has no available patch. An attacker can exploit this flaw over the network to achieve denial of service or potentially escalate privileges through kernel memory corruption.
Apple
Buffer Overflow
iOS
-
CVE-2026-28827
CRITICAL
CVSS 9.3
Improper path validation in macOS (Sequoia 15.7.5, Sonoma 14.8.5, and Tahoe 26.4) allows sandboxed applications to escape their sandbox restrictions through directory path traversal. A local attacker with the ability to run malicious apps can exploit this weakness to execute code outside sandbox boundaries with full system privileges. No patch is currently available for this critical vulnerability.
Apple
Path Traversal
macOS
-
CVE-2026-27095
CRITICAL
CVSS 9.8
A deserialization of untrusted data vulnerability (CWE-502) exists in the magepeopleteam Bus Ticket Booking with Seat Reservation WordPress plugin through version 5.6.0, allowing object injection attacks. An attacker can inject malicious serialized PHP objects into the application, potentially leading to remote code execution or other critical impacts depending on available gadget chains in the WordPress environment. No CVSS score or EPSS data is currently available, and KEV status is unknown, but the vulnerability affects all installations running the vulnerable plugin versions.
Deserialization
-
CVE-2026-27084
CRITICAL
CVSS 9.8
A PHP Object Injection vulnerability exists in the ThemeREX Buisson WordPress theme through version 1.1.11, stemming from unsafe deserialization of untrusted data (CWE-502). This flaw allows attackers to inject malicious serialized objects that can lead to arbitrary code execution or other object manipulation attacks depending on available gadget chains in the WordPress environment. While no CVSS score or EPSS data is currently published and the vulnerability has not been listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, the public disclosure via Patchstack indicates active awareness in the security community.
Deserialization
-
CVE-2026-27083
CRITICAL
CVSS 9.8
A PHP Object Injection vulnerability exists in the ThemeREX Work & Travel Company WordPress theme through version 1.2, stemming from unsafe deserialization of untrusted data (CWE-502). An attacker can exploit this vulnerability to inject malicious objects into the application, potentially leading to remote code execution or arbitrary object manipulation depending on the gadget chains available in the WordPress environment. No CVSS score, EPSS data, or KEV status is currently available, and the vulnerability was identified and reported by Patchstack, though active exploitation status remains unclear.
Deserialization
-
CVE-2026-27082
CRITICAL
CVSS 9.8
A PHP Object Injection vulnerability exists in ThemeREX Love Story WordPress theme through version 1.3.12, stemming from unsafe deserialization of untrusted data. This vulnerability allows attackers to inject malicious serialized objects that can lead to remote code execution or other object-oriented attack chains. The vulnerability is classified as CWE-502 (Deserialization of Untrusted Data) and has been reported by Patchstack; no CVSS score or EPSS data is currently available, and KEV status is unknown.
Deserialization
-
CVE-2026-27071
CRITICAL
CVSS 9.1
A missing authorization vulnerability exists in Arraytics WPCafe WordPress plugin versions up to 3.0.7, where incorrectly configured access control allows attackers to bypass authentication and authorization checks. This broken access control flaw (CWE-862) enables unauthorized users to perform actions they should not have permission to execute, potentially leading to unauthorized data access, modification, or plugin functionality abuse. The vulnerability affects all installations of WPCafe through version 3.0.7 and is tracked under ENISA EUVD ID EUVD-2026-15773 with confirmation from Patchstack vulnerability research.
Authentication Bypass
-
CVE-2026-27051
CRITICAL
CVSS 9.8
An Incorrect Privilege Assignment vulnerability (CWE-266) exists in uxper Golo theme versions up to and including 1.7.0, enabling privilege escalation attacks. This WordPress theme vulnerability allows attackers to elevate their privileges within the application, potentially gaining unauthorized administrative access. The vulnerability was reported by Patchstack and affects all versions from an unspecified baseline through 1.7.0; no CVSS score, EPSS data, or active KEV status information is currently available.
Privilege Escalation
-
CVE-2026-27049
CRITICAL
CVSS 9.8
Unauthenticated attackers can bypass authentication controls in NooTheme Jobica Core through an alternate access path, affecting versions up to 1.4.2. This critical vulnerability (CVSS 9.8) enables attackers to gain unauthorized access without credentials or user interaction. No patch is currently available.
Authentication Bypass
-
CVE-2026-27044
CRITICAL
CVSS 9.9
Total Poll Lite, a WordPress plugin, contains a code injection vulnerability (CWE-94, improper control of code generation) that allows remote code inclusion and execution. All versions up to and including 4.12.0 are affected. An attacker can exploit this vulnerability to achieve remote code execution (RCE) on WordPress installations running the vulnerable plugin, potentially gaining full control of the affected web application.
Code Injection
RCE
-
CVE-2026-26833
CRITICAL
CVSS 9.8
Thumbler through version 1.1.2 contains an OS command injection vulnerability in the thumbnail() function where user-supplied input from the input, output, time, or size parameters is directly concatenated into shell commands executed via Node.js child_process.exec() without sanitization or escaping. This allows unauthenticated attackers to execute arbitrary operating system commands with the privileges of the application process. A proof-of-concept has been documented in public repositories, making this vulnerability immediately actionable for exploitation.
Code Injection
RCE
Command Injection
-
CVE-2026-26832
CRITICAL
CVSS 9.8
The node-tesseract-ocr npm package versions through 2.2.1 contains a critical OS command injection vulnerability in the recognize() function where file path parameters are concatenated into shell commands without sanitization before being passed to child_process.exec(). Attackers can achieve complete remote code execution with no authentication required. A proof-of-concept exploit exists at the GitHub repository linked in references (zebbernCVE/CVE-2026-26832), indicating active research into this vulnerability.
Node.js
Command Injection
-
CVE-2026-26831
CRITICAL
CVSS 9.8
The textract library through version 2.5.0 contains an OS command injection vulnerability in its file extraction modules that allows attackers to execute arbitrary operating system commands by crafting malicious filenames. The vulnerability affects multiple extractors (doc.js, rtf.js, dxf.js, images.js, and util.js) where user-supplied file paths are passed directly to child_process.exec() without adequate sanitization. An attacker can exploit this by uploading or referencing files with specially crafted names containing shell metacharacters, leading to complete system compromise with the privileges of the process running textract.
Code Injection
RCE
Command Injection
-
CVE-2026-26830
CRITICAL
CVSS 9.8
The pdf-image npm package through version 2.0.0 contains an OS command injection vulnerability in the pdfFilePath parameter. Attackers can exploit this remotely without authentication by injecting malicious commands through file path inputs that are passed unsafely to shell commands via child_process.exec(). A proof-of-concept exploit is publicly available on GitHub (zebbernCVE/CVE-2026-26830), significantly increasing exploitation risk.
Node.js
Command Injection
RCE
Code Injection
-
CVE-2026-25447
CRITICAL
CVSS 9.1
A Code Injection vulnerability (CWE-94) exists in the Jonathan Daggerhart Widget Wrangler WordPress plugin through version 2.3.9, allowing unauthenticated attackers to execute arbitrary code on affected installations. This Remote Code Execution (RCE) vulnerability enables complete server compromise and data exfiltration. Active exploitation has been documented by Patchstack, indicating this is a practical, real-world threat requiring immediate patching.
Code Injection
RCE
-
CVE-2026-25429
CRITICAL
CVSS 9.8
A PHP Object Injection vulnerability exists in the Nexa Blocks WordPress plugin (versions up to and including 1.1.1) due to unsafe deserialization of untrusted data, allowing attackers to instantiate arbitrary PHP objects and potentially achieve remote code execution. The vulnerability is classified as CWE-502 (Deserialization of Untrusted Data) and affects all installations of the affected plugin versions. While no CVSS score or EPSS data are currently available, the nature of object injection vulnerabilities combined with PHP's magic methods provides significant exploitation potential for code execution or privilege escalation.
Deserialization
-
CVE-2026-25413
CRITICAL
CVSS 9.9
WPBookit Pro through version 1.6.18 contains an unrestricted file upload vulnerability (CWE-434) that allows attackers to upload malicious files to affected WordPress installations. This arbitrary file upload flaw enables remote code execution and complete site compromise without requiring authentication or special privileges. The vulnerability affects all versions of the iqonicdesign WPBookit Pro plugin up to and including 1.6.18, making it a critical risk for WordPress administrators using this booking plugin.
File Upload
-
CVE-2026-25377
CRITICAL
CVSS 9.3
A SQL injection vulnerability exists in the eyecix Addon Jobsearch Chat plugin for WordPress, affecting all versions through 3.0, that allows attackers to execute arbitrary SQL commands against the underlying database. The vulnerability stems from improper neutralization of special SQL characters in user-supplied input, classified under CWE-89 (SQL Injection). While no CVSS score or EPSS metric is currently available, the vulnerability has been documented by Patchstack and assigned ENISA EUVD tracking ID EUVD-2026-15695, indicating active awareness in vulnerability tracking systems.
SQLi
-
CVE-2026-25371
CRITICAL
CVSS 9.3
A blind SQL injection vulnerability exists in King-Theme's Lumise Product Designer WordPress plugin, allowing unauthenticated attackers to extract sensitive data through time-based or boolean-based SQL inference techniques without direct query result visibility. The vulnerability affects all versions of Lumise Product Designer prior to 2.0.9. Attackers can exploit this to bypass authentication, enumerate database schemas, or extract user credentials and plugin configuration data.
SQLi
-
CVE-2026-25366
CRITICAL
CVSS 9.9
A Code Injection vulnerability exists in the Themeisle Woody ad snippets plugin (insert-php) through version 2.7.1 that allows unauthenticated attackers to execute arbitrary PHP code on affected WordPress installations. The vulnerability stems from improper control of code generation, classified as CWE-94, enabling remote code execution (RCE). Patchstack has documented this issue, and affected installations should be patched immediately as the attack vector appears to be network-accessible with low complexity.
PHP
Code Injection
RCE
-
CVE-2026-25345
CRITICAL
CVSS 9.9
An improper input validation vulnerability in the GalleryCreator SimpLy Gallery plugin (versions up to 3.3.2) allows attackers to access functionality that should be restricted by access control lists (ACLs), potentially leading to information disclosure and arbitrary code execution. The vulnerability affects WordPress installations using the simply-gallery-block plugin and stems from insufficient validation of quantity inputs combined with inadequate authorization checks. While CVSS scoring is unavailable, the reported nature of the vulnerability suggests elevated risk due to the potential for unauthorized functionality access and code execution capabilities.
Information Disclosure
-
CVE-2026-25340
CRITICAL
CVSS 9.3
A blind SQL injection vulnerability exists in the NooTheme Jobmonster WordPress theme that allows unauthenticated attackers to execute arbitrary SQL queries against the underlying database. The vulnerability affects Jobmonster versions prior to 4.8.4, and while no active exploitation in the wild has been confirmed via KEV status, the vulnerability was disclosed by Patchstack with sufficient technical detail to enable exploitation. This is a critical web application flaw that could lead to complete database compromise, including extraction of sensitive user data, credentials, and job postings.
SQLi
-
CVE-2026-25035
CRITICAL
CVSS 9.8
Contest Gallery through version 28.1.2.2 contains an authentication bypass vulnerability that allows unauthenticated remote attackers to abuse alternate authentication paths and gain unauthorized access to the application. With a CVSS score of 9.8 and no patch currently available, this critical vulnerability poses an immediate risk to all affected installations.
Authentication Bypass
-
CVE-2026-25032
CRITICAL
CVSS 9.8
A deserialization of untrusted data vulnerability exists in the park_of_ideas Ricky theme (all versions prior to 2.31) that allows object injection attacks. An attacker can inject malicious serialized PHP objects to achieve arbitrary code execution or data manipulation. While no CVSS score or EPSS data is currently available and KEV status is unknown, the CWE-502 classification indicates a critical deserialization flaw that typically requires network access but no authentication.
Deserialization
-
CVE-2026-25031
CRITICAL
CVSS 9.8
A PHP Object Injection vulnerability exists in the Tasty Daily WordPress theme (park_of_ideas) through version 1.27, caused by unsafe deserialization of untrusted data (CWE-502). This vulnerability allows attackers to inject arbitrary PHP objects, potentially leading to remote code execution or other malicious actions depending on available gadget chains in the WordPress environment. While no CVSS score or EPSS data is currently published, the vulnerability affects an active WordPress theme distribution and has been documented by Patchstack security researchers.
Deserialization
-
CVE-2026-25030
CRITICAL
CVSS 9.8
A PHP Object Injection vulnerability exists in the park_of_ideas Goldish theme due to insecure deserialization of untrusted data, allowing attackers to inject arbitrary objects and potentially achieve remote code execution or other malicious outcomes. The vulnerability affects Goldish versions prior to 3.47. While no CVSS score or EPSS data is publicly available, the CWE-502 classification indicates a serious deserialization flaw that could be exploited if untrusted data is processed without validation.
Deserialization
-
CVE-2026-25029
CRITICAL
CVSS 9.8
A deserialization of untrusted data vulnerability exists in the park_of_ideas KIDZ theme that permits object injection attacks. All versions of KIDZ through 5.24 are affected, as confirmed via CPE cpe:2.3:a:park_of_ideas:kidz:*:*:*:*:*:*:*:*. An attacker can inject malicious serialized PHP objects to achieve arbitrary code execution or other unintended actions on affected WordPress installations running this theme.
Deserialization
-
CVE-2026-24993
CRITICAL
CVSS 9.3
A blind SQL injection vulnerability exists in WPFactory's Advanced WooCommerce Product Sales Reporting plugin (versions through 4.1.3) that allows attackers to execute arbitrary SQL commands against the underlying database. This WordPress plugin is widely deployed on e-commerce sites using WooCommerce, and the blind SQL injection technique enables attackers to extract sensitive data without requiring direct error message feedback. While no CVSS score, EPSS value, or KEV status has been assigned at this time, the vulnerability is classified as CWE-89 (SQL Injection) and has been documented by Patchstack, indicating active research and potential proof-of-concept availability.
WordPress
SQLi
-
CVE-2026-24989
CRITICAL
CVSS 9.8
A PHP object injection vulnerability exists in FantasticPlugins SUMO Affiliates Pro due to unsafe deserialization of untrusted data (CWE-502). This allows attackers to inject malicious serialized objects, potentially achieving remote code execution or other arbitrary actions depending on available gadget chains in the WordPress environment. All versions before 11.4.0 are affected, and a patch has been made available by the vendor.
Deserialization
-
CVE-2026-24971
CRITICAL
CVSS 9.8
Elated-Themes Search & Go contains an Incorrect Privilege Assignment vulnerability (CWE-266) that allows privilege escalation attacks. All versions up to and including version 2.8 are affected. An attacker can exploit this flaw to escalate privileges within the WordPress environment, gaining unauthorized administrative or elevated capabilities. While CVSS and EPSS scores are not available, the vulnerability has been documented by security researcher Patchstack and assigned ENISA EUVD tracking ID EUVD-2026-15582, indicating it has received third-party security scrutiny.
Privilege Escalation
-
CVE-2026-24968
CRITICAL
CVSS 9.8
This is an Incorrect Privilege Assignment vulnerability (CWE-266) in the Xagio SEO WordPress plugin that allows privilege escalation. The vulnerability affects Xagio SEO versions up to and including 7.1.0.30. An attacker can exploit this flaw to elevate their privileges within the affected WordPress installation, potentially gaining administrative access or performing unauthorized actions. No CVSS score, EPSS data, or KEV status information is currently available, and the vulnerability has not been confirmed as actively exploited in the wild.
Privilege Escalation
-
CVE-2026-24378
CRITICAL
CVSS 9.8
This is a PHP Object Injection vulnerability in the Metagauss EventPrime WordPress plugin (eventprime-event-calendar-management) caused by unsafe deserialization of untrusted data. All versions up to and including 4.2.8.0 are affected, allowing attackers to inject malicious serialized objects that can lead to remote code execution or arbitrary actions depending on available PHP gadget chains. The vulnerability has been publicly disclosed and documented by Patchstack; exploitation likelihood and real-world impact depend on the presence of exploitable gadget chains in the target WordPress environment.
Deserialization
-
CVE-2026-22507
CRITICAL
CVSS 9.8
A PHP Object Injection vulnerability exists in AncoraThemes Beelove WordPress theme through version 1.2.6, allowing attackers to inject and deserialize untrusted objects. This insecure deserialization flaw (CWE-502) enables object injection attacks that could lead to remote code execution or other malicious actions depending on available gadget chains in the WordPress environment. No CVSS score, EPSS data, or KEV confirmation is currently available; however, the vulnerability has been documented by Patchstack and assigned ENISA EUVD ID EUVD-2026-15515, indicating it is tracked in official vulnerability databases.
Deserialization
-
CVE-2026-22500
CRITICAL
CVSS 9.8
A PHP object injection vulnerability exists in the Axiom Themes m2 | Construction and Tools Store theme through version 1.1.2, stemming from unsafe deserialization of untrusted data (CWE-502). This allows remote attackers to inject malicious serialized objects that can lead to arbitrary code execution or privilege escalation depending on available gadget chains in the WordPress environment. No CVSS score, EPSS data, or KEV status is currently available, but the vulnerability was reported by Patchstack and affects all installations running the vulnerable theme version.
Deserialization
-
CVE-2026-22484
CRITICAL
CVSS 9.3
A SQL Injection vulnerability exists in Pebas Lisfinity Core, a WordPress plugin, affecting versions up to and including 1.5.0. This improper neutralization of special elements in SQL commands (CWE-89) allows attackers to inject arbitrary SQL code, potentially leading to unauthorized data access, modification, or deletion of the underlying database. The vulnerability has been documented by Patchstack and assigned EUVD-2026-15489, though no CVSS score, EPSS data, or confirmed active exploitation status is currently available in the provided intelligence.
SQLi
-
CVE-2026-20688
CRITICAL
CVSS 9.3
Sandbox escape vulnerability in Apple iOS, iPadOS, macOS, and visionOS allows local attackers to break out of application sandboxes through improper path validation, potentially enabling unauthorized access to system resources and data. An attacker with local access could leverage this flaw to execute arbitrary operations outside application boundaries and bypass security restrictions. No patch is currently available for this critical vulnerability affecting multiple Apple platforms.
Apple
Path Traversal
macOS
iOS
-
CVE-2025-70888
CRITICAL
CVSS 9.8
A privilege escalation vulnerability exists in osslsigncode (mtrojnar) versions 2.10 and earlier within the osslsigncode.c component, allowing remote attackers to escalate privileges. The vulnerability affects users of the osslsigncode code signing utility. Referenced GitHub issues and pull requests suggest this is an authenticated or context-dependent issue that has been identified and likely patched.
Privilege Escalation
Redhat
Suse
-
CVE-2025-59707
CRITICAL
CVSS 9.8
N2W versions before 4.3.2 and 4.4.x before 4.4.1 contain a spoofing vulnerability that enables remote code execution and account credential theft. The vulnerability allows attackers to impersonate legitimate entities, potentially leading to arbitrary code execution on affected systems and unauthorized access to sensitive credentials. No EPSS data or active KEV designation is currently available, limiting immediate risk quantification.
RCE
Authentication Bypass
-
CVE-2025-59706
CRITICAL
CVSS 9.8
N2W versions prior to 4.3.2, and 4.4.0 prior to 4.4.1, contain improper validation of API request parameters that enables unauthenticated remote code execution. An attacker can craft malicious API requests to bypass input validation and achieve arbitrary code execution on affected systems. This vulnerability affects cloud backup and disaster recovery infrastructure and poses critical risk to data protection environments.
RCE
Authentication Bypass
-
CVE-2025-32991
CRITICAL
CVSS 9.0
N2WS Backup & Recovery before version 4.4.0 contains a remote code execution vulnerability in its RESTful API that requires a two-step attack chain to exploit. An unauthenticated attacker can execute arbitrary code on affected systems, potentially compromising backup and disaster recovery infrastructure. This vulnerability affects the N2WS product line and should be treated as critical given the RCE classification and the security-sensitive nature of backup systems.
RCE
Race Condition
-
CVE-2026-34056
HIGH
CVSS 7.7
Low-privilege authenticated users in OpenEMR versions up to and including 8.0.0.3 can view and download Ensora eRx error logs due to missing authorization checks, exposing sensitive healthcare system information. This broken access control vulnerability (CVSS 7.7) affects network-accessible installations and has a 0.03% EPSS exploitation probability (8th percentile). No public exploit and no vendor-released patch had been identified at the time of analysis, according to the CVE disclosure.
Information Disclosure
Openemr
-
CVE-2026-33918
HIGH
CVSS 7.6
Improper access control in OpenEMR versions prior to 8.0.0.3 allows any authenticated user to download and permanently delete electronic claim batch files containing protected health information (PHI) via the billing file-download endpoint, regardless of whether they have billing privileges. The vulnerability has a 7.6 CVSS score with low attack complexity and requires only low-level authentication. EPSS exploitation probability is 0.03% (8th percentile), indicating low observed targeting in real-world exploitation at time of analysis, and no public exploit has been identified.
Openemr
PHP
Privilege Escalation
Information Disclosure
-
CVE-2026-33917
HIGH
CVSS 8.8
SQL injection in OpenEMR versions prior to 8.0.0.3 enables authenticated attackers to execute arbitrary SQL commands through the CAMOS form's ajax_save functionality, potentially leading to complete database compromise including extraction of sensitive health records, data modification, and service disruption. The vulnerability requires low-privilege authentication (PR:L) with no user interaction (UI:N) and is network-exploitable (AV:N), though EPSS assigns only 0.03% (8th percentile) exploitation probability and no public exploit identified at time of analysis. Vendor-released patch available in version 8.0.0.3.
Openemr
SQLi
PHP
-
CVE-2026-33914
HIGH
CVSS 7.2
A blind SQL injection vulnerability exists in the PostCalendar module of OpenEMR, a widely-used open source electronic health records system. Versions prior to 8.0.0.3 are affected, allowing authenticated administrators to execute arbitrary SQL commands through the categoriesUpdate function's dels parameter. The vulnerability requires high privileges (PR:H) but is network-accessible with low attack complexity, enabling attackers to extract sensitive patient data, modify health records, or disrupt medical operations.
SQLi
-
CVE-2026-33913
HIGH
CVSS 7.7
OpenEMR versions prior to 8.0.0.3 contain an XML External Entity (XXE) injection vulnerability in the Carecoordination module that allows authenticated users to read arbitrary files from the server. Attackers can exploit this by uploading a maliciously crafted CCDA document containing XXE payloads to access sensitive server files such as /etc/passwd. A patch is available in version 8.0.0.3, and this vulnerability has a CVSS score of 7.7 with high confidentiality impact.
XXE
-
CVE-2026-33910
HIGH
CVSS 7.2
OpenEMR versions up to and including 8.0.0.2 contain a SQL injection vulnerability in the patient selection feature that allows authenticated attackers with high privileges to execute arbitrary SQL commands. The vulnerability stems from insufficient input validation and can lead to complete compromise of confidentiality, integrity, and availability of the healthcare database. No evidence of active exploitation (not in CISA KEV) or public proof-of-concept is currently available.
SQLi
-
CVE-2026-33722
HIGH
CVSS 7.3
Authenticated users in n8n versions prior to 1.123.23 and 2.6.4 can bypass external secrets permission checks to retrieve plaintext secret values from configured vaults by referencing secrets by name in credentials, even without list permissions. This allows unauthorized access to sensitive vault-stored credentials without requiring admin or owner privileges, provided the attacker knows or can guess the target secret name. Public exploit code exists for this vulnerability.
Authentication Bypass
Hashicorp
-
CVE-2026-33718
HIGH
CVSS 7.6
A Command Injection vulnerability in OpenHands allows authenticated users to execute arbitrary commands in the agent sandbox by injecting shell metacharacters into the path parameter of the /api/conversations/{conversation_id}/git/diff API endpoint. The vulnerability affects OpenHands installations exposing this endpoint, with a CVSS score of 7.6. A patch is available via PR #13051, and while no EPSS or KEV data indicates active exploitation, the vulnerability is easily exploitable by any authenticated user.
Python
Docker
Command Injection
-
CVE-2026-33713
HIGH
CVSS 8.7
SQL injection in n8n's Data Table Get node allows authenticated users with workflow modification permissions to execute arbitrary SQL queries against PostgreSQL backends, enabling data modification and deletion. Public exploit code exists for this vulnerability. Affected versions prior to 1.123.26, 2.13.3, and 2.14.1 should be upgraded immediately, or workflow creation/editing permissions should be restricted to trusted users only.
SQLi
PostgreSQL
-
CVE-2026-33687
HIGH
CVSS 8.8
The code16/sharp Laravel admin panel package contains a high-severity file upload vulnerability that allows authenticated users to bypass all file type restrictions by manipulating client-controlled validation rules. Affected versions prior to 9.20.0 accept a user-supplied validation_rule parameter that is passed directly to Laravel's validator, enabling attackers to upload arbitrary files including PHP webshells. With a CVSS score of 8.8, this vulnerability can lead to Remote Code Execution when the storage disk is publicly accessible, though default configurations provide some protection against direct execution.
PHP
File Upload
RCE
-
CVE-2026-33686
HIGH
CVSS 8.8
Authenticated attackers can bypass file path restrictions in PHP's code16/sharp package by injecting path separators into file extensions, enabling arbitrary file writes outside intended directories. The vulnerability stems from incomplete input sanitization in the FileUtil class where extensions are extracted but never validated before being passed to storage functions. A patch is available to address this high-severity path traversal issue affecting all users of the vulnerable package.
Path Traversal
PHP
-
CVE-2026-33673
HIGH
CVSS 7.6
PrestaShop contains multiple stored Cross-Site Scripting (XSS) vulnerabilities in the back-office (BO) administration panel. An attacker with limited back-office access or who has exploited a separate vulnerability to inject data into the database can exploit unprotected template variables to execute arbitrary JavaScript in administrators' browsers. The CVSS score of 7.6 reflects high attack complexity and the requirement for high privileges, though no evidence of active exploitation (KEV) or public proof-of-concept is currently available.
XSS
Microsoft
-
CVE-2026-33671
HIGH
CVSS 7.5
picomatch, a widely-used Node.js glob pattern matching library, contains a Regular Expression Denial of Service (ReDoS) vulnerability when processing crafted extglob patterns such as '+(a|aa)' or nested patterns like '+(+(a))'. The vulnerability affects picomatch versions prior to 4.0.4, 3.0.2, and 2.3.2 (tracked via the package URL pkg:npm/picomatch) and allows unauthenticated remote attackers to cause multi-second event-loop blocking with relatively short inputs, resulting in application-wide denial of service. Patches are available from the vendor, and while no KEV listing or EPSS score is provided in the data, the CVSS score of 7.5 (High) reflects the network-accessible, low-complexity attack vector requiring no privileges or user interaction.
Denial Of Service
Node.js
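Why an extglob such as `+(a|aa)` is dangerous, as an added illustration (this is not picomatch's code, and the real library compiles extglobs to a RegExp rather than matching them itself). A backtracking matcher for the anchored pattern `+(alt1|alt2|...)` tries every way of splitting the input into alternatives; when one alternative is a prefix of another, the number of splits for a string of n `a`s grows like the Fibonacci sequence, and an input that cannot match forces all of them to be tried. A memoised matcher answers the same question in one visit per position, which is the idea behind linear-time NFA simulation, and a prefix-overlap check can reject such patterns before they reach a backtracking engine when patterns come from untrusted input. The function names and the adversarial input are this example's own.

```javascript
// Added example: exponential backtracking behind a '+(a|aa)'-style extglob,
// a linear alternative, and a pre-check for untrusted patterns. Not picomatch code.

// Naive backtracking matcher for the anchored pattern "+(alt1|alt2|...)":
// the whole input must be a concatenation of one or more alternatives.
// This mirrors how a backtracking regex engine explores /^(?:a|aa)+$/.
function backtrackMatch(alts, input) {
  let steps = 0;
  function go(pos) {
    steps++;
    if (pos === input.length) return true;
    for (const alt of alts) {
      if (input.startsWith(alt, pos) && go(pos + alt.length)) return true;
    }
    return false; // dead end: unwind and try the next alternative above
  }
  const matched = input.length > 0 && go(0);
  return { matched, steps };
}

// Same decision, but each position is solved at most once (memoisation),
// so the number of steps is bounded by input.length + 1.
function linearMatch(alts, input) {
  let steps = 0;
  const memo = new Map();
  function go(pos) {
    if (memo.has(pos)) return memo.get(pos);
    steps++;
    let ok = pos === input.length;
    if (!ok) {
      for (const alt of alts) {
        if (input.startsWith(alt, pos) && go(pos + alt.length)) { ok = true; break; }
      }
    }
    memo.set(pos, ok);
    return ok;
  }
  const matched = input.length > 0 && go(0);
  return { matched, steps };
}

// Guard for patterns taken from untrusted input: if one alternative is a
// prefix of another (a vs aa) the split is ambiguous and backtracking blows up.
function hasAmbiguousAlternatives(alts) {
  return alts.some((x, i) => alts.some((y, j) => i !== j && y.startsWith(x)));
}

// Constructed adversarial input: n copies of 'a' followed by a character no
// alternative can consume, so every split attempt fails at the very end.
// For ['a', 'aa'] the backtracking matcher takes fib(n + 3) - 1 steps.
function adversarialInput(n) {
  return 'a'.repeat(n) + 'b';
}
```

For `adversarialInput(20)` the backtracking matcher makes 28,656 calls and the memoised one 21; each extra `a` multiplies the first number by about 1.6, which is why a few dozen characters are enough to stall an event loop.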
-
CVE-2026-33665
HIGH
CVSS 8.8
Authenticated n8n users can hijack administrator accounts when LDAP authentication is enabled by manipulating their LDAP email attribute to match a target account's email address, gaining full access that persists even after reverting the email change. This authentication bypass (CWE-287) affects n8n versions prior to 2.4.0 and 1.121.0 where LDAP is configured, and public exploit code exists. The vulnerability requires LDAP to be actively enabled and the attacker to control their own LDAP email attribute, creating a critical account takeover risk for administrators.
Authentication Bypass
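The account-linking mistake behind this class of bug, as an added illustration in JavaScript (not n8n's code; the user table, attribute names and function names are constructed for the example). Linking a directory login to a local account by email lets anyone who can edit their own mail attribute claim any existing account; linking by the directory's immutable identifier, and refusing to adopt an existing account through its email, closes that path.

```javascript
// Added example, not n8n's implementation: resolving an LDAP login to a local
// account by mutable email versus by immutable directory identifier.

// Constructed local user table. `ldapId` is the directory's immutable
// identifier (entryUUID on OpenLDAP, objectGUID on AD), recorded at first login.
function sampleUsers() {
  return [
    { id: 1, email: 'owner@example.com', role: 'owner', authMethod: 'password', ldapId: null },
    { id: 2, email: 'mallory@example.com', role: 'member', authMethod: 'ldap', ldapId: 'uuid-mallory' },
  ];
}

// Vulnerable shape: the local account is chosen by the LDAP mail attribute,
// which the user (or anyone who can edit their directory entry) controls.
function resolveByEmail(users, ldapEntry) {
  const mail = String(ldapEntry.mail || '').toLowerCase();
  return users.find(u => u.email.toLowerCase() === mail) || null;
}

// Hardened shape: match on the immutable identifier only. An existing account
// is never adopted through its email, and a first-time LDAP user is
// provisioned as a plain member bound to that identifier.
function resolveByLdapId(users, ldapEntry) {
  const byId = users.find(u => u.authMethod === 'ldap' && u.ldapId === ldapEntry.entryUUID);
  if (byId) return byId;
  const clash = resolveByEmail(users, ldapEntry);
  if (clash) {
    throw new Error(`email ${ldapEntry.mail} already belongs to a ${clash.authMethod} account (id ${clash.id}); not linking`);
  }
  const created = {
    id: users.length + 1,
    email: ldapEntry.mail,
    role: 'member',
    authMethod: 'ldap',
    ldapId: ldapEntry.entryUUID,
  };
  users.push(created);
  return created;
}
```

With the constructed table, an attacker whose directory entry carries `mail: owner@example.com` is resolved to the owner account by `resolveByEmail` but to their own member account by `resolveByLdapId`. Email changes for an already-linked LDAP user should update the stored email on that same record, again only if no other account holds it.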
-
CVE-2026-33663
HIGH
CVSS 8.5
n8n workflow automation platform Community Edition contains an authorization bypass vulnerability allowing authenticated users with member-level privileges to steal plaintext credentials from other users. The flaw chains name-based credential resolution that doesn't enforce ownership with a permissions bypass affecting generic HTTP credential types (httpBasicAuth, httpHeaderAuth, httpQueryAuth). Attackers can decrypt and exfiltrate credentials without authorization, though native integration credentials remain unaffected.
Authentication Bypass
PostgreSQL
-
CVE-2026-33661
HIGH
CVSS 8.6
The yansongda/pay PHP library contains an authentication bypass vulnerability that allows attackers to forge WeChat Pay payment notifications by including a 'Host: localhost' header in HTTP requests. The verify_wechat_sign() function unconditionally skips RSA signature verification when it detects localhost as the hostname, enabling attackers to send fake payment success callbacks that applications may process as legitimate transactions. A proof-of-concept exploit exists demonstrating the attack, though the vendor notes most production environments with properly configured reverse proxies, WAFs, or CDNs will reject forged Host headers, significantly reducing real-world exploitability.
Nginx
PHP
Authentication Bypass
-
CVE-2026-33348
HIGH
CVSS 8.7
A stored cross-site scripting (XSS) vulnerability exists in OpenEMR's Eye Exam form functionality that allows authenticated users with the 'Notes - my encounters' role to inject malicious JavaScript payloads through form answers. OpenEMR versions prior to 8.0.0.3 are affected. Attackers can execute arbitrary JavaScript in the browsers of other authenticated users when they view the compromised encounter pages or visit history, potentially leading to session hijacking, credential theft, or unauthorized actions within the EHR system.
XSS
-
CVE-2026-33287
HIGH
CVSS 7.5
LiquidJS template engine version 10.24.0 and earlier contains a denial-of-service vulnerability in the replace_first filter that enables 625,000:1 memory amplification by exploiting JavaScript's $& backreference pattern. The memoryLimit security control is bypassed because only input strings are charged while the amplified output (the proof of concept reports up to 312.5 MB of output from a tiny input) remains unaccounted. The demonstrated proof-of-concept shows 20 concurrent requests causing complete service unavailability for 29 seconds, with legitimate user requests delayed by 10.9 seconds. A patch is available via GitHub commit 35d523026345d80458df24c72e653db78b5d061d.
Node.js
Denial Of Service
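The unaccounted expansion behind this bug, as an added illustration in JavaScript (not LiquidJS's code): `String.prototype.replace` interprets `$&`, `` $` ``, `$'` and `$$` in the replacement even when the pattern is a plain string, so the result can be far larger than the input and the replacement put together. Charging a memory budget for the inputs alone misses that; the projected output length has to be computed from the replacement's expansion tokens before the call is made. The budget argument and the function names are this example's own.

```javascript
// Added example (not LiquidJS code): projecting the output size of a
// replace_first-style filter before running it, so '$&' expansion is charged.

// Length the replacement expands to for a match of `matchLen` chars at
// `matchIndex`, following String.prototype.replace's special patterns:
//   $&  -> the matched text      $` -> text before the match
//   $'  -> text after the match  $$ -> a literal '$'
// With a string pattern there are no capture groups, so "$1" stays literal.
function expandedReplacementLength(input, matchIndex, matchLen, replacement) {
  let out = 0;
  for (let i = 0; i < replacement.length; i++) {
    const c = replacement[i];
    if (c === '$' && i + 1 < replacement.length) {
      const next = replacement[i + 1];
      if (next === '&') { out += matchLen; i++; continue; }
      if (next === '`') { out += matchIndex; i++; continue; }
      if (next === "'") { out += input.length - matchIndex - matchLen; i++; continue; }
      if (next === '$') { out += 1; i++; continue; }
    }
    out += 1; // ordinary character, or a '$' not followed by a special token
  }
  return out;
}

// Output length of replacing the first occurrence of `pattern` in `input`.
function projectedOutputLength(input, pattern, replacement) {
  const idx = input.indexOf(pattern);
  if (idx < 0) return input.length;
  return input.length - pattern.length
    + expandedReplacementLength(input, idx, pattern.length, replacement);
}

// Budgeted replace_first: refuse before allocating if the result would exceed
// `limitChars`. The unguarded `input.replace(pattern, replacement)` is the
// vulnerable form: its cost is invisible to a limit that only counts inputs.
function safeReplaceFirst(input, pattern, replacement, limitChars) {
  const projected = projectedOutputLength(input, pattern, replacement);
  if (projected > limitChars) {
    throw new RangeError(`replace_first output would be ${projected} chars, limit is ${limitChars}`);
  }
  return input.replace(pattern, replacement);
}
```

For a 1,000-character input matched in full and a 200-character replacement of one hundred `$&` tokens, the projected output is 100,000 characters: a 500:1 ratio against the inputs that a naive limit never sees, and the same expansion can be fed back into another replace_first call.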
-
CVE-2026-33285
HIGH
CVSS 7.5
LiquidJS versions 10.24.x and earlier contain a memory limit bypass vulnerability that allows unauthenticated attackers to crash Node.js processes through a single malicious template. By exploiting reverse range expressions to drive the memory counter negative, attackers can allocate unlimited memory and trigger a V8 Fatal error that terminates the entire process, causing complete denial of service. A detailed proof-of-concept exploit is publicly available demonstrating the full attack chain from bypass to process crash.
Node.js
Denial Of Service
Kubernetes
Docker
-
CVE-2026-33253
HIGH
CVSS 8.4
A remote code execution vulnerability (CVSS 8.4); high severity, requiring prompt remediation.
RCE
Microsoft
Windows
-
CVE-2026-33183
HIGH
CVSS 8.0
Saloon versions prior to v4 contain a path traversal vulnerability in fixture name handling that allows attackers to read or write files outside the configured fixture directory. Users with MockResponse fixtures derived from untrusted input (such as request parameters or configuration values) are affected, as attackers can use path traversal sequences like ../ or absolute paths to access arbitrary files on the system with the privileges of the running process. The vulnerability has been patched in Saloon v4 with input validation and defense-in-depth path verification.
Path Traversal
Information Disclosure
Buffer Overflow
-
CVE-2026-32546
HIGH
CVSS 7.5
StellarWP Restrict Content plugin versions 3.2.22 and earlier contain an authorization bypass that allows unauthenticated attackers to modify access control settings through improper validation of security levels. An attacker can leverage this vulnerability to escalate privileges or grant unauthorized content access to restricted resources. No patch is currently available.
Authentication Bypass
-
CVE-2026-32545
HIGH
CVSS 7.1
Taboola Pixel versions up to and including 1.1.4 contain a Reflected Cross-Site Scripting (XSS) vulnerability that allows attackers to inject malicious scripts into web pages during generation. An attacker can craft a malicious URL containing a JavaScript payload and trick users into clicking it, causing the injected code to execute in the victim's browser with their session privileges. This vulnerability affects the Taboola Pixel WordPress plugin and has been identified by Patchstack; no EPSS data is currently available, but the reflected XSS classification and WordPress plugin distribution suggest moderate to high real-world risk given the plugin's widespread usage.
XSS
-
CVE-2026-32544
HIGH
CVSS 7.1
A Stored Cross-Site Scripting (XSS) vulnerability exists in the OOPSpam Anti-Spam WordPress plugin through version 1.2.62, allowing attackers to inject and persist malicious JavaScript code that executes in the browsers of authenticated users and administrators. The vulnerability stems from improper input neutralization during web page generation (CWE-79), enabling attackers to compromise user sessions, steal credentials, or perform actions on behalf of affected users. No EPSS probability or active exploitation data (KEV status) is currently available, but the Stored XSS classification and WordPress plugin distribution indicate moderate to high real-world risk given the plugin's accessibility and widespread WordPress ecosystem deployment.
XSS
-
CVE-2026-32542
HIGH
CVSS 7.1
A Reflected Cross-Site Scripting (XSS) vulnerability exists in ThemeFusion Fusion Builder, a WordPress page builder plugin, affecting all versions prior to 3.15.0. An unauthenticated attacker can inject malicious JavaScript into web pages through improper input sanitization, allowing them to steal session cookies, perform actions on behalf of users, or redirect visitors to malicious sites. No EPSS data or public proof-of-concept has been officially published, but the vulnerability has been documented by Patchstack and assigned EUVD-2026-15919; patch availability is confirmed via the vendor advisory.
XSS
-
CVE-2026-32540
HIGH
CVSS 7.1
A Reflected Cross-Site Scripting (XSS) vulnerability exists in Bookly, a WordPress appointment booking plugin, affecting versions up to and including 26.7. Attackers can inject malicious scripts into web requests that execute in the victim's browser when the vulnerable page is rendered, allowing session hijacking, credential theft, or malware distribution. While no EPSS data is currently available, the vulnerability has been formally tracked by ENISA (EUVD-2026-15915) and reported via Patchstack, indicating active awareness in the security community.
XSS
-
CVE-2026-32538
HIGH
CVSS 7.5
The SMTP Mailer plugin for WordPress (versions up to 1.1.24) contains an Insertion of Sensitive Information Into Sent Data vulnerability that allows attackers to retrieve embedded sensitive data through the plugin's email transmission functionality. This information disclosure flaw affects all installations of the affected SMTP Mailer versions and could expose credentials, configuration data, or other sensitive information transmitted via the plugin's SMTP implementation. No EPSS data is currently available, and no indication of active exploitation or public proof-of-concept has been documented at this time.
Information Disclosure
-
CVE-2026-32537
HIGH
CVSS 7.5
A Local File Inclusion (LFI) vulnerability exists in the nK Visual Portfolio, Photo Gallery & Post Grid WordPress plugin through version 3.5.1, allowing attackers to include and execute arbitrary local files on the server via improper control of filename parameters in PHP include/require statements. An attacker with network access can exploit this vulnerability to disclose sensitive information such as configuration files, database credentials, or other local files stored on the web server. While no EPSS score is publicly available, the vulnerability is classified under CWE-98 (Improper Control of Filename for Include/Require) and affects all installations of this plugin running version 3.5.1 or earlier.
PHP
Lfi
Information Disclosure
-
CVE-2026-32534
HIGH
CVSS 8.5
JoomSky JS Help Desk contains a blind SQL injection vulnerability in versions through 3.0.3 that allows attackers to execute arbitrary SQL commands against the underlying database. The vulnerability affects the JS Help Desk plugin (identified via CPE cpe:2.3:a:joomsky:js_help_desk) and was reported by Patchstack. While no EPSS data is currently available, the blind SQL injection classification (CWE-89) indicates a serious data exfiltration and potential privilege escalation risk; the absence of a KEV designation suggests this may be a newer or less widely exploited vulnerability pending full disclosure and vendor patch release.
SQLi
-
CVE-2026-32532
HIGH
CVSS 7.1
A Stored Cross-Site Scripting (XSS) vulnerability exists in ThemeHunk's Contact Form & Lead Form Elementor Builder plugin for WordPress, affecting all versions through 2.0.1. An attacker can inject malicious scripts into form fields that are stored in the database and executed in the browsers of administrators or other users who view the submitted data, potentially leading to account takeover, data theft, or malware distribution. No EPSS data is currently available, and active exploitation status is unknown; however, the vulnerability is confirmed by Patchstack and tracked under ENISA EUVD-2026-15903.
XSS
-
CVE-2026-32531
HIGH
CVSS 8.1
A Local File Inclusion (LFI) vulnerability exists in Gavias Kunco WordPress theme versions prior to 1.4.5, allowing attackers to read arbitrary files from the affected server through improper control of filename parameters in PHP include/require statements. This vulnerability enables information disclosure attacks where sensitive files such as configuration files, source code, or system files could be exposed to unauthenticated or low-privileged attackers. No EPSS data is currently available, but the vulnerability is classified under CWE-98 (Improper Control of Filename for Include/Require Statement), a critical class of PHP-based remote/local file inclusion flaws.
PHP
Information Disclosure
Lfi
-
CVE-2026-32530
HIGH
CVSS 8.8
An Incorrect Privilege Assignment vulnerability exists in WPFunnels Creator LMS plugin (versions up to and including 1.1.18) that allows authenticated or unauthenticated attackers to escalate their privileges within the application. This CWE-266 flaw enables attackers to gain unauthorized administrative or elevated access, potentially compromising the entire LMS installation and user data. While EPSS data is not yet publicly available, the privilege escalation nature and confirmed vulnerability status indicate significant real-world risk, particularly for WordPress installations managing educational content and user accounts.
Privilege Escalation
-
CVE-2026-32529
HIGH
CVSS 7.1
A reflected Cross-Site Scripting (XSS) vulnerability exists in the don-themes Molla WordPress theme through version 1.5.18, allowing attackers to inject malicious scripts into web pages viewed by victims. The vulnerability stems from improper neutralization of user input during web page generation (CWE-79), enabling attackers to execute arbitrary JavaScript in the context of affected users' browsers. An attacker can craft a malicious URL containing an XSS payload and trick users into clicking it, potentially leading to session hijacking, credential theft, or malware distribution. No active exploitation in the wild has been confirmed via KEV status, and no EPSS score is available, but the vulnerability is documented by Patchstack with a confirmed patch available in version 1.5.19 or later.
XSS
-
CVE-2026-32528
HIGH
CVSS 7.1
A Reflected Cross-Site Scripting (XSS) vulnerability exists in don-themes Riode WordPress theme versions prior to 1.6.29, allowing attackers to inject malicious JavaScript code that executes in users' browsers when they click on crafted links. This CWE-79 vulnerability affects the Riode multi-purpose WooCommerce theme and enables attackers to steal session cookies, perform actions on behalf of users, or redirect users to malicious sites. No EPSS data or formal KEV status is currently available, but the vulnerability was reported by Patchstack with a confirmed patch available in version 1.6.29 and later.
XSS
-
CVE-2026-32526
HIGH
CVSS 7.1
A Stored Cross-Site Scripting (XSS) vulnerability exists in VillaTheme's Abandoned Cart Recovery for WooCommerce plugin affecting versions up to and including 1.1.10. The vulnerability allows attackers to inject malicious JavaScript code that persists in the application and executes in the browsers of administrators and customers when vulnerable pages are viewed. An attacker with appropriate access can compromise user sessions, steal sensitive data, or perform unauthorized actions on behalf of legitimate users.
XSS
WordPress
-
CVE-2026-32522
HIGH
CVSS 8.6
A path traversal vulnerability exists in the Vanquish WooCommerce Support Ticket System plugin for WordPress, affecting all versions prior to 18.5, that allows attackers to access files outside the intended directory structure. The vulnerability is classified as CWE-22 (Improper Limitation of Pathname to Restricted Directory) and enables unauthorized file access or manipulation depending on the specific implementation context. While no EPSS data is currently available and KEV status is unknown, the path traversal class of vulnerability typically carries significant risk in web applications where file operations are involved.
WordPress
Path Traversal
-
CVE-2026-32518
HIGH
CVSS 7.1
A Reflected Cross-Site Scripting (XSS) vulnerability exists in the imithemes Gaea WordPress theme affecting versions prior to 3.8, allowing attackers to inject malicious scripts into web pages viewed by other users. The vulnerability stems from improper neutralization of user input during web page generation (CWE-79), enabling attackers to steal session cookies, perform actions on behalf of users, or redirect visitors to malicious sites. No EPSS data is currently available, and active exploitation status via KEV has not been confirmed, but the XSS classification and public disclosure via Patchstack suggest this represents a moderate to significant risk for WordPress installations using affected Gaea theme versions.
XSS
-
CVE-2026-32517
HIGH
CVSS 7.1
A Reflected Cross-Site Scripting (XSS) vulnerability exists in Kleor Contact Manager through version 9.1, allowing attackers to inject malicious scripts into web pages viewed by users. The vulnerability affects the Contact Manager plugin and can be exploited via reflected XSS attacks where user input is improperly neutralized during web page generation. An attacker can craft a malicious URL containing JavaScript payloads that execute in the victim's browser, potentially leading to session hijacking, credential theft, or malware distribution. No EPSS data or active KEV status is currently available; however, the confirmed presence of the vulnerability through Patchstack indicates a legitimate security concern requiring immediate attention.
XSS
-
CVE-2026-32516
HIGH
CVSS 8.5
A blind SQL injection vulnerability exists in the Miraculous Core Plugin for WordPress (versions prior to 2.1.2), allowing attackers to execute arbitrary SQL commands against the underlying database without displaying query results directly. This vulnerability affects all installations of the kamleshyadav Miraculous Core Plugin below version 2.1.2, enabling attackers to extract sensitive data, modify database contents, or potentially achieve remote code execution depending on database permissions and WordPress configuration. While no EPSS score is yet available and KEV status is unknown, the SQL injection classification (CWE-89) and reporting via Patchstack indicate this is a validated vulnerability with a confirmed patch available in version 2.1.2.
SQLi
-
CVE-2026-32515
HIGH
CVSS 7.5
A Missing Authorization vulnerability (CWE-862) exists in the Miraculous theme by kamleshyadav, affecting versions prior to 2.1.2, that allows attackers to bypass access control security levels through incorrectly configured authorization mechanisms. An attacker can exploit this flaw to access restricted functionality or resources that should require proper authentication and authorization checks. While no EPSS data or KEV status has been publicly assigned, the vulnerability has been documented by Patchstack and carries authentication bypass implications that warrant timely patching.
Authentication Bypass
-
CVE-2026-32513
HIGH
CVSS 8.8
A deserialization of untrusted data vulnerability in the JS Archive List jQuery widget (jquery-archive-list-widget) versions up to 6.1.7 allows remote attackers to inject malicious objects and achieve code execution or information disclosure. The vulnerability affects WordPress installations using the vulnerable plugin versions, and exploitation requires sending crafted serialized PHP objects to the affected endpoint. No EPSS score has been assigned, and KEV status is unknown, though the vulnerability was reported by Patchstack security researchers.
Deserialization
-
CVE-2026-32505
HIGH
CVSS 8.1
A Local File Inclusion (LFI) vulnerability exists in the CreativeWS Kiddy WordPress theme through version 2.0.8, allowing attackers to read arbitrary files from the affected server through improper control of filename parameters in PHP include/require statements. An attacker can exploit this vulnerability to disclose sensitive information such as configuration files, database credentials, or other locally stored data without requiring authentication or special privileges. While no EPSS data is currently available, the vulnerability is tracked by multiple security intelligence sources including Patchstack and ENISA.
PHP
Information Disclosure
Lfi
-
CVE-2026-32504
HIGH
CVSS 8.1
A Local File Inclusion (LFI) vulnerability exists in CreativeWS VintWood WordPress theme versions up to and including 1.1.8, stemming from improper control of filenames in PHP include/require statements. This vulnerability allows unauthenticated attackers to read arbitrary files from the affected server, potentially exposing sensitive configuration files, database credentials, and other confidential information. No EPSS data or KEV status is currently available, but the issue is documented across multiple security intelligence sources including Patchstack and ENISA.
PHP
Information Disclosure
Lfi
-
CVE-2026-32503
HIGH
CVSS 8.1
A Local File Inclusion (LFI) vulnerability exists in CreativeWS Trendustry WordPress theme versions up to 1.1.4, allowing attackers to include and execute arbitrary local files through improper control of filename parameters in PHP include/require statements. This vulnerability can lead to information disclosure by allowing attackers to read sensitive files on the server without requiring authentication or special privileges. While no EPSS score is currently published, the LFI classification and information disclosure impact indicate this represents a significant security risk for affected installations.
PHP
Information Disclosure
Lfi
-
CVE-2026-32501
HIGH
CVSS 7.1
WP Configurator Pro contains a missing authorization vulnerability (CWE-862) that allows attackers to bypass access controls and exploit incorrectly configured security levels within the plugin. All versions of WP Configurator Pro through version 3.7.9 are affected. An attacker can gain unauthorized access to sensitive configuration functions and data by circumventing the broken access control mechanisms, potentially compromising WordPress site integrity and confidentiality.
Authentication Bypass
-
CVE-2026-32500
HIGH
CVSS 8.1
A Local File Inclusion (LFI) vulnerability exists in CreativeWS MetaMax theme versions up to and including 1.1.4, allowing attackers to include and execute arbitrary local files through improper handling of PHP include/require statements. An unauthenticated remote attacker can exploit this to disclose sensitive files, read configuration data containing credentials, or potentially achieve remote code execution by including files with executable content. While no EPSS data is currently available, the vulnerability has been confirmed and documented by Patchstack with a direct reference to the affected WordPress theme.
PHP
Information Disclosure
Lfi
-
CVE-2026-32498
HIGH
CVSS 7.5
A missing authorization vulnerability exists in Metagauss RegistrationMagic (custom-registration-form-builder-with-submission-manager) plugin versions up to and including 6.0.7.6, where incorrectly configured access control allows attackers to bypass authentication mechanisms and exploit broken access control. An attacker can leverage this vulnerability to perform unauthorized actions within the application by circumventing intended authorization checks. The vulnerability is classified as CWE-862 (Missing Authorization) and was reported by Patchstack; while EPSS data is not publicly available, the authentication bypass nature of this flaw indicates significant exploitability potential.
Authentication Bypass
-
CVE-2026-32495
HIGH
CVSS 7.5
A missing authorization vulnerability exists in WP Terms Popup plugin for WordPress (versions through 2.10.0) that allows attackers to bypass access controls and exploit incorrectly configured security levels. The vulnerability, classified as CWE-862 (Missing Authorization), enables unauthenticated or low-privileged attackers to access restricted functionality without proper permission checks. This issue was reported by Patchstack and affects all installations of the plugin up to and including version 2.10.0.
Authentication Bypass
-
CVE-2026-32494
HIGH
CVSS 7.1
A Cross-site Scripting (XSS) vulnerability exists in the Ays Pro Image Slider WordPress plugin (versions up to and including 2.7.1) due to improper input neutralization during web page generation, combined with incorrectly configured access control security levels. Attackers can inject malicious scripts that execute in the context of other users' browsers, potentially stealing session tokens, redirecting users, or performing unauthorized actions on behalf of victims. No CVSS score, EPSS data, or active exploitation signals (KEV status) are currently available, but the vulnerability is confirmed by Patchstack and assigned EUVD-2026-15837.
XSS
-
CVE-2026-32488
HIGH
CVSS 8.1
A privilege escalation vulnerability exists in the wpeverest User Registration WordPress plugin through version 4.4.9 due to incorrect privilege assignment (CWE-266). This flaw allows authenticated or unauthenticated attackers to escalate their privileges within the plugin, potentially gaining administrative access or elevated capabilities. No CVSS score, EPSS data, or KEV status has been published, limiting quantification of real-world exploitation risk, though the vulnerability was reported by Patchstack and affects all installations running version 4.4.9 or earlier.
Privilege Escalation
-
CVE-2026-32485
HIGH
CVSS 7.5
A missing authorization vulnerability exists in weDevs WP User Frontend plugin through version 4.2.8, allowing attackers to bypass access control checks and perform unauthorized actions. The vulnerability stems from incorrectly configured access control security levels (CWE-862: Missing Authorization), enabling attackers with varying privilege levels to access or modify restricted functionality. All installations of WP User Frontend up to and including version 4.2.8 are vulnerable, and immediate patching is strongly recommended.
Authentication Bypass
-
CVE-2026-32484
HIGH
CVSS 8.8
A PHP object injection vulnerability exists in BoldGrid weForms plugin through version 1.6.26 due to unsafe deserialization of untrusted data, allowing attackers to instantiate arbitrary objects and potentially execute remote code or manipulate application state. This affects WordPress installations using the vulnerable weForms plugin versions, and exploitation requires no authentication based on the deserialization attack vector. While no CVSS score or EPSS data is currently available, the CWE-502 classification and object injection capability represent a critical-severity issue typical of deserialization flaws that often lead to remote code execution.
Deserialization
-
CVE-2026-32441
HIGH
CVSS 7.7
A missing authorization vulnerability exists in WebToffee Comments Import & Export for WooCommerce (versions up to 2.4.9) that allows attackers to exploit incorrectly configured access control, potentially enabling unauthorized comment manipulation. The vulnerability is classified as CWE-862 (Missing Authorization), affecting WordPress installations using this plugin. Attackers with low or no privileges may be able to bypass authentication mechanisms to perform unauthorized actions on comment data.
WordPress
Authentication Bypass
-
CVE-2026-31921
HIGH
CVSS 8.2
A missing authorization vulnerability exists in the Devteam HaywoodTech Product Rearrange for WooCommerce plugin (versions up to 1.2.2) that allows attackers to exploit incorrectly configured access control security levels. This broken access control flaw (CWE-862) enables unauthorized users to manipulate product ordering in WooCommerce stores without proper authentication or authorization checks. The vulnerability affects all installations of the plugin through version 1.2.2 and has been documented by Patchstack with EUVD tracking ID EUVD-2026-15819, though CVSS scoring and POC availability status are not publicly detailed.
WordPress
Authentication Bypass
-
CVE-2026-31913
HIGH
CVSS 8.6
Whitebox-Studio Scape versions prior to 1.5.16 contain a path traversal vulnerability allowing unauthenticated remote attackers to cause denial of service by accessing restricted directories and exhausting system resources. The vulnerability requires no user interaction and can be exploited over the network with low complexity, affecting the availability of affected systems. No patch is currently available.
Path Traversal
-
CVE-2026-31788
HIGH
CVSS 8.2
The Xen privcmd driver in the Linux kernel allows unprivileged domain users (domU) to issue arbitrary hypercalls that can bypass Secure Boot protections by modifying kernel memory contents. This vulnerability affects the Linux kernel across multiple distributions (particularly Debian, with 8 tracked releases) and impacts systems running the Xen hypervisor with Secure Boot enabled, where a root process in an unprivileged guest domain could circumvent boot integrity protections. The fix restricts privcmd hypercall access to target a specific domain when running in unprivileged domU contexts, preventing unauthorized memory modification while preserving legitimate device model functionality.
Linux
Information Disclosure
-
CVE-2026-30976
HIGH
CVSS 8.6
Sonarr, a PVR application for Usenet and BitTorrent users, contains an unauthenticated path traversal vulnerability on Windows systems that allows remote attackers to read arbitrary files accessible to the Sonarr process. Affected versions include all 4.x branch releases prior to 4.0.17.2950 (nightly/develop) or 4.0.17.2952 (stable/main). With a CVSS score of 8.6 and network-based unauthenticated access (AV:N/PR:N), this represents a significant confidentiality risk allowing attackers to extract API keys, database credentials, and sensitive system files from Windows installations.
Apple
Microsoft
Path Traversal
-
CVE-2026-30975
HIGH
CVSS 8.1
Sonarr, a PVR application for Usenet and BitTorrent users, contains an authentication bypass vulnerability affecting installations configured with authentication disabled for local addresses. Attackers can exploit this flaw to gain unauthorized access to Sonarr instances when deployed without a properly configured reverse proxy that filters malicious headers. The vulnerability affects versions prior to 4.0.16.2942 (nightly/develop) and 4.0.16.2944 (stable/main), with patches now available from the vendor.
Authentication Bypass
-
CVE-2026-30587
HIGH
CVSS 8.7
Multiple stored cross-site scripting (XSS) vulnerabilities exist in Seafile Server's Seadoc (sdoc) editor that fail to sanitize WebSocket messages related to document structure updates. Authenticated remote attackers can inject malicious JavaScript payloads through the src attribute of embedded Excalidraw whiteboards or the href attribute of anchor tags, affecting Seafile Server versions 13.0.15, 13.0.16-pro, 12.0.14 and prior. A proof-of-concept has been publicly disclosed on GitHub, and patches are available in versions 13.0.17, 13.0.17-pro, and 12.0.20-pro.
XSS
-
CVE-2026-29187
HIGH
CVSS 8.1
A Blind SQL Injection vulnerability exists in OpenEMR's Patient Search functionality that allows authenticated attackers to execute arbitrary SQL commands by manipulating HTTP parameter keys instead of values. OpenEMR versions prior to 8.0.0.3 are affected. With a CVSS score of 8.1 (High), this vulnerability enables high confidentiality and integrity impact, allowing attackers to extract sensitive patient health records and potentially modify database contents, though exploitation requires low-privileged authentication.
PHP
SQLi
-
CVE-2026-28894
HIGH
CVSS 7.5
Remote attackers can trigger denial-of-service conditions against multiple Apple operating systems (iOS, iPadOS, macOS variants) through network requests that bypass insufficient input validation. The vulnerability affects iOS 26.4 and earlier, iPadOS 26.4 and earlier, macOS Sequoia 15.7.4 and earlier, macOS Sonoma 14.8.4 and earlier, and macOS Tahoe 26.3 and earlier. No patch is currently available for this high-severity vulnerability with a 7.5 CVSS score.
Apple
Information Disclosure
macOS
iOS
-
CVE-2026-28891
HIGH
CVSS 8.1
Sandbox escape vulnerability in macOS (Sequoia 15.7.4 and earlier, Sonoma 14.8.4 and earlier, Tahoe 26.3 and earlier) allows locally-installed applications to break out of their sandbox restrictions through a race condition. An attacker with the ability to run an application on an affected system could exploit this to gain unauthorized access outside the application's intended security boundaries. No patch is currently available for this HIGH severity vulnerability (CVSS 8.1).
Apple
Race Condition
Information Disclosure
macOS
-
CVE-2026-28876
HIGH
CVSS 7.5
Improper path validation in Apple's operating systems (iOS, iPadOS, macOS, and visionOS) allows applications to bypass directory access restrictions and read sensitive user data without user interaction. An attacker with a malicious app could exploit this parsing weakness to access confidential information across affected Apple devices. No patch is currently available, though Apple has released fixed versions across its product line.
Apple
Authentication Bypass
macOS
iOS
-
CVE-2026-28875
HIGH
CVSS 7.5
iOS and iPadOS devices are vulnerable to denial-of-service attacks due to insufficient buffer bounds checking that allows remote attackers to crash affected systems without authentication. The vulnerability affects iOS 26.4 and earlier versions, requiring network access but no user interaction. No patch is currently available for this HIGH severity issue.
Apple
Buffer Overflow
iOS
-
CVE-2026-28874
HIGH
CVSS 7.5
Unpatched denial-of-service vulnerability in Apple iOS and iPadOS allows unauthenticated remote attackers to crash applications due to insufficient input validation. The vulnerability requires no user interaction and affects all versions prior to 26.4, with no security patch currently available.
Apple
Denial Of Service
iOS
-
CVE-2026-28865
HIGH
CVSS 7.5
Improper state management in Apple's authentication mechanisms across iOS, iPadOS, macOS, tvOS, visionOS, and watchOS allows attackers positioned on a network to intercept and potentially manipulate encrypted traffic. An attacker with privileged network access can exploit this vulnerability to conduct man-in-the-middle attacks without user interaction, compromising the confidentiality of communications. No patch is currently available for this high-severity flaw.
Apple
Authentication Bypass
macOS
iOS
-
CVE-2026-28855
HIGH
CVSS 7.5
A permissions enforcement vulnerability in Apple's operating systems allows applications to bypass access controls and read protected user data without proper authorization. The issue affects iOS and iPadOS versions prior to 26.3, and macOS Tahoe prior to 26.3. An attacker with a malicious app could exploit insufficient permission restrictions to access sensitive user information such as contacts, location data, photos, or other protected resources that should require explicit user consent.
Apple
Authentication Bypass
macOS
iOS
-
CVE-2026-28842
HIGH
CVSS 7.5
A buffer overflow vulnerability in Apple macOS Tahoe prior to version 26.4 enables remote attackers to trigger a denial-of-service condition through memory corruption and application crashes without requiring user interaction or authentication. The flaw stems from insufficient bounds checking and currently lacks a security patch. This vulnerability affects all macOS users running vulnerable versions.
Apple
Buffer Overflow
macOS
-
CVE-2026-28837
HIGH
CVSS 7.5
A logic flaw in macOS Tahoe allows applications to bypass security controls and access sensitive user data without proper authorization. The vulnerability affects macOS versions prior to 26.4 and is addressed through improved input validation and access control checks. While CVSS scoring data is unavailable, Apple has released a patch indicating this is a genuine security concern requiring immediate attention.
Apple
Authentication Bypass
macOS
-
CVE-2026-28832
HIGH
CVSS 8.4
macOS versions prior to Sequoia 15.7.5, Sonoma 14.8.5, and Tahoe 26.4 contain an out-of-bounds read vulnerability that allows local applications to access and disclose sensitive kernel memory. An attacker with the ability to run code on an affected system can exploit this memory disclosure to obtain privileged information that may aid in further system compromise. No patch is currently available for this HIGH severity vulnerability.
Buffer Overflow
Apple
Information Disclosure
macOS
-
CVE-2026-28821
HIGH
CVSS 8.4
A validation flaw in macOS entitlement verification allows applications to bypass privilege checks and gain elevated system privileges. The vulnerability affects macOS Sequoia 15.7.4 and earlier, macOS Sonoma 14.8.4 and earlier, and macOS Tahoe 26.3 and earlier. Apple has addressed this issue through improved validation of process entitlements in patched versions (15.7.5, 14.8.5, and 26.4 respectively), but no CVSS score, EPSS data, or KEV inclusion status is currently available, limiting immediate risk quantification.
Apple
Authentication Bypass
macOS
-
CVE-2026-28817
HIGH
CVSS 8.1
Sandboxed processes on Apple macOS (Sequoia 15.7.5, Sonoma 14.8.5, and Tahoe 26.4) can escape sandbox isolation due to a race condition in state handling, allowing local attackers to bypass security restrictions and potentially execute arbitrary operations with elevated privileges. No patch is currently available for affected systems. The vulnerability requires local access and specific timing conditions but carries high impact across confidentiality, integrity, and availability.
Apple
Race Condition
Information Disclosure
macOS
-
CVE-2026-28529
HIGH
CVSS 8.5
cryptodev-linux 1.14 and earlier suffer from a use-after-free vulnerability in the /dev/crypto device driver that enables local privilege escalation through reference count manipulation. Attackers with local access can exploit this memory corruption flaw to gain elevated privileges on affected systems. Public exploit code exists for this vulnerability.
Privilege Escalation
Use After Free
Memory Corruption
-
CVE-2026-27889
HIGH
CVSS 7.5
A critical pre-authentication denial of service vulnerability in nats-server allows an unauthenticated remote attacker to crash the entire server process by sending a single malicious 15-byte WebSocket frame. The vulnerability affects nats-server versions 2.2.0 through 2.11.13 and 2.12.0 through 2.12.4 when WebSocket listeners are enabled. A working proof-of-concept exploit in Go has been publicly disclosed by security researcher Mistz1, demonstrating that a single TCP connection can bring down the entire NATS deployment including all connected clients, JetStream streams, and cluster routes.
Denial Of Service
Integer Overflow
Python
Redhat
Suse
-
CVE-2026-27602
HIGH
CVSS 7.2
Modoboa, an open-source mail server management platform, contains a command injection vulnerability in its subprocess execution handler that allows authenticated Reseller or SuperAdmin users to execute arbitrary operating system commands. A proof-of-concept exploit exists demonstrating how shell metacharacters in domain names can achieve code execution, typically as root in standard deployments. The vulnerability affects modoboa versions up to and including 2.7.0, with patches available in version 2.7.1.
Python
Command Injection
OpenSSL
-
CVE-2026-27496
HIGH
CVSS 7.1
An information disclosure vulnerability exists in n8n workflow automation software when Task Runners are enabled, allowing authenticated users with workflow creation or modification permissions to allocate uninitialized memory buffers through the JavaScript Task Runner. These buffers may contain residual data from the same Node.js process including secrets, tokens, and data from prior requests, leading to sensitive information exposure. This vulnerability requires authenticated access with workflow creation or modification permissions; CVE-2026-27496 has a CVSS 4.0 score of 7.1 with high confidentiality impact and affects npm package installations of n8n.
Node.js
Information Disclosure
-
CVE-2026-27088
HIGH
CVSS 7.1
A reflected cross-site scripting (XSS) vulnerability exists in G5Theme's Darna Framework through version 2.9, allowing attackers to inject malicious scripts that execute in users' browsers when crafted URLs are visited. The vulnerability affects the Darna Framework WordPress plugin and stems from improper input neutralization during web page generation. While no CVSS score or EPSS data is currently published, the CWE-79 classification indicates this is a classic reflected XSS with potential for credential theft, session hijacking, and malware distribution depending on the attack vector's accessibility.
XSS
-
CVE-2026-27087
HIGH
CVSS 7.1
A Reflected Cross-Site Scripting (XSS) vulnerability exists in G5Theme's Wolverine Framework through version 1.9, enabling attackers to inject malicious scripts into web pages generated by the framework. This vulnerability affects all installations of Wolverine Framework up to and including version 1.9, allowing attackers to execute arbitrary JavaScript in the context of victim browsers when they visit a maliciously crafted URL. While no CVSS score or EPSS data is currently available, the vulnerability has been reported by Patchstack and assigned ENISA EUVD ID EUVD-2026-15797, indicating it has undergone standardized review.
XSS
-
CVE-2026-27081
HIGH
CVSS 8.1
A Local File Inclusion (LFI) vulnerability exists in the Mikado-Themes Rosebud WordPress theme through version 1.4, allowing attackers to include and execute arbitrary local files on the server via improper control of filename parameters in PHP include/require statements. This vulnerability enables information disclosure and potential remote code execution by reading sensitive files or including PHP files from the web root. No active exploitation in the wild has been publicly confirmed, but the vulnerability affects all installations of Rosebud up to and including version 1.4.
PHP
Information Disclosure
Lfi
-
CVE-2026-27080
HIGH
CVSS 8.1
A Local File Inclusion (LFI) vulnerability exists in the Mikado-Themes Deston WordPress theme through version 1.0, allowing attackers to read arbitrary files from the server filesystem via improper control of filename parameters in PHP include/require statements. This vulnerability, classified as CWE-98 (PHP Remote File Inclusion), enables information disclosure attacks where sensitive files such as configuration files, database credentials, or source code could be exposed. The vulnerability affects all versions of Deston up to and including 1.0, and has been documented by Patchstack with an EUVD ID (EUVD-2026-15787), though CVSS scoring and KEV status are not yet available.
PHP
Information Disclosure
Lfi
-
CVE-2026-27079
HIGH
CVSS 8.1
A Local File Inclusion (LFI) vulnerability exists in the Mikado-Themes Amfissa WordPress theme through version 1.1, allowing attackers to improperly control filenames in PHP include/require statements. This vulnerability enables unauthorized information disclosure by reading arbitrary local files from the affected server. The issue stems from improper input validation on file inclusion parameters and affects all versions of Amfissa up to and including version 1.1.
PHP
Information Disclosure
Lfi
-
CVE-2026-27078
HIGH
CVSS 8.1
A Local File Inclusion (LFI) vulnerability exists in the Mikado-Themes Emaurri WordPress theme through version 1.0.1, allowing attackers to include and execute arbitrary local files on the affected server. The vulnerability stems from improper control of filenames in PHP include/require statements (CWE-98), enabling information disclosure and potential remote code execution depending on file access and PHP configuration. While CVSS and EPSS scores are not available, the attack vector appears to be network-based with low complexity, and the vulnerability has been documented by Patchstack but exploitation status and proof-of-concept availability require verification from primary sources.
PHP
Information Disclosure
Lfi
-
CVE-2026-27077
HIGH
CVSS 8.1
A Local File Inclusion (LFI) vulnerability exists in Mikado-Themes' MultiOffice WordPress theme versions up to and including 1.2, stemming from improper control of filenames in PHP include/require statements. An attacker can exploit this vulnerability to read arbitrary files from the affected server, potentially disclosing sensitive configuration files, database credentials, or other confidential information. No CVSS score, EPSS data, or active exploitation (KEV) status has been assigned to this vulnerability.
PHP
Information Disclosure
Lfi
-
CVE-2026-27076
HIGH
CVSS 8.1
A Local File Inclusion (LFI) vulnerability exists in the Mikado-Themes LuxeDrive WordPress theme (version 1.0 and earlier) that allows attackers to read arbitrary files from the affected server through improper control of filename parameters in PHP include/require statements. An unauthenticated attacker can exploit this vulnerability to disclose sensitive information such as configuration files, database credentials, or other system files without requiring special privileges or user interaction. While no CVSS score or EPSS data is currently available, the vulnerability class (CWE-98: Improper Control of Filename for Include/Require Statement) indicates a high-severity condition with straightforward exploitation mechanics.
PHP
Information Disclosure
Lfi
-
CVE-2026-27075
HIGH
CVSS 8.1
A Local File Inclusion (LFI) vulnerability exists in the Mikado-Themes Belfort WordPress theme version 1.0 and earlier, allowing attackers to include and execute arbitrary local files through improper control of filename parameters in PHP include/require statements. While classified as a Remote File Inclusion vulnerability in the CVE description, the actual impact is Local File Inclusion, enabling information disclosure through the reading of sensitive files such as configuration files, database credentials, and source code. No CVSS score, EPSS data, or KEV status is currently available, but the vulnerability's nature suggests moderate to high real-world risk given the prevalence of WordPress themes and the ease of exploitation.
PHP
Information Disclosure
Lfi
-
CVE-2026-27073
HIGH
CVSS 7.5
A hard-coded credentials vulnerability exists in the Addi buy-now-pay-later WordPress plugin (versions up to 2.0.4) that enables password recovery exploitation and authentication bypass attacks. Attackers can leverage embedded credentials to gain unauthorized access to user accounts and potentially escalate privileges within the plugin's functionality. This vulnerability is classified under CWE-798 (Use of Hard-coded Credentials) and has been reported by Patchstack; no CVSS score, EPSS data, or active KEV status is currently available, though the authentication bypass nature suggests active exploitation risk.
Authentication Bypass
-
CVE-2026-27054
HIGH
CVSS 7.1
A Reflected Cross-Site Scripting (XSS) vulnerability exists in PenciDesign's Penci Soledad Data Migrator plugin through version 1.3.1, allowing attackers to inject malicious scripts that execute in users' browsers when they visit a crafted URL. The vulnerability affects all versions up to and including 1.3.1 of the WordPress plugin. An attacker can exploit this to steal session cookies, perform actions on behalf of authenticated users, or redirect users to malicious sites, with the attack requiring only that a victim click a malicious link; no special privileges or interaction with the application itself are required.
XSS
-
CVE-2026-27048
HIGH
CVSS 8.1
A Local File Inclusion (LFI) vulnerability exists in Elated-Themes' The Aisle Core WordPress plugin through version 2.0.5, stemming from improper control of filenames in PHP include/require statements. This vulnerability allows unauthenticated attackers to read arbitrary files from the affected server, potentially exposing sensitive configuration files, database credentials, and other confidential information. No CVSS score, EPSS data, or active KEV status is currently available, but the vulnerability has been publicly documented by Patchstack and assigned EUVD-2026-15765.
PHP
Lfi
Information Disclosure
-
CVE-2026-27047
HIGH
CVSS 8.1
A Local File Inclusion (LFI) vulnerability exists in Mikado-Themes Curly Core plugin for WordPress through version 2.1.6, allowing improper control of filenames in PHP include/require statements. Attackers can exploit this to read arbitrary local files from the affected server, potentially disclosing sensitive configuration files, database credentials, and other confidential data. No CVSS score or EPSS data is currently available, and KEV/active exploitation status is unknown, but the vulnerability has been documented by Patchstack with a public reference URL.
PHP
Information Disclosure
Lfi
-
CVE-2026-27045
HIGH
CVSS 8.8
A PHP object injection vulnerability exists in the sbthemes WooCommerce Infinite Scroll plugin (versions up to and including 1.6.2) due to unsafe deserialization of untrusted data. This vulnerability allows attackers to inject malicious serialized objects, potentially leading to remote code execution or arbitrary object instantiation depending on available gadget chains within the WordPress environment. The vulnerability affects all installations of this plugin through version 1.6.2 and has been documented by Patchstack, though CVSS scoring and exploitation metrics are currently unavailable.
WordPress
Deserialization
-
CVE-2026-27040
HIGH
CVSS 8.8
AA-Team WZone versions 14.0.31 and earlier contain a path traversal vulnerability that allows authenticated attackers to access files outside intended directories. An attacker with valid credentials could leverage this flaw to read, modify, or delete sensitive files on the affected system. No patch is currently available for this vulnerability.
Path Traversal
-
CVE-2026-27039
HIGH
CVSS 8.5
A blind SQL injection vulnerability exists in AA-Team's WZone WordPress plugin through version 14.0.31, allowing unauthenticated attackers to extract sensitive database information without direct error-based feedback. The vulnerability affects all versions of WZone up to and including 14.0.31, enabling attackers to manipulate SQL queries through improperly neutralized user input. While no CVSS score or EPSS probability is available in the disclosed data, the blind SQL injection classification and the plugin's wide WordPress ecosystem adoption suggest moderate to high real-world risk, particularly if the vulnerability is easily triggerable and no authentication is required.
SQLi
-
CVE-2026-26306
HIGH
CVSS 8.4
A DLL hijacking vulnerability exists in the installer for OM Workspace (Windows Edition) Ver 2.4 and earlier, allowing local attackers to execute arbitrary code with the privileges of the user running the installer. The vulnerability is reported by JPCERT and affects software from OM Digital Solutions Corporation. With a CVSS score of 7.8 (High), the vulnerability requires local access and user interaction but no special privileges, making it a moderate real-world risk for targeted attacks during software installation.
RCE
Microsoft
Windows
-
CVE-2026-25464
HIGH
CVSS 8.1
A Local File Inclusion (LFI) vulnerability exists in TieLabs Jannah WordPress theme through version 7.6.3, stemming from improper control of filename parameters in PHP include/require statements. An attacker can exploit this vulnerability to read arbitrary local files from the affected server, potentially disclosing sensitive configuration files, credentials, or source code. No CVSS score, EPSS data, or active KEV listing is currently available, but the LFI classification and information disclosure impact indicate moderate to high real-world risk depending on server configuration and file permissions.
PHP
Information Disclosure
Lfi
-
CVE-2026-25461
HIGH
CVSS 7.1
A Reflected Cross-Site Scripting (XSS) vulnerability exists in the purethemes Listeo Core WordPress plugin through version 2.0.21, allowing attackers to inject malicious scripts into web pages viewed by victims. An attacker can craft a malicious URL containing JavaScript payload that executes in the victim's browser when they visit the link, potentially stealing session cookies, credentials, or performing actions on behalf of the user. No CVSS score, EPSS data, or active KEV status is currently published, but the vulnerability is documented by Patchstack with a direct reference to the affected plugin version.
XSS
-
CVE-2026-25458
HIGH
CVSS 8.1
The Select-Themes Moments WordPress theme versions 2.2 and earlier contain a Local File Inclusion (LFI) vulnerability that allows attackers to improperly control filename parameters in PHP include/require statements. An unauthenticated attacker can exploit this vulnerability to read arbitrary files from the affected server, potentially disclosing sensitive configuration files, source code, or other confidential information. While no CVSS score or EPSS data is currently available and no active KEV listing is confirmed, the vulnerability is catalogued by Patchstack and has been assigned EUVD-2026-15740, indicating documented exploitation potential.
PHP
Information Disclosure
Lfi
-
CVE-2026-25457
HIGH
CVSS 8.1
A Local File Inclusion (LFI) vulnerability exists in the Select-Themes Mixtape WordPress theme through version 2.1, allowing attackers to include and execute arbitrary local files on the affected server. The vulnerability stems from improper control of filenames in PHP include/require statements (CWE-98), enabling information disclosure and potential remote code execution depending on file accessibility. While no CVSS score or EPSS data is currently available, the LFI classification and PHP nature of the vulnerability indicate moderate to high exploitability with network-based attack vectors.
PHP
Information Disclosure
Lfi
-
CVE-2026-25456
HIGH
CVSS 7.5
A missing authorization vulnerability in the Aarsiv Groups Automated FedEx live/manual rates with shipping labels WordPress plugin (versions up to 5.1.8) allows attackers to exploit incorrectly configured access control security levels to bypass authentication and gain unauthorized access to sensitive shipping and rate functionality. The vulnerability is classified as CWE-862 (Missing Authorization) and represents a broken access control flaw that could allow unauthenticated or low-privileged attackers to manipulate FedEx shipping operations. No CVSS score, EPSS probability, or KEV status has been publicly disclosed, though the vulnerability was reported by Patchstack and tracked in the ENISA EUVD database as EUVD-2026-15736.
Authentication Bypass
-
CVE-2026-25452
HIGH
CVSS 7.1
A Stored Cross-Site Scripting (XSS) vulnerability exists in the WPDO Remoji WordPress plugin through version 2.2, allowing attackers to inject malicious JavaScript code that persists in the database and executes in the browsers of site visitors. This vulnerability affects all installations of Remoji up to and including version 2.2, enabling authenticated or unauthenticated attackers (depending on plugin configuration) to compromise website visitors' sessions, steal credentials, or redirect users to malicious sites. While CVSS and EPSS scores are not publicly available, the vulnerability's classification as Stored XSS and reporting through Patchstack indicate moderate-to-high real-world severity.
XSS
-
CVE-2026-25435
HIGH
CVSS 7.1
A Stored Cross-Site Scripting (XSS) vulnerability exists in the wpdevart Booking Calendar and Appointment Booking System WordPress plugin through version 3.2.36, allowing attackers to inject and execute malicious JavaScript code that persists in the application database. An authenticated or unauthenticated attacker can exploit this vulnerability to steal session cookies, perform actions on behalf of legitimate users, or redirect visitors to malicious sites. No CVSS score, EPSS probability, or active exploitation in the wild (KEV status) is currently available, but the vulnerability affects a widely used booking plugin and likely represents a significant risk given the prevalence of WordPress installations.
XSS
-
CVE-2026-25414
HIGH
CVSS 8.8
WPBookit Pro contains an Incorrect Privilege Assignment vulnerability (CWE-266) that allows unauthenticated or low-privileged attackers to escalate their privileges within the WordPress plugin. All versions through 1.6.18 are affected, enabling attackers to gain unauthorized administrative or elevated capabilities. The vulnerability was reported by Patchstack and tracked under EUVD-2026-15721, though CVSS scoring data is currently unavailable.
Privilege Escalation
-
CVE-2026-25406
HIGH
CVSS 8.8
Themeum Tutor LMS Pro versions 3.9.4 and earlier contain an authentication bypass vulnerability (CWE-288) that allows attackers to abuse alternate authentication paths or channels to gain unauthorized access. This affects WordPress installations running the vulnerable plugin, potentially allowing attackers to bypass login mechanisms and gain administrative or user access without valid credentials. No CVSS score, EPSS data, or KEV status is currently available, though the vulnerability was reported by Patchstack and assigned EUVD ID EUVD-2026-15717.
Authentication Bypass
-
CVE-2026-25401
HIGH
CVSS 7.5
A missing authorization vulnerability exists in Arni Cinco WPCargo Track & Trace WordPress plugin through version 8.0.2, where incorrectly configured access control allows attackers to bypass authentication mechanisms and exploit sensitive functionality. This broken access control flaw (CWE-862) affects all installations of the plugin up to and including version 8.0.2, enabling unauthenticated or low-privileged attackers to access resources or perform actions they should not be permitted to execute. The vulnerability was reported by Patchstack and has been tracked under ENISA EUVD ID EUVD-2026-15715.
Authentication Bypass
-
CVE-2026-25400
HIGH
CVSS 8.8
Apicona, a WordPress theme by thememount, contains a PHP object injection vulnerability stemming from unsafe deserialization of untrusted data (CWE-502). All versions through 24.1.0 are affected. An attacker can exploit this to inject arbitrary objects into the application, potentially leading to remote code execution or other malicious object manipulation depending on available gadget chains within the PHP environment.
Deserialization
-
CVE-2026-25397
HIGH
CVSS 7.5
Path traversal in Snowray Software's File Uploader for WooCommerce plugin (versions up to 1.0.4) enables unauthenticated remote attackers to access arbitrary files on affected WordPress installations through directory traversal sequences. Successful exploitation could result in disclosure of sensitive data, modification of website content, or service disruption. No patch is currently available, requiring administrators to disable or remove the vulnerable plugin.
Path Traversal
WordPress
-
CVE-2026-25396
HIGH
CVSS 7.5
A Missing Authorization vulnerability (CWE-862) exists in CoderPress Commerce Coinbase For WooCommerce plugin versions up to and including 1.6.6, allowing attackers to bypass access control mechanisms and perform unauthorized actions through incorrectly configured security levels. An attacker can exploit this broken access control to manipulate commerce functions or access restricted administrative features without proper authentication. No CVSS score, EPSS data, or active KEV status is currently available, but the vulnerability was reported by Patchstack and assigned EUVD ID EUVD-2026-15707.
WordPress
Authentication Bypass
-
CVE-2026-25383
HIGH
CVSS 7.1
A Reflected Cross-Site Scripting (XSS) vulnerability exists in Iqonic Design's KiviCare clinic management system through version 3.6.16, allowing attackers to inject malicious scripts into web pages viewed by users. An attacker can craft a malicious URL containing a JavaScript payload and trick users into clicking it, enabling session hijacking, credential theft, or unauthorized actions within the clinic management system. No CVSS score, EPSS probability, or KEV status are available, though the vulnerability was publicly disclosed by Patchstack and is categorized under CWE-79 (Improper Neutralization of Input During Web Page Generation).
XSS
-
CVE-2026-25382
HIGH
CVSS 8.1
A Local File Inclusion (LFI) vulnerability exists in jwsthemes IdealAuto WordPress theme versions prior to 3.8.6, where improper control of filenames in PHP include/require statements allows attackers to read arbitrary files from the affected server. An unauthenticated remote attacker can exploit this vulnerability to disclose sensitive information such as configuration files, database credentials, and other system files. This vulnerability has been documented by Patchstack and tracked under EUVD-2026-15701; no CVSS score is currently assigned, though the tags indicate it enables information disclosure through PHP-based file inclusion.
PHP
Information Disclosure
Lfi
-
CVE-2026-25381
HIGH
CVSS 8.1
A Local File Inclusion (LFI) vulnerability exists in the JWSThemes LoveDate WordPress theme through version 3.8.5, allowing attackers to read arbitrary files from the affected server through improper control of filename parameters in PHP include/require statements. The vulnerability affects all versions of LoveDate prior to 3.8.6, and an attacker can exploit this to disclose sensitive information such as configuration files, database credentials, and other system files without requiring authentication or special privileges.
PHP
Information Disclosure
Lfi
-
CVE-2026-25380
HIGH
CVSS 8.1
A PHP Local File Inclusion (LFI) vulnerability exists in jwsthemes Feedy theme versions prior to 2.1.5, stemming from improper control of filenames in PHP include/require statements. This vulnerability allows unauthenticated attackers to read arbitrary files from the affected server, potentially exposing sensitive configuration files, database credentials, and other confidential information. The vulnerability is classified under CWE-98 (Improper Control of Filename for Include/Require Statement) and was reported by Patchstack, affecting WordPress installations using the vulnerable Feedy theme.
PHP
Information Disclosure
Lfi
-
CVE-2026-25379
HIGH
CVSS 8.1
A Local File Inclusion (LFI) vulnerability exists in jwsthemes StreamVid WordPress theme versions prior to 6.8.6, where improper control of filename parameters in PHP include/require statements allows attackers to read arbitrary files from the server. The vulnerability is classified as CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program) and has been documented by Patchstack with ENISA tracking ID EUVD-2026-15696. While no CVSS score or EPSS data is currently published, the LFI classification indicates potential for sensitive information disclosure including configuration files, source code, and credentials.
PHP
Information Disclosure
Lfi
-
CVE-2026-25376
HIGH
CVSS 7.1
A Reflected Cross-Site Scripting (XSS) vulnerability exists in the eyecix Addon Jobsearch Chat plugin for WordPress, affecting versions up to and including 3.0. An attacker can inject malicious scripts into user-controlled input that is reflected back in the web page without proper sanitization, allowing them to steal session cookies, perform actions on behalf of authenticated users, or redirect users to malicious sites. No CVSS score, EPSS probability, or active KEV designation is available; however, the vulnerability is confirmed via Patchstack and carries a European vulnerability database entry (EUVD-2026-15694).
XSS
-
CVE-2026-25373
HIGH
CVSS 7.1
A Reflected Cross-Site Scripting (XSS) vulnerability exists in the ProgressionStudios Vayvo WordPress theme (versions prior to 6.8) that allows attackers to inject malicious scripts into web pages viewed by users. An attacker can craft a malicious URL containing unsanitized input and trick users into clicking it, causing arbitrary JavaScript to execute in the victim's browser within the context of the Vayvo-powered site. No CVSS score, EPSS probability, or KEV confirmation is currently available, but the reflected XSS classification and Patchstack reporting indicate this is a known, credible vulnerability with patch availability.
XSS
-
CVE-2026-25361
HIGH
CVSS 7.1
A Reflected Cross-Site Scripting (XSS) vulnerability exists in the WpEvently WordPress plugin (mage-eventpress) affecting versions up to and including 5.1.4, allowing attackers to inject malicious scripts that execute in users' browsers when they visit crafted URLs. The vulnerability stems from improper neutralization of user input during web page generation (CWE-79), enabling attackers to steal session cookies, perform unauthorized actions, or redirect users to malicious sites. No CVSS score or EPSS data is currently available, but the Patchstack reporting and EUVD tracking indicate this is a documented and confirmed vulnerability requiring prompt patching.
XSS
-
CVE-2026-25360
HIGH
CVSS 8.8
A deserialization of untrusted data vulnerability exists in the Rascals Vex theme (CWE-502) that allows attackers to perform PHP object injection attacks. The vulnerability affects Vex versions prior to 1.2.9, as confirmed by Patchstack reporting and ENISA EUVD-2026-15684. An attacker exploiting this flaw can inject malicious serialized objects to achieve arbitrary code execution or other malicious outcomes depending on available PHP magic methods in the application environment.
Deserialization
-
CVE-2026-25359
HIGH
CVSS 8.8
A deserialization of untrusted data vulnerability exists in Pendulum (a PHP datetime library) versions prior to 3.1.5, allowing attackers to perform object injection attacks. The vulnerability affects the rascals Pendulum library through unvalidated deserialization of user-supplied data. An attacker can exploit this to instantiate arbitrary PHP objects, potentially leading to remote code execution or other malicious outcomes depending on the application's gadget chain availability.
Deserialization
-
CVE-2026-25358
HIGH
CVSS 8.8
A PHP Object Injection vulnerability exists in the Rascals Meloo WordPress theme due to unsafe deserialization of untrusted data, classified under CWE-502 (Deserialization of Untrusted Data). This vulnerability affects Meloo versions prior to 2.8.2 and allows attackers to inject malicious objects that could lead to remote code execution or other security compromises. While no CVSS score, EPSS probability, or KEV status has been publicly assigned, the vulnerability was reported by Patchstack and has been assigned ENISA EUVD tracking ID EUVD-2026-15679, indicating active monitoring by European vulnerability databases.
Deserialization
-
CVE-2026-25357
HIGH
CVSS 8.1
Ultimate Membership Pro through version 13.7 contains an authentication bypass vulnerability that allows attackers to access the application via alternate authentication channels without valid credentials. An unauthenticated remote attacker can exploit this vulnerability by manipulating the authentication mechanism, potentially gaining unauthorized access to user accounts and sensitive membership data. No patch is currently available for this vulnerability.
Authentication Bypass
-
CVE-2026-25356
HIGH
CVSS 7.1
A Reflected Cross-Site Scripting (XSS) vulnerability exists in the Skygroup Yobazar WordPress theme due to improper neutralization of user input during web page generation. This vulnerability affects Yobazar versions prior to 1.6.7 and allows attackers to inject malicious scripts that execute in the browsers of users who visit crafted URLs. The vulnerability has been reported by Patchstack and is classified as CWE-79; while no CVSS score or EPSS data is currently available, the reflected XSS vector typically enables session hijacking, credential theft, and malware distribution.
XSS
-
CVE-2026-25354
HIGH
CVSS 7.1
A reflected Cross-Site Scripting (XSS) vulnerability exists in the skygroup Reebox WordPress theme due to improper neutralization of user input during web page generation. This vulnerability affects Reebox versions prior to 1.4.8, allowing attackers to inject malicious scripts that execute in the context of a victim's browser when they click a crafted link. While CVSS and EPSS scores are not publicly available, the CWE-79 classification and Patchstack reporting indicate this is a confirmed, real vulnerability with active disclosure through the EUVD database (EUVD-2026-15671).
XSS
-
CVE-2026-25353
HIGH
CVSS 7.1
A Reflected Cross-Site Scripting (XSS) vulnerability exists in the skygroup Nooni theme affecting versions prior to 1.5.1, allowing attackers to inject malicious scripts into web pages viewed by users. The vulnerability stems from improper neutralization of user input during web page generation, classified as CWE-79. Attackers can craft malicious URLs containing JavaScript payloads that execute in the context of a victim's browser when the link is visited, potentially leading to session hijacking, credential theft, or malware distribution.
XSS
-
CVE-2026-25352
HIGH
CVSS 7.1
A Reflected Cross-Site Scripting (XSS) vulnerability exists in the skygroup MyDecor WordPress theme affecting versions prior to 1.5.9. An unauthenticated attacker can inject malicious JavaScript code through unvalidated user input parameters in web requests, which is then reflected back to victims in the HTTP response without proper sanitization or encoding. This allows attackers to execute arbitrary JavaScript in a victim's browser within the context of the affected website, potentially leading to session hijacking, credential theft, or malware distribution.
XSS
-
CVE-2026-25351
HIGH
CVSS 7.1
A Reflected Cross-Site Scripting (XSS) vulnerability exists in the skygroup MyMedi WordPress theme that allows unauthenticated attackers to inject malicious scripts into web pages viewed by other users. The vulnerability affects MyMedi versions prior to 1.7.7, and an attacker can leverage reflected XSS to steal session cookies, redirect users to malicious sites, or perform actions on behalf of the victim. No active exploitation in the wild has been confirmed, but the vulnerability was publicly disclosed via Patchstack with technical details available.
XSS
-
CVE-2026-25350
HIGH
CVSS 7.1
A Reflected Cross-Site Scripting (XSS) vulnerability exists in the skygroup Miti theme for WordPress, allowing attackers to inject malicious scripts into web pages viewed by users. This vulnerability affects Miti versions prior to 1.5.3, and an attacker can craft malicious URLs to execute arbitrary JavaScript in the context of a victim's browser session, potentially stealing credentials or session tokens, or performing actions on behalf of the user. No CVSS score, EPSS metric, or KEV status information is currently available, but the vulnerability has been documented by Patchstack with a patch available in version 1.5.3.
XSS
-
CVE-2026-25349
HIGH
CVSS 7.1
A Reflected Cross-Site Scripting (XSS) vulnerability exists in the skygroup Loobek theme (CWE-79: Improper Neutralization of Input During Web Page Generation) that allows attackers to inject malicious scripts into web pages viewed by users. The vulnerability affects Loobek versions prior to 1.5.2, as documented by Patchstack and tracked under ENISA EUVD ID EUVD-2026-15664. An attacker can craft a malicious URL containing unescaped input that, when clicked by a victim, executes arbitrary JavaScript in the victim's browser context, potentially leading to session hijacking, credential theft, or malware distribution.
XSS
-
CVE-2026-25347
HIGH
CVSS 7.1
A Stored Cross-Site Scripting (XSS) vulnerability exists in the Acato WP REST Cache WordPress plugin through version 2026.1.0, allowing attackers to inject and persist malicious JavaScript code that executes in the browsers of site administrators and users. This vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) and affects all installations of WP REST Cache up to and including version 2026.1.0. An attacker with appropriate access could inject stored XSS payloads that compromise administrator sessions, steal credentials, or modify site content.
XSS
-
CVE-2026-25346
HIGH
CVSS 7.1
A Cross-Site Scripting (XSS) vulnerability exists in AYS Pro FAQ Builder plugin versions up to and including 1.8.2, allowing attackers to inject malicious scripts through improperly neutralized input during web page generation. The vulnerability stems from incorrectly configured access control security levels, enabling unauthenticated or low-privileged attackers to execute arbitrary JavaScript in the context of affected WordPress sites. While CVSS and EPSS scores are not publicly available, the vulnerability was reported by Patchstack and assigned ENISA EUVD ID EUVD-2026-15661, indicating formal recognition across European vulnerability databases.
XSS
-
CVE-2026-25342
HIGH
CVSS 7.1
A Reflected Cross-Site Scripting (XSS) vulnerability exists in the kutethemes Boutique WordPress theme versions prior to 2.4.6, allowing attackers to inject malicious scripts into web pages viewed by other users. An attacker can craft a malicious URL containing unsanitized input that, when clicked by a victim, executes arbitrary JavaScript in the victim's browser within the context of the affected website. This vulnerability enables session hijacking, credential theft, malware distribution, and defacement of affected e-commerce sites running vulnerable versions of the Boutique theme.
XSS
-
CVE-2026-25341
HIGH
CVSS 7.1
RSFirewall!, a security plugin for Joomla, contains a Stored Cross-Site Scripting (XSS) vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users. The vulnerability affects RSFirewall! versions up to and including 1.1.45, enabling authenticated or unauthenticated attackers (depending on configuration) to store persistent XSS payloads that execute in the browsers of administrators and site visitors. No CVSS score, EPSS data, or KEV status is currently available, but the Patchstack report indicates active awareness of this vulnerability in the security community.
XSS
-
CVE-2026-25334
HIGH
CVSS 8.1
An Incorrect Privilege Assignment vulnerability (CWE-266) exists in the Salon Booking System Pro WordPress plugin versions prior to 10.30.12, allowing attackers to escalate privileges and potentially achieve account takeover. The vulnerability affects all versions of the salon-booking-plugin-pro from an unspecified baseline through version 10.30.11. This privilege escalation can be exploited by unauthenticated or low-privileged attackers to gain unauthorized administrative access to the booking system.
Privilege Escalation
-
CVE-2026-25317
HIGH
CVSS 7.5
A missing authorization vulnerability exists in the Print Invoice & Delivery Notes for WooCommerce plugin (tychesoftwares) through version 5.9.0, allowing attackers to exploit incorrectly configured access control to bypass authentication mechanisms and gain unauthorized access to sensitive functionality. The vulnerability is classified as a broken access control issue (CWE-862) affecting all versions up to and including 5.9.0. Attackers can leverage this flaw to access restricted operations without proper authorization, potentially exfiltrating invoice and delivery note data or manipulating order information.
WordPress
Authentication Bypass
-
CVE-2026-25309
HIGH
CVSS 7.5
A missing authorization vulnerability in PublishPress Authors plugin versions up to 4.10.1 allows attackers to exploit incorrectly configured access control security levels, potentially bypassing authentication mechanisms. This vulnerability affects WordPress installations using the PublishPress Authors plugin and could enable unauthorized users to perform actions they should not be permitted to execute. The vulnerability is classified as an authentication bypass issue with CWE-862 (Missing Authorization), though specific CVSS scoring and exploitation data are not yet published.
Authentication Bypass
-
CVE-2026-25306
HIGH
CVSS 7.1
A Reflected Cross-Site Scripting (XSS) vulnerability exists in the 8theme XStore Core WordPress plugin (et-core-plugin) that allows attackers to inject malicious scripts into web pages viewed by victims. The vulnerability affects XStore Core versions up to and including 5.6.4, enabling reflected XSS attacks where unsanitized user input is echoed back in HTTP responses without proper neutralization. An attacker can craft malicious URLs containing JavaScript payloads that execute in a victim's browser when clicked, potentially stealing session tokens or credentials, or performing actions on behalf of the user.
XSS
-
CVE-2026-25304
HIGH
CVSS 7.1
A reflected Cross-site Scripting (XSS) vulnerability exists in the Skygroup Jaroti WordPress theme through version 1.4.7, allowing attackers to inject malicious scripts into web pages viewed by users. The vulnerability stems from improper neutralization of user input during web page generation (CWE-79), enabling attackers to execute arbitrary JavaScript in the context of victim browsers. Affected users should upgrade to Jaroti version 1.4.8 or later to remediate the vulnerability; no CVSS score or EPSS data is currently available, and no KEV or POC confirmation has been documented in accessible threat intelligence sources.
XSS
-
CVE-2026-25033
HIGH
CVSS 7.1
A reflected cross-site scripting (XSS) vulnerability exists in the uixthemes Motta Addons WordPress plugin through version 1.6.0, allowing attackers to inject malicious JavaScript into web pages viewed by other users. The vulnerability affects all versions of Motta Addons prior to 1.6.1 and is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). While no CVSS score, EPSS score, or KEV status is currently available, this is a confirmed vulnerability reported by Patchstack with a clear patch version available, making it a practical security concern for WordPress site administrators using affected versions.
XSS
-
CVE-2026-25026
HIGH
CVSS 7.5
A missing authorization vulnerability exists in RadiusTheme Team plugin (versions up to 5.0.11) that allows attackers to exploit incorrectly configured access control security levels. This broken access control issue (CWE-862) enables unauthorized users to access or manipulate resources they should not have permission to access. The vulnerability affects the WordPress plugin tlp-team and has been documented by Patchstack as an authentication bypass vector, though no CVSS score, EPSS probability, or KEV status is currently available to assess active exploitation.
Authentication Bypass
-
CVE-2026-25025
HIGH
CVSS 7.1
VikRestaurants plugin versions up to and including 1.5.2 contain a Reflected Cross-Site Scripting (XSS) vulnerability that allows attackers to inject malicious JavaScript code into web pages viewed by users. The vulnerability affects the e4jvikwp VikRestaurants product, a restaurant management and booking plugin primarily used in WordPress environments. An attacker can craft a malicious URL containing a JavaScript payload and trick users into clicking it, resulting in credential theft, session hijacking, or defacement of the restaurant website.
XSS
-
CVE-2026-25018
HIGH
CVSS 7.1
A Reflected Cross-Site Scripting (XSS) vulnerability exists in the stmcan NaturaLife Extensions WordPress plugin through version 2.1, allowing attackers to inject malicious scripts that execute in users' browsers when they visit crafted URLs. The vulnerability stems from improper input neutralization during web page generation (CWE-79), enabling attackers to steal session cookies, perform actions on behalf of users, or redirect users to malicious sites. No CVSS score, EPSS data, or KEV status have been published for this CVE, but the Patchstack report indicates active awareness in the security community.
XSS
-
CVE-2026-25017
HIGH
CVSS 8.1
A Local File Inclusion (LFI) vulnerability exists in the NaturaLife Extensions WordPress plugin (versions up to 2.1) due to improper control of filenames in PHP include/require statements. This vulnerability allows unauthenticated attackers to read arbitrary files from the affected server, potentially leading to sensitive information disclosure such as configuration files, database credentials, and application source code. No CVSS score, EPSS data, or active KEV status is available, but the vulnerability is confirmed by Patchstack and tracked under EUVD-2026-15617.
PHP
Information Disclosure
Lfi
-
CVE-2026-25013
HIGH
CVSS 7.1
A Reflected Cross-Site Scripting (XSS) vulnerability exists in the WHMCSdes Phox Hosting plugin (versions up to and including 2.0.8) that allows attackers to inject malicious scripts into web pages viewed by other users. The vulnerability stems from improper neutralization of user input during web page generation (CWE-79), enabling attackers to execute arbitrary JavaScript in the context of a victim's browser session. While no CVSS score, EPSS probability, or active KEV status was provided in available intelligence, the reflected XSS classification indicates moderate-to-high real-world risk depending on deployment context and user interaction requirements.
XSS
-
CVE-2026-25007
HIGH
CVSS 8.5
A blind SQL injection vulnerability exists in ElementInvader Addons for Elementor, a WordPress plugin, affecting all versions through 1.4.2. An attacker can exploit this CWE-89 vulnerability to extract sensitive data from the underlying database without authentication, leveraging the plugin's improper neutralization of special SQL elements. No CVSS score, EPSS metric, or active KEV designation is currently available, but the blind SQL injection vector indicates meaningful exploitability risk requiring immediate patching.
SQLi
-
CVE-2026-25002
HIGH
CVSS 7.5
This vulnerability is an authentication bypass in the ThimPress LearnPress Sepay Payment plugin for WordPress that allows attackers to abuse authentication mechanisms through alternate paths or channels. The vulnerability affects LearnPress Sepay Payment versions up to and including 4.0.0. An attacker exploiting this flaw could bypass normal authentication controls to gain unauthorized access to the learning platform, potentially accessing student accounts, course content, or administrative functions without valid credentials.
Authentication Bypass
-
CVE-2026-25001
HIGH
CVSS 8.5
The Post Snippets WordPress plugin versions up to and including 4.0.12 contain an improper code generation vulnerability (CWE-94) that enables remote code injection and execution. An attacker can exploit this flaw to execute arbitrary code on affected WordPress installations, potentially leading to complete site compromise. The vulnerability has been publicly documented by Patchstack with available references, and the attack vector appears to be network-based without requiring high privileges.
RCE
Code Injection
-
CVE-2026-24983
HIGH
CVSS 7.1
A Reflected Cross-Site Scripting (XSS) vulnerability exists in UpSolution Core plugin versions through 8.41, allowing attackers to inject malicious scripts into web pages viewed by other users. The vulnerability affects the UpSolution Core WordPress plugin (CPE: cpe:2.3:a:upsolution:upsolution_core), enabling attackers to steal session tokens, perform actions on behalf of users, or redirect users to malicious sites through crafted URLs. No CVSS score, EPSS probability, or KEV status is currently available, though Patchstack has confirmed and documented this as a reflected XSS vulnerability.
XSS
-
CVE-2026-24981
HIGH
CVSS 8.8
A PHP Object Injection vulnerability exists in NooTheme Visionary Core plugin versions up to and including 1.4.9, stemming from unsafe deserialization of untrusted data. An attacker can inject malicious serialized objects to achieve arbitrary code execution or other critical impacts depending on available magic methods in the WordPress environment. No CVSS score, EPSS data, or KEV confirmation is currently available; however, the vulnerability is documented by Patchstack and assigned ENISA EUVD ID EUVD-2026-15602.
Deserialization
-
CVE-2026-24980
HIGH
CVSS 7.1
A Reflected Cross-Site Scripting (XSS) vulnerability exists in NooTheme Visionary Core WordPress plugin through version 1.4.9, allowing attackers to inject malicious scripts that execute in users' browsers when they visit crafted URLs. This vulnerability, classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), affects all installations of the plugin up to and including version 1.4.9. An attacker can craft a malicious link to steal session cookies, perform unauthorized actions on behalf of logged-in users, or redirect users to phishing sites, with the attack vector being network-based and requiring no authentication.
XSS
-
CVE-2026-24979
HIGH
CVSS 7.1
A Reflected Cross-Site Scripting (XSS) vulnerability exists in NooTheme Jobica Core plugin through version 1.4.1, allowing attackers to inject malicious scripts into web pages viewed by users. This vulnerability affects the WordPress plugin ecosystem and could enable attackers to steal session cookies, redirect users to phishing sites, or perform actions on behalf of authenticated users. No CVSS score or EPSS data is currently available, and the vulnerability has not been formally added to the CISA Known Exploited Vulnerabilities (KEV) catalog, though active exploitation potential exists given the Reflected XSS attack vector's simplicity.
XSS
-
CVE-2026-24978
HIGH
CVSS 8.8
A PHP Object Injection vulnerability exists in NooTheme Jobica Core plugin through version 1.4.1, stemming from unsafe deserialization of untrusted data. This affects WordPress installations using the vulnerable Jobica Core plugin, allowing attackers to inject malicious serialized objects that can lead to arbitrary code execution or information disclosure depending on available gadget chains. The vulnerability has been identified by Patchstack but lacks public CVSS scoring and KEV confirmation at this time.
Deserialization
-
CVE-2026-24977
HIGH
CVSS 8.5
A blind SQL injection vulnerability exists in NooTheme's Organici Library WordPress plugin through version 2.1.2, allowing unauthenticated attackers to extract sensitive data from the underlying database without direct error feedback. The vulnerability is classified as CWE-89 (Improper Neutralization of Special Elements in SQL Commands) and has been documented by Patchstack as a critical WordPress plugin security issue. While no CVSS score, EPSS probability, or public proof-of-concept availability has been confirmed in available sources, the blind SQL injection attack vector and broad plugin distribution make this a medium-to-high priority for WordPress administrators managing affected installations.
SQLi
-
CVE-2026-24976
HIGH
CVSS 8.8
A PHP Object Injection vulnerability exists in NooTheme's Organici Library plugin through version 2.1.2, stemming from unsafe deserialization of untrusted data. This vulnerability allows attackers to inject arbitrary PHP objects into the application, potentially leading to remote code execution or other malicious actions depending on available gadget chains in the WordPress environment. No active exploitation in the wild (KEV status) or published proof-of-concept has been confirmed from available sources, but the vulnerability was reported by Patchstack and assigned EUVD-2026-15592, indicating it is tracked in official vulnerability databases.
Deserialization
-
CVE-2026-24975
HIGH
CVSS 7.1
A Reflected Cross-Site Scripting (XSS) vulnerability exists in NooTheme's Organici Library plugin for WordPress, affecting versions up to and including 2.1.2. The vulnerability allows unauthenticated attackers to inject malicious scripts into web pages viewed by other users through crafted URLs or form inputs, potentially stealing session cookies or credentials, or performing actions on behalf of victims. While no CVSS score or EPSS data is publicly available, the reflected XSS classification (CWE-79) combined with the lack of apparent access restrictions suggests moderate to high real-world risk, particularly in WordPress environments where plugin vulnerabilities are frequently exploited.
XSS
-
CVE-2026-24974
HIGH
CVSS 8.8
A PHP Object Injection vulnerability exists in the NooTheme CitiLights WordPress theme through version 3.7.1, stemming from unsafe deserialization of untrusted data (CWE-502). An attacker who can supply the serialized input can instantiate arbitrary classes loaded in the WordPress process, which leads to remote code execution or other impact only when a suitable gadget chain exists in WordPress core or another installed plugin or theme. The vulnerability was reported by Patchstack and affects all versions up to and including 3.7.1; no EPSS data or KEV listing is currently available, and the available data does not state whether the deserialization point is reachable without authentication.
Deserialization
-
CVE-2026-24973
HIGH
CVSS 7.1
A Reflected Cross-Site Scripting (XSS) vulnerability exists in NooTheme CitiLights WordPress theme versions up to and including 3.7.1, allowing attackers to inject malicious scripts into web pages viewed by other users. The vulnerability stems from improper neutralization of user input during web page generation (CWE-79), enabling attackers to execute arbitrary JavaScript in victims' browsers. An attacker can craft malicious URLs containing JavaScript payloads and trick users into clicking them, potentially leading to session hijacking, credential theft, or malware distribution.
XSS
-
CVE-2026-24970
HIGH
CVSS 7.7
A path traversal vulnerability exists in the designingmedia Energox theme affecting versions up to and including 1.2, allowing attackers to reach files outside the intended directory through improper pathname validation. The vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and was reported by Patchstack. No EPSS score or KEV listing is available; whether the flaw allows file disclosure, deletion, or both depends on which file operation the traversed path reaches, which the available data does not specify.
Path Traversal
-
CVE-2026-24969
HIGH
CVSS 7.7
A path traversal vulnerability in designingmedia Instant VA (a WordPress theme) allows attackers to access or manipulate files outside the intended restricted directory through improper pathname validation. Instant VA versions up to and including 1.0.1 are affected, enabling arbitrary file deletion or unauthorized file access depending on the file operation involved and the web server's permissions. No EPSS score has been assigned and KEV status is unknown; the vulnerability has been documented by Patchstack with a reference to the Instant VA theme.
Path Traversal
-
CVE-2026-24750
HIGH
CVSS 7.6
A stored cross-site scripting (XSS) vulnerability exists in Kiteworks Secure Data Forms that allows authenticated attackers to inject malicious scripts when modifying forms. Kiteworks Secure Data Forms versions prior to 9.2.1 are affected, enabling attackers with low-level privileges to execute arbitrary JavaScript in victims' browsers. There is no indication this vulnerability is actively exploited (not in CISA KEV), and no public proof-of-concept has been identified in available intelligence.
XSS
-
CVE-2026-24391
HIGH
CVSS 7.1
A reflected Cross-Site Scripting (XSS) vulnerability exists in the ThemeMakers Car Dealer WordPress theme affecting versions up to and including 1.6.7. The vulnerability allows attackers to inject scripts that execute in the browsers of users who open specially crafted links, potentially leading to session hijacking, credential theft, or malware distribution. No EPSS data or KEV listing is currently available, and the vulnerability has not been reported as actively exploited in public threat intelligence.
XSS
-
CVE-2026-24382
HIGH
CVSS 7.5
A missing authorization vulnerability in the WordPress News Magazine X theme (versions up to 1.2.50) allows attackers to invoke functionality that lacks a capability check. Classified under CWE-862, this broken access control flaw lets users without the appropriate role, potentially including unauthenticated visitors, reach actions or data that should have required an authorization check before execution. All installations of News Magazine X through version 1.2.50 are affected, and remediation requires updating to a patched version.
Authentication Bypass
-
CVE-2026-24373
HIGH
CVSS 8.1
RegistrationMagic, a WordPress plugin for custom registration forms, contains an Incorrect Privilege Assignment vulnerability (CWE-266) that allows privilege escalation through improper access controls. Versions up to and including 6.0.7.1 are affected, enabling attackers to obtain privileges they should not have and potentially take over user accounts. No EPSS score or KEV listing is publicly available; the vulnerability has been documented by Patchstack and assigned ENISA tracking ID EUVD-2026-15569.
Privilege Escalation
-
CVE-2026-24372
HIGH
CVSS 7.5
An authentication bypass vulnerability exists in the WP Swings Subscriptions for WooCommerce plugin, versions up to and including 1.8.10, allowing attackers to manipulate input data so that it is accepted as a valid authentication credential and bypass access controls. This affects WordPress installations using the plugin and could allow unauthenticated attackers to reach subscription management functionality. No EPSS data or KEV listing is currently available; the vulnerability has been documented by Patchstack and assigned EUVD-2026-15568 in the ENISA vulnerability database.
WordPress
Authentication Bypass
-
CVE-2026-24369
HIGH
CVSS 7.1
The Grid WordPress plugin versions prior to 2.8.0 contain a missing authorization vulnerability (CWE-862): at least one action is exposed without a capability check, so users who lack the required role can reach functionality or data they should not have permission to use. This is an authorization flaw rather than a flaw in login handling; the attacker does not need to defeat authentication, only to call the unprotected action. No EPSS data or KEV listing is currently available; the vulnerability has been documented by Patchstack and assigned ENISA EUVD ID EUVD-2026-15563.
Authentication Bypass
-
CVE-2026-24363
HIGH
CVSS 7.5
A missing authorization vulnerability exists in the loopus WP Cost Estimation & Payment Forms Builder WordPress plugin (versions prior to 10.3.0). Classified as CWE-862 (Missing Authorization), it allows users without the appropriate capability to access or manipulate form data and cost estimation functionality that should be restricted. No EPSS data or KEV listing is currently available; the flaw is tracked as ENISA EUVD-2026-15559, and missing-authorization issues in WordPress plugins are typically simple to exploit once the unprotected action has been identified.
Authentication Bypass
-
CVE-2026-24359
HIGH
CVSS 8.8
An authentication bypass vulnerability exists in the Dokan (Dokan, Inc.) dokan-lite plugin, versions through 4.2.4, that allows attackers to reach protected functionality through an alternate path or channel that skips the normal authentication check, potentially gaining access without valid credentials. The plugin is widely used for multivendor WordPress e-commerce marketplaces. The vulnerability was identified by Patchstack and is tracked under EUVD-2026-15555; EPSS and active-exploitation data are not yet available.
Authentication Bypass
-
CVE-2026-23979
HIGH
CVSS 7.1
A Reflected Cross-Site Scripting (XSS) vulnerability exists in the Softwebmedia Gyan Elements WordPress plugin through version 2.2.1, allowing attackers to inject scripts that execute in users' browsers when they open crafted URLs. All versions up to and including 2.2.1 are affected, enabling attackers to steal session tokens, perform unauthorized actions, or harvest sensitive user data. No EPSS data or KEV listing is currently published, but reflected XSS in a distributed WordPress plugin carries moderate-to-high real-world exploitation potential for sites that remain on vulnerable versions.
XSS
-
CVE-2026-23977
HIGH
CVSS 7.5
A missing authorization vulnerability exists in WPFactory's Helpdesk Support Ticket System for WooCommerce plugin (versions up to 2.1.2) that allows users without the required capability to call helpdesk functionality that should have been restricted. The vulnerability, classified as CWE-862 (Missing Authorization), is an access control flaw: the attacker does not bypass login but invokes an action that never checks who is calling it. This affects WordPress installations using the vulnerable plugin and potentially exposes customer support interactions and sensitive information handled through the ticketing system.
WordPress
Authentication Bypass
-
CVE-2026-23973
HIGH
CVSS 7.1
A Reflected Cross-Site Scripting (XSS) vulnerability exists in the uxper Golo theme that allows attackers to inject malicious scripts into web pages viewed by users. The vulnerability affects Golo versions prior to 1.7.5 and can be exploited by crafting malicious URLs that execute arbitrary JavaScript in the context of a victim's browser. An attacker can steal session cookies, perform actions on behalf of the user, or redirect users to malicious sites without requiring authentication or special privileges.
XSS
-
CVE-2026-23971
HIGH
CVSS 8.1
A PHP object injection vulnerability exists in the xtemos WoodMart WordPress theme through version 8.3.8, stemming from insecure deserialization of untrusted data (CWE-502). An attacker who can supply the serialized input can have arbitrary classes instantiated during deserialization, potentially leading to remote code execution or other malicious actions depending on the gadget chains available in the WordPress environment. The vulnerability affects all versions of WoodMart up to and including 8.3.8. No EPSS data or KEV listing is currently published, but deserialization flaws of this kind are a known vector for critical remote exploitation.
Deserialization
-
CVE-2026-23807
HIGH
CVSS 7.1
A Reflected Cross-Site Scripting (XSS) vulnerability exists in the WP Telegram Widget and Join Link WordPress plugin (versions up to 2.2.13) that allows attackers to inject JavaScript into pages viewed by other users. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) and affects all installations running the vulnerable versions. An attacker can craft a URL carrying a JavaScript payload that, when opened by a victim, executes in the victim's browser within the context of the WordPress site, potentially leading to session hijacking, credential theft, or malware distribution. No EPSS data or KEV status has been published, but Patchstack has documented this vulnerability with a public reference.
XSS
-
CVE-2026-23806
HIGH
CVSS 7.5
A missing authorization vulnerability exists in BlueGlass Interactive AG's Jobs for WordPress plugin (versions up to 2.8) that allows attackers to reach job posting functionality that is not protected by a capability check. This vulnerability (CWE-862: Missing Authorization) could permit unauthenticated or low-privileged attackers to use functionality intended to be restricted to authorized users. No EPSS data or confirmed public exploit has been published, but authorization bypass flaws are straightforward to exploit once found, making this a moderate-to-high priority for administrators running the plugin.
WordPress
Authentication Bypass
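The missing-authorization pattern behind this entry and the other CWE-862 entries above (News Magazine X, The Grid, WP Cost Estimation & Payment Forms Builder, Helpdesk Support Ticket System for WooCommerce), as an added example that is not code from any of those plugins. The AJAX action, job records, roles and nonce secret are constructed; the function_exists() guards supply stand-ins for the WordPress APIs so the file runs outside WordPress:

```php
<?php
// Added example, not code from Jobs for WordPress or any other plugin listed
// here: an AJAX action that lacks an authorization check (CWE-862), beside
// the hardened version. The function_exists() guards define small stand-ins
// for the WordPress APIs so the file runs outside WordPress; inside WordPress
// the real current_user_can(), check_ajax_referer() and wp_create_nonce() are
// used. Roles, the job list, the action name and the secret are constructed.

if (!function_exists('current_user_can')) {
    function current_user_can(string $cap): bool
    {
        $caps = ['administrator' => ['delete_jobs'], 'subscriber' => [], 'anonymous' => []];
        return in_array($cap, $caps[$GLOBALS['demo_role']] ?? [], true);
    }
}
if (!function_exists('wp_create_nonce')) {
    function wp_create_nonce(string $action): string
    {
        // Stand-in: a token bound to the current user and the action.
        return hash_hmac('sha256', $GLOBALS['demo_role'] . '|' . $action, 'demo-only-secret');
    }
}
if (!function_exists('check_ajax_referer')) {
    function check_ajax_referer(string $action, string $query_arg = '_wpnonce'): void
    {
        $sent = (string) ($_REQUEST[$query_arg] ?? '');
        if (!hash_equals(wp_create_nonce($action), $sent)) {
            throw new RuntimeException('403: nonce check failed');   // real WP: wp_die(-1, 403)
        }
    }
}

$jobs = [101 => 'Senior PHP developer', 102 => 'Security engineer'];

// Vulnerable. Registered in the plugin as
//   add_action('wp_ajax_delete_job',        'delete_job_vulnerable');  // logged-in users
//   add_action('wp_ajax_nopriv_delete_job', 'delete_job_vulnerable');  // anonymous too
// and it trusts the ID in the request with no capability or nonce check, so
// anyone who can POST action=delete_job&id=101 removes the posting.
function delete_job_vulnerable(array &$jobs, array $request): bool
{
    $id = (int) ($request['id'] ?? 0);
    if (!isset($jobs[$id])) {
        return false;
    }
    unset($jobs[$id]);
    return true;
}

// Hardened: CSRF nonce first, then the capability check, then the action.
// It is also registered only on wp_ajax_, never on wp_ajax_nopriv_.
function delete_job_safe(array &$jobs, array $request): bool
{
    $_REQUEST = $request;                  // stand-in for the populated superglobal
    check_ajax_referer('delete_job');
    if (!current_user_can('delete_jobs')) {
        throw new RuntimeException('403: insufficient capability');   // real WP: wp_die(-1, 403)
    }
    $id = (int) ($request['id'] ?? 0);
    if (!isset($jobs[$id])) {
        return false;
    }
    unset($jobs[$id]);
    return true;
}

function attempt(string $label, callable $handler, array $jobs, array $request): void
{
    try {
        $ok = $handler($jobs, $request);
        printf("%-28s deleted=%s remaining=%d\n", $label, var_export($ok, true), count($jobs));
    } catch (RuntimeException $e) {
        printf("%-28s refused: %s\n", $label, $e->getMessage());
    }
}

$GLOBALS['demo_role'] = 'anonymous';
attempt('vulnerable, anonymous:', 'delete_job_vulnerable', $jobs, ['id' => 101]);
attempt('hardened, anonymous:',   'delete_job_safe',       $jobs, ['id' => 101, '_wpnonce' => 'guess']);

$GLOBALS['demo_role'] = 'subscriber';   // logged in, valid nonce, but no capability
attempt('hardened, subscriber:',  'delete_job_safe',       $jobs, ['id' => 101, '_wpnonce' => wp_create_nonce('delete_job')]);

$GLOBALS['demo_role'] = 'administrator';
attempt('hardened, administrator:', 'delete_job_safe',     $jobs, ['id' => 101, '_wpnonce' => wp_create_nonce('delete_job')]);
```

The subscriber case is the one the nonce alone does not cover: a nonce proves the request came from a page the site served to that user, not that the user is allowed to perform the action, so both checks are needed.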
-
CVE-2026-23514
HIGH
CVSS 8.8
An access control vulnerability exists in Kiteworks Core versions 9.2.0 and 9.2.1 that allows authenticated users to access unauthorized content within the private data network. With a CVSS score of 8.8 (High), an attacker with low-level authenticated access can potentially access, modify, or delete sensitive data they should not have permissions to view. No public proof-of-concept or active exploitation (KEV listing) has been reported at this time.
Authentication Bypass
-
CVE-2026-23395
HIGH
CVSS 8.8
A buffer overflow vulnerability exists in the Linux kernel's Bluetooth L2CAP implementation: when handling L2CAP_ECRED_CONN_REQ (enhanced credit-based connection request) packets, the code does not reject multiple pending requests that reuse the same command identifier, so the number of channels tied to one request can exceed the L2CAP_ECRED_MAX_CID limit of 5 and overrun the fixed-size storage sized for that limit. All Linux kernel versions containing the vulnerable L2CAP code are affected. An attacker with local Bluetooth access, or a remote peer able to send L2CAP signalling to the host, could trigger a kernel crash or potentially execute arbitrary code with kernel privileges; exploitation requires the target to have Bluetooth enabled and reachable.
Linux
Buffer Overflow
Redhat
-
CVE-2026-23393
HIGH
CVSS 7.8
A race condition exists in the Linux kernel's bridge CFM (Connectivity Fault Management) code when a peer MEP (Maintenance End Point) is deleted: the delayed work that services the peer can be rescheduled between the cancellation check and the freeing of its memory, leading to a use-after-free. This affects all Linux kernel versions with the vulnerable bridge CFM implementation. An attacker with local access who can trigger peer MEP deletion while CFM frames are being received could cause the kernel to access freed memory, potentially leading to information disclosure or denial of service.
Linux
Information Disclosure
Redhat
-
CVE-2026-23392
HIGH
CVSS 7.8
A use-after-free vulnerability exists in the Linux kernel's netfilter nf_tables flowtable implementation during error handling in the hook registration path. When hook registration fails (because the maximum number of hooks is reached or hardware offload setup fails), the flowtable is released without waiting for an RCU grace period, so concurrent packet processing or control-plane operations (nfnetlink_hook) can still reach the freed memory. This affects all Linux kernel versions with the vulnerable nf_tables code and was discovered via KASAN reports during hook dumping operations. It is not currently listed in known exploited vulnerabilities (KEV) databases, but the use-after-free presents a real risk of denial of service or information disclosure in environments that use netfilter flowtables.
Linux
Information Disclosure
Redhat
-
CVE-2026-23391
HIGH
CVSS 7.8
A use-after-free vulnerability exists in the Linux kernel's netfilter xt_CT module: packets pending in a queue keep references to conntrack template objects that can be freed when a helper module is removed or a timeout policy is deleted via nfnetlink_cttimeout. An attacker who can unload kernel modules or manipulate netfilter timeout policies could cause the kernel to access freed memory when the queued packets are processed, leading to a crash or information disclosure. No EPSS probability or KEV status has been assigned, but the six distinct patch commits across stable kernel branches indicate active remediation and acknowledgment of the issue as a real kernel stability problem.
Information Disclosure
Linux
Redhat
-
CVE-2026-23383
HIGH
CVSS 7.8
This vulnerability affects the Linux kernel's ARM64 BPF JIT compiler, where insufficient alignment requirements (4 bytes instead of 8 bytes) for the JIT buffer cause the bpf_plt structure's u64 target field to be misaligned. This misalignment creates two critical issues: UBSAN generates warnings for undefined behavior, and more dangerously, concurrent updates to the target field via WRITE_ONCE() in bpf_arch_text_poke() can result in torn 64-bit reads on ARM64 systems, causing the JIT to jump to corrupted addresses. Linux kernel versions using ARM64 BPF JIT are affected, and while there is no public exploit code available, this represents a memory corruption vulnerability that could lead to privilege escalation or denial of service. Multiple stable kernel patches are available addressing this issue.
Information Disclosure
Linux
Redhat
-
CVE-2026-23378
HIGH
CVSS 7.8
A buffer overflow vulnerability exists in the Linux kernel's IFE (Intermediate Functional Element) traffic control action module: replacing an action's metadata list appends the new metadata instead of replacing the old entries, so metadata accumulates without bound. This affects all Linux kernel versions with the vulnerable IFE code. An attacker with the ability to modify traffic control rules can trigger an out-of-bounds write via the ife_tlv_meta_encode function, potentially achieving kernel memory corruption and denial of service. The vulnerability is not listed as actively exploited in public KEV databases, but patches are available across multiple stable kernel branches.
Linux
Buffer Overflow
Redhat
-
CVE-2026-23372
HIGH
CVSS 7.8
A race condition exists in the Linux kernel's NFC rawsock implementation where the tx_work function can execute concurrently with socket teardown, leading to use-after-free vulnerabilities when accessing NCI device structures. This affects all Linux kernel versions with the vulnerable NFC rawsock code path, particularly impacting systems where processes are forcefully terminated (e.g., via SIGKILL). An attacker with local access to trigger socket teardown race conditions could cause kernel memory corruption, information disclosure, or denial of service.
Linux
Information Disclosure
Redhat
-
CVE-2026-23364
HIGH
CVSS 7.4
The Linux kernel's ksmbd (in-kernel SMB server) component uses the non-constant-time memcmp() to compare message authentication codes (MACs) instead of crypto_memneq(), whose running time does not depend on where the inputs first differ. Because memcmp() stops at the first mismatching byte, the time taken to reject a bad signature reveals how long a prefix of the attacker's guess was correct, which in principle lets an attacker recover a valid MAC one byte at a time and forge signed SMB messages without knowing the signing key. All Linux kernel versions with ksmbd are affected. No public exploit code is confirmed, but multiple stable kernel branches have received patches, indicating kernel maintainers treated this as a legitimate risk.
Linux
Information Disclosure
Redhat
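To show why the comparison function matters, an added example that is not kernel code and does not touch ksmbd: the same byte-at-a-time recovery, written in PHP, run against an early-exit compare and against a constant-time compare. The key, message, 8-byte tag and the "bytes examined" oracle are constructed stand-ins for the timing measurement an attacker would actually make over the network:

```php
<?php
// Added example, not kernel code: why a memcmp()-style comparison of a MAC
// leaks it, and what crypto_memneq() in the kernel (or hash_equals() in PHP)
// changes. Instead of measuring wall-clock time, each compare reports how many
// bytes it examined, which is the quantity a timing side channel exposes. The
// key, message and verification "server" are constructed for the demo.

// Early-exit comparison, the shape of memcmp(): it stops at the first
// differing byte, so its cost grows with the length of the correct prefix.
function compare_early_exit(string $a, string $b, int &$bytes_examined): bool
{
    $bytes_examined = 0;
    if (strlen($a) !== strlen($b)) {
        return false;
    }
    for ($i = 0; $i < strlen($a); $i++) {
        $bytes_examined++;
        if ($a[$i] !== $b[$i]) {
            return false;
        }
    }
    return true;
}

// Constant-time comparison, the shape of crypto_memneq(): OR every byte
// difference into an accumulator and only inspect it after the full length.
function compare_constant_time(string $a, string $b, int &$bytes_examined): bool
{
    $bytes_examined = 0;
    if (strlen($a) !== strlen($b)) {
        return false;
    }
    $diff = 0;
    for ($i = 0; $i < strlen($a); $i++) {
        $bytes_examined++;
        $diff |= ord($a[$i]) ^ ord($b[$i]);
    }
    return $diff === 0;
}

// The verifier: the attacker sees accept/reject plus (via timing) the work done.
function verify(string $candidate, string $real_mac, callable $cmp): array
{
    $bytes_examined = 0;
    $accepted = $cmp($candidate, $real_mac, $bytes_examined);
    return [$accepted, $bytes_examined];
}

// The attacker never learns the key. For each position it keeps the byte that
// either gets accepted outright or makes the verifier examine the most bytes.
function forge_mac(string $real_mac, callable $cmp): string
{
    $len   = strlen($real_mac);
    $guess = str_repeat("\0", $len);
    for ($pos = 0; $pos < $len; $pos++) {
        $best = 0;
        $best_score = -1;
        for ($b = 0; $b < 256; $b++) {
            $guess[$pos] = chr($b);
            [$accepted, $examined] = verify($guess, $real_mac, $cmp);
            $score = $accepted ? PHP_INT_MAX : $examined;
            if ($score > $best_score) {
                $best_score = $score;
                $best = $b;
            }
        }
        $guess[$pos] = chr($best);
    }
    return $guess;
}

$key      = random_bytes(16);
$message  = 'SMB2 request body (constructed)';
$real_mac = substr(hash_hmac('sha256', $message, $key, true), 0, 8);   // 8-byte tag keeps the demo short

foreach (['compare_early_exit', 'compare_constant_time'] as $cmp) {
    $forged = forge_mac($real_mac, $cmp);
    printf("%-22s forged MAC %s the real one (%d verifications)\n",
        $cmp . ':', $forged === $real_mac ? 'equals' : 'differs from', 256 * strlen($real_mac));
}
```

Against the early-exit compare the loop needs at most 256 attempts per byte, linear in the tag length; against the constant-time compare every wrong guess looks identical and the attacker is back to brute-forcing the whole tag. In real deployments the oracle is noisy network timing rather than an exact byte count, which raises the attempt count but does not change the principle.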
-
CVE-2026-23351
HIGH
CVSS 7.8
A denial-of-service vulnerability exists in the garbage collection of the Linux kernel's netfilter nft_set_pipapo ("pile packet policies") set type. A local attacker who can add elements to such a set can create a large number of expired elements so that garbage collection runs for a prolonged period without preemption, producing soft lockup warnings and RCU stall reports. The affected product is the Linux kernel across all versions carrying the vulnerable code, with patches available in the stable series via multiple commit references.
Linux
Denial Of Service
Redhat
-
CVE-2026-23350
HIGH
CVSS 7.8
A resource management vulnerability exists in the exec queue initialization code of the Linux kernel's drm/xe driver (the driver for Intel Xe GPUs): when execution queue creation fails, the finalization step is not run, leaving the queue registered in the GuC (graphics microcontroller) submission list and potentially leaving dangling references to freed memory. This affects all Linux kernel versions containing the vulnerable drm/xe code. The bug could lead to memory corruption or system instability whenever exec queue creation fails; triggering it requires local access to the GPU's DRM device node, through which exec queues are created, plus a way to make the creation fail.
Linux
Information Disclosure
Redhat
-
CVE-2026-23340
HIGH
CVSS 7.8
A use-after-free (UAF) vulnerability exists in the Linux kernel's network queue discipline (qdisc) subsystem when shrinking the number of transmit queues on network interfaces. The vulnerability occurs because qdisc_reset_all_tx_gt() can reset and free skb buffers concurrently with the lockless dequeue path (qdisc_run_begin/end), allowing freed memory to be accessed during packet dequeuing. All Linux kernels with lockless qdisc support are affected, and the vulnerability has been demonstrated via a practical reproduction case involving virtio-net devices under heavy traffic while changing queue pair counts. Multiple stable kernel patches are available addressing the issue.
Linux
Information Disclosure
Redhat
-
CVE-2026-23336
HIGH
CVSS 7.8
A use-after-free vulnerability exists in the Linux kernel's cfg80211 WiFi subsystem: the rfkill_block work item is not cancelled during wireless device (wiphy) unregistration, so the worker can run after the device structure has been freed. This affects all Linux kernel versions with the vulnerable cfg80211 code. No EPSS data is available, but the bug can trigger a kernel crash or information disclosure when a WiFi device is removed while rfkill operations are pending.
Linux
Information Disclosure
Redhat
-
CVE-2026-23317
HIGH
CVSS 7.8
A logic error in the Linux kernel's drm/vmwgfx driver causes the vmw_translate_ptr functions to return success when pointer lookups actually fail, because the error handling was not updated when the underlying lookup function's return mechanism changed from returning a pointer to returning an error code with pointer as an out parameter. This allows uninitialized pointer dereferences and out-of-bounds memory access when the functions incorrectly report success, potentially enabling information disclosure or privilege escalation via the VMware graphics driver.
Linux
Information Disclosure
Redhat
-
CVE-2026-23306
HIGH
CVSS 7.8
A use-after-free vulnerability exists in the Linux kernel's pm8001 SCSI driver: pm8001_queue_command() returns -ENODEV after it has already freed the SAS task, so the upper-layer libsas code frees the same task a second time. This affects all Linux kernel versions with the vulnerable pm8001 driver code. It is not remotely exploitable by default, but it can lead to kernel memory corruption and denial of service on systems using PM8001-compatible SCSI controllers. No EPSS data or KEV listing is currently available, but stable kernel patches have been released across multiple branches.
Linux
Information Disclosure
Redhat
-
CVE-2026-23294
HIGH
CVSS 7.0
This vulnerability is a race condition in the Linux kernel's BPF devmap subsystem that occurs on PREEMPT_RT kernels, where per-CPU bulk queue structures can be accessed concurrently by multiple preemptible tasks on the same CPU. An attacker or unprivileged local process can trigger use-after-free, double-free, or memory corruption conditions by crafting specific XDP (eXpress Data Path) redirect operations that cause concurrent access to shared queue structures, potentially leading to kernel crashes, information disclosure, or privilege escalation. The vulnerability affects all Linux kernel versions with the vulnerable devmap code path and has been patched upstream, though CVSS and EPSS scores are not yet assigned and no public exploit or KEV status is currently documented.
Linux
Information Disclosure
Redhat
-
CVE-2026-23288
HIGH
CVSS 7.8
An out-of-bounds memory write vulnerability exists in the Linux kernel's AMD XDNA accelerator driver (accel/amdxdna) where a memset() operation clears a command header before validating sufficient space is available in the command slot, potentially leading to memory corruption. The vulnerability affects Linux kernel versions across multiple releases where the amdxdna driver is present and enabled. An attacker with local access and appropriate capabilities to interact with the amdxdna device could trigger this memory corruption to achieve denial of service or potentially escalate privileges.
Buffer Overflow
Linux
Redhat
-
CVE-2026-23280
HIGH
CVSS 7.8
A size calculation overflow vulnerability exists in the Linux kernel's accel/amdxdna driver that can result in undersized buffer allocations and potential memory corruption. The vulnerability affects Linux kernel versions across multiple branches where the AMD XDNA accelerator driver is compiled. An attacker with local access could exploit this to trigger memory corruption, potentially leading to denial of service or privilege escalation, though exploitation complexity and attack surface requirements remain moderate.
Linux
Buffer Overflow
Redhat
-
CVE-2026-22524
HIGH
CVSS 7.1
A Reflected Cross-Site Scripting (XSS) vulnerability exists in the themepassion Legacy Admin WordPress plugin affecting versions up to and including 9.5, which allows attackers to inject malicious scripts into web pages viewed by other users. The vulnerability stems from improper input neutralization during web page generation (CWE-79), enabling arbitrary JavaScript execution in victims' browsers. An attacker can craft a malicious URL containing unfiltered input and trick users into clicking it, potentially leading to session hijacking, credential theft, or malware distribution.
XSS
-
CVE-2026-22523
HIGH
CVSS 7.1
A Reflected Cross-Site Scripting (XSS) vulnerability exists in the Ultra WordPress Admin plugin (themepassion) through version 11.7, allowing attackers to inject malicious scripts into web pages viewed by administrators and users. The vulnerability stems from improper neutralization of user input during web page generation, classified under CWE-79. An attacker can craft a malicious URL containing JavaScript payloads that execute in the context of an authenticated user's browser session, potentially leading to session hijacking, credential theft, or unauthorized administrative actions without requiring authentication themselves.
XSS
WordPress
-
CVE-2026-22520
HIGH
CVSS 7.1
A Reflected Cross-Site Scripting (XSS) vulnerability exists in the G5Theme Handmade Framework WordPress plugin through version 3.9, allowing attackers to inject malicious scripts into web pages viewed by other users. The vulnerability stems from improper neutralization of user input during web page generation, classified under CWE-79. Attackers can craft malicious URLs containing JavaScript payloads that execute in victims' browsers when clicked, potentially leading to session hijacking, credential theft, or malware distribution.
XSS
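The reflected XSS pattern shared by the CWE-79 entries above (Organici Library, CitiLights, Car Dealer, Gyan Elements, Golo, WP Telegram Widget and Join Link, Legacy Admin, Ultra WordPress Admin, Handmade Framework), as an added example that is not code from any of those themes or plugins. Parameter names and payloads are constructed; plain PHP escaping stands in for esc_html()/esc_attr()/esc_url() so the file runs without WordPress:

```php
<?php
// Added example, not code from any of the themes or plugins listed here: a
// search results fragment that reflects request parameters into three HTML
// contexts, vulnerable and hardened. Plain PHP escaping is used so it runs
// stand-alone; in WordPress the same three contexts map to esc_html(),
// esc_attr() and esc_url(). The parameter names and payloads are constructed.

// Vulnerable: the raw request values are interpolated into markup.
function render_vulnerable(array $get): string
{
    $q    = $get['s'] ?? '';
    $back = $get['back'] ?? '/';
    return "<p>Results for {$q}</p>\n"
         . "<input name=\"s\" value=\"{$q}\">\n"
         . "<a href=\"{$back}\">back</a>\n";
}

// Text and double-quoted attribute values: encode & < > " ' for HTML5.
// ENT_QUOTES is what stops value="..." from being closed early.
function esc_html_text(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// href/src values: escaping is not enough, because "javascript:" contains
// nothing htmlspecialchars() would touch and still runs. Allow only http(s)
// URLs and site-relative paths (not protocol-relative //host), else use "#".
function esc_link(string $u): string
{
    if (!preg_match('#^(https?://[^\s"\'<>]+|/(?!/)[^\s"\'<>]*)$#i', $u)) {
        $u = '#';
    }
    return esc_html_text($u);
}

function render_safe(array $get): string
{
    $q    = (string) ($get['s'] ?? '');
    $back = (string) ($get['back'] ?? '/');
    return "<p>Results for " . esc_html_text($q) . "</p>\n"
         . "<input name=\"s\" value=\"" . esc_html_text($q) . "\">\n"
         . "<a href=\"" . esc_link($back) . "\">back</a>\n";
}

// Constructed attack URL: ?s=%22%3E%3Cscript%3E...&back=javascript:alert(1)
$attack = [
    's'    => '"><script>alert(document.cookie)</script>',
    'back' => 'javascript:alert(1)',
];
echo "--- vulnerable ---\n", render_vulnerable($attack);
echo "--- hardened ---\n",   render_safe($attack);
```

The point of the three contexts is that escaping is chosen by where the value lands: the same htmlspecialchars() call covers text and quoted attributes, but a URL attribute needs a scheme allow-list on top, and a value dropped inside an inline script or event handler would need different treatment again.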
-
CVE-2026-22516
HIGH
CVSS 8.1
AncoraThemes Wizor's investment theme for WordPress, versions through 2.12, contains a Local File Inclusion (LFI) vulnerability: a filename parameter is passed to a PHP include/require statement without adequate validation (CWE-98), so an attacker can make the server include arbitrary local files. This discloses file contents and can become remote code execution when the attacker can place PHP code in a file the server will include, such as a log or an uploaded file. No EPSS data has been assigned; the vulnerability is tracked in the ENISA EUVD database (EUVD-2026-15532) and was reported by Patchstack.
PHP
Information Disclosure
Lfi
-
CVE-2026-22515
HIGH
CVSS 8.1
A Local File Inclusion (LFI) vulnerability exists in the AncoraThemes VegaDays WordPress theme through version 1.2.0, caused by improper control of the filename used in a PHP include/require statement (CWE-98). Attackers can use it to read arbitrary files from the affected server, potentially disclosing configuration files, database credentials, and other confidential data. No EPSS data is currently available and KEV status is unknown, but the issue is an information disclosure with the straightforward exploitation path typical of LFI vulnerabilities in WordPress themes.
PHP
Information Disclosure
Lfi
-
CVE-2026-22514
HIGH
CVSS 8.1
This is a Local File Inclusion (LFI) vulnerability in AncoraThemes Unica WordPress theme versions up to and including 1.4.1, where improper control of filenames in PHP include/require statements allows attackers to read arbitrary local files from the affected server. An unauthenticated remote attacker can exploit this vulnerability to disclose sensitive information such as configuration files, database credentials, or other sensitive data stored on the server. The vulnerability is classified as CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program) and has been documented by Patchstack with ENISA EUVD tracking ID EUVD-2026-15528.
PHP
Information Disclosure
Lfi
-
CVE-2026-22513
HIGH
CVSS 8.1
A Local File Inclusion (LFI) vulnerability exists in AncoraThemes Triompher WordPress theme versions up to and including 1.1.0, caused by improper control of a filename parameter in a PHP include/require statement. An unauthenticated attacker can exploit it to read arbitrary files from the server, disclosing sensitive data such as configuration files, database credentials, and other system files. No EPSS data or known exploitation in the wild (KEV status) has been published, but the vulnerability is confirmed and documented by Patchstack with an available reference.
PHP
Information Disclosure
Lfi
-
CVE-2026-22512
HIGH
CVSS 8.1
Elated-Themes Roisin (product slug roisin) contains a PHP Local File Inclusion vulnerability, rated CVSS 8.1. No affected version range, EPSS data or KEV status is given in the available data; treat it as a high-severity issue requiring prompt remediation.
PHP
Information Disclosure
Lfi
-
CVE-2026-22511
HIGH
CVSS 8.1
A Local File Inclusion (LFI) vulnerability exists in the Elated-Themes NeoBeat WordPress theme through version 1.2, allowing attackers to read arbitrary files from the affected server through improper control of a filename parameter in a PHP include/require statement. Exploitation requires no authentication or special privileges and discloses files such as configuration files, database credentials, and source code. The weakness is CWE-98, whose formal title mentions PHP Remote File Inclusion, but the confirmed vector here is local: the attacker selects a file already present on the server rather than a remote URL.
PHP
Information Disclosure
Lfi
-
CVE-2026-22510
HIGH
CVSS 8.1
AncoraThemes Melody (melodyschool) theme versions up to 1.6.3 contain a PHP object injection vulnerability stemming from unsafe deserialization of untrusted data (CWE-502). This flaw allows attackers to inject serialized objects that can lead to arbitrary code execution or other critical impacts depending on the PHP gadget chains available in the WordPress environment. No EPSS data or KEV status is currently published; the vulnerability is documented in the Patchstack vulnerability database, indicating active tracking by the security community.
Deserialization
-
CVE-2026-22509
HIGH
CVSS 8.1
A Local File Inclusion (LFI) vulnerability exists in the Elated-Themes Gioia WordPress theme through version 1.4, caused by improper control of the filename used in a PHP include/require statement. Attackers can use it to read sensitive local files from the affected web server, potentially disclosing configuration files, database credentials, or other confidential information. The vulnerability affects all installations of Gioia version 1.4 and earlier. No EPSS data is currently available, but the CWE-98 classification and LFI nature suggest moderate to high practical risk.
PHP
Information Disclosure
Lfi
-
CVE-2026-22508
HIGH
CVSS 8.1
A Local File Inclusion (LFI) vulnerability exists in the AncoraThemes Dentalux WordPress theme through version 3.3, allowing attackers to make the server include arbitrary local files. The flaw stems from improper control of filenames in PHP include/require statements (CWE-98), enabling attackers to read sensitive files, or to execute code if they can place PHP in a file the server will include, without requiring authentication. No EPSS probability is currently available, but the LFI classification and information disclosure impact indicate a significant risk of unauthorized file access and potential remote code execution.
PHP
Information Disclosure
Lfi
-
CVE-2026-22506
HIGH
CVSS 8.1
A Local File Inclusion (LFI) vulnerability exists in the Elated-Themes Amoli WordPress theme version 1.0 and earlier, stemming from improper control of filenames in PHP include/require statements. An attacker can exploit this weakness to read arbitrary files from the affected server, potentially disclosing sensitive configuration files, database credentials, or other confidential information. The vulnerability is classified under CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program) and has been documented by Patchstack with ENISA EUVD identifier EUVD-2026-15514.
PHP
Information Disclosure
Lfi
-
CVE-2026-22505
HIGH
CVSS 8.1
A PHP object injection vulnerability exists in AncoraThemes Morning Records WordPress theme through version 1.2, arising from unsafe deserialization of untrusted data (CWE-502). This flaw allows attackers to inject malicious objects that can lead to arbitrary code execution or other severe impacts depending on available PHP gadget chains in the WordPress environment. While no CVSS score or EPSS data is currently published, the vulnerability has been documented by Patchstack security researchers, indicating active awareness in the security community.
Deserialization
-
CVE-2026-22504
HIGH
CVSS 8.1
A security vulnerability in ThemeREX ProLingua prolingua allows PHP Local File Inclusion (CVSS 8.1). This is a high-severity vulnerability requiring prompt remediation.
PHP
Information Disclosure
Lfi
-
CVE-2026-22503
HIGH
CVSS 8.1
A Local File Inclusion (LFI) vulnerability exists in the ThemeREX Nelson WordPress theme through version 1.2.0, allowing attackers to read arbitrary files from the affected server. The vulnerability stems from improper control of filenames in PHP include/require statements (CWE-98), enabling information disclosure attacks without authentication. While no CVSS score or EPSS data is currently available, the LFI classification and public disclosure via Patchstack indicate this is a genuine security concern affecting WordPress installations using vulnerable Nelson theme versions.
PHP
Information Disclosure
Lfi
-
CVE-2026-22502
HIGH
CVSS 8.1
A Local File Inclusion (LFI) vulnerability exists in AncoraThemes Mr. Cobbler WordPress theme through version 1.1.9, stemming from improper control of filenames in PHP include/require statements (CWE-98). An attacker can exploit this vulnerability to disclose sensitive local files from the affected server by manipulating include parameters. While no CVSS score or EPSS data is currently available and KEV status is unknown, the vulnerability is classified as high-severity due to its information disclosure impact and the ease with which LFI vulnerabilities are typically exploited.
PHP
Information Disclosure
Lfi
-
CVE-2026-22499
HIGH
CVSS 8.1
This vulnerability is a Local File Inclusion (LFI) flaw in the Elated-Themes Lella WordPress theme that allows improper control of filename parameters in PHP include/require statements, enabling attackers to read arbitrary files from the affected server. The vulnerability affects Lella theme versions through 1.2, and while CVSS and EPSS scores are not available, the nature of LFI vulnerabilities typically permits information disclosure of sensitive files such as configuration files, database credentials, and source code. No KEV status or public proof-of-concept has been confirmed in this intelligence dataset, but the vulnerability was reported by Patchstack, a reputable WordPress security researcher.
PHP
Information Disclosure
Lfi
-
CVE-2026-22498
HIGH
CVSS 8.1
A Local File Inclusion (LFI) vulnerability exists in the Laurent WordPress theme (versions up to 3.1) due to improper control of filenames in PHP include/require statements, allowing attackers to read arbitrary files from the affected server. This vulnerability, reported by Patchstack and tracked as EUVD-2026-15503, enables information disclosure attacks without requiring authentication or special privileges. The vulnerability is classified under CWE-98 (Improper Control of Filename for Include/Require Statement in PHP) and affects all installations of Laurent theme version 3.1 and earlier.
PHP
Information Disclosure
Lfi
-
CVE-2026-22496
HIGH
CVSS 8.1
A Local File Inclusion (LFI) vulnerability exists in the AncoraThemes Hypnotherapy WordPress theme through version 1.2.10, allowing attackers to read arbitrary files from the affected server by manipulating filename parameters in PHP include/require statements. This vulnerability is classified as CWE-98 (Improper Control of Filename for Include/Require Statement) and enables information disclosure attacks. The vulnerability has been documented by Patchstack and assigned EUVD ID EUVD-2026-15502, though no CVSS score or CVSS vector has been formally assigned, and active exploitation status remains unconfirmed in public intelligence.
PHP
Information Disclosure
Lfi
-
CVE-2026-22495
HIGH
CVSS 8.1
AncoraThemes Greenville WordPress theme versions up to and including 1.3.2 contain a Local File Inclusion (LFI) vulnerability resulting from improper control of filenames in PHP include/require statements (CWE-98). An attacker can exploit this vulnerability to read arbitrary files from the affected server, leading to information disclosure of sensitive configuration files, source code, and other locally stored data. No CVSS score, EPSS probability, or KEV status have been assigned at this time, though the vulnerability has been formally documented by Patchstack and assigned an ENISA EUVD ID.
PHP
Information Disclosure
Lfi
-
CVE-2026-22494
HIGH
CVSS 8.1
A Local File Inclusion (LFI) vulnerability exists in the ThemeREX Good Homes WordPress theme through version 1.3.13, allowing attackers to include and execute arbitrary local files on the affected server. The vulnerability stems from improper control of filenames in PHP include/require statements (CWE-98), enabling unauthenticated attackers to disclose sensitive information or achieve remote code execution by accessing system files. No CVSS score, EPSS data, or active KEV designation was reported, but the LFI classification and information disclosure impact indicate this requires prompt patching.
PHP
Lfi
Information Disclosure
-
CVE-2026-22493
HIGH
CVSS 8.1
A Local File Inclusion (LFI) vulnerability exists in the Elated-Themes Gaspard WordPress theme through version 1.3, stemming from improper control of filenames in PHP include/require statements. An unauthenticated attacker can exploit this vulnerability to read arbitrary files from the affected server, potentially disclosing sensitive information such as configuration files, database credentials, or other sensitive data. The vulnerability affects all versions up to and including 1.3, and while no CVSS score or EPSS data is currently published, the LFI classification and information disclosure impact indicate this requires prompt remediation.
PHP
Information Disclosure
Lfi
-
CVE-2026-22491
HIGH
CVSS 7.1
A Reflected Cross-Site Scripting (XSS) vulnerability exists in the WordPress plugin 'My auctions allegro' (free edition) through version 3.6.35, allowing attackers to inject malicious scripts into web pages viewed by victims. An unauthenticated attacker can craft a malicious URL containing JavaScript code that executes in the victim's browser when clicked, potentially stealing session cookies, redirecting users, or performing actions on behalf of the user. No CVSS score, EPSS score, or KEV status has been assigned, and patch availability status is unclear, though the vulnerability was identified and reported by Patchstack security researchers.
XSS
-
CVE-2026-22480
HIGH
CVSS 7.2
The WebToffee Product Feed for WooCommerce plugin contains a PHP object injection vulnerability stemming from insecure deserialization of untrusted data (CWE-502), affecting versions up to and including 2.3.3. An attacker can exploit this vulnerability to inject arbitrary objects into the application, potentially leading to remote code execution or data manipulation depending on available gadget chains in the WordPress/PHP environment. No CVSS score or EPSS data is currently published, and active exploitation status is unknown, but the vulnerability has been documented by Patchstack and assigned an ENISA EUVD ID (EUVD-2026-15487), indicating coordinated disclosure tracking.
WordPress
Deserialization
-
CVE-2026-22448
HIGH
CVSS 7.5
A path traversal vulnerability exists in flexcubed PitchPrint plugin through version 11.1.2, allowing attackers to access files outside of restricted directories. The vulnerability affects the PitchPrint WordPress plugin and enables unauthorized file access through improper pathname validation. No CVSS score or EPSS data is currently available, but the CWE-22 classification and Patchstack reporting indicate this is a genuine path traversal issue requiring immediate attention.
Path Traversal
-
CVE-2026-20701
HIGH
CVSS 7.5
An access control vulnerability in macOS allows applications to connect to network shares without explicit user consent, bypassing the sandbox restrictions designed to prevent unauthorized network access. This affects macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, and macOS Tahoe 26.4, where a malicious or compromised application could silently establish connections to network resources. Apple has addressed this issue through additional sandbox restrictions in the specified patch versions; no public exploit code or active exploitation via KEV has been reported, but the nature of the vulnerability suggests moderate real-world risk due to the ease with which local applications could abuse this capability.
Apple
Information Disclosure
macOS
-
CVE-2026-20698
HIGH
CVSS 7.8
This vulnerability is a memory handling flaw in Apple's operating systems (iOS, iPadOS, macOS, tvOS, visionOS, and watchOS) that allows a malicious application to trigger unexpected system termination or corrupt kernel memory. The vulnerability affects all versions prior to the version 26.4 releases across Apple's entire ecosystem. An attacker can exploit this by crafting a malicious app that triggers improper memory handling, potentially leading to denial of service or privilege escalation through kernel memory corruption.
Apple
Memory Corruption
Buffer Overflow
macOS
iOS
-
CVE-2026-20687
HIGH
CVSS 7.1
Apple's iOS, iPadOS, macOS, tvOS, and watchOS contain a use-after-free vulnerability that could allow a local attacker to corrupt kernel memory or cause unexpected system crashes. An installed application can trigger this memory corruption flaw through user interaction, potentially leading to denial of service or unauthorized kernel-level modifications. No patch is currently available for this vulnerability (CVSS 7.1).
Apple
Use After Free
Memory Corruption
Denial Of Service
macOS
-
CVE-2026-20639
HIGH
CVSS 7.5
Integer overflow vulnerability in Apple macOS (Sequoia 15.7.4 and earlier, Sonoma 14.8.4 and earlier, Tahoe 26.2 and earlier) allows remote attackers to trigger heap corruption by processing a specially crafted string without requiring user interaction or privileges. The vulnerability results in denial of service and potential memory corruption but currently lacks a public patch. No active exploitation has been reported.
Apple
Integer Overflow
Buffer Overflow
macOS
-
CVE-2026-20631
HIGH
CVSS 8.8
A logic flaw in macOS Tahoe allows local users to elevate their privileges; the checks in earlier versions were insufficient and have since been improved. This vulnerability affects macOS versions prior to 26.4 and enables privilege escalation attacks from standard user accounts to higher privilege levels. Apple has patched this issue in macOS Tahoe 26.4, and no active exploitation or public proof-of-concept code has been reported.
Apple
Information Disclosure
macOS
-
CVE-2026-20622
HIGH
CVSS 7.5
A privacy vulnerability in macOS allows applications to capture a user's screen through improper handling of temporary files. The issue affects macOS Sequoia versions prior to 15.7.4 and macOS Tahoe versions prior to 26.3, enabling unauthorized screen capture by malicious or compromised applications. This vulnerability represents an information disclosure threat where sensitive user data visible on screen could be exfiltrated without user consent or awareness.
Apple
Authentication Bypass
macOS
-
CVE-2026-20125
HIGH
CVSS 7.7
HTTP Server input validation failures in Cisco IOS and IOS XE Release 3E enable authenticated remote attackers to trigger device reloads via malformed requests, causing denial of service. An attacker with valid credentials can exploit improper input handling to exhaust watchdog timers and force unexpected system restarts. No patch is currently available for this vulnerability affecting Cisco and Apple products.
Denial Of Service
Apple
Cisco
-
CVE-2026-20086
HIGH
CVSS 8.6
This is a denial of service vulnerability in Cisco IOS XE Wireless Controller Software for the Catalyst CW9800 Family caused by improper handling of malformed CAPWAP (Control and Provisioning of Wireless Access Points) packets. The vulnerability affects multiple versions of Cisco IOS XE Software in the 17.14.x through 17.18.x release trains. An unauthenticated remote attacker can exploit this to cause the wireless controller to reload unexpectedly, resulting in complete network disruption with a high severity CVSS score of 8.6.
Cisco
Denial Of Service
Apple
-
CVE-2026-20084
HIGH
CVSS 8.6
Improper BOOTP packet handling in Cisco IOS XE Software on Catalyst 9000 Series Switches allows unauthenticated remote attackers to trigger VLAN leakage and cause device unavailability through resource exhaustion. An attacker can send crafted BOOTP requests to forward packets across VLANs, leading to high CPU utilization that renders the switch unreachable and unable to process traffic. No patch is currently available for this denial-of-service vulnerability.
Cisco
Denial Of Service
Apple
-
CVE-2026-20012
HIGH
CVSS 8.6
A denial of service vulnerability exists in the Internet Key Exchange (CVSS 8.6). This is a high-severity vulnerability requiring prompt remediation.
Cisco
Denial Of Service
Microsoft
Apple
-
CVE-2026-20004
HIGH
CVSS 7.4
Memory exhaustion in Cisco IOS XE and Apple devices via improper TLS resource handling allows adjacent attackers to trigger denial of service by repeatedly initiating failed authentication or manipulating TLS connections. An unauthenticated attacker can exploit this by resetting TLS sessions or abusing EAP authentication mechanisms to deplete device memory without requiring network access from the internet. Successful exploitation renders affected devices unresponsive, with no patch currently available.
Cisco
Denial Of Service
Apple
-
CVE-2026-4824
HIGH
CVSS 7.3
Improper privilege management in Iperius Backup through version 8.7.3 allows local authenticated attackers to escalate privileges via manipulation of the Backup Job Configuration File Handler, with public exploit code available. The vulnerability requires local access and high attack complexity but grants full confidentiality and integrity impacts to affected systems. Upgrade to version 8.7.4 or later to remediate.
Privilege Escalation
-
CVE-2026-4822
HIGH
CVSS 7.3
Iperius Backup 8.7.3 creates temporary files with insecure permissions in the Backup Service component, allowing local authenticated attackers to potentially escalate privileges or access sensitive data. The vulnerability requires local access and high attack complexity, but public exploit code exists. Upgrading to version 8.7.4 resolves the issue.
Information Disclosure
-
CVE-2026-4815
HIGH
CVSS 8.7
Unauthenticated attackers can exploit SQL injection in Support Board v3.7.7's AJAX endpoint to fully compromise the application database through the calls[0][message_ids][] parameter, enabling complete data exfiltration and manipulation. The vulnerability requires only low privileges and network access, with no user interaction needed, making it trivially exploitable in multi-tenant environments. A patch is available and should be applied immediately given the HIGH severity rating and complete database access impact.
SQLi
PHP
-
CVE-2026-4760
HIGH
CVSS 7.7
Panorama Web HMI contains a path traversal vulnerability (CWE-552) that allows unauthenticated remote attackers to read arbitrary server files if their paths are known and accessible to the service account. The vulnerability affects Panorama Suite versions 2022-SP1, 2023, and 2025 installations, requiring specific security updates to remediate. Currently no patch is available for the latest affected versions.
Information Disclosure
Path Traversal
-
CVE-2026-4758
HIGH
CVSS 8.8
Authenticated attackers with Subscriber-level access can delete arbitrary files on WordPress servers running WP Job Portal plugin versions up to 2.4.9, enabling remote code execution by removing critical files like wp-config.php. The vulnerability stems from insufficient file path validation in the removeFileCustom function. EPSS exploitation probability is 0.25% (48th percentile), indicating low predicted real-world exploitation likelihood, though the CVSS score of 8.8 reflects high potential impact when successfully exploited. No public exploit identified at time of analysis.
WordPress
PHP
RCE
Path Traversal
-
CVE-2026-3988
HIGH
CVSS 7.5
GitLab CE/EE contains a denial of service vulnerability in GraphQL request processing due to improper input validation (CWE-407). All versions from 18.5 through 18.8.6, 18.9 through 18.9.2, and 18.10 before 18.10.1 are affected. An unauthenticated attacker can remotely exploit this with low complexity to render GitLab instances unresponsive, and a public proof-of-concept exploit is available via HackerOne report 3597342.
Gitlab
Denial Of Service
-
CVE-2026-3857
HIGH
CVSS 8.1
A Cross-Site Request Forgery (CSRF) vulnerability in GitLab Community Edition and Enterprise Edition allows unauthenticated attackers to execute arbitrary GraphQL mutations on behalf of authenticated users without their consent. All versions from 17.10 before 18.8.7, versions 18.9 before 18.9.3, and versions 18.10 before 18.10.1 are affected. A public proof-of-concept exploit is available via HackerOne report 3584382, significantly increasing the risk of active exploitation.
Gitlab
CSRF
-
CVE-2026-3608
HIGH
CVSS 7.5
Denial of service in Kea DHCP daemons (versions 2.6.0-2.6.4 and 3.0.0-3.0.2) allows unauthenticated remote attackers to crash affected services by sending maliciously crafted messages to API sockets or HA listeners, triggering a stack overflow. Vulnerable Kea installations across Ubuntu, Red Hat, SUSE, and Debian are susceptible to service interruption attacks with no authentication required. A patch is available for affected distributions.
Buffer Overflow
Ubuntu
Redhat
Suse
Debian
-
CVE-2026-3104
HIGH
CVSS 7.5
Memory exhaustion in BIND 9 resolver allows unauthenticated remote attackers to cause denial of service by querying specially crafted domains, affecting versions 9.20.0-9.20.20, 9.21.0-9.21.19, and 9.20.9-S1-9.20.20-S1. The vulnerability stems from improper memory management (CWE-772) and can be triggered without authentication or user interaction. Patches are available for affected Ubuntu, SUSE, and Debian systems.
Information Disclosure
Ubuntu
Suse
Debian
-
CVE-2026-2995
HIGH
CVSS 7.7
Improper HTML sanitization in GitLab EE versions 15.4-18.10.1 allows authenticated users to add email addresses to arbitrary user accounts, potentially enabling account takeover or unauthorized access escalation. Public exploit code exists for this vulnerability, and no patch is currently available. Affected deployments should implement access controls to restrict user modification privileges until updates become available.
Gitlab
XSS
-
CVE-2026-2072
HIGH
CVSS 8.2
A Cross-Site Scripting (XSS) vulnerability exists in the Analytics probe component of Hitachi Infrastructure Analytics Advisor and Hitachi Ops Center Analyzer. The flaw allows authenticated attackers with low privileges to execute malicious scripts in users' browsers, potentially leading to high confidentiality impact, low integrity impact, and low availability impact due to the changed scope (CVSS 8.2). There is no current indication of active exploitation (not in CISA KEV) or publicly available proof-of-concept code.
XSS
-
CVE-2026-1519
HIGH
CVSS 7.5
BIND resolver servers performing DNSSEC validation can be forced into excessive CPU consumption when encountering a maliciously crafted DNS zone, resulting in denial of service. The vulnerability affects BIND 9 versions from 9.11.0 through current versions across multiple branches (9.16.50, 9.18.46, 9.20.20, 9.21.19) including BIND Supported Preview Edition variants. The CVSS score of 7.5 indicates high availability impact with network-based exploitation requiring no authentication, though no active exploitation (KEV) or proof-of-concept availability has been indicated in the provided data.
Information Disclosure
Ubuntu
Debian
Redhat
Suse
-
CVE-2025-70952
HIGH
CVSS 7.5
pf4j versions prior to commit 20c2f80 contain a Zip Slip path traversal vulnerability in the Unzip.java extract() function that fails to properly validate and normalize zip entry names, allowing attackers to write files outside the intended extraction directory. An attacker can craft a malicious zip file with directory traversal sequences (e.g., ../../../) in entry names to extract arbitrary files to unauthorized locations on the system. This vulnerability affects the pf4j plugin framework, which is widely used in Java applications that dynamically load plugins; a proof-of-concept has been documented on GitHub (weaver4VD gist), indicating functional exploitation is possible.
Path Traversal
-
CVE-2025-70887
HIGH
CVSS 8.8
A privilege escalation vulnerability exists in ralphje Signify versions prior to 0.9.2, affecting the signed_data.py and context.py components. Remote attackers can exploit this flaw to escalate privileges within the application's cryptographic signature verification context. While CVSS and EPSS scores are not currently available, the vulnerability has been patched in version 0.9.2 and related issues have been addressed in the upstream osslsigncode project.
Privilege Escalation
Suse
-
CVE-2025-69358
HIGH
CVSS 7.5
A missing authorization vulnerability exists in the Metagauss EventPrime event calendar management plugin for WordPress, classified as CWE-862 (Missing Authorization), that allows attackers to bypass access control restrictions and perform unauthorized actions. The vulnerability affects EventPrime versions up to and including 4.2.6.0, enabling exploitation through incorrectly configured access control security levels. While no CVSS score or EPSS data is currently published, the vulnerability has been documented by Patchstack and assigned ENISA EUVD ID EUVD-2025-209001, suggesting active security community awareness, though KEV status and proof-of-concept availability remain unconfirmed from available intelligence.
Authentication Bypass
-
CVE-2025-69347
HIGH
CVSS 8.5
WPSubscription plugin versions up to 1.8.10 contain an authorization bypass vulnerability allowing attackers to exploit incorrectly configured access control through user-controlled keys, enabling unauthorized access to subscription-related resources and functionality. The vulnerability affects WordPress installations running the affected WPSubscription plugin and could allow unauthenticated or low-privileged attackers to circumvent security controls. No CVSS score, EPSS data, or active KEV designation is currently available, though the vulnerability was reported by Patchstack security researchers and assigned ENISA EUVD ID EUVD-2025-208999.
Authentication Bypass
-
CVE-2025-69096
HIGH
CVSS 7.1
G5Theme Zorka WordPress theme versions up to and including 1.5.7 contain a Reflected Cross-Site Scripting (XSS) vulnerability that fails to properly neutralize user input during web page generation. An attacker can craft a malicious URL containing JavaScript payload and trick users into clicking it, allowing the attacker to execute arbitrary JavaScript in the victim's browser session, potentially stealing session cookies, credentials, or performing actions on behalf of the user. No CVSS score, EPSS probability, or KEV status has been assigned, but the vulnerability is confirmed by Patchstack with a clear attack vector.
XSS
-
CVE-2025-67030
HIGH
CVSS 8.8
A directory traversal vulnerability exists in the extractFile method of org.codehaus.plexus.util.Expand in plexus-utils versions prior to commit 6d780b3378829318ba5c2d29547e0012d5b29642, allowing attackers to escape the intended extraction directory and write arbitrary files to the filesystem, potentially leading to remote code execution. The vulnerability affects any application using vulnerable versions of plexus-utils for archive extraction operations. A proof-of-concept has been publicly disclosed via a GitHub Gist, and the fix has been merged into the project repository.
Path Traversal
RCE
Redhat
-
CVE-2025-40842
HIGH
CVSS 8.5
A Cross-Site Scripting (XSS) vulnerability exists in Ericsson Indoor Connect 8855 versions prior to 2025.Q3, classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). An attacker can inject malicious scripts into the web interface, potentially leading to unauthorized disclosure and modification of sensitive information. No CVSS score, EPSS data, or KEV status is currently available, and no public proof-of-concept has been disclosed, though the vulnerability has been formally documented by Ericsson's Product Security Incident Response Team (PSIRT).
Ericsson
XSS
-
CVE-2025-36258
HIGH
CVSS 7.1
IBM InfoSphere Information Server versions 11.7.0.0 through 11.7.1.6 store user credentials and other sensitive information in plain text, allowing local users to read this data. This is a high-severity information disclosure vulnerability with a CVSS score of 7.1, primarily due to the potential for complete confidentiality breach across security boundaries. A patch is available from IBM, and there is no evidence of active exploitation or public proof-of-concept at this time.
IBM
Information Disclosure
-
CVE-2025-27260
HIGH
CVSS 7.2
Ericsson Indoor Connect 8855 prior to version 2025.Q3 contains an Improper Filtering of Special Elements vulnerability (CWE-790) that allows attackers to bypass input validation controls and achieve unauthorized modification of sensitive information. This vulnerability affects all versions of the Indoor Connect 8855 product line below the 2025.Q3 release. No CVSS score, CVSS vector, EPSS data, or active exploitation status is currently available in public sources, limiting quantitative risk assessment, though the CWE-790 classification suggests the vulnerability involves inadequate sanitization of special characters or metacharacters in user input.
Ericsson
Authentication Bypass
-
CVE-2024-58341
HIGH
CVSS 8.8
OpenCart Core 4.0.2.3 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'search' parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable with no authentication required and low attack complexity. Public exploit code is available.
SQLi
-
CVE-2024-51348
HIGH
CVSS 8.8
A stack-based buffer overflow vulnerability in the P2P API service in BS Producten Petcam with firmware 33.1.0.0818 allows unauthenticated attackers within network range to overwrite the instruction. Rated high severity (CVSS 8.8), this vulnerability requires no authentication and has low attack complexity. No vendor patch is available.
Buffer Overflow
RCE
Stack Overflow
-
CVE-2024-51347
HIGH
CVSS 7.2
A buffer overflow vulnerability exists in the dgiot binary in LSC Smart Indoor IP Camera V7.6.32. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable with low attack complexity. No vendor patch is available.
Buffer Overflow
-
CVE-2024-51346
HIGH
CVSS 7.7
An issue in Eufy Homebase 2 version 3.3.4.1h allows a local attacker to obtain sensitive information via the cryptographic scheme. Rated high severity (CVSS 7.7), this vulnerability requires no authentication and has low attack complexity. No vendor patch is available.
Information Disclosure
-
CVE-2026-34085
MEDIUM
CVSS 5.9
An off-by-one error in fontconfig before version 2.17.1 allows a one-byte out-of-bounds write in the FcFontCapabilities function within fcfreetype.c during sfnt capability handling. This vulnerability affects all versions of fontconfig prior to 2.17.1 across multiple platforms, potentially enabling local attackers without special privileges to crash the application or execute arbitrary code. A patch is available through the official fontconfig GitLab repository, and given the memory corruption nature of the defect, exploitation is feasible on systems with fontconfig-dependent applications.
Buffer Overflow
RCE
-
CVE-2026-33931
MEDIUM
CVSS 6.5
OpenEMR portal payment pages prior to version 8.0.0.3 expose other patients' protected health information (PHI) and payment card metadata through an Insecure Direct Object Reference vulnerability. Authenticated portal patients can manipulate the `recid` query parameter in `portal/portal_payment.php` to access arbitrary patient payment records and billing data without authorization. The vulnerability affects all versions before 8.0.0.3 and carries a CVSS score of 6.5 (high confidentiality impact); however, the 0.03% EPSS score indicates low real-world exploitation probability, and no public exploit code or active exploitation has been identified.
Openemr
PHP
Information Disclosure
-
CVE-2026-33915
MEDIUM
CVSS 5.4
OpenEMR versions prior to 8.0.0.3 allow authenticated API users to bypass administrative access controls on five insurance company management REST API endpoints due to missing authorization checks. An attacker with valid API credentials but non-administrative OpenEMR privileges can create, read, and modify insurance company records without proper permission validation. The vulnerability requires prior authentication and affects data integrity rather than confidentiality or availability; no public exploit code has been identified, and exploitation probability is very low (EPSS 0.02%).
Openemr
Privilege Escalation
Authentication Bypass
-
CVE-2026-33912
MEDIUM
CVSS 5.4
OpenEMR versions prior to 8.0.0.3 contain a stored cross-site scripting (XSS) vulnerability in form handling that allows authenticated attackers to inject malicious JavaScript into forms, which executes in the browser sessions of victims who submit those forms. An attacker with valid OpenEMR credentials can craft a malicious form that, upon submission by any user, executes arbitrary JavaScript with the privileges of the victim's session, potentially leading to session hijacking, credential theft, or unauthorized actions within the electronic health records system. The vulnerability is low-to-moderate severity (CVSS 5.4) due to the requirement for authentication and user interaction, but it poses significant risk in healthcare environments where attackers may have legitimate credentials and victims include healthcare providers with broad system access.
XSS
-
CVE-2026-33911
MEDIUM
CVSS 5.4
This is a stored/reflected cross-site scripting (XSS) vulnerability in OpenEMR versions prior to 8.0.0.3 where the POST parameter 'title' is improperly encoded in JSON responses but served with a text/html Content-Type header, causing browsers to execute injected JavaScript rather than treat the output as data. An authenticated attacker can craft a malicious request to execute arbitrary JavaScript in a victim's session, potentially leading to session hijacking, credential theft, or unauthorized actions within the electronic health records system. The vulnerability carries a moderate CVSS score of 5.4 but requires authentication and user interaction (UI:R), reducing immediate exploitation likelihood, though a proof-of-concept fix commit is available in the GitHub repository.
XSS
-
CVE-2026-33909
MEDIUM
CVSS 5.9
OpenEMR versions prior to 8.0.0.3 contain a SQL injection vulnerability in the MedEx recall/reminder processing code where user-controlled variables are concatenated directly into SQL queries without parameterization or type casting. An authenticated attacker with high privileges can exploit this to extract, modify, or delete sensitive healthcare data from the database. While the CVSS score of 5.9 is moderate, the attack requires high privilege level (PR:H) and high complexity (AC:H), but the confidentiality and integrity impacts are severe given the medical context.
SQLi
-
CVE-2026-33809
MEDIUM
CVSS 5.3
Memory exhaustion in TIFF image processing allows unauthenticated remote attackers to trigger allocation of up to 4GiB of memory by submitting malicious image files, resulting in denial of service through resource depletion or application crashes. No patch is currently available for affected systems, leaving deployed instances exposed to an attack that requires only network access and no user interaction.
Information Disclosure
-
CVE-2026-33751
MEDIUM
CVSS 6.3
n8n contains an LDAP injection vulnerability in the LDAP node's filter escape logic that allows LDAP metacharacters to pass through unescaped when user-controlled input is interpolated into LDAP search filters. This affects n8n versions prior to 1.123.27, 2.13.3, and 2.14.1, enabling attackers to manipulate LDAP queries to retrieve unintended directory records or bypass authentication controls implemented within workflows. The vulnerability requires a specific workflow configuration (an LDAP node receiving external user input via expressions); it has not been publicly reported as actively exploited, and no proof-of-concept availability is confirmed across available intelligence sources.
Ldap
Authentication Bypass
Code Injection
-
CVE-2026-33749
MEDIUM
CVSS 6.3
A stored cross-site scripting (XSS) vulnerability in n8n workflow automation platform allows authenticated users to craft malicious workflows that execute arbitrary JavaScript in the browsers of higher-privileged users. Affected versions are n8n prior to 1.123.27, 2.13.3, and 2.14.1 (identified via CPE cpe:2.3:a:n8n-io:n8n). An attacker with workflow creation/modification permissions can exploit the `/rest/binary-data` endpoint's failure to properly sanitize HTML responses, enabling credential theft, workflow manipulation, and privilege escalation to administrative access with full same-origin context.
XSS
Privilege Escalation
-
CVE-2026-33724
MEDIUM
CVSS 6.3
n8n versions prior to 2.5.0 contain a critical SSH host key verification bypass in the Source Control feature that allows network-positioned attackers to perform man-in-the-middle attacks against Git operations. Affected users who have explicitly enabled and configured SSH-based source control can have their workflows injected with malicious content or have repository data intercepted without authentication. While the feature is non-default and requires explicit configuration, the vulnerability enables complete compromise of workflow integrity and potential lateral movement within automation pipelines.
Authentication Bypass
-
CVE-2026-33720
MEDIUM
CVSS 6.3
This vulnerability in n8n (an open-source workflow automation platform) is an authentication bypass in the OAuth callback handler that occurs when the N8N_SKIP_AUTH_ON_OAUTH_CALLBACK environment variable is explicitly set to true. An attacker can manipulate the OAuth state parameter verification to trick a victim into completing an OAuth flow that stores the victim's OAuth tokens in an attacker-controlled credential object, allowing the attacker to execute workflows using the victim's delegated permissions. The vulnerability affects n8n versions prior to 2.8.0 and requires non-default configuration to be exploitable, limiting its widespread impact but creating significant risk for affected deployments.
Authentication Bypass
-
CVE-2026-33699
MEDIUM
CVSS 4.6
This vulnerability in pypdf allows an attacker to craft a malicious PDF file that triggers an infinite loop when processed in non-strict mode, resulting in a denial of service condition. The affected product is pypdf (Python package available via pip), and the vulnerability has been patched in version 6.9.2. While no CVSS score or EPSS data is currently available, the vulnerability is classified as a denial of service issue stemming from improper loop handling (CWE-835: Infinite Loop).
Denial Of Service
-
CVE-2026-33693
MEDIUM
CVSS 6.5
An SSRF vulnerability (CVSS 6.5). Remediation should follow standard vulnerability management procedures. A vendor patch is available.
SSRF
Microsoft
Apple
-
CVE-2026-33682
MEDIUM
CVSS 4.7
Streamlit Open Source versions prior to 1.54.0 running on Windows contain an unauthenticated Server-Side Request Forgery (SSRF) vulnerability in the ComponentRequestHandler that improperly validates filesystem paths, allowing attackers to coerce the Streamlit server into initiating outbound SMB connections to attacker-controlled hosts. This can result in the exposure of NTLMv2 credential hashes for the Windows user running the Streamlit process, which may be subjected to offline brute-force attacks or relayed to other internal services. The vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities catalog, but a patch is available from the vendor (version 1.54.0), and the attack requires network adjacency (AV:A) and is not trivial to exploit (AC:H).
SSRF
Microsoft
-
CVE-2026-33672
MEDIUM
CVSS 5.3
picomatch is vulnerable to a method injection vulnerability (CWE-1321) in its POSIX_REGEX_SOURCE object that allows specially crafted POSIX bracket expressions like [[:constructor:]] to reference inherited Object.prototype methods, causing these methods to be stringified and injected into generated regular expressions. This affects all versions of the npm package picomatch prior to 2.3.2, 3.0.2, and 4.0.4, and can cause incorrect glob matching behavior leading to integrity violations where patterns match unintended filenames; while this does not enable remote code execution, it can compromise security-relevant logic in applications using glob matching for filtering, validation, or access control. The vulnerability is not listed in CISA KEV and has no widely published proof-of-concept, but patches are available from the vendor.
RCE
Prototype Pollution
-
CVE-2026-33532
MEDIUM
CVSS 4.3
YAML parsing in Node.js and Apple products fails to enforce recursion depth limits, allowing an attacker to trigger a stack overflow with minimal input (2-10 KB of nested flow sequences) that crashes the application with an uncaught RangeError. Applications relying solely on YAML-specific exception handling may fail to catch this error, potentially leading to process termination or service disruption. A patch is available for affected versions.
Node.js
Buffer Overflow
Apple
-
CVE-2026-33268
MEDIUM
CVSS 6.9
Nanoleaf Lines firmware versions prior to 12.3.6 lack authentication controls on firmware file upload endpoints, allowing remote unauthenticated attackers to upload arbitrary files to the device. This vulnerability enables denial-of-service attacks through storage resource exhaustion and potential firmware tampering without requiring valid credentials or user interaction. The vulnerability has a CVSS score of 6.5 (Medium) with network-based attack vector and low complexity, and is tagged with denial-of-service impact indicators in CISA reporting.
Denial Of Service
-
CVE-2026-33182
MEDIUM
CVSS 6.6
Saloon versions prior to v4 contain a Server-Side Request Forgery (SSRF) vulnerability in the resolveEndpoint method that allows attackers to redirect authenticated requests to arbitrary hosts. When user-controlled input is passed as an endpoint parameter containing an absolute URL (e.g., https://attacker.example.com), Saloon ignores the connector's base URL and sends the request directly to the attacker-controlled destination, potentially leaking authentication headers, cookies, and tokens. This vulnerability affects the Saloon PHP HTTP client library (composer package saloonphp/saloon) and requires immediate upgrade to v4 or later to remediate.
SSRF
-
CVE-2026-32567
MEDIUM
CVSS 6.8
YML for Yandex Market versions prior to 5.3.0 contain a path traversal vulnerability that allows high-privileged attackers to access files outside restricted directories without user interaction. This vulnerability could enable unauthorized disclosure of sensitive information across the system. Currently, no patch is available and exploitation appears unlikely in the wild.
Path Traversal
-
CVE-2026-32562
MEDIUM
CVSS 5.4
Unauthorized users in WP Folio Team's Password Protect Page plugin (versions up to 1.9.15) can bypass access controls due to missing authorization checks, allowing them to modify page content or cause service disruptions. Authenticated attackers can exploit this vulnerability to escalate privileges and manipulate access restrictions on protected pages. No patch is currently available.
Authentication Bypass
-
CVE-2026-32541
MEDIUM
CVSS 6.5
Improper access control in Premmerce Redirect Manager through version 1.0.12 permits authenticated users to bypass authorization checks and manipulate redirect configurations. An attacker with valid credentials could exploit this vulnerability to modify, view, or delete redirects they should not have access to, potentially affecting website traffic and user experience. A patch is not currently available.
Authentication Bypass
-
CVE-2026-32535
MEDIUM
CVSS 6.5
JS Help Desk (JoomSky) versions up to 3.0.3 contain an authorization bypass vulnerability caused by insecure direct object references (IDOR) and incorrectly configured access control security levels. An attacker with minimal or no privileges can exploit user-controlled keys in API requests or direct object references to access, modify, or view unauthorized help desk tickets, user data, and support resources. While no CVSS score is currently assigned and KEV/EPSS data are unavailable, the vulnerability has been publicly reported by Patchstack with reference documentation available.
Authentication Bypass
-
CVE-2026-32533
MEDIUM
CVSS 6.5
An authorization bypass vulnerability exists in LatePoint versions up to and including 5.2.6 that allows attackers to exploit incorrectly configured access control security levels through user-controlled key manipulation. This Insecure Direct Object Reference (IDOR) vulnerability enables attackers without proper authentication or authorization to access resources they should not have permission to view or modify. The vulnerability affects the LatePoint WordPress plugin and has been documented by Patchstack with proof-of-concept details available, making it a practical exploitation risk for unpatched installations.
Authentication Bypass
-
CVE-2026-32527
MEDIUM
CVSS 6.5
WP Insightly plugin versions 1.1.5 and earlier for Contact Form 7, WPForms, Elementor, Formidable, and Ninja Forms contain an authorization bypass that allows unauthenticated attackers to modify data through misconfigured access controls. An attacker can exploit this vulnerability to perform unauthorized actions on forms and contacts without proper permissions. No patch is currently available.
Authentication Bypass
-
CVE-2026-32521
MEDIUM
CVSS 6.5
A DOM-based Cross-Site Scripting (XSS) vulnerability exists in the Northern Beaches Websites WP Custom Admin Interface WordPress plugin through version 7.42, allowing attackers to inject and execute arbitrary JavaScript code in users' browsers. This vulnerability affects all installations of the plugin up to and including version 7.42, enabling attackers to steal session cookies, perform unauthorized actions on behalf of authenticated administrators, or redirect users to malicious sites. While no CVSS score or EPSS probability has been published, the DOM-based XSS classification (CWE-79) combined with the plugin's administrative scope indicates a high-severity risk requiring immediate patching.
XSS
-
CVE-2026-32514
MEDIUM
CVSS 6.5
Petitioner version 0.7.3 and earlier contains a missing authorization check that allows authenticated users to modify data or settings they should not have access to due to incorrectly configured access control levels. An attacker with valid credentials can exploit this to perform unauthorized actions without requiring user interaction. A patch is not currently available for this vulnerability.
Authentication Bypass
-
CVE-2026-32511
MEDIUM
CVSS 5.4
A deserialization of untrusted data vulnerability exists in Mikado-Themes Stål (a WordPress theme) that allows arbitrary object injection through unsafe unserialize() operations. Versions prior to 1.7 are affected. An attacker can exploit this to instantiate arbitrary PHP objects, potentially leading to remote code execution, data exfiltration, or site compromise depending on available gadget chains in the WordPress environment.
Deserialization
-
CVE-2026-32510
MEDIUM
CVSS 5.4
A deserialization of untrusted data vulnerability exists in Edge-Themes Kamperen WordPress theme versions prior to 1.3, allowing attackers to perform arbitrary object instantiation through object injection attacks. This CWE-502 vulnerability enables remote code execution or information disclosure without requiring authentication in many scenarios. While no CVSS score is currently published and KEV/EPSS data are unavailable, the vulnerability has been reported by Patchstack and affects all installations of the Kamperen theme below version 1.3.
Deserialization
-
CVE-2026-32509
MEDIUM
CVSS 5.4
A deserialization of untrusted data vulnerability exists in Edge-Themes Gracey WordPress theme versions prior to 1.4, allowing attackers to perform arbitrary object instantiation through object injection attacks. This CWE-502 vulnerability affects all installations of Gracey below version 1.4 and could enable remote code execution or other malicious actions depending on available gadget chains in the WordPress environment. No CVSS score, EPSS risk metric, or KEV status has been publicly assigned, but the vulnerability is documented by Patchstack with a patch available in version 1.4.
Deserialization
-
CVE-2026-32508
MEDIUM
CVSS 5.4
This is a deserialization of untrusted data vulnerability in the Mikado-Themes Halstein WordPress theme (versions prior to 1.8) that allows arbitrary object injection via CWE-502. An attacker can exploit this flaw to instantiate arbitrary PHP objects, potentially leading to remote code execution or information disclosure depending on available gadget chains. The vulnerability was reported by Patchstack and affects all versions of Halstein below 1.8; no CVSS score, EPSS data, or KEV status is currently published, limiting immediate risk quantification but indicating this is a serious deserialization flaw that should be patched urgently.
Deserialization
-
CVE-2026-32507
MEDIUM
CVSS 5.4
A deserialization of untrusted data vulnerability exists in Elated-Themes Leroux WordPress theme versions prior to 1.4, allowing unauthenticated attackers to perform arbitrary object instantiation through object injection attacks. An attacker can exploit this vulnerability to instantiate arbitrary PHP objects, potentially leading to remote code execution or information disclosure depending on available gadget chains in the WordPress environment. While no CVSS score or active KEV status is currently available, the vulnerability has been documented by Patchstack and assigned ENISA EUVD ID EUVD-2026-15861, indicating it is a recognized threat affecting WordPress installations using the vulnerable Leroux theme.
Deserialization
-
CVE-2026-32506
MEDIUM
CVSS 5.4
A deserialization of untrusted data vulnerability exists in Edge-Themes Archicon WordPress theme versions prior to 1.7, allowing attackers to perform arbitrary object instantiation through object injection attacks. This vulnerability, tracked as CWE-502, enables attackers to instantiate arbitrary PHP objects during the deserialization process, potentially leading to remote code execution or other malicious outcomes depending on available gadget chains in the WordPress environment. The vulnerability was reported by Patchstack and affects all versions of Archicon below 1.7, with a patch available in version 1.7 and later.
Deserialization
-
CVE-2026-32497
MEDIUM
CVSS 5.3
A weak authentication vulnerability in the PickPlugins User Verification WordPress plugin (versions up to 2.0.45) allows attackers to bypass email verification mechanisms, enabling authentication abuse and unauthorized account creation or takeover. This vulnerability has been identified by Patchstack as an email verification bypass issue affecting the user verification functionality, potentially exposing sites using this plugin to account compromise and unauthorized access. The practical impact depends on how the plugin integrates with site authentication workflows, but successful exploitation could allow attackers to register accounts, access user data, or impersonate legitimate users.
Information Disclosure
-
CVE-2026-32496
MEDIUM
CVSS 6.7
Path traversal in NYSL Spam Protect for Contact Form 7 up to version 1.2.9 enables authenticated attackers with high privileges to access files outside intended directories. The vulnerability requires administrator-level access and does not allow code execution or service disruption, but could expose sensitive configuration files or other restricted data. No patch is currently available.
Path Traversal
-
CVE-2026-32492
MEDIUM
CVSS 5.3
My Tickets plugin version 2.1.1 and earlier contains an authentication bypass vulnerability that allows unauthenticated attackers to spoof user identities and gain unauthorized access to ticket systems. The vulnerability requires no user interaction and can be exploited remotely by any network-connected attacker. Currently, no patch is available for this medium-severity issue affecting installations of this WordPress plugin.
Authentication Bypass
-
CVE-2026-32491
MEDIUM
CVSS 6.5
A Stored Cross-Site Scripting (XSS) vulnerability exists in the WP Review Slider plugin (also known as wp-facebook-reviews) versions 13.9 and earlier, allowing attackers to inject malicious scripts that persist in the application and execute in users' browsers. This vulnerability affects WordPress site administrators and users who interact with review content. An attacker can exploit this to steal session tokens, deface content, redirect users to malicious sites, or perform actions on behalf of compromised users.
XSS
-
CVE-2026-32490
MEDIUM
CVSS 6.5
A Stored Cross-Site Scripting (XSS) vulnerability exists in the WP TripAdvisor Review Slider WordPress plugin through version 14.1, allowing attackers to inject malicious scripts that persist in the database and execute in the browsers of site visitors. The vulnerability affects all versions up to and including 14.1, and an attacker with sufficient privileges to inject content can compromise user sessions, steal credentials, or perform arbitrary actions on behalf of site administrators. No CVSS score or EPSS data is currently available, and active exploitation status via KEV is unknown, but Patchstack has documented this as a confirmed vulnerability with a reference implementation.
XSS
-
CVE-2026-32489
MEDIUM
CVSS 6.5
Improper access control in bPlugins B Blocks versions prior to 2.0.30 allows unauthenticated remote attackers to modify data and degrade system availability through misconfigured security levels. The vulnerability requires no user interaction and can be exploited over the network, affecting the integrity and availability of affected installations.
Authentication Bypass
-
CVE-2026-32483
MEDIUM
CVSS 6.5
Improper access control in Contact Form Email plugin version 1.3.63 and earlier allows authenticated attackers to modify or inject unauthorized data through inadequately restricted endpoints. An attacker with low-privilege access can exploit misconfigured security levels to manipulate form submissions or sensitive information without proper authorization checks.
Authentication Bypass
-
CVE-2026-32326
MEDIUM
CVSS 6.9
CVE-2026-32326 is a security vulnerability (CVSS 6.9). Remediation should follow standard vulnerability management procedures.
Authentication Bypass
-
CVE-2026-32120
MEDIUM
CVSS 6.5
An Insecure Direct Object Reference (IDOR) vulnerability exists in OpenEMR versions prior to 8.0.0.3 within the fee sheet product save logic that allows authenticated users with fee sheet ACL permissions to arbitrarily read, modify, or delete drug_sales records belonging to any patient by manipulating the hidden prod[][sale_id] form field. The vulnerability stems from insufficient authorization checks in the FeeSheet.class.php library, where user-supplied sale_id values are used directly in SQL queries without verifying ownership of the record to the current patient and encounter. With a CVSS score of 6.5 and confirmed patch availability in version 8.0.0.3, this represents a moderate-severity data integrity and confidentiality risk affecting healthcare data.
PHP
Authentication Bypass
-
CVE-2026-31914
MEDIUM
CVSS 6.5
A DOM-Based Cross-Site Scripting (XSS) vulnerability exists in the hookandhook WP Courses LMS WordPress plugin through version 3.2.26, allowing attackers to inject malicious scripts that execute in users' browsers. The vulnerability affects all installations of WP Courses LMS up to and including version 3.2.26, enabling attackers to steal session tokens, redirect users, or perform actions on behalf of authenticated users. No CVSS score, EPSS data, or active KEV/POC information is currently available in public sources, though the vulnerability has been documented by Patchstack and assigned EUVD ID EUVD-2026-15815.
XSS
-
CVE-2026-29092
MEDIUM
CVSS 4.9
A session management vulnerability in Kiteworks Email Protection Gateway versions prior to 9.2.1 allows disabled user accounts to maintain active sessions indefinitely until natural session expiration. An attacker with a disabled account could continue accessing the platform and potentially modify data or system settings without re-authentication. While this vulnerability has not been reported as actively exploited (KEV status not listed as in-the-wild), it represents a direct bypass of account suspension controls and warrants prompt patching.
Authentication Bypass
-
CVE-2026-28895
MEDIUM
CVSS 4.6
A bypass vulnerability exists in iOS and iPadOS Stolen Device Protection that allows an attacker with physical access to an iOS device to circumvent biometric authentication and access protected apps using only the device passcode. This vulnerability affects devices running iOS and iPadOS versions prior to 26.4, where Stolen Device Protection is enabled. An attacker gaining physical possession of a locked device can exploit this flaw to access biometrics-gated Protected Apps, effectively defeating the intended security mechanism that requires biometric verification (Face ID or Touch ID) in addition to the passcode for sensitive app access.
Apple
Authentication Bypass
iOS
-
CVE-2026-28892
MEDIUM
CVSS 5.5
A permissions enforcement vulnerability in macOS allows applications to bypass file system protections and modify protected system files or directories through inadequate access controls. This affects macOS Sequoia (before 15.7.5), macOS Sonoma (before 14.8.5), and macOS Tahoe (before 26.4). Apple has addressed the issue by removing vulnerable code, and no active exploitation or proof-of-concept has been publicly disclosed at this time.
Apple
Information Disclosure
macOS
-
CVE-2026-28890
MEDIUM
CVSS 5.5
Xcode versions prior to 26.4 contain an out-of-bounds read vulnerability that can be triggered by local users with user interaction to cause unexpected application or system termination. This denial-of-service condition affects developers and build systems using vulnerable Xcode installations. No patch is currently available.
Buffer Overflow
Information Disclosure
-
CVE-2026-28889
MEDIUM
CVSS 6.2
A permissions bypass vulnerability in Apple Xcode allows unprivileged applications to read arbitrary files with root-level privileges due to insufficient access controls. The vulnerability affects Xcode versions prior to 26.4 and could enable attackers to exfiltrate sensitive system files or configuration data. While no CVSS score or EPSS data is currently published, the ability to read arbitrary files as root represents a critical privilege escalation issue that warrants immediate patching.
Privilege Escalation
-
CVE-2026-28888
MEDIUM
CVSS 5.1
macOS systems running Sequoia 15.7.4 and earlier, Sonoma 14.8.4 and earlier, and Tahoe 26.3 and earlier contain a race condition in state handling that allows local applications to escalate privileges to root. The vulnerability stems from improper synchronization during critical operations, enabling an attacker with local access to exploit the timing window and gain elevated system privileges. Patches have been released for affected macOS versions.
Apple
Race Condition
Information Disclosure
macOS
-
CVE-2026-28886
MEDIUM
CVSS 5.9
Denial-of-service attacks against multiple Apple platforms (iOS, iPadOS, macOS, tvOS, visionOS, and watchOS) result from improper null pointer handling that allows attackers in privileged network positions to crash affected systems. An attacker exploiting this CWE-476 vulnerability can render devices unavailable without user interaction. No patch is currently available, requiring users to apply mitigations until updates are released.
Apple
Null Pointer Dereference
Denial Of Service
macOS
iOS
-
CVE-2026-28882
MEDIUM
CVSS 4.0
An information disclosure vulnerability in Apple's operating systems allows applications to enumerate a user's installed apps without proper authorization. This affects iOS, iPadOS, macOS, tvOS, visionOS, and watchOS versions prior to 26.4. An attacker can distribute a malicious app that queries the system to discover what applications a user has installed, potentially enabling targeted attacks or privacy violations. No CVSS score, EPSS data, or known public exploits are currently documented, but the vulnerability has been fixed across all Apple platforms, indicating Apple assessed this as requiring immediate remediation.
Apple
Information Disclosure
macOS
iOS
-
CVE-2026-28881
MEDIUM
CVSS 5.5
A privacy vulnerability in macOS Tahoe allows applications to access sensitive user data that should have been protected through proper data isolation. The vulnerability affects macOS versions prior to 26.4, where sensitive data was not adequately segregated from application access. An attacker or malicious application could exploit this flaw to read protected user information without proper authorization, representing a direct information disclosure risk.
Apple
Information Disclosure
Authentication Bypass
macOS
-
CVE-2026-28880
MEDIUM
CVSS 6.5
A permissions enforcement vulnerability in Apple operating systems allows unauthorized enumeration of installed applications on a user's device. This information disclosure issue affects iOS 18.7.7 and earlier, iPadOS 18.7.7 and earlier, iOS 26.4 and earlier, iPadOS 26.4 and earlier, macOS Sequoia 15.7.5 and earlier, macOS Sonoma 14.8.5 and earlier, macOS Tahoe 26.4 and earlier, and visionOS 26.4 and earlier. An attacker with the ability to execute code as an installed application could enumerate the complete list of user-installed applications without explicit user permission, enabling targeted attacks, privacy violations, and device profiling.
Apple
Authentication Bypass
macOS
iOS
-
CVE-2026-28879
MEDIUM
CVSS 6.5
Apple's iOS, iPadOS, macOS, tvOS, visionOS, and watchOS contain a use-after-free vulnerability that could allow remote attackers to crash affected applications by processing maliciously crafted web content. The vulnerability stems from improper memory management and requires user interaction to exploit. No patch is currently available, leaving users vulnerable until official updates are released.
Apple
Use After Free
Denial Of Service
Memory Corruption
macOS
-
CVE-2026-28878
MEDIUM
CVSS 6.5
A privacy vulnerability in Apple's operating systems allows third-party applications to enumerate a user's installed applications, resulting in unauthorized information disclosure about device software inventory. The vulnerability affects iOS and iPadOS versions prior to 18.7.7 and 26.4, macOS Sonoma prior to 14.8.5, macOS Tahoe 26.4, tvOS 26.4, visionOS 26.4, and watchOS 26.4 across all affected product lines. An attacker can exploit this vulnerability by crafting a malicious application that leverages the enumeration capability to profile a user's installed software, potentially enabling further targeted attacks or privacy inference attacks based on application usage patterns.
Apple
Information Disclosure
macOS
iOS
-
CVE-2026-28877
MEDIUM
CVSS 5.5
An authorization bypass vulnerability in Apple's operating systems allows third-party applications to access sensitive user data through improper state management during authorization checks. The vulnerability affects iOS/iPadOS 26.4 and earlier, macOS Sequoia 15.7.5 and earlier, macOS Tahoe 26.4 and earlier, visionOS 26.4 and earlier, and watchOS 26.4 and earlier across multiple Apple devices and platforms. An attacker can exploit this by crafting a malicious application that circumvents authorization controls to read protected user information without explicit user consent. No CVSS score, EPSS probability, or active exploitation status has been disclosed by Apple, though the vulnerability spans all major Apple operating systems indicating broad platform impact.
Apple
Information Disclosure
macOS
iOS
-
CVE-2026-28871
MEDIUM
CVSS 4.3
A cross-site scripting (XSS) vulnerability exists in Apple's Safari browser and iOS/iPadOS operating systems due to insufficient input validation in website content handling. An attacker can craft a malicious website that, when visited by a user, executes arbitrary JavaScript in the context of the victim's browser, potentially stealing credentials, session tokens, or performing actions on behalf of the user. Apple has released patches across Safari 26.4, iOS 18.7.7, iPadOS 18.7.7, iOS 26.4, iPadOS 26.4, and macOS Tahoe 26.4 to address this logic flaw, though no CVSS score, EPSS data, or KEV status has been publicly disclosed, suggesting this may be a proactive disclosure rather than an actively exploited vulnerability.
Apple
XSS
-
CVE-2026-28870
MEDIUM
CVSS 5.5
An information leakage vulnerability affecting Apple's operating systems across multiple platforms (iOS, iPadOS, macOS, tvOS, visionOS, and watchOS) allows third-party applications to access sensitive user data through insufficient validation mechanisms. The vulnerability impacts all versions prior to the 26.4 release across affected platforms, enabling malicious or compromised applications to bypass access controls and exfiltrate private user information. While no CVSS score, EPSS data, or active exploitation in the wild has been publicly disclosed, the breadth of affected platforms and the fundamental nature of information disclosure vulnerabilities suggest moderate to significant real-world risk.
Apple
Information Disclosure
macOS
iOS
-
CVE-2026-28868
MEDIUM
CVSS 5.5
A logging issue in Apple's operating systems allows improper data redaction, potentially enabling applications to disclose kernel memory contents. This information disclosure vulnerability affects iOS and iPadOS (versions prior to 18.7.7 and 26.4), macOS (Sequoia 15.7.5, Sonoma 14.8.5, Tahoe 26.4), visionOS 26.4, and watchOS 26.4. An untrusted application with standard execution privileges could exploit this to read sensitive kernel memory that should have been redacted from logs, potentially exposing cryptographic material, memory addresses useful for ASLR bypass, or other privileged information. No CVSS score, EPSS data, or public proof-of-concept has been disclosed at this time, and this does not appear on the CISA Known Exploited Vulnerabilities (KEV) catalog.
Apple
Information Disclosure
macOS
iOS
-
CVE-2026-28867
MEDIUM
CVSS 6.2
A kernel state information disclosure vulnerability exists across Apple's entire platform ecosystem that allows a malicious application to leak sensitive kernel memory without requiring elevated privileges. The vulnerability affects iOS and iPadOS versions prior to 18.7.7 and 26.4, macOS Sequoia prior to 15.7.5, macOS Tahoe 26.4, and tvOS, visionOS, and watchOS 26.4. An attacker can craft a specially designed app that exploits improper authentication mechanisms to access protected kernel state, potentially exposing cryptographic keys, memory addresses, or other sensitive operating system internals that could be chained with other vulnerabilities.
Apple
Information Disclosure
macOS
iOS
-
CVE-2026-28866
MEDIUM
CVSS 6.2
A symlink validation vulnerability in Apple's iOS, iPadOS, and macOS operating systems allows malicious applications to bypass file system protections and access sensitive user data through improper handling of symbolic links. The vulnerability affects iOS 18.7.7 and earlier, iPadOS 18.7.7 and earlier, iOS 26.4 and earlier, iPadOS 26.4 and earlier, macOS Sequoia 15.7.5 and earlier, macOS Sonoma 14.8.5 and earlier, and macOS Tahoe 26.4 and earlier. An attacker with the ability to install or execute an application on the affected system could leverage this weakness to read restricted files and access private user information without proper authorization.
Apple
Information Disclosure
macOS
iOS
-
CVE-2026-28863
MEDIUM
CVSS 6.5
A permissions issue across Apple's ecosystem allows applications to fingerprint users by accessing information that should be restricted. The vulnerability affects iOS and iPadOS versions prior to 26.4, tvOS prior to 26.4, visionOS prior to 26.4, and watchOS prior to 26.4. Attackers can exploit this by deploying a malicious app that leverages inadequate permission restrictions to collect device and user identifiers for tracking and profiling purposes. The issue has been addressed by Apple through additional permission restrictions in the patched versions, indicating this is a known vulnerability with an available fix.
Apple
Information Disclosure
iOS
-
CVE-2026-28862
MEDIUM
CVSS 5.3
This vulnerability is a privacy issue in Apple macOS where private data redaction for log entries was not properly implemented, allowing applications to potentially access user-sensitive data that should have been redacted. The vulnerability affects macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, and macOS Tahoe 26.4, with no public indicators of active exploitation or proof-of-concept code. While CVSS and EPSS scores are unavailable, the nature of the issue suggests moderate real-world risk due to its reliance on application-level exploitation requiring user interaction or system access.
Apple
Information Disclosure
Authentication Bypass
macOS
-
CVE-2026-28861
MEDIUM
CVSS 4.3
A logic error in Apple's script message handler implementation allows malicious websites to access script message handlers intended for other origins, resulting in unauthorized cross-origin information disclosure. This vulnerability affects Safari 26.4 and earlier, iOS/iPadOS 18.7.7 and earlier, macOS Tahoe 26.4 and earlier, and visionOS 26.4 and earlier. An attacker can craft a malicious website that exploits improper state management in the message handler routing mechanism to intercept sensitive data intended for legitimate web applications, potentially exposing authentication tokens, user data, or other confidential information passed through script messaging interfaces.
Apple
Information Disclosure
Safari
macOS
iOS
-
CVE-2026-28859
MEDIUM
CVSS 4.3
A sandbox escape vulnerability in Apple's WebKit browser engine allows malicious websites to process restricted web content outside the security sandbox, potentially enabling unauthorized access to protected system resources. The vulnerability affects Safari and all Apple operating systems including iOS, iPadOS, macOS, tvOS, visionOS, and watchOS. Apple has addressed this issue through improved memory handling in Safari 26.4 and corresponding OS updates across all affected platforms.
Information Disclosure
Apple
Buffer Overflow
Safari
macOS
-
CVE-2026-28857
MEDIUM
CVSS 6.5
This vulnerability affects Apple's Safari browser and related Apple operating systems (iOS, iPadOS, macOS Tahoe, and visionOS) due to improper memory handling when processing maliciously crafted web content. The flaw can lead to unexpected process crashes, resulting in a denial of service condition affecting all users of the impacted Safari versions and OS versions below 26.4. While no CVSS score or EPSS data is currently published, the vulnerability has been patched by Apple, suggesting it was discovered through internal security review or responsible disclosure rather than active exploitation.
Apple
Information Disclosure
Buffer Overflow
Safari
macOS
-
CVE-2026-28856
MEDIUM
CVSS 4.6
This vulnerability allows an attacker with physical access to a locked Apple device to view sensitive user information through an authentication bypass. The issue affects iOS and iPadOS versions prior to 26.4, visionOS prior to 26.4, and watchOS prior to 26.4 across all affected device lines. Apple has patched this through improved authentication mechanisms, and while no CVSS score, EPSS data, or known exploits-in-the-wild status are publicly disclosed, the physical access requirement and information disclosure impact characterize this as a moderate-priority security update for users in environments with theft or unauthorized device access risks.
Apple
Authentication Bypass
iOS
-
CVE-2026-28852
MEDIUM
CVSS 5.5
Apple iOS, iPadOS, macOS, tvOS, visionOS, and watchOS are vulnerable to a stack overflow vulnerability that can be triggered by user interaction with a malicious app, potentially causing denial-of-service conditions. The vulnerability stems from insufficient input validation and affects multiple recent OS versions across Apple's product ecosystem. While no patch is currently available, users should exercise caution when installing apps from untrusted sources.
Apple
Buffer Overflow
macOS
iOS
-
CVE-2026-28845
MEDIUM
CVSS 5.5
An authorization flaw in macOS Tahoe allows applications to bypass access controls and retrieve protected user data due to improper state management during permission checks. Apple has addressed this vulnerability in macOS Tahoe 26.4, and all versions prior to 26.4 remain vulnerable. Affected users should prioritize upgrading to the patched version to prevent unauthorized data access by malicious or compromised applications.
Apple
Authentication Bypass
macOS
-
CVE-2026-28844
MEDIUM
CVSS 6.5
A file access control vulnerability in macOS Tahoe allows attackers to bypass input validation mechanisms and gain unauthorized access to protected portions of the file system. The vulnerability affects macOS versions prior to Tahoe 26.4, and has been classified as an Information Disclosure issue by Apple. An attacker exploiting this vulnerability can read or access files and directories that should be restricted from their privilege level, potentially exposing sensitive user data, system configuration files, or other protected resources.
Apple
Information Disclosure
macOS
-
CVE-2026-28841
MEDIUM
CVSS 6.2
macOS Tahoe versions prior to 26.4 contain a buffer overflow vulnerability that can cause denial of service through unexpected application termination or memory corruption when exploited by local attackers. The vulnerability stems from insufficient size validation in memory operations and requires no user interaction to trigger. No patch is currently available for affected systems.
Apple
Buffer Overflow
macOS
-
CVE-2026-28839
MEDIUM
CVSS 5.3
This vulnerability allows unauthorized applications to access sensitive user data on affected macOS systems because the security checks in earlier versions were insufficient. The issue affects macOS Sequoia (versions prior to 15.7.5), macOS Sonoma (versions prior to 14.8.5), and macOS Tahoe (versions prior to 26.4). An attacker with the ability to execute a malicious application on a vulnerable system could potentially read or exfiltrate sensitive user information that should be protected by macOS security controls. There is no evidence of active exploitation in the wild or public proof-of-concept availability, and the limited disclosure details suggest Apple addressed this proactively before widespread abuse.
Apple
Authentication Bypass
macOS
-
CVE-2026-28838
MEDIUM
CVSS 5.3
A sandbox escape vulnerability in macOS allows malicious applications to break out of their sandbox restrictions through a permissions issue. This affects macOS Sequoia (versions prior to 15.7.5), macOS Sonoma (versions prior to 14.8.5), and macOS Tahoe (versions prior to 26.4). An attacker who distributes a malicious app could potentially gain unauthorized access to system resources and user data that should be protected by the sandbox security boundary.
Apple
Information Disclosure
macOS
-
CVE-2026-28835
MEDIUM
CVSS 6.5
macOS systems running Sequoia 15.7.4 or earlier, Sonoma 14.8.4 or earlier, and Tahoe 26.3 or earlier contain a use-after-free vulnerability in SMB share handling that could allow an attacker to crash the operating system by mounting a specially crafted network share. The vulnerability requires user interaction to mount the malicious share and results in denial of service rather than code execution or data compromise. No patch is currently available for this vulnerability.
Apple
Use After Free
Memory Corruption
Information Disclosure
macOS
-
CVE-2026-28834
MEDIUM
CVSS 5.1
macOS systems running Sequoia 15.7.4 and earlier, Sonoma 14.8.4 and earlier, or Tahoe 26.3 and earlier are vulnerable to a race condition in application state handling that allows local attackers to trigger unexpected system termination and cause denial of service. The vulnerability requires specific timing conditions but does not require user interaction or elevated privileges to exploit. Apple has released patches for affected versions, though exploitation likelihood remains low.
Apple
Race Condition
Information Disclosure
macOS
-
CVE-2026-28833
MEDIUM
CVSS 6.2
A permissions enforcement vulnerability in Apple's operating systems allows third-party applications to enumerate installed applications on a user's device without proper authorization. This information disclosure issue affects iOS, iPadOS, macOS, and visionOS versions prior to 26.4, enabling attackers to gain insight into a user's software ecosystem for profiling or targeting purposes. Apple has addressed this with additional access restrictions in the patched versions, though no CVSS score, EPSS data, or known active exploitation has been publicly disclosed.
Apple
Information Disclosure
macOS
iOS
-
CVE-2026-28831
MEDIUM
CVSS 5.5
An authorization flaw in macOS allows applications to bypass state management controls and access sensitive user data without proper authorization. The vulnerability affects macOS Sequoia 15.7.4 and earlier, macOS Sonoma 14.8.4 and earlier, and macOS Tahoe 26.3 and earlier. While no CVSS score, EPSS data, or public exploit code is currently available, Apple has silently patched this issue across three major macOS versions, suggesting it posed a meaningful risk to user privacy and data confidentiality.
Apple
Information Disclosure
macOS
-
CVE-2026-28829
MEDIUM
CVSS 5.5
A permissions enforcement vulnerability in macOS allows applications to modify protected portions of the file system that should be restricted from unauthorized access. This issue affects macOS Sequoia, Sonoma, and Tahoe across multiple versions prior to their patched releases (15.7.5, 14.8.5, and 26.4 respectively). An attacker controlling or tricking a user into running a malicious application could leverage this permissions bypass to modify system-critical files, potentially enabling privilege escalation, persistence mechanisms, or system compromise.
Apple
Information Disclosure
macOS
-
CVE-2026-28828
MEDIUM
CVSS 5.3
A permissions enforcement vulnerability in macOS allows unauthorized applications to access sensitive user data due to insufficient access controls; Apple remediated the issue by removing the vulnerable code. The vulnerability affects macOS Sequoia (versions prior to 15.7.5), macOS Sonoma (versions prior to 14.8.5), and macOS Tahoe (versions prior to 26.4). An unprivileged application could potentially read or access protected user information without proper user consent or authorization, representing a confidentiality breach with moderate real-world impact depending on the specific data accessible.
Apple
Authentication Bypass
macOS
-
CVE-2026-28826
MEDIUM
CVSS 4.0
A logic issue in macOS Tahoe allows a malicious application to escape its sandbox and execute code outside of the restricted security boundary. This vulnerability affects macOS versions prior to 26.4 and represents a critical sandbox bypass that could enable arbitrary code execution with elevated privileges. While no CVSS score or active exploitation data is currently available, the sandbox escape capability makes this a high-priority patch for all affected macOS users.
Apple
Information Disclosure
macOS
-
CVE-2026-28825
MEDIUM
CVSS 5.5
Improper bounds checking in Apple macOS (Sequoia 15.7.4 and earlier, Sonoma 14.8.4 and earlier, Tahoe 26.3 and earlier) permits a local attacker to write out-of-bounds memory through a malicious application, potentially allowing modification of protected filesystem areas. The vulnerability requires user interaction to execute the malicious app and affects the file system's integrity rather than confidentiality. No patch is currently available for this out-of-bounds write condition.
Apple
Buffer Overflow
Memory Corruption
macOS
-
CVE-2026-28824
MEDIUM
CVSS 5.3
An authorization bypass vulnerability in macOS allows applications to access sensitive user data through improper state management of access controls. The vulnerability affects macOS Sequoia (before 15.7.5), macOS Sonoma (before 14.8.5), and macOS Tahoe (before 26.4). While no CVSS score, EPSS data, or KEV status is currently published, Apple has released patches addressing this issue, indicating it was discovered through internal review rather than active exploitation.
Apple
Authentication Bypass
macOS
-
CVE-2026-28823
MEDIUM
CVSS 4.9
Root-privileged applications on Apple macOS can bypass path validation to delete protected system files due to insufficient input sanitization. This affects macOS Tahoe 26.4 and requires the attacker to already have root-level access, limiting the attack surface to local privilege escalation scenarios. No patch is currently available.
Apple
Authentication Bypass
macOS
-
CVE-2026-28822
MEDIUM
CVSS 6.2
Type confusion in Apple's iOS, iPadOS, macOS, tvOS, visionOS, and watchOS allows local attackers to trigger unexpected application termination through memory corruption. The vulnerability affects multiple OS versions and currently lacks a publicly available patch. An attacker with local access can exploit this to cause denial of service by crashing targeted applications.
Apple
Memory Corruption
Information Disclosure
macOS
iOS
-
CVE-2026-28820
MEDIUM
CVSS 5.3
An information disclosure vulnerability in macOS Tahoe allows applications to access sensitive user data through insufficient access controls. The vulnerability affects all versions of macOS prior to version 26.4, where the flaw was remediated through improved permission checking mechanisms. While specific technical details are limited, the vulnerability enables malicious or compromised applications to bypass privacy protections and exfiltrate user information.
Apple
Information Disclosure
macOS
-
CVE-2026-28818
MEDIUM
CVSS 5.3
A logging issue in Apple macOS allows applications to access sensitive user data that should have been redacted from logs. The vulnerability affects macOS Sequoia (versions before 15.7.5), macOS Sonoma (versions before 14.8.5), and macOS Tahoe (versions before 26.4). An attacker controlling a malicious app could exploit improper data redaction in system logging to exfiltrate sensitive information that was intended to be masked.
Apple
Authentication Bypass
macOS
-
CVE-2026-28816
MEDIUM
CVSS 4.0
Unauthorized file deletion in macOS Sequoia, Sonoma, and Tahoe allows unprivileged applications to delete files without proper permissions due to insufficient path validation. An attacker could exploit this vulnerability through a malicious app to remove sensitive files outside the application's intended scope. This medium-severity local vulnerability affects multiple recent macOS versions and currently has no available patch.
Apple
Path Traversal
macOS
-
CVE-2026-27659
MEDIUM
CVSS 4.6
A Cross-Site Request Forgery (CSRF) vulnerability exists in Mattermost's access control policy activation endpoint due to improper CSRF token validation. Authenticated attackers can exploit this to trick administrators into activating or deactivating access control policies via crafted requests, potentially altering security posture. The vulnerability affects Mattermost versions 10.11.x through 10.11.10, 11.2.x through 11.2.2, 11.3.x through 11.3.1, and 11.4.0. No public exploitation or active KEV status has been reported, though the CISA SSVC framework indicates no current exploitation evidence and non-automatable attack requirements, limiting immediate real-world threat severity.
CSRF
-
CVE-2026-27656
MEDIUM
CVSS 5.7
Mattermost fails to properly validate user identity in OpenID Connect authentication logic due to an overly permissive substring matching flaw in the IsSameUser() comparison function, allowing attackers with high privileges to take over arbitrary user accounts through the user discovery flow. This affects Mattermost versions 10.11.0-10.11.11, 11.2.0-11.2.3, 11.3.0-11.3.1, and 11.4.0. While the CVSS score of 5.7 is moderate and requires high privilege access and user interaction, the core impact is account takeover with full account compromise possible.
Information Disclosure
-
CVE-2026-27046
MEDIUM
CVSS 6.5
Kaira StoreCustomizer woocustomizer versions 2.6.3 and earlier contain a missing authorization flaw that allows authenticated users to modify store customization settings they should not have access to. An attacker with low-level user privileges can exploit this misconfigured access control to make unauthorized changes to the store's appearance and configuration. No patch is currently available for this vulnerability.
Authentication Bypass
-
CVE-2026-26233
MEDIUM
CVSS 4.3
Mattermost versions 11.4.0, 11.3.x through 11.3.1, 11.2.x through 11.2.3, and 10.11.x through 10.11.11 lack proper rate limiting on login endpoints, allowing unauthenticated attackers to trigger denial of service through HTTP/2 single packet attacks delivering 100+ parallel login requests. This causes server crashes and forced restarts. While the CVSS score of 4.3 is moderate and requires low attack complexity over the network, the vulnerability enables complete service disruption without authentication.
Denial Of Service
Suse
-
CVE-2026-25645
MEDIUM
CVSS 4.4
The Requests library before version 2.33.0 contains a predictable temporary file extraction vulnerability in the `extract_zipped_paths()` utility function that allows local attackers to perform file injection attacks. An attacker with write access to the system temporary directory can pre-create a malicious file at a predictable location that will be loaded instead of the legitimate extracted file, potentially leading to code execution or privilege escalation. This vulnerability only affects applications that directly call the vulnerable utility function, as standard Requests library usage is not impacted.
Information Disclosure
Redhat
-
CVE-2026-25469
MEDIUM
CVSS 6.5
The ViaBill payment gateway plugin for WooCommerce versions 1.1.53 and earlier contains an authorization bypass vulnerability that allows unauthenticated attackers to manipulate access controls. An attacker can exploit this misconfiguration to modify transaction data or disrupt payment processing on affected WordPress stores. No patch is currently available for this vulnerability.
Authentication Bypass
WordPress
-
CVE-2026-25465
MEDIUM
CVSS 6.5
A Stored Cross-Site Scripting (XSS) vulnerability exists in the CodePeople CP Multi View Event Calendar WordPress plugin through version 1.4.35, allowing authenticated or unauthenticated attackers to inject malicious JavaScript that persists in the database and executes in the browsers of site visitors. This CWE-79 vulnerability enables attackers to steal session cookies, redirect users to malicious sites, or perform actions on behalf of administrators. While no CVSS score or EPSS data are currently published and the vulnerability has not been designated as actively exploited in CISA's KEV catalog, the nature of stored XSS combined with the plugin's event calendar functionality, which typically accepts user input for event creation and editing, indicates a credible attack surface.
XSS
-
CVE-2026-25462
MEDIUM
CVSS 6.5
Improper access control in Avalex versions up to 3.1.3 allows unauthenticated remote attackers to modify data or cause service disruptions due to incorrectly configured security levels. The vulnerability requires no user interaction and can be exploited over the network, affecting the integrity and availability of the affected system.
Authentication Bypass
-
CVE-2026-25460
MEDIUM
CVSS 6.3
This is a Missing Authorization (Broken Access Control) vulnerability in LiquidThemes Ave Core plugin affecting versions up to 2.9.1, where incorrectly configured access control security levels allow attackers to bypass authentication mechanisms and access protected functionality. The vulnerability, classified under CWE-862, impacts WordPress installations using the affected Ave Core plugin versions. While no CVSS score, EPSS data, or confirmed KEV status is currently available, the Patchstack intelligence indicates this represents an authentication bypass weakness that could enable unauthorized access to administrative or sensitive features without proper privilege escalation.
Authentication Bypass
-
CVE-2026-25455
MEDIUM
CVSS 6.5
Authenticated users can bypass authorization checks in PickPlugins Product Slider for WooCommerce version 1.13.60 and earlier due to improper access control, allowing them to modify product slider configurations they should not have permission to alter. This vulnerability requires valid WordPress credentials but no additional user interaction, affecting all installations of the vulnerable plugin. A patch is not currently available.
WordPress
Authentication Bypass
-
CVE-2026-25454
MEDIUM
CVSS 6.5
This is a missing authorization vulnerability (CWE-862) in MVPThemes The League WordPress theme affecting versions up to 4.4.1, where incorrectly configured access control security levels allow attackers to bypass authentication mechanisms. An attacker can exploit this broken access control to perform unauthorized actions or access restricted functionality without proper credentials. While no CVSS score or EPSS data is currently available, the vulnerability has been documented by Patchstack and assigned ENISA EUVD ID EUVD-2026-15732, indicating active tracking by EU vulnerability databases.
Authentication Bypass
-
CVE-2026-25437
MEDIUM
CVSS 6.5
GZSEO through version 2.0.14 contains an authorization bypass that allows unauthenticated remote attackers to modify data or cause service disruption through improperly configured access controls. The vulnerability enables attackers to exploit weakened security levels without requiring valid credentials or user interaction. No patch is currently available for this vulnerability.
Authentication Bypass
-
CVE-2026-25430
MEDIUM
CVSS 6.5
The CRM Perks Integration plugin for Mailchimp (versions through 1.2.2) contains a missing authorization flaw that allows authenticated attackers to modify data through incorrectly configured access controls. An attacker with user-level permissions could bypass authorization checks to alter form submissions and contact information across integrated platforms including Contact Form 7, WPForms, Elementor, and Ninja Forms. No patch is currently available for this vulnerability.
Authentication Bypass
-
CVE-2026-25417
MEDIUM
CVSS 6.5
A Stored Cross-Site Scripting (XSS) vulnerability exists in the Metagauss ProfileGrid WordPress plugin through version 5.9.8.1, allowing attackers to inject malicious scripts that persist in the database and execute in the browsers of other users. The vulnerability affects all versions of ProfileGrid up to and including 5.9.8.1, enabling attackers with appropriate access to compromise user sessions, steal credentials, or perform actions on behalf of victims. While no CVSS score or EPSS data is currently available, the Stored XSS classification (CWE-79) combined with active reporting from security researchers indicates this is a legitimate and actionable threat.
XSS
-
CVE-2026-25398
MEDIUM
CVSS 6.5
Vertex Addons for Elementor through version 1.6.4 contains an authorization bypass vulnerability that allows authenticated attackers to modify content or settings they should not have access to due to improperly configured access controls. An attacker with low-level user privileges can escalate their capabilities by exploiting the misconfigured security levels. No patch is currently available for this vulnerability.
Authentication Bypass
-
CVE-2026-25390
MEDIUM
CVSS 6.5
The New User Approve plugin for WordPress versions 3.2.3 and earlier contains a missing authorization check that allows authenticated users to modify access control settings beyond their intended privileges. An attacker with basic user credentials could escalate their permissions or alter security configurations without proper authorization. No patch is currently available for this vulnerability.
Authentication Bypass
-
CVE-2026-25365
MEDIUM
CVSS 6.5
Kargo Takip versions prior to 0.2.4 contain a missing authorization vulnerability that allows authenticated users to modify data or perform unauthorized actions due to improper access control enforcement. An attacker with valid credentials could exploit this weakness to manipulate shipment tracking information or other protected resources without proper privilege verification. No patch is currently available for this vulnerability.
Authentication Bypass
-
CVE-2026-25355
MEDIUM
CVSS 6.5
A Stored Cross-Site Scripting (XSS) vulnerability exists in the Sanzo theme by skygroup, allowing authenticated or unauthenticated attackers to inject malicious scripts that are permanently stored and executed in the context of other users' browsers. This vulnerability affects Sanzo versions prior to 2.4.3 and has been documented by Patchstack as a high-risk input validation failure. Attackers can leverage this to steal session cookies, perform actions on behalf of users, or redirect victims to malicious sites.
XSS
-
CVE-2026-25344
MEDIUM
CVSS 6.5
The RadiusTheme Review Schema WordPress plugin versions up to and including 2.2.6 contains an information disclosure vulnerability (CWE-497) that allows unauthorized attackers to retrieve embedded sensitive data through the plugin's schema implementation. An attacker can exploit this vulnerability to access system information that should not be exposed, potentially leveraging the data for reconnaissance or further attacks. No CVSS score, EPSS data, or confirmed KEV/POC status is currently available, but the vulnerability has been documented by Patchstack and assigned EUVD-2026-15657.
Information Disclosure
-
CVE-2026-25339
MEDIUM
CVSS 6.5
Contact Form by WPForms versions up to 1.9.8.7 contain an Insertion of Sensitive Information Into Sent Data vulnerability (CWE-201) that allows attackers to retrieve embedded sensitive data from contact form submissions. This information disclosure flaw affects the popular WordPress plugin maintained by Syed Balkhi, potentially exposing user data submitted through contact forms. While CVSS and EPSS scores are not yet published and KEV/POC status is unknown, the vulnerability was reported through Patchstack and tracked under ENISA EUVD-2026-15649.
Information Disclosure
-
CVE-2026-25328
MEDIUM
CVSS 6.8
A remote code execution vulnerability in add-ons (CVSS 6.8). Remediation should follow standard vulnerability management procedures.
WordPress
Path Traversal
File Upload
-
CVE-2026-25327
MEDIUM
CVSS 6.5
Rustaurius Five Star Restaurant Reservations through version 2.7.9 contains an authorization bypass vulnerability that allows unauthenticated attackers to modify reservation data and disrupt service availability by exploiting misconfigured access controls. The vulnerability requires no user interaction and can be triggered remotely, enabling attackers to tamper with restaurant operations without authentication. No patch is currently available for this vulnerability.
Authentication Bypass
-
CVE-2026-25034
MEDIUM
CVSS 6.5
Iqonic Design KiviCare clinic management system versions 3.6.16 and earlier contain an authorization bypass vulnerability that allows unauthenticated remote attackers to modify data and disrupt service availability through improperly configured access controls. The vulnerability has no available patch and affects the system's ability to properly enforce permission levels across its features.
Authentication Bypass
-
CVE-2026-25009
MEDIUM
CVSS 6.5
The Education Zone WordPress theme through version 1.3.8 contains an access control misconfiguration that allows unauthenticated remote attackers to modify content and cause service disruptions. This missing authorization vulnerability enables attackers to bypass security controls and perform unauthorized actions on affected sites. No patch is currently available for this vulnerability.
Authentication Bypass
-
CVE-2026-24987
MEDIUM
CVSS 6.5
Authenticated users can bypass authorization controls in WP System Log plugin versions up to 1.2.7 to modify system logs due to improper access control validation. An attacker with valid credentials could alter log data to cover tracks or manipulate audit records without additional privileges. No patch is currently available for this vulnerability.
Authentication Bypass
-
CVE-2026-24972
MEDIUM
CVSS 6.5
Elated Listing through version 1.4 contains an authorization bypass that allows authenticated users to modify data they should not have access to due to improperly configured access controls. An attacker with valid credentials can exploit this missing authorization check to perform unauthorized modifications, though they cannot access sensitive information or disrupt system availability. No patch is currently available for this medium-severity vulnerability.
Authentication Bypass
-
CVE-2026-24964
MEDIUM
CVSS 6.4
A Server-Side Request Forgery (SSRF) vulnerability exists in Contest Gallery, a WordPress plugin developed by Wasiliy Strecker, affecting versions up to and including 28.1.2.1. This vulnerability allows attackers to abuse the affected application to make unauthorized requests to internal or external systems, potentially leading to information disclosure, internal network reconnaissance, or attacks against backend services. The vulnerability was reported by Patchstack and tracked under EUVD-2026-15576; however, no CVSS score, EPSS data, or confirmed active exploitation status is currently available, limiting the ability to assess immediate severity.
SSRF
-
CVE-2026-24376
MEDIUM
CVSS 6.5
WPVulnerability plugin through version 4.2.1 contains an authorization bypass that allows authenticated users to modify data they should not have access to due to improperly enforced access controls. An attacker with valid login credentials can escalate privileges to perform unauthorized modifications within the plugin's protected functions. No patch is currently available for this vulnerability.
Authentication Bypass
-
CVE-2026-24370
MEDIUM
CVSS 6.5
A Stored Cross-Site Scripting (XSS) vulnerability exists in Theme-one's The Grid WordPress plugin versions prior to 2.8.0, allowing attackers to inject and persist malicious scripts that execute in the browsers of other users viewing affected pages. An authenticated or unauthenticated attacker can exploit improper input neutralization during web page generation to inject arbitrary JavaScript code. While no CVSS score, EPSS probability, or KEV status has been assigned, the vulnerability is confirmed by Patchstack and carries significant risk given the stored nature of the XSS and the plugin's widespread WordPress ecosystem adoption.
XSS
-
CVE-2026-24364
MEDIUM
CVSS 6.5
Improper access control in WP User Frontend through version 4.2.5 allows authenticated users to modify content they should not have permission to access. An attacker with valid WordPress credentials could exploit misconfigured security levels to gain unauthorized write access to restricted resources without requiring additional user interaction.
Authentication Bypass
-
CVE-2026-24362
MEDIUM
CVSS 6.4
A missing authorization vulnerability exists in bdthemes Ultimate Post Kit WordPress plugin through version 4.0.21, where incorrectly configured access control allows attackers to bypass authentication mechanisms and exploit broken access control security levels. An attacker can leverage this vulnerability to perform unauthorized actions that should be restricted to authenticated or privileged users. While no CVSS score, EPSS data, or confirmed KEV status is currently available, the vulnerability is classified under CWE-862 (Missing Authorization) and has been documented by Patchstack, indicating active research and potential exploitation concern.
Authentication Bypass
-
CVE-2026-23972
MEDIUM
CVSS 6.5
The Booking and Rental Manager plugin for WordPress through version 2.6.0 contains an authorization bypass that allows authenticated attackers to modify data they should not have access to. An attacker with low-privilege user credentials can exploit inadequately enforced access controls to perform unauthorized actions. No patch is currently available for this vulnerability.
WordPress
Authentication Bypass
-
CVE-2026-23636
MEDIUM
CVSS 5.5
Kiteworks Secure Data Forms contains an unrestricted file upload vulnerability (CWE-434) that allows form managers to upload files with dangerous types due to missing input validation. An authenticated attacker with manager privileges can exploit this to upload malicious files, potentially leading to code execution or system compromise. The vulnerability affects all versions prior to 9.2.1, and a patch is available; no public exploit code has been confirmed, but the moderate CVSS score of 5.5 reflects the high integrity impact combined with the requirement for elevated privileges.
File Upload
-
CVE-2026-23635
MEDIUM
CVSS 6.5
Kiteworks Secure Data Forms prior to version 9.2.1 contains a misconfiguration of security attributes that allows unprotected transport of credentials over the network, enabling attackers to intercept sensitive authentication material in transit, potentially leading to account compromise and unauthorized access to the private data network. No active exploitation in the wild (KEV) or public proof-of-concept has been reported, though the CVSS 6.5 score and high confidentiality impact indicate meaningful risk.
Information Disclosure
-
CVE-2026-22485
MEDIUM
CVSS 6.5
Improper access control in My Album Gallery versions up to 1.0.4 enables authenticated users to modify gallery data they should not have permission to access. An attacker with valid credentials can exploit this misconfiguration to alter or manipulate album content without proper authorization checks.
Authentication Bypass
-
CVE-2026-20719
MEDIUM
CVSS 4.3
Mattermost fails to properly sanitize external SVG rendering in link embeds, allowing unauthenticated users to trigger denial-of-service conditions in both web and desktop applications. An attacker can create a malicious GitHub issue or pull request containing a crafted external SVG that crashes the Mattermost webapp and desktop client when the link is embedded. This vulnerability affects Mattermost versions 11.4.0 and below, 11.3.1 and below, 11.2.3 and below, and 10.11.11 and below, with a CVSS score of 4.3 indicating low-to-moderate severity focused on availability impact rather than confidentiality or integrity.
Denial Of Service
-
CVE-2026-20699
MEDIUM
CVSS 6.2
A downgrade vulnerability affecting Intel-based Mac computers allows malicious applications to bypass code-signing restrictions and access user-sensitive data. The vulnerability impacts macOS Sequoia (versions before 15.7.5), macOS Sonoma (versions before 14.8.5), macOS Tahoe (versions before 26.3 and 26.4), and affects all Intel-based Mac systems running vulnerable versions. An attacker can craft an application that exploits insufficient code-signing validation to downgrade security protections and exfiltrate sensitive user information.
Apple
Information Disclosure
Intel
Jwt Attack
macOS
-
CVE-2026-20697
MEDIUM
CVSS 5.3
A permissions enforcement vulnerability in macOS allows applications to bypass sandbox restrictions and access sensitive user data without proper authorization. The issue affects macOS Sequoia (versions before 15.7.5), macOS Sonoma (versions before 14.8.5), and macOS Tahoe (versions before 26.4). Apple has patched this vulnerability through enhanced permission restrictions, but no public exploit code or active in-the-wild exploitation has been confirmed at this time.
Apple
Authentication Bypass
macOS
-
CVE-2026-20695
MEDIUM
CVSS 6.2
An information disclosure vulnerability in macOS allows applications to determine kernel memory layout through improper memory management, enabling potential attacks that rely on kernel address space layout randomization (KASLR) bypass. This issue affects macOS Sequoia (before 15.7.5), macOS Sonoma (before 14.8.5), and macOS Tahoe (before 26.4). An unprivileged application can exploit this to leak kernel memory addresses, which is a critical prerequisite for more sophisticated kernel exploitation attacks. No CVSS score, EPSS probability, or evidence of active exploitation in CISA KEV catalog has been published, though the vulnerability was patched by Apple across three major OS versions, suggesting it was discovered through responsible disclosure rather than in-the-wild exploitation.
Apple
Information Disclosure
macOS
-
CVE-2026-20694
MEDIUM
CVSS 5.5
This vulnerability involves improper handling of symbolic links in Apple operating systems that could allow an application to access user-sensitive data without proper authorization. The flaw affects iOS and iPadOS versions prior to 26.3, macOS Sequoia versions prior to 15.7.4, macOS Sonoma versions prior to 14.8.4, and macOS Tahoe versions prior to 26.3 and 26.4. An attacker with the ability to execute code in a sandboxed application context could potentially bypass security restrictions to access protected user information, though no active exploitation in the wild has been confirmed at this time.
Apple
Information Disclosure
macOS
iOS
-
CVE-2026-20693
MEDIUM
CVSS 4.9
Protected system files on macOS (Sequoia 15.7.5, Sonoma 14.8.5, and Tahoe 26.4) can be deleted by attackers with root privileges due to improper state management. This integrity-impacting vulnerability affects administrators and privileged users who could leverage elevated access to remove critical system components. No patch is currently available for this medium-severity issue.
Apple
Information Disclosure
macOS
-
CVE-2026-20692
MEDIUM
CVSS 5.3
A privacy vulnerability in Apple's Mail application allows the "Hide IP Address" and "Block All Remote Content" user preferences to fail inconsistently across certain mail content, potentially exposing user IP addresses and loading remote content despite explicit user configuration. This affects iOS, iPadOS, and multiple macOS versions. While no CVSS score or EPSS data is currently available and there is no indication of active exploitation in the wild (KEV status not listed), the vulnerability represents a direct circumvention of privacy controls that users explicitly enable to protect their identity and security posture.
Apple
Information Disclosure
macOS
iOS
-
CVE-2026-20691
MEDIUM
CVSS 4.3
An authorization and state management flaw in Apple's WebKit browser engine allows maliciously crafted webpages to fingerprint users by exploiting improper state handling during web interactions. This vulnerability affects Safari 26.4, iOS 26.4, iPadOS 26.4, macOS Tahoe 26.4, visionOS 26.4, and watchOS 26.4 across all Apple platforms. An attacker can exploit this by hosting a specially crafted webpage that leverages the state management weakness to extract browser or device identifiers without user knowledge, enabling user tracking and profiling attacks. No CVSS score, EPSS data, or public proof-of-concept details are currently available, though Apple has released fixes across all affected platforms.
Apple
Information Disclosure
Safari
macOS
iOS
-
CVE-2026-20690
MEDIUM
CVSS 6.5
Maliciously crafted media files containing out-of-bounds memory access in Apple's audio processing can crash affected applications across iOS, iPadOS, macOS, tvOS, visionOS, and watchOS. An attacker can cause a denial of service by delivering a specially crafted audio stream, though no patch is currently available. This impacts multiple recent OS versions where an out-of-bounds read occurs during media file processing.
Apple
Buffer Overflow
Information Disclosure
macOS
iOS
-
CVE-2026-20686
MEDIUM
CVSS 5.3
An input validation flaw in iOS and iPadOS allows malicious applications to bypass security controls and access sensitive user data without proper authorization. The vulnerability affects iOS and iPadOS versions prior to 26.3, where insufficient input validation in an unspecified component permits unauthorized data disclosure. Apple has patched this vulnerability in iOS 26.3 and iPadOS 26.3, and there are no public indicators of active exploitation or proof-of-concept availability.
Apple
Information Disclosure
iOS
-
CVE-2026-20670
MEDIUM
CVSS 5.5
An authorization bypass vulnerability in macOS allows applications to access sensitive user data through improper state management. The vulnerability affects macOS Sonoma 14.8.4 and earlier versions, as well as macOS Tahoe 26.3 and earlier, enabling unprivileged apps to circumvent authorization checks and obtain restricted user information. Apple has addressed this issue through patched releases, and no public exploitation activity or proof-of-concept code has been reported at this time.
Apple
Information Disclosure
macOS
-
CVE-2026-20668
MEDIUM
CVSS 5.5
A logging issue in Apple's operating systems allows improper data redaction in system logs, enabling installed applications to access sensitive user data that should have been masked. This vulnerability affects iOS 18.7.7 and earlier, iPadOS 18.7.7 and earlier, iOS 26.3 and earlier, iPadOS 26.3 and earlier, macOS Sequoia 15.7.5 and earlier, macOS Sonoma 14.8.5 and earlier, macOS Tahoe 26.3 and earlier, and visionOS 26.3 and earlier. An attacker with the ability to install or control an application on an affected device could exploit inadequate log data filtering to extract confidential user information that should be protected by the operating system's redaction mechanisms.
Apple
Information Disclosure
macOS
iOS
-
CVE-2026-20665
MEDIUM
CVSS 6.5
This vulnerability allows attackers to bypass Content Security Policy (CSP) enforcement in Apple's WebKit engine through maliciously crafted web content, affecting Safari and all Apple platforms including iOS, iPadOS, macOS, tvOS, visionOS, and watchOS. The vulnerability stems from improper state management during web content processing, enabling attackers to circumvent a critical security control that prevents injection attacks and unauthorized script execution. While no CVSS score or EPSS data is currently available, the broad platform impact across Apple's entire ecosystem and the fundamental nature of CSP bypass as an information disclosure vector indicate significant real-world risk.
Apple
Information Disclosure
Safari
macOS
iOS
-
CVE-2026-20664
MEDIUM
CVSS 4.3
Memory corruption in Apple Safari, iOS, iPadOS, macOS, and visionOS allows remote attackers to crash affected processes by delivering maliciously crafted web content to users. The vulnerability requires user interaction to view the malicious content and does not enable code execution or information disclosure. A patch is currently unavailable for this issue.
Apple
Memory Corruption
Buffer Overflow
Safari
macOS
-
CVE-2026-20657
MEDIUM
CVSS 6.5
Improper memory handling in Apple iOS, iPadOS, and macOS allows remote denial of service when processing maliciously crafted files, potentially causing unexpected application crashes. An attacker can trigger this vulnerability by delivering a specially crafted file to a victim, resulting in app termination without requiring user privileges or interaction beyond opening the file. No patch is currently available for this medium-severity vulnerability affecting multiple Apple platforms.
Apple
Buffer Overflow
macOS
iOS
-
CVE-2026-20651
MEDIUM
CVSS 6.2
A privacy vulnerability in macOS allows applications to access sensitive user data through improper handling of temporary files. The issue affects macOS Sequoia (versions prior to 15.7.5), macOS Sonoma (versions prior to 14.8.4), and macOS Tahoe (versions prior to 26.3). An unprivileged application could exploit weak temporary file protections to read or manipulate sensitive data, though no active exploitation in the wild or public proof-of-concept has been confirmed at this time.
Apple
Information Disclosure
macOS
-
CVE-2026-20637
MEDIUM
CVSS 6.2
Denial of service in Apple iOS, iPadOS, and macOS due to a use-after-free memory corruption vulnerability allows local attackers to trigger unexpected system termination. The flaw affects multiple Apple platforms including iOS 18.x, macOS Sequoia, Sonoma, and Tahoe versions. No patch is currently available.
Apple
Use After Free
Denial Of Service
Memory Corruption
macOS
-
CVE-2026-20633
MEDIUM
CVSS 5.5
This vulnerability involves improper handling of symbolic links (symlinks) in macOS, which could allow an application to access sensitive user data without proper authorization. The issue affects multiple macOS versions including Sequoia 15.7.5, Sonoma 14.8.5, and Tahoe 26.4, representing an information disclosure vulnerability with potential impact on user privacy. Apple has released patches to address the symlink handling deficiency, though specific attack complexity and exploitation metrics are not publicly detailed.
Apple
Information Disclosure
macOS
-
CVE-2026-20632
MEDIUM
CVSS 5.3
Improper path validation in Apple macOS Tahoe allows unauthenticated remote attackers to read sensitive user data through directory path traversal. The vulnerability requires no user interaction and affects systems prior to macOS Tahoe 26.4. No patch is currently available for this medium-severity issue.
Apple
Authentication Bypass
macOS
-
CVE-2026-20607
MEDIUM
CVSS 4.0
A permissions enforcement vulnerability in macOS allows applications to bypass security restrictions and access protected user data due to insufficient authorization checks. This issue affects macOS Sequoia (prior to 15.7.5), macOS Sonoma (prior to 14.8.5), and macOS Tahoe (prior to 26.4). An attacker with the ability to execute an application on the affected system could potentially access sensitive user information without proper user consent or authorization. No CVSS score, EPSS data, or active exploitation in the wild (KEV status) has been disclosed by Apple.
Apple
Privilege Escalation
macOS
-
CVE-2026-20115
MEDIUM
CVSS 6.1
Cisco Meraki devices running vulnerable IOS XE Software transmit configuration data over unencrypted channels, enabling remote attackers to intercept sensitive device information through on-path attacks. The vulnerability requires user interaction and network proximity, and no patch is currently available, leaving affected organizations exposed until remediation is implemented. This affects both Cisco and Apple products integrating the vulnerable software.
Cisco
Information Disclosure
Apple
-
CVE-2026-20114
MEDIUM
CVSS 5.4
Insufficient parameter validation in Cisco IOS XE Software's Lobby Ambassador management API allows authenticated remote attackers to bypass access controls and create unauthorized administrative accounts. An attacker with standard Lobby Ambassador credentials can exploit this flaw to escalate privileges and gain full management API access on affected devices. This impacts Cisco and Apple products and currently has no available patch.
Cisco
Information Disclosure
Apple
-
CVE-2026-20113
MEDIUM
CVSS 5.3
A CRLF injection vulnerability exists in the web-based Cisco IOx application hosting environment management interface of Cisco IOS XE Software that allows unauthenticated remote attackers to inject arbitrary log entries and manipulate log file structure. The vulnerability stems from insufficient input validation in the Cisco IOx management interface and affects a broad range of Cisco IOS XE Software versions from 16.6.1 through 17.18.1x. A successful exploit enables attackers to obscure legitimate log events, inject malicious log entries, or corrupt log file integrity without requiring authentication, making it particularly dangerous in environments where log analysis is relied upon for security monitoring and compliance.
Cisco
Code Injection
Apple
-
CVE-2026-20112
MEDIUM
CVSS 4.8
A stored cross-site scripting (XSS) vulnerability exists in the web-based Cisco IOx application hosting environment management interface within Cisco IOS XE Software, allowing authenticated remote attackers with administrative credentials to inject malicious scripts that execute in the context of other users' browser sessions. Successful exploitation enables arbitrary script execution and access to sensitive browser-based information affecting a wide range of Cisco IOS XE versions from 16.6.1 through 17.18.1a. This vulnerability requires valid administrative credentials and user interaction but poses a significant risk in multi-administrator environments where privilege escalation or lateral movement could occur.
Cisco
XSS
Apple
-
CVE-2026-20110
MEDIUM
CVSS 6.5
Insufficient privilege validation on the start maintenance command in Cisco IOS XE Software enables authenticated local attackers to trigger a denial of service by placing devices into maintenance mode, which disables network interfaces. Low-privileged users can exploit this via CLI access without administrative credentials. Device recovery requires administrator intervention using the stop maintenance command.
Cisco
Denial Of Service
Apple
-
CVE-2026-20108
MEDIUM
CVSS 5.4
Cisco Catalyst SD-WAN Manager's web interface contains a reflected cross-site scripting (XSS) vulnerability that requires user interaction and authentication to exploit. An attacker can craft a malicious link to execute arbitrary JavaScript in a victim's browser session, potentially stealing sensitive information or performing unauthorized actions within the management interface. No patch is currently available.
Cisco
XSS
-
CVE-2026-20104
MEDIUM
CVSS 6.1
This vulnerability in Cisco IOS XE Software bootloader affects Catalyst 9200, ESS9300, IE9310/9320, and IE3500/3505 series switches, allowing authenticated local attackers with level-15 privileges or unauthenticated attackers with physical access to execute arbitrary code at boot time and bypass the chain of trust. An attacker can manipulate loaded binaries to circumvent integrity checks during boot, enabling execution of non-Cisco-signed images. While the CVSS score is 6.1 (Medium), Cisco assigned it a High Security Impact Rating due to the critical nature of breaking the secure boot mechanism, a foundational security control.
Cisco
RCE
Apple
-
CVE-2026-20083
MEDIUM
CVSS 6.5
Improper validation of malformed SCP requests in Cisco IOS XE Software allows authenticated local attackers to trigger unexpected device reloads and cause service disruption. An attacker with low privileges can exploit this vulnerability by sending a crafted SSH command to the SCP server component. No patch is currently available for this denial of service vulnerability.
Cisco
Denial Of Service
Apple
-
CVE-2026-4826
MEDIUM
CVSS 5.3
SQL injection in SourceCodester Sales and Inventory System 1.0 allows authenticated remote attackers to manipulate the sid parameter in /update_stock.php via HTTP GET requests, enabling unauthorized database query execution with limited confidentiality and integrity impact. Publicly available exploit code exists, and the vulnerability carries a moderate CVSS 5.3 score with low real-world exploitation probability (EPSS 0.03%, percentile 8%), indicating this is a lower-priority issue despite public disclosure.
PHP
SQLi
-
CVE-2026-4825
MEDIUM
CVSS 5.3
SQL injection in SourceCodester Sales and Inventory System 1.0 via the sid parameter in /update_sales.php allows authenticated remote attackers to execute arbitrary SQL queries and potentially access or modify database contents. Public exploit code exists for this vulnerability and exploitation requires valid user credentials. No patch is currently available.
PHP
SQLi
-
CVE-2026-4816
MEDIUM
CVSS 4.8
A Reflected Cross-Site Scripting (XSS) vulnerability exists in Support Board v3.7.7 that allows unauthenticated attackers to inject malicious JavaScript code via the 'search' parameter in the '/supportboard/include/articles.php' endpoint. Successful exploitation enables attackers to steal session cookies, perform unauthorized actions on behalf of victims, or harvest sensitive user data through victim browsers. A vendor patch is available, and the vulnerability has been officially reported by INCIBE, indicating moderate real-world attention.
XSS
PHP
-
CVE-2026-4784
MEDIUM
CVSS 6.9
SQL injection in Simple Laundry System 1.0 PHP application allows unauthenticated remote attackers to execute arbitrary database queries through the serviceId parameter in /checkcheckout.php. Public exploit code exists for this vulnerability, and no patch is currently available.
PHP
SQLi
-
CVE-2026-4783
MEDIUM
CVSS 5.3
SQL injection in the College Management System 1.0 parameter handler allows authenticated attackers to manipulate the course_code argument in /admin/add-single-student-results.php and execute arbitrary database queries. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires network access and valid credentials but can compromise data confidentiality and integrity.
PHP
SQLi
-
CVE-2026-4766
MEDIUM
CVSS 6.4
The Easy Image Gallery plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in the Gallery shortcode post meta field that affects all versions up to and including 1.5.3. Authenticated attackers with Contributor-level access or higher can inject arbitrary JavaScript that executes in the browsers of users viewing the affected pages, potentially compromising user sessions, stealing credentials, or performing actions on behalf of legitimate users. The vulnerability stems from insufficient input sanitization and output escaping in the shortcode handler, as documented in the WordPress plugin repository source code.
WordPress
XSS
-
CVE-2026-3591
MEDIUM
CVSS 5.4
A use-after-return vulnerability in ISC BIND 9's SIG(0) DNS query handler allows an attacker with low-level authentication privileges to manipulate ACL matching logic, potentially bypassing default-allow access controls and gaining unauthorized access to DNS services. The vulnerability affects BIND 9 versions 9.20.0-9.20.20, 9.21.0-9.21.19, and their security branches (9.20.9-S1-9.20.20-S1), while older stable releases (9.18.x) are unaffected. Vendor patches are available, and the moderate CVSS 5.4 score reflects limited technical impact when ACLs are properly configured with fail-secure defaults.
Authentication Bypass
Ubuntu
Debian
Suse
-
CVE-2026-3218
MEDIUM
CVSS 4.8
The Drupal Responsive Favicons module contains an improper input neutralization vulnerability that allows attackers to inject malicious JavaScript code into web pages (Cross-Site Scripting/XSS). All versions from 0.0.0 up to and including 2.0.1 are affected, with the vulnerability classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). While no CVSS score or EPSS probability metric is currently available, the vulnerability is documented in the official Drupal security advisory (SA-CONTRIB-2026-019) and has been assigned EUVD-2026-15479, indicating this is a confirmed security flaw requiring immediate patching.
XSS
-
CVE-2026-3217
MEDIUM
CVSS 6.1
A Cross-Site Scripting (XSS) vulnerability exists in the Drupal SAML SSO - Service Provider module due to improper neutralization of user input during web page generation. All versions prior to 3.1.3 are affected, allowing attackers to inject malicious scripts that execute in the browsers of users interacting with SAML authentication flows. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), and while no CVSS score or EPSS data is currently available, the nature of XSS in authentication modules represents a significant risk to credential theft and session hijacking.
XSS
-
CVE-2026-3216
MEDIUM
CVSS 5.0
A Server-Side Request Forgery (SSRF) vulnerability exists in Drupal Canvas versions prior to 1.1.1, allowing attackers to manipulate the server into making unauthorized requests to internal or external resources. This vulnerability affects all Drupal Canvas installations from version 0.0.0 through 1.1.0, enabling attackers to access sensitive internal services, bypass network segmentation, or exfiltrate data. No CVSS score, EPSS data, or public proof-of-concept information is currently available, though the vulnerability has been formally documented by the Drupal security team.
SSRF
-
CVE-2026-3215
MEDIUM
CVSS 5.4
A Cross-Site Scripting (XSS) vulnerability exists in Drupal Islandora due to improper neutralization of user input during web page generation. All versions of Islandora from 0.0.0 through 2.17.4 are affected, allowing attackers to inject and execute malicious JavaScript in the context of affected users' browsers. Exploitation enables session hijacking, credential theft, malware distribution, and defacement of the repository interface.
XSS
-
CVE-2026-3214
MEDIUM
CVSS 6.5
The Drupal CAPTCHA module contains an authentication bypass vulnerability (CWE-288) that allows attackers to circumvent CAPTCHA protection through an alternate path or channel, enabling functionality bypass. This vulnerability affects CAPTCHA versions 0.0.0 through 1.16.x and 2.0.0 through 2.0.9, allowing attackers to bypass CAPTCHA challenges intended to prevent automated abuse. While no CVSS score or EPSS data is currently available, the presence of an official Drupal security advisory and specific patched versions indicates active remediation efforts by the vendor.
Authentication Bypass
-
CVE-2026-3213
MEDIUM
CVSS 4.7
A Cross-Site Scripting (XSS) vulnerability exists in the Drupal Anti-Spam by CleanTalk module due to improper neutralization of user input during web page generation. All versions from 0.0.0 through 9.6.x are affected, with a patch available in version 9.7.0 or later. Attackers can inject malicious scripts that execute in the context of authenticated users' browsers, potentially leading to session hijacking, credential theft, or defacement of Drupal sites.
XSS
-
CVE-2026-3212
MEDIUM
CVSS 5.4
A Cross-Site Scripting (XSS) vulnerability exists in Drupal Tagify module versions prior to 1.2.49, stemming from improper neutralization of user input during web page generation. An attacker can inject malicious scripts that execute in the context of other users' browsers, potentially leading to session hijacking, credential theft, or malware distribution. This vulnerability affects all Tagify installations from version 0.0.0 through 1.2.48, and patch availability has been confirmed through the Drupal security advisory.
XSS
Drupal
-
CVE-2026-3211
MEDIUM
CVSS 4.3
A Cross-Site Request Forgery (CSRF) vulnerability exists in the Drupal Theme Negotiation by Rules module, affecting all versions from 0.0.0 prior to 1.2.1. An attacker can exploit this flaw to perform unauthorized actions on behalf of authenticated users by crafting malicious requests that bypass CSRF protections in the theme negotiation functionality. The vulnerability has been officially documented by the Drupal security team via SA-CONTRIB-2026-012, and users of this contrib module should prioritize patching to version 1.2.1 or later.
CSRF
-
CVE-2026-3210
MEDIUM
CVSS 5.3
An incorrect authorization vulnerability exists in the Drupal Material Icons module that allows attackers to bypass authentication controls and access restricted resources through forceful browsing (CWE-863). The vulnerability affects Material Icons versions 0.0.0 through 2.0.3, enabling unauthenticated or low-privileged users to enumerate and access icon resources that should be restricted. No CVSS score, EPSS data, or known exploits in the wild have been disclosed at this time, but the vulnerability has been formally documented by the Drupal security team with a dedicated security advisory.
Authentication Bypass
-
CVE-2026-3119
MEDIUM
CVSS 6.5
BIND 9 DNS server crashes when processing specially crafted TSIG-authenticated queries containing TKEY records, affecting versions 9.20.0-9.20.20, 9.21.0-9.21.19, and 9.20.9-S1-9.20.20-S1 on Ubuntu, SUSE, and Debian systems. An authenticated attacker with a valid TSIG key can trigger a denial of service by sending a malformed query, disrupting DNS resolution services. A patch is available for affected installations.
Denial Of Service
Ubuntu
Suse
Debian
-
CVE-2026-2973
MEDIUM
CVSS 5.4
This vulnerability is a stored cross-site scripting (XSS) flaw in GitLab's Mermaid diagram rendering that allows authenticated users to inject arbitrary JavaScript code into other users' browsers through improperly sanitized entity-encoded content. The vulnerability affects GitLab CE/EE versions 17.7 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1, with a CVSS score of 5.4 (medium severity). A public proof-of-concept exploit is available on HackerOne, indicating active awareness in the security community.
Gitlab
XSS
-
CVE-2026-2745
MEDIUM
CVSS 6.8
GitLab CE/EE versions 7.11 through 18.10 contain an authentication bypass vulnerability in the WebAuthn two-factor authentication implementation due to inconsistent input validation, allowing unauthenticated attackers to gain unauthorized access to user accounts. The vulnerability affects a wide version range spanning multiple releases (7.11 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1). A proof-of-concept exploit is publicly available, and while the CVSS score of 6.8 indicates moderate severity, the authentication bypass nature and active exploit availability represent a significant real-world threat to GitLab deployments.
Gitlab
Authentication Bypass
-
CVE-2026-2726
MEDIUM
CVSS 4.3
GitLab CE/EE contains an improper access control vulnerability in cross-repository merge request operations that allows authenticated users to perform unauthorized actions on merge requests in projects they should not have access to. Affected versions span from 11.10 through 18.10.1, with patches available in 18.8.7, 18.9.3, and 18.10.1. A public proof-of-concept exploit exists (referenced via HackerOne report 3543886), though CISA has not listed this in the Known Exploited Vulnerabilities catalog, indicating limited active exploitation despite public availability of exploit code.
Gitlab
Authentication Bypass
-
CVE-2026-2485
MEDIUM
CVSS 4.8
IBM InfoSphere Information Server versions 11.7.0.0 through 11.7.1.6 contain a stored cross-site scripting (XSS) vulnerability in the Web UI that allows a privileged user to inject arbitrary JavaScript, potentially leading to credential disclosure and session compromise. The attack needs high privileges and a victim's interaction, which keeps the CVSS score at 4.8, and a vendor patch is available. No active exploitation or public proof-of-concept is reported, but organizations running affected versions in security-sensitive environments should still prioritize the fix.
IBM
XSS
-
CVE-2026-2484
MEDIUM
CVSS 4.3
IBM InfoSphere Information Server versions 11.7.0.0 through 11.7.1.6 contain a stored or reflected cross-site scripting (XSS) vulnerability in the Web UI that allows authenticated users to inject arbitrary JavaScript code. An attacker with valid credentials can exploit this vulnerability to steal session tokens, capture credentials entered by other users, or perform actions on behalf of compromised administrators within a trusted session, potentially leading to unauthorized access to sensitive data integration and metadata management systems.
IBM
XSS
-
CVE-2026-2483
MEDIUM
CVSS 5.4
IBM InfoSphere Information Server versions 11.7.0.0 through 11.7.1.6 contain a stored or reflected cross-site scripting (XSS) vulnerability in the Web UI that allows authenticated users to inject arbitrary JavaScript code. An attacker with valid credentials can exploit this vulnerability to alter application functionality and potentially steal session credentials or perform actions on behalf of other users within a trusted browser session. A patch is available from IBM, and the vulnerability has a CVSS score of 5.4 with moderate real-world risk due to the requirement for prior authentication and user interaction.
IBM
XSS
-
CVE-2026-2414
MEDIUM
CVSS 5.6
HYPR Server versions 9.5.2 through 10.7.1 contain an authorization bypass through a user-controlled key (the CWE-639 pattern, in which the server trusts a client-supplied identifier to select the record or role it operates on) that lets an authenticated attacker escalate privileges. An attacker with low privileges can substitute identifiers in requests to obtain high-level access, compromising the confidentiality, integrity, and availability of the authentication system. Exploitation requires local or physical access and valid user credentials, which limits the immediate threat scope, but the impact is serious in multi-tenant or shared infrastructure deployments.
Privilege Escalation
Authentication Bypass
-
CVE-2026-2349
MEDIUM
CVSS 6.1
A cross-site scripting (XSS) vulnerability exists in the Drupal UI Icons module due to improper neutralization of user input during web page generation. It affects all UI Icons releases up to and including 1.0.0, and release 1.1.0, allowing attackers to inject scripts that execute in victims' browsers. The listed CVSS score is 6.1; no EPSS data or KEV listing is currently available. Update to 1.0.1 or 1.1.1 as appropriate.
XSS
-
CVE-2026-2348
MEDIUM
CVSS 5.4
A cross-site scripting (XSS) vulnerability exists in the Drupal Quick Edit module due to improper neutralization of user input during web page generation. It affects all Quick Edit releases up to and including 1.0.4, and release 2.0.0, allowing attackers to inject scripts that execute in the browsers of authenticated users. The issue is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) and was disclosed by the Drupal security team with patched releases available.
XSS
-
CVE-2026-2343
MEDIUM
CVSS 5.3
The PeproDev Ultimate Invoice WordPress plugin through version 2.2.5 contains an information disclosure vulnerability in its bulk invoice download feature, which writes exported invoice PDFs into ZIP archives with predictable file names. An unauthenticated or low-privileged attacker can enumerate the naming scheme to retrieve archives containing personally identifiable information (PII) from other customers' invoices. A public proof-of-concept is available via WPScan, which lowers the bar for exploitation considerably.
WordPress
Information Disclosure
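The failure mode in this entry is an archive name derivable from values an outsider already knows. The Python below is an added illustration and not the plugin's code: the date-plus-counter naming scheme is a hypothetical stand-in for whatever the plugin actually does, and the set of "published" archives is constructed for the example. It contrasts that scheme with a CSPRNG token name and shows why the token alone is not the whole fix.

```python
import secrets
from datetime import date, timedelta


def predictable_archive_name(export_day: date, sequence: int) -> str:
    """Hypothetical naming scheme of the vulnerable kind: every input (a date
    and a small per-day counter) is something an outsider can guess."""
    return f"invoices-{export_day:%Y%m%d}-{sequence:03d}.zip"


def brute_force_candidates(start: date, days: int, max_sequence: int) -> list[str]:
    """Attacker side: the complete name space is days * max_sequence strings,
    i.e. a few thousand HTTP requests, each answering 404 or a PII archive."""
    return [
        predictable_archive_name(start + timedelta(days=d), seq)
        for d in range(days)
        for seq in range(1, max_sequence + 1)
    ]


def count_hits(published: set[str], candidates: list[str]) -> int:
    """Simulates probing the web server: how many real archives the guesses find."""
    return sum(1 for name in candidates if name in published)


def demo_scenario() -> tuple[int, int]:
    """Constructed scenario: two real exports on two days, one week of guesses.
    Returns (number of guesses, number of archives recovered)."""
    published = {
        predictable_archive_name(date(2026, 3, 1), 7),
        predictable_archive_name(date(2026, 3, 3), 2),
    }
    guesses = brute_force_candidates(date(2026, 3, 1), days=7, max_sequence=20)
    return len(guesses), count_hits(published, guesses)


def unguessable_archive_name() -> str:
    """Hardened naming: 32 bytes from the OS CSPRNG (256 bits). Nothing about
    the customer, order or export time is encoded in the name, so there is no
    pattern to walk and guessing is infeasible."""
    return f"invoices-{secrets.token_urlsafe(32)}.zip"


def looks_unguessable(name: str) -> bool:
    """Check usable in a test or code review: the token part must be at least
    the 43 URL-safe characters that 32 random bytes encode to."""
    token = name.removeprefix("invoices-").removesuffix(".zip")
    return len(token) >= 43 and all(c.isalnum() or c in "-_" for c in token)


def authorize_download(session_user_id: int, archive_owner_id: int, admin: bool) -> bool:
    """Random names stop enumeration; they are not an access control. The
    download endpoint must still verify that the requester owns the export
    (or is an administrator) before serving the bytes."""
    return admin or session_user_id == archive_owner_id


if __name__ == "__main__":
    guesses, hits = demo_scenario()
    print(f"{guesses} guesses recover {hits} archives under the predictable scheme")
    print("hardened example name:", unguessable_archive_name())
```

Both layers matter: an unguessable name defeats the brute-force path described in the entry, and the ownership check covers the case where a name leaks through a referrer, a shared link or a log.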
-
CVE-2026-1917
MEDIUM
CVSS 4.3
The Drupal Login Disable module contains an authentication bypass (CWE-288, Authentication Bypass Using an Alternate Path or Channel) that lets attackers log in through a path the module does not cover, defeating its purpose of disabling user logins. Versions prior to 2.1.3 are affected. The listed CVSS score is 4.3; no EPSS data is available, but the issue has been formally documented by the Drupal security team and should be patched.
Authentication Bypass
-
CVE-2026-1724
MEDIUM
CVSS 6.8
GitLab EE contains an improper access control vulnerability that allows unauthenticated users to retrieve the API tokens configured for self-hosted AI models. Affected versions are 18.5 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1, so any organization on these versions with self-hosted model integrations is exposed. With a CVSS score of 6.8 and public proof-of-concept code, this is a significant credential exposure and warrants immediate patching; treat the model tokens as compromised and rotate them after upgrading.
Gitlab
Authentication Bypass
-
CVE-2026-1712
MEDIUM
CVSS 5.8
An incorrect privilege assignment vulnerability in HYPR Server allows authenticated users to escalate their privileges through an unspecified mechanism. HYPR Server versions 10.5.1 through 10.6.x are affected, with the vulnerability resolved in version 10.7 and later. An attacker with valid user credentials can exploit this flaw to gain elevated permissions, potentially compromising the entire authentication infrastructure managed by the HYPR Server instance.
Privilege Escalation
-
CVE-2026-1561
MEDIUM
CVSS 5.4
IBM WebSphere Application Server Liberty versions 17.0.0.3 through 26.0.0.3 contain a server-side request forgery (SSRF) vulnerability that allows authenticated remote attackers to send unauthorized requests from the vulnerable system. This exposure could enable network enumeration, internal service discovery, or facilitate secondary attacks against internal infrastructure. A patch is available from IBM, and the vulnerability requires authenticated access (PR:L) but has low attack complexity, making it a medium-priority issue for organizations running affected Liberty instances.
IBM
SSRF
-
CVE-2026-1262
MEDIUM
CVSS 4.3
IBM InfoSphere Information Server versions 11.7.0.0 through 11.7.1.6 contain an information disclosure vulnerability classified as CWE-209 (error messages that reveal sensitive information), allowing an authenticated attacker to obtain sensitive details over the network without user interaction. The CVSS score of 4.3 reflects low attack complexity and low privileges required: any logged-in user can trigger it. A vendor patch is available.
IBM
Information Disclosure
-
CVE-2026-1166
MEDIUM
CVSS 4.3
An Open Redirect vulnerability exists in Hitachi Ops Center Administrator versions 10.2.0 through 11.0.7, allowing unauthenticated attackers to redirect users to arbitrary external websites through a crafted URL. The vulnerability requires user interaction (clicking a malicious link) but can be leveraged for phishing attacks, credential harvesting, or malware distribution. There is no indication of active exploitation in the wild or public proof-of-concept availability at this time.
Open Redirect
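A defensive check for this vulnerability class, written here as an added Python example rather than anything from Hitachi's product: it accepts only same-site paths (or, optionally, absolute URLs whose host is on an explicit allowlist) and rejects the encodings browsers interpret as a different host. The host names in it are constructed.

```python
from urllib.parse import urlsplit


def safe_redirect_target(candidate: str, allowed_hosts: frozenset[str] = frozenset(),
                         default: str = "/") -> str:
    """Return `candidate` if it is safe to redirect to, else `default`.

    Safe means: a path on this site (starts with exactly one "/"), or an
    http(s) URL whose host is in `allowed_hosts`. Everything else, including
    the well-known parser-confusion forms, falls back to `default`.
    """
    if not candidate:
        return default
    # Browsers strip tab/newline and leading whitespace before parsing, so
    # "\t//evil.example" would still become a scheme-relative URL. Reject outright.
    if any(ch.isspace() or ord(ch) < 0x20 for ch in candidate):
        return default
    # Browsers treat "\" as "/" in http(s) URLs: "/\evil.example" is
    # "//evil.example". Normalise before parsing so urlsplit sees what they see.
    normalized = candidate.replace("\\", "/")
    parts = urlsplit(normalized)
    if parts.scheme or parts.netloc:
        # Absolute or scheme-relative URL. Only http(s) to an allowlisted host,
        # judged by .hostname so "https://good.example@evil.example" is tested
        # against its real host (evil.example), not the userinfo prefix.
        if parts.scheme in ("http", "https") and parts.hostname in allowed_hosts:
            return normalized
        return default
    # Relative reference. "//host" was caught above; "///host" is parsed by
    # urlsplit as an empty netloc but by browsers as a host, so block any
    # leading double slash explicitly.
    if not normalized.startswith("/") or normalized.startswith("//"):
        return default
    return normalized


if __name__ == "__main__":
    for probe in ("/account/settings", "//evil.example/", "///evil.example",
                  "/\\evil.example", "https://evil.example/", "javascript:alert(1)",
                  "\t//evil.example", "https://good.example/x",
                  "https://good.example@evil.example/"):
        print(f"{probe!r:40s} -> {safe_redirect_target(probe, frozenset({'good.example'}))!r}")
```

The deny-by-default shape is deliberate: new bypass encodings appear regularly, and a check that enumerates bad patterns will miss the next one, whereas a check that only admits a single leading slash or an allowlisted host does not.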
-
CVE-2026-1015
MEDIUM
CVSS 5.4
IBM InfoSphere Information Server versions 11.7.0.0 through 11.7.1.6 contain a server-side request forgery (SSRF) vulnerability that allows authenticated attackers to send unauthorized requests from the affected system. This could enable network enumeration, lateral movement, or facilitate secondary attacks against internal systems. The vulnerability requires valid authentication credentials but presents moderate risk with a CVSS score of 5.4 and has an available patch from IBM.
IBM
SSRF
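The Liberty and InfoSphere SSRF entries above share one mitigation shape: resolve the destination before connecting, reject anything that lands in loopback, link-local, private or otherwise internal address space, and connect only to the address you checked. The Python below is an added example of that check, not IBM's code; the resolver is a constructed in-memory stand-in for DNS so the example runs offline, and the host names and addresses in it are made up.

```python
import ipaddress
from typing import Callable, Union
from urllib.parse import urlsplit

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Carrier-grade NAT space is not covered by the stdlib's is_private; add it.
EXTRA_BLOCKED_V4 = ipaddress.ip_network("100.64.0.0/10")
ALLOWED_SCHEMES = ("http", "https")


def is_blocked_ip(ip: IPAddress) -> bool:
    """True for any address an outbound fetch should never reach."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # judge ::ffff:127.0.0.1 as 127.0.0.1
    return (
        ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_multicast
        or ip.is_reserved or ip.is_unspecified
        or (ip.version == 4 and ip in EXTRA_BLOCKED_V4)
    )


def check_outbound_url(url: str, resolve: Callable[[str], list[str]]) -> tuple[bool, str, list[str]]:
    """Decide whether `url` may be fetched. Returns (allowed, reason, addresses).

    The caller must open the socket to one of the returned addresses (sending
    the original Host header), not re-resolve the name: a second lookup that
    returns a different answer is exactly what DNS rebinding exploits.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed", []
    host = parts.hostname
    if not host:
        return False, "no host", []
    try:
        addresses = [str(ipaddress.ip_address(host))]  # literal IP: no DNS involved
    except ValueError:
        # Not a dotted-quad or IPv6 literal. Shorthand such as "127.1" or a
        # decimal "2130706433" lands here too; a real resolver turns those into
        # 127.0.0.1, and the address check below is what catches them.
        addresses = resolve(host)
    if not addresses:
        return False, f"{host!r} did not resolve", []
    for addr in addresses:
        if is_blocked_ip(ipaddress.ip_address(addr)):
            return False, f"{host!r} resolves to blocked address {addr}", []
    return True, "ok", addresses


# Constructed stand-in for DNS so the example runs offline.
FAKE_DNS = {
    "api.partner.example": ["1.2.3.4"],
    "metadata.internal": ["169.254.169.254"],
    "rebind.example": ["1.2.3.4", "127.0.0.1"],  # mixed answer: one bad address fails the whole set
}


def fake_resolve(host: str) -> list[str]:
    return FAKE_DNS.get(host.lower(), [])


if __name__ == "__main__":
    for url in ("https://api.partner.example/v1/ping", "http://metadata.internal/latest/",
                "http://rebind.example/", "http://[::ffff:127.0.0.1]/",
                "file:///etc/passwd", "http://127.1/", "http://100.100.1.1/"):
        print(check_outbound_url(url, fake_resolve))
```

In production the resolver would be `socket.getaddrinfo`, and the HTTP client must be configured to connect to the pinned address and to re-run this check on every redirect, since a 302 from an allowed host to an internal one is the other common way around a pre-flight check.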
-
CVE-2026-1014
MEDIUM
CVSS 6.5
IBM InfoSphere Information Server versions 11.7.0.0 through 11.7.1.6 contain an information disclosure vulnerability caused by improper handling of JSON server responses, allowing authenticated attackers to expose sensitive data. The vulnerability requires low-complexity network access with valid credentials but does not require user interaction, making it accessible to any authenticated user with network connectivity. No evidence of active exploitation in the wild has been identified, though a patch is available from the vendor.
IBM
Information Disclosure
-
CVE-2026-1001
MEDIUM
CVSS 4.8
Domoticz versions prior to 2026.1 contain a stored cross-site scripting (XSS) vulnerability in the web interface's Add Hardware and device rename functions that allows an authenticated administrator to inject arbitrary JavaScript or HTML. The injected markup is stored and executes in the browser of any user who views the affected pages, enabling session hijacking or actions performed with the victim's privileges. A patch is available from the vendor. Exploitation requires administrator access and a victim's page view, which keeps the score moderate, but because the payload persists it can be turned against every other user of the interface.
XSS
Redhat
-
CVE-2025-64648
MEDIUM
CVSS 5.9
IBM Concert versions 1.0.0 through 2.2.0 transmit sensitive data in cleartext, allowing attackers to intercept and read this information via man-in-the-middle (MITM) attacks. The vulnerability affects all versions within the specified range of the IBM Concert application. An attacker positioned on the network path between a client and Concert server can eavesdrop on communications to obtain confidential information, though exploitation requires moderate attack complexity and active network positioning.
IBM
Information Disclosure
-
CVE-2025-64647
MEDIUM
CVSS 5.9
IBM Concert versions 1.0.0 through 2.2.0 implement cryptographic algorithms that are weaker than expected, allowing attackers to decrypt highly sensitive information without authentication. The vulnerability has a CVSS score of 5.9 with high confidentiality impact but no integrity or availability impact. A patch is available from IBM, and this represents a pure information disclosure risk affecting the confidentiality of encrypted data.
IBM
Information Disclosure
-
CVE-2025-64646
MEDIUM
CVSS 6.2
IBM Concert versions 1.0.0 through 2.2.0 do not properly clear buffers, allowing a local attacker to read sensitive information directly from process memory without privileges or user interaction. This information disclosure vulnerability carries a CVSS score of 6.2; a vendor patch is available, and no active exploitation or public proof-of-concept has been reported.
IBM
Information Disclosure
-
CVE-2025-43534
MEDIUM
CVSS 6.8
A path handling flaw in iOS and iPadOS allows a person with physical access to a device to bypass Activation Lock; Apple addressed it with improved validation in the path handling logic. Affected are iOS and iPadOS versions prior to 18.7.7 and 26.2. The listed CVSS score is 6.8; no EPSS data is available. The physical access requirement rules out remote exploitation, but an Activation Lock bypass directly undermines stolen-device protection.
Apple
Authentication Bypass
iOS
-
CVE-2025-40841
MEDIUM
CVSS 5.1
A cross-site request forgery (CSRF) vulnerability exists in Ericsson Indoor Connect 8855 prior to version 2025.Q3 that allows attackers to modify certain information by tricking an authenticated user into submitting a request they did not intend. The flaw compromises the integrity of system data without the victim's awareness. Neither in-the-wild exploitation (no KEV listing) nor a public proof-of-concept has been confirmed; the attack vector is network-based and, as with CSRF generally, needs a victim with a live session to open an attacker-controlled page or link.
Ericsson
CSRF
-
CVE-2025-36440
MEDIUM
CVSS 5.1
IBM Concert versions 1.0.0 through 2.2.0 contain a missing function-level access control vulnerability that allows local users to obtain sensitive information without authentication. An attacker with local system access can bypass authorization checks to read confidential data stored within the application. While the CVSS score of 5.1 indicates moderate severity, the lack of authentication requirements and local attack vector present a meaningful risk in multi-tenant or shared system environments.
IBM
Information Disclosure
-
CVE-2025-36438
MEDIUM
CVSS 5.1
IBM Concert versions 1.0.0 through 2.2.0 contain an improper channel communication restriction vulnerability that allows privileged users to perform unauthorized actions by bypassing intended endpoint controls. The vulnerability, classified as CWE-923 (Improper Restriction of Communication Channel to Intended Endpoints), has a CVSS score of 5.1 with medium integrity impact and is not currently listed in CISA's Known Exploited Vulnerabilities catalog, though a vendor patch is available.
IBM
Authentication Bypass
-
CVE-2025-36422
MEDIUM
CVSS 4.3
IBM InfoSphere Information Server versions 11.7.0.0 through 11.7.1.6 contain a cross-site request forgery (CSRF) vulnerability in the DataStage Flow Designer component that allows unauthenticated attackers to trigger unauthorized state-changing actions on behalf of authenticated users. The vulnerability has a CVSS score of 4.3 with low attack complexity and no privileges required, though it requires user interaction (UI:R). A vendor patch is available, and this represents an integrity-focused attack vector rather than confidentiality or availability impact.
IBM
CSRF