A stored cross-site scripting (XSS) vulnerability exists in Kiteworks Secure Data Forms that allows authenticated attackers to inject malicious scripts when modifying forms. Kiteworks Secure Data Forms versions prior to 9.2.1 are affected, enabling attackers with low-level privileges to execute arbitrary JavaScript in victims' browsers. There is no indication this vulnerability is actively exploited (not in CISA KEV), and no public proof-of-concept has been identified in available intelligence.
PrestaShop contains multiple stored Cross-Site Scripting (XSS) vulnerabilities in the back-office (BO) administration panel. An attacker with limited back-office access or who has exploited a separate vulnerability to inject data into the database can exploit unprotected template variables to execute arbitrary JavaScript in administrators' browsers. The CVSS score of 7.7 reflects high attack complexity and the requirement for high privileges, though no evidence of active exploitation (KEV) or public proof-of-concept is currently available.
Improper access control in OpenEMR versions prior to 8.0.0.3 allows any authenticated user to download and permanently delete electronic claim batch files containing protected health information (PHI) via the billing file-download endpoint, regardless of whether they have billing privileges. The vulnerability has a 7.6 CVSS score with low attack complexity and requires only low-level authentication. EPSS exploitation probability is 0.03% (8th percentile), indicating low observed targeting in real-world exploitation at time of analysis, and no public exploit has been identified.
A Local File Inclusion (LFI) vulnerability exists in the nK Visual Portfolio, Photo Gallery & Post Grid WordPress plugin through version 3.5.1, allowing attackers to include and execute arbitrary local files on the server via improper control of filename parameters in PHP include/require statements. An attacker with network access can exploit this vulnerability to disclose sensitive information such as configuration files, database credentials, or other local files stored on the web server. While CVSS and EPSS scores are not publicly available, the vulnerability is classified under CWE-98 (Improper Control of Filename for Include/Require) and affects all installations of this plugin running version 3.5.1 or earlier.
A critical pre-authentication denial of service vulnerability in nats-server allows an unauthenticated remote attacker to crash the entire server process by sending a single malicious 15-byte WebSocket frame. The vulnerability affects nats-server versions 2.2.0 through 2.11.13 and 2.12.0 through 2.12.4 when WebSocket listeners are enabled. A working proof-of-concept exploit in Go has been publicly disclosed by security researcher Mistz1, demonstrating that a single TCP connection can bring down the entire NATS deployment including all connected clients, JetStream streams, and cluster routes.
pf4j versions prior to commit 20c2f80 contain a Zip Slip path traversal vulnerability in the Unzip.java extract() function that fails to properly validate and normalize zip entry names, allowing attackers to write files outside the intended extraction directory. An attacker can craft a malicious zip file with directory traversal sequences (e.g., ../../../) in entry names to extract arbitrary files to unauthorized locations on the system. This vulnerability affects the pf4j plugin framework, which is widely used in Java applications that dynamically load plugins; a proof-of-concept has been documented on GitHub (weaver4VD gist), indicating functional exploitation is possible.
Unpatched denial-of-service vulnerability in Apple iOS and iPadOS allows unauthenticated remote attackers to crash applications due to insufficient input validation. The vulnerability requires no user interaction and affects all versions prior to 26.4, with no security patch currently available.
Remote attackers can trigger denial-of-service conditions against multiple Apple operating systems (iOS, iPadOS, macOS variants) through network requests that bypass insufficient input validation. The vulnerability affects iOS 26.4 and earlier, iPadOS 26.4 and earlier, macOS Sequoia 15.7.4 and earlier, macOS Sonoma 14.8.4 and earlier, and macOS Tahoe 26.3 and earlier. No patch is currently available for this high-severity vulnerability with a 7.5 CVSS score.
iOS and iPadOS devices are vulnerable to denial-of-service attacks due to insufficient buffer bounds checking that allows remote attackers to crash affected systems without authentication. The vulnerability affects iOS 26.4 and earlier versions, requiring network access but no user interaction. No patch is currently available for this HIGH severity issue.
Improper state management in Apple's authentication mechanisms across iOS, iPadOS, macOS, tvOS, visionOS, and watchOS allows attackers positioned on a network to intercept and potentially manipulate encrypted traffic. An attacker with privileged network access can exploit this vulnerability to conduct man-in-the-middle attacks without user interaction, compromising the confidentiality of communications. No patch is currently available for this high-severity flaw.
LiquidJS template engine version 10.24.0 and earlier contains a denial-of-service vulnerability in the replace_first filter that enables 625,000:1 memory amplification by exploiting JavaScript's $& backreference pattern. The memoryLimit security control is bypassed because only input strings are charged while exponentially amplified outputs (up to 312.5 MB from 1 byte input) remain unaccounted. Demonstrated proof-of-concept shows 20 concurrent requests cause complete service unavailability for 29 seconds with legitimate user requests delayed by 10.9 seconds. A patch is available via GitHub commit 35d523026345d80458df24c72e653db78b5d061d.
LiquidJS versions 10.24.x and earlier contain a memory limit bypass vulnerability that allows unauthenticated attackers to crash Node.js processes through a single malicious template. By exploiting reverse range expressions to drive the memory counter negative, attackers can allocate unlimited memory and trigger a V8 Fatal error that terminates the entire process, causing complete denial of service. A detailed proof-of-concept exploit is publicly available demonstrating the full attack chain from bypass to process crash.
picomatch, a widely-used Node.js glob pattern matching library, contains a Regular Expression Denial of Service (ReDoS) vulnerability when processing crafted extglob patterns such as '+(a|aa)' or nested patterns like '+(+(a))'. The vulnerability affects picomatch versions prior to 4.0.4, 3.0.2, and 2.3.2 (tracked via CPE pkg:npm/picomatch) and allows unauthenticated remote attackers to cause multi-second event-loop blocking with relatively short inputs, resulting in application-wide denial of service. Patches are available from the vendor, and while no KEV listing or EPSS score is provided in the data, the CVSS score of 7.5 (High) reflects the network-accessible, low-complexity attack vector requiring no privileges or user interaction.
The SMTP Mailer plugin for WordPress (versions up to 1.1.24) contains an Insertion of Sensitive Information Into Sent Data vulnerability that allows attackers to retrieve embedded sensitive data through the plugin's email transmission functionality. This information disclosure flaw affects all installations of the affected SMTP Mailer versions and could expose credentials, configuration data, or other sensitive information transmitted via the plugin's SMTP implementation. No CVSS score or EPSS data is currently available, and no indication of active exploitation or public proof-of-concept has been documented at this time.
StellarWP Restrict Content plugin versions 3.2.22 and earlier contain an authorization bypass that allows unauthenticated attackers to modify access control settings through improper validation of security levels. An attacker can leverage this vulnerability to escalate privileges or grant unauthorized content access to restricted resources. No patch is currently available.
Improper path validation in Apple's operating systems (iOS, iPadOS, macOS, and visionOS) allows applications to bypass directory access restrictions and read sensitive user data without user interaction. An attacker with a malicious app could exploit this parsing weakness to access confidential information across affected Apple devices. No patch is currently available, though Apple has released fixed versions across its product line.
Unauthenticated path traversal in File Uploader for WooCommerce plugin (versions ≤1.0.4) allows remote attackers to read arbitrary files from the WordPress server via malformed file path sequences ('.../...//'). The vulnerability permits high-impact confidentiality breach through network-accessible endpoints without authentication, potentially exposing wp-config.php, database credentials, and other sensitive server files. EPSS score of 0.03% suggests low observed exploitation probability despite the critical CVSS 7.5 rating, and SSVC assessment confirms no active exploitation at time of analysis. Reported by Patchstack, this WordPress plugin vulnerability affects installations where the file upload functionality processes user-controlled path inputs without proper sanitization.
This vulnerability is an authentication bypass in the ThimPress LearnPress Sepay Payment plugin for WordPress that allows attackers to abuse authentication mechanisms through alternate paths or channels. The vulnerability affects LearnPress Sepay Payment versions up to and including 4.0.0. An attacker exploiting this flaw could bypass normal authentication controls to gain unauthorized access to the learning platform, potentially accessing student accounts, course content, or administrative functions without valid credentials.
An authentication bypass vulnerability exists in WP Swings Subscriptions for WooCommerce plugin versions up to and including 1.8.10, allowing attackers to manipulate input data to spoof authentication credentials and bypass access controls. This vulnerability affects WordPress installations using the affected plugin and could allow unauthenticated attackers to gain unauthorized access to subscription management functionality. While no CVSS score or EPSS data is currently available, the vulnerability has been documented by Patchstack and assigned EUVD-2026-15568, indicating active tracking by European vulnerability databases.
A path traversal vulnerability exists in flexcubed PitchPrint plugin through version 11.1.2, allowing attackers to access files outside of restricted directories. The vulnerability affects the PitchPrint WordPress plugin and enables unauthorized file access through improper pathname validation. No CVSS score or EPSS data is currently available, but the CWE-22 classification and Patchstack reporting indicate this is a genuine path traversal issue requiring immediate attention.
A buffer overflow vulnerability in Apple macOS Tahoe prior to version 26.4 enables remote attackers to trigger a denial-of-service condition through memory corruption and application crashes without requiring user interaction or authentication. The flaw stems from insufficient bounds checking and currently lacks a security patch. This vulnerability affects all macOS users running vulnerable versions.
A privacy vulnerability in macOS allows applications to capture a user's screen through improper handling of temporary files. The issue affects macOS Sequoia versions prior to 15.7.4 and macOS Tahoe versions prior to 26.3, enabling unauthorized screen capture by malicious or compromised applications. This vulnerability represents an information disclosure threat where sensitive user data visible on screen could be exfiltrated without user consent or awareness.
A logic flaw in macOS Tahoe allows applications to bypass security controls and access sensitive user data without proper authorization. The vulnerability affects macOS versions prior to 26.4 and is addressed through improved input validation and access control checks. While CVSS scoring data is unavailable, Apple has released a patch indicating this is a genuine security concern requiring immediate attention.
A Missing Authorization vulnerability (CWE-862) exists in the Miraculous theme by kamleshyadav, affecting versions prior to 2.1.2, that allows attackers to bypass access control security levels through incorrectly configured authorization mechanisms. An attacker can exploit this flaw to access restricted functionality or resources that should require proper authentication and authorization checks. While no CVSS score, EPSS data, or KEV status has been publicly assigned, the vulnerability has been documented by Patchstack and carries authentication bypass implications that warrant timely patching.
A missing authorization vulnerability exists in Metagauss RegistrationMagic (custom-registration-form-builder-with-submission-manager) plugin versions up to and including 6.0.7.6, where incorrectly configured access control allows attackers to bypass authentication mechanisms and exploit broken access control. An attacker can leverage this vulnerability to perform unauthorized actions within the application by circumventing intended authorization checks. The vulnerability is classified as CWE-862 (Missing Authorization) and was reported by Patchstack; while CVSS and EPSS scores are not publicly available, the authentication bypass nature of this flaw indicates significant exploitability potential.
A missing authorization vulnerability exists in WP Terms Popup plugin for WordPress (versions through 2.10.0) that allows attackers to bypass access controls and exploit incorrectly configured security levels. The vulnerability, classified as CWE-862 (Missing Authorization), enables unauthenticated or low-privileged attackers to access restricted functionality without proper permission checks. This issue was reported by Patchstack and affects all installations of the plugin up to and including version 2.10.0.
A missing authorization vulnerability exists in weDevs WP User Frontend plugin through version 4.2.8, allowing attackers to bypass access control checks and perform unauthorized actions. The vulnerability stems from incorrectly configured access control security levels (CWE-862: Missing Authorization), enabling attackers with varying privilege levels to access or modify restricted functionality. All installations of WP User Frontend up to and including version 4.2.8 are vulnerable, and immediate patching is strongly recommended.
A hard-coded credentials vulnerability exists in the Addi buy-now-pay-later WordPress plugin (versions up to 2.0.4) that enables password recovery exploitation and authentication bypass attacks. Attackers can leverage embedded credentials to gain unauthorized access to user accounts and potentially escalate privileges within the plugin's functionality. This vulnerability is classified under CWE-798 (Use of Hard-coded Credentials) and has been reported by Patchstack; no CVSS score, EPSS data, or active KEV status is currently available, though the authentication bypass nature suggests active exploitation risk.
A missing authorization vulnerability exists in Arni Cinco WPCargo Track & Trace WordPress plugin through version 8.0.2, where incorrectly configured access control allows attackers to bypass authentication mechanisms and exploit sensitive functionality. This broken access control flaw (CWE-862) affects all installations of the plugin up to and including version 8.0.2, enabling unauthenticated or low-privileged attackers to access resources or perform actions they should not be permitted to execute. The vulnerability was reported by Patchstack and has been tracked under ENISA EUVD ID EUVD-2026-15715.
A Missing Authorization vulnerability (CWE-862) exists in CoderPress Commerce Coinbase For WooCommerce plugin versions up to and including 1.6.6, allowing attackers to bypass access control mechanisms and perform unauthorized actions through incorrectly configured security levels. An attacker can exploit this broken access control to manipulate commerce functions or access restricted administrative features without proper authentication. No CVSS score, EPSS data, or active KEV status is currently available, but the vulnerability was reported by Patchstack and assigned EUVD ID EUVD-2026-15707.
A missing authorization vulnerability exists in the Print Invoice & Delivery Notes for WooCommerce plugin (tychesoftwares) through version 5.9.0, allowing attackers to exploit incorrectly configured access control to bypass authentication mechanisms and gain unauthorized access to sensitive functionality. The vulnerability is classified as a broken access control issue (CWE-862) affecting all versions up to and including 5.9.0. Attackers can leverage this flaw to access restricted operations without proper authorization, potentially exfiltrating invoice and delivery note data or manipulating order information.
A missing authorization vulnerability in PublishPress Authors plugin versions up to 4.10.1 allows attackers to exploit incorrectly configured access control security levels, potentially bypassing authentication mechanisms. This vulnerability affects WordPress installations using the PublishPress Authors plugin and could enable unauthorized users to perform actions they should not be permitted to execute. The vulnerability is classified as an authentication bypass issue with CWE-862 (Missing Authorization), though specific CVSS scoring and exploitation data are not yet published.
A missing authorization vulnerability exists in RadiusTheme Team plugin (versions up to 5.0.11) that allows attackers to exploit incorrectly configured access control security levels. This broken access control issue (CWE-862) enables unauthorized users to access or manipulate resources they should not have permission to access. The vulnerability affects the WordPress plugin tlp-team and has been documented by Patchstack as an authentication bypass vector, though no CVSS score, EPSS probability, or KEV status is currently available to assess active exploitation.
A missing authorization vulnerability in the WordPress News Magazine X theme (versions up to 1.2.50) allows attackers to bypass access control mechanisms and exploit incorrectly configured security levels. This broken access control issue, classified under CWE-862, enables unauthorized users to access restricted functionality or resources that should require proper authentication or authorization. The vulnerability affects all installations of News Magazine X theme through version 1.2.50, and remediation requires immediate theme updates to patched versions.
A missing authorization vulnerability exists in the loopus WP Cost Estimation & Payment Forms Builder WordPress plugin (versions prior to 10.3.0) that allows attackers to bypass access controls and exploit incorrectly configured security levels. The vulnerability, classified as CWE-862 (Missing Authorization), enables unauthorized users to access or manipulate form data and cost estimation functionality that should be restricted. While no CVSS score or EPSS data is currently available, the authentication bypass nature of this vulnerability and its inclusion in vulnerability databases like ENISA EUVD-2026-15559 suggests moderate-to-high real-world exploitability.
A missing authorization vulnerability exists in WPFactory's Helpdesk Support Ticket System for WooCommerce plugin (versions up to 2.1.2) that allows attackers to exploit incorrectly configured access control security levels to bypass authentication mechanisms. The vulnerability, classified as CWE-862 (Missing Authorization), enables unauthorized access to sensitive helpdesk support ticket functionality through broken access control. This affects WordPress installations using the vulnerable plugin, potentially exposing customer support interactions and sensitive information handled through the ticketing system.
A missing authorization vulnerability exists in BlueGlass Interactive AG's Jobs for WordPress plugin (versions up to 2.8) that allows attackers to bypass access control mechanisms through incorrectly configured security levels. This vulnerability (CWE-862: Missing Authorization) could permit unauthenticated or low-privileged attackers to access job posting functionality intended to be restricted to authorized users. While no CVSS score, EPSS data, or confirmed public exploit has been published, the straightforward nature of authorization bypass flaws and the plugin's widespread WordPress deployment make this a moderate-to-high priority for administrators managing job posting systems.
A missing authorization vulnerability exists in the Metagauss EventPrime event calendar management plugin for WordPress, classified as CWE-862 (Missing Authorization), that allows attackers to bypass access control restrictions and perform unauthorized actions. The vulnerability affects EventPrime versions up to and including 4.2.6.0, enabling exploitation through incorrectly configured access control security levels. While no CVSS score or EPSS data is currently published, the vulnerability has been documented by Patchstack and assigned ENISA EUVD ID EUVD-2025-209001, suggesting active security community awareness, though KEV status and proof-of-concept availability remain unconfirmed from available intelligence.
An access control vulnerability in macOS allows applications to connect to network shares without explicit user consent, bypassing the sandbox restrictions designed to prevent unauthorized network access. This affects macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, and macOS Tahoe 26.4, where a malicious or compromised application could silently establish connections to network resources. Apple has addressed this issue through additional sandbox restrictions in the specified patch versions; no public exploit code or active exploitation via KEV has been reported, but the nature of the vulnerability suggests moderate real-world risk due to the ease with which local applications could abuse this capability.
Integer overflow vulnerability in Apple macOS (Sequoia 15.7.4 and earlier, Sonoma 14.8.4 and earlier, Tahoe 26.2 and earlier) allows remote attackers to trigger heap corruption by processing a specially crafted string without requiring user interaction or privileges. The vulnerability results in denial of service and potential memory corruption but currently lacks a public patch. No active exploitation has been reported.
Denial of service in Kea DHCP daemons (versions 2.6.0-2.6.4 and 3.0.0-3.0.2) allows unauthenticated remote attackers to crash affected services by sending maliciously crafted messages to API sockets or HA listeners, triggering a stack overflow. Vulnerable Kea installations across Ubuntu, Red Hat, SUSE, and Debian are susceptible to service interruption attacks with no authentication required. A patch is available for affected distributions.
A permissions enforcement vulnerability in Apple's operating systems allows applications to bypass access controls and read protected user data without proper authorization. The issue affects iOS and iPadOS versions prior to 26.3, and macOS Tahoe prior to 26.3. An attacker with a malicious app could exploit insufficient permission restrictions to access sensitive user information such as contacts, location data, photos, or other protected resources that should require explicit user consent.
The Linux kernel's ksmbd (SMB server implementation) component uses the non-constant-time memcmp() function to compare Message Authentication Codes (MACs) instead of the cryptographically-secure crypto_memneq() function, enabling timing-based attacks to leak authentication credentials. All Linux kernel versions with ksmbd are affected, allowing attackers to potentially forge authentication by measuring response time differences during MAC validation. While no public exploit code is confirmed, multiple stable kernel branches have received patches addressing this vulnerability, indicating kernel maintainers treated this as a legitimate information disclosure risk.
Memory exhaustion in Cisco IOS XE and Apple devices via improper TLS resource handling allows adjacent attackers to trigger denial of service by repeatedly initiating failed authentication or manipulating TLS connections. An unauthenticated attacker can exploit this by resetting TLS sessions or abusing EAP authentication mechanisms to deplete device memory without requiring network access from the internet. Successful exploitation renders affected devices unresponsive, with no patch currently available.
Unauthenticated access control bypass in Aarsiv Groups' a2z-fedex-shipping WordPress plugin (versions ≤5.1.8) allows remote attackers to exploit incorrectly configured authorization checks, enabling unauthorized viewing, modification, or disruption of FedEx shipping data and label generation. The vulnerability is categorized as automatable with partial technical impact per SSVC framework, though EPSS scoring indicates low observed exploitation probability (0.02%, 4th percentile). Patchstack reported this CWE-862 missing authorization flaw; no active exploitation confirmed via CISA KEV at time of analysis.
Ericsson Indoor Connect 8855 prior to version 2025.Q3 contains an Improper Filtering of Special Elements vulnerability (CWE-790) that allows attackers to bypass input validation controls and achieve unauthorized modification of sensitive information. This vulnerability affects all versions of the Indoor Connect 8855 product line below the 2025.Q3 release. No CVSS score, CVSS vector, EPSS data, or active exploitation status is currently available in public sources, limiting quantitative risk assessment, though the CWE-790 classification suggests the vulnerability involves inadequate sanitization of special characters or metacharacters in user input.
Modoboa, an open-source mail server management platform, contains a command injection vulnerability in its subprocess execution handler that allows authenticated Reseller or SuperAdmin users to execute arbitrary operating system commands. A proof-of-concept exploit exists demonstrating how shell metacharacters in domain names can achieve code execution, typically as root in standard deployments. The vulnerability affects modoboa versions up to and including 2.7.0, with patches available in version 2.7.1.
A buffer overflow vulnerability in the dgiot binary in LSC Smart Indoor IP Camera V7.6.32. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A blind SQL injection vulnerability exists in the PostCalendar module of OpenEMR, a widely-used open source electronic health records system. Versions prior to 8.0.0.3 are affected, allowing authenticated administrators to execute arbitrary SQL commands through the categoriesUpdate function's dels parameter. The vulnerability requires high privileges (PR:H) but is network-accessible and has no attack complexity, enabling attackers to extract sensitive patient data, modify health records, or disrupt medical operations.
OpenEMR versions up to and including 8.0.0.2 contain a SQL injection vulnerability in the patient selection feature that allows authenticated attackers with high privileges to execute arbitrary SQL commands. The vulnerability stems from insufficient input validation and can lead to complete compromise of confidentiality, integrity, and availability of the healthcare database. No evidence of active exploitation (not in CISA KEV) or public proof-of-concept is currently available.