Skip to main content
CVE-2026-28827 CRITICAL PATCH Act Now

Improper path validation in macOS (Sequoia 15.7.5, Sonoma 14.8.5, and Tahoe 26.4) allows sandboxed applications to escape their sandbox restrictions through directory path traversal. A local attacker with the ability to run malicious apps can exploit this weakness to execute code outside sandbox boundaries with full system privileges. No patch is currently available for this critical vulnerability.

Apple Path Traversal macOS
NVD VulDB
CVSS 3.1
9.3
EPSS
0.0%
CVE-2026-20688 CRITICAL PATCH Act Now

Sandbox escape vulnerability in Apple iOS, iPadOS, macOS, and visionOS allows local attackers to break out of application sandboxes through improper path validation, potentially enabling unauthorized access to system resources and data. An attacker with local access could leverage this flaw to execute arbitrary operations outside application boundaries and bypass security restrictions. No patch is currently available for this critical vulnerability affecting multiple Apple platforms.

Apple Path Traversal macOS iOS
NVD VulDB
CVSS 3.1
9.3
EPSS
0.0%
CVE-2026-32573 CRITICAL Act Now

A Code Injection vulnerability (CWE-94) exists in Nelio AB Testing WordPress plugin through version 8.2.7 that allows attackers to execute arbitrary code on affected installations. The vulnerability affects the Nelio Software product across all versions up to and including 8.2.7, potentially enabling remote code execution (RCE). This is a critical severity issue as it permits unauthenticated or low-privilege attackers to gain complete control over WordPress sites running the vulnerable plugin.

Code Injection RCE Nelio Ab Testing
NVD VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-25447 CRITICAL Act Now

A Code Injection vulnerability (CWE-94) exists in the Jonathan Daggerhart Widget Wrangler WordPress plugin through version 2.3.9, allowing unauthenticated attackers to execute arbitrary code on affected installations. This Remote Code Execution (RCE) vulnerability enables complete server compromise and data exfiltration. Active exploitation has been documented by Patchstack, indicating this is a practical, real-world threat requiring immediate patching.

Code Injection RCE Widget Wrangler
NVD VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-32524 CRITICAL Act Now

An unrestricted file upload vulnerability (CWE-434) exists in Jordy Meow's Photo Engine WordPress plugin versions up to and including 6.4.9, allowing attackers to upload malicious web shells to compromised servers. The vulnerability affects the wplr-sync component and permits arbitrary file uploads with dangerous types, potentially leading to remote code execution. No CVSS score, EPSS probability, or KEV status information is currently available, but the ability to upload executable web shells represents a critical exploitation path.

File Upload Photo Engine
NVD VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-27071 CRITICAL Act Now

A missing authorization vulnerability exists in Arraytics WPCafe WordPress plugin versions up to 3.0.7, where incorrectly configured access control allows attackers to bypass authentication and authorization checks. This broken access control flaw (CWE-862) enables unauthorized users to perform actions they should not have permission to execute, potentially leading to unauthorized data access, modification, or plugin functionality abuse. The vulnerability affects all installations of WPCafe through version 3.0.7 and is tracked under ENISA EUVD ID EUVD-2026-15773 with confirmation from Patchstack vulnerability research.

Authentication Bypass Wpcafe
NVD VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2025-32991 CRITICAL Act Now

N2WS Backup & Recovery before version 4.4.0 contains a remote code execution vulnerability in its RESTful API that requires a two-step attack chain to exploit. An unauthenticated attacker can execute arbitrary code on affected systems, potentially compromising backup and disaster recovery infrastructure. This vulnerability affects the N2WS product line and should be treated as critical given the RCE classification and the security-sensitive nature of backup systems.

RCE Race Condition
NVD VulDB
CVSS 3.1
9.0
EPSS
0.2%
CVE-2026-32519 CRITICAL Act Now

Bit SMTP version 1.2.2 and earlier contains an Incorrect Privilege Assignment vulnerability (CWE-266) that allows privilege escalation attacks. The vulnerability affects the Bit SMTP WordPress plugin and permits attackers to elevate their privileges beyond their intended authorization level. While no CVSS score or EPSS data is currently published, the vulnerability has been documented by Patchstack and assigned ENISA EUVD ID EUVD-2026-15882, indicating formal recognition of the security issue.

Privilege Escalation Bit Smtp
NVD VulDB
CVSS 3.1
9.0
EPSS
0.0%
Prev Page 2 of 2

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy