A prototype pollution vulnerability in the XML and GSuiteAdmin nodes of n8n workflow automation platform allows authenticated users with workflow creation or modification permissions to achieve remote code execution. Versions prior to 2.14.1, 2.13.3, and 1.123.27 are affected. The CVSS score of 9.4 (Critical) reflects network-based exploitation with low complexity requiring only low-level authentication, though no current KEV listing or public POC availability is indicated in the provided intelligence.
An authenticated user with workflow creation or modification privileges in n8n workflow automation platform can exploit the Merge node's 'Combine by SQL' mode to read arbitrary local files on the n8n host and achieve remote code execution. n8n versions prior to 2.14.1, 2.13.3, and 1.123.26 are affected. The vulnerability carries a CVSS 4.0 score of 9.4 (Critical) due to insufficient sandbox restrictions in the AlaSQL component, allowing SQL injection-style attacks against the host system. No public proof-of-concept or active exploitation (KEV) status has been reported at this time.
A Code Injection vulnerability (CWE-94) exists in JetFormBuilder versions up to and including 3.5.6.1, allowing attackers to inject and execute arbitrary code within the application context. The vulnerability affects the JetFormBuilder plugin for WordPress across all versions through 3.5.6.1, and an attacker can leverage this to achieve Remote Code Execution (RCE) by injecting malicious code through form-processing mechanisms. Patchstack has documented this vulnerability with an assigned EUVD ID (EUVD-2026-15889), and while a CVSS score has not been formally assigned, the RCE classification indicates critical severity.
Total Poll Lite, a WordPress plugin, contains an improper code injection vulnerability (CWE-94) that allows remote code inclusion and execution. All versions up to and including 4.12.0 are affected. An attacker can exploit this vulnerability to achieve remote code execution (RCE) on WordPress installations running the vulnerable plugin, potentially gaining full control of the affected web application.
A Code Injection vulnerability exists in the Themeisle Woody ad snippets plugin (insert-php) through version 2.7.1 that allows unauthenticated attackers to execute arbitrary PHP code on affected WordPress installations. The vulnerability stems from improper control of code generation, classified as CWE-94, enabling remote code execution (RCE). Patchstack has documented this issue, and affected installations should be patched immediately as the attack vector appears to be network-accessible with low complexity.
The halfdata Green Downloads plugin for WordPress contains an unrestricted file upload vulnerability (CWE-434) that permits attackers to upload malicious files to affected systems. This vulnerability affects Green Downloads versions up to and including 2.08, as confirmed by Patchstack and ENISA. An unauthenticated or low-privileged attacker can exploit this to upload dangerous file types, potentially leading to remote code execution, website defacement, or malware distribution.
A improper input validation vulnerability in GalleryCreator SimpLy Gallery plugin (versions up to 3.3.2) allows attackers to access functionality that should be restricted by access control lists (ACLs), potentially leading to information disclosure and arbitrary code execution. The vulnerability affects WordPress installations using the simply-gallery-block plugin and stems from insufficient validation of quantity inputs combined with inadequate authorization checks. While CVSS scoring is unavailable, the reported nature of the vulnerability suggests elevated risk due to the potential for unauthorized functionality access and code execution capabilities.
WPJAM Basic, a WordPress plugin, contains an unrestricted file upload vulnerability (CWE-434) that allows attackers to upload malicious files without proper validation. All versions through 6.9.2 are affected, potentially enabling remote code execution or other attacks depending on server configuration. While CVSS and EPSS scores are unavailable, the nature of arbitrary file upload vulnerabilities in WordPress plugins typically carries high real-world risk due to ease of exploitation and severe impact.
An unrestricted file upload vulnerability exists in the deothemes Ona WordPress theme that allows attackers to upload web shells to affected servers. All versions of Ona prior to 1.24 are vulnerable, enabling remote code execution through malicious file uploads. This vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type) and represents a critical risk for any WordPress installation using the affected theme versions.
WPBookit Pro through version 1.6.18 contains an unrestricted file upload vulnerability (CWE-434) that allows attackers to upload malicious files to affected WordPress installations. This arbitrary file upload flaw enables remote code execution and complete site compromise without requiring authentication or special privileges. The vulnerability affects all versions of the iqonicdesign WPBookit Pro plugin up to and including 1.6.18, making it a critical risk for WordPress administrators using this booking plugin.
The pdf-image npm package through version 2.0.0 contains an OS command injection vulnerability in the pdfFilePath parameter. Attackers can exploit this remotely without authentication by injecting malicious commands through file path inputs that are passed unsafely to shell commands via child_process.exec(). A proof-of-concept exploit is publicly available on GitHub (zebbernCVE/CVE-2026-26830), significantly increasing exploitation risk.
The node-tesseract-ocr npm package versions through 2.2.1 contains a critical OS command injection vulnerability in the recognize() function where file path parameters are concatenated into shell commands without sanitization before being passed to child_process.exec(). Attackers can achieve complete remote code execution with no authentication required. A proof-of-concept exploit exists at the GitHub repository linked in references (zebbernCVE/CVE-2026-26832), indicating active research into this vulnerability.
Thumbler through version 1.1.2 contains an OS command injection vulnerability in the thumbnail() function where user-supplied input from the input, output, time, or size parameters is directly concatenated into shell commands executed via Node.js child_process.exec() without sanitization or escaping. This allows unauthenticated attackers to execute arbitrary operating system commands with the privileges of the application process. A proof-of-concept has been documented in public repositories, making this vulnerability immediately actionable for exploitation.
The textract library through version 2.5.0 contains an OS command injection vulnerability in its file extraction modules that allows attackers to execute arbitrary operating system commands by crafting malicious filenames. The vulnerability affects multiple extractors (doc.js, rtf.js, dxf.js, images.js, and util.js) where user-supplied file paths are passed directly to child_process.exec() without adequate sanitization. An attacker can exploit this by uploading or referencing files with specially crafted names containing shell metacharacters, leading to complete system compromise with the privileges of the process running textract.
SiYuan, a note-taking application written in Go, contains an unauthenticated directory traversal vulnerability in its /api/file/readDir endpoint. The vulnerability allows remote attackers without authentication to enumerate the entire directory structure of notebooks, configuration folders, plugins, and resource directories, which can be chained with file reading vulnerabilities for arbitrary document access. A working Python proof-of-concept exploit is publicly available, demonstrating recursive directory enumeration of data/ and conf/ directories.
N2W versions prior to 4.3.2 and 4.4.0 prior to 4.4.1 contain improper validation of API request parameters that enables unauthenticated remote code execution. An attacker can craft malicious API requests to bypass input validation and achieve arbitrary code execution on affected systems. This vulnerability affects cloud backup and disaster recovery infrastructure and poses critical risk to data protection environments.
N2W versions before 4.3.2 and 4.4.x before 4.4.1 contain a spoofing vulnerability that enables remote code execution and account credential theft. The vulnerability allows attackers to impersonate legitimate entities, potentially leading to arbitrary code execution on affected systems and unauthorized access to sensitive credentials. No CVSS score, EPSS data, or active KEV designation is currently available, limiting immediate risk quantification.
Insufficient bounds checking in Apple iOS and iPadOS 26.4 allows unauthenticated remote attackers to trigger buffer overflow conditions that corrupt kernel memory or cause system crashes without user interaction. This critical vulnerability affects all devices running the affected OS versions and has no available patch. An attacker can exploit this flaw over the network to achieve denial of service or potentially escalate privileges through kernel memory corruption.
A privilege escalation vulnerability exists in osslsigncode (mtrojnar) versions 2.10 and earlier within the osslsigncode.c component, allowing remote attackers to escalate privileges. The vulnerability affects users of the osslsigncode code signing utility. While CVSS scoring is not yet available, referenced GitHub issues and pull requests suggest this is an authenticated or context-dependent issue that has been identified and likely patched.
An unauthenticated information disclosure vulnerability exists in SiYuan note-taking application that allows remote attackers to read the content of all documents, including encrypted or access-restricted files, through two API endpoints (/api/file/readDir and /api/block/getChildBlocks). A working proof-of-concept Python exploit has been published demonstrating complete document enumeration and content retrieval. With a CVSS score of 9.8 (Critical) indicating network-based exploitation requiring no privileges or user interaction, this represents a severe confidentiality breach for all published SiYuan instances.
A PHP object injection vulnerability exists in the Edge-Themes Pelicula video production and movie theme due to insecure deserialization of untrusted data, classified as CWE-502. The vulnerability affects Pelicula versions prior to 1.10, allowing attackers to inject arbitrary objects and potentially achieve remote code execution or other malicious outcomes. No CVSS score or EPSS data has been published, and no confirmed KEV or active exploitation in the wild has been reported, but the nature of object injection vulnerabilities typically enables high-impact attacks when paired with accessible gadget chains in the WordPress ecosystem.
A deserialization of untrusted data vulnerability exists in Select-Themes Borgholm marketing agency theme (WordPress) that allows object injection attacks. The vulnerability affects Borgholm versions prior to 1.6, and attackers can exploit this to inject malicious PHP objects that execute arbitrary code within the WordPress environment. While no CVSS score or EPSS data is currently available, the CWE-502 classification indicates this is a critical deserialization flaw with high exploitation potential; no active KEV or public POC status is documented, but the vulnerability was reported through Patchstack with full advisory details available.
A deserialization of untrusted data vulnerability (CWE-502) exists in the magepeopleteam Bus Ticket Booking with Seat Reservation WordPress plugin through version 5.6.0, allowing object injection attacks. An attacker can inject malicious serialized PHP objects into the application, potentially leading to remote code execution or other critical impacts depending on available gadget chains in the WordPress environment. No CVSS score or EPSS data is currently available, and KEV status is unknown, but the vulnerability affects all installations running the vulnerable plugin versions.
A PHP Object Injection vulnerability exists in the ThemeREX Buisson WordPress theme through version 1.1.11, stemming from unsafe deserialization of untrusted data (CWE-502). This flaw allows attackers to inject malicious serialized objects that can lead to arbitrary code execution or other object manipulation attacks depending on available gadget chains in the WordPress environment. While no CVSS score or EPSS data is currently published and the vulnerability has not been listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, the public disclosure via Patchstack indicates active awareness in the security community.
A PHP Object Injection vulnerability exists in the ThemeREX Work & Travel Company WordPress theme through version 1.2, stemming from unsafe deserialization of untrusted data (CWE-502). An attacker can exploit this vulnerability to inject malicious objects into the application, potentially leading to remote code execution or arbitrary object manipulation depending on the gadget chains available in the WordPress environment. No CVSS score, EPSS data, or KEV status is currently available, and the vulnerability was identified and reported by Patchstack, though active exploitation status remains unclear.
A PHP Object Injection vulnerability exists in ThemeREX Love Story WordPress theme through version 1.3.12, stemming from unsafe deserialization of untrusted data. This vulnerability allows attackers to inject malicious serialized objects that can lead to remote code execution or other object-oriented attack chains. The vulnerability is classified as CWE-502 (Deserialization of Untrusted Data) and has been reported by Patchstack; no CVSS score or EPSS data is currently available, and KEV status is unknown.
Unauthenticated attackers can bypass authentication controls in NooTheme Jobica Core through an alternate access path, affecting versions up to 1.4.2. This critical vulnerability (CVSS 9.8) enables attackers to gain unauthorized access without credentials or user interaction. No patch is currently available.
A PHP Object Injection vulnerability exists in the Nexa Blocks WordPress plugin (versions up to and including 1.1.1) due to unsafe deserialization of untrusted data, allowing attackers to instantiate arbitrary PHP objects and potentially achieve remote code execution. The vulnerability is classified as CWE-502 (Deserialization of Untrusted Data) and affects all installations of the affected plugin versions. While no CVSS score or EPSS data are currently available, the nature of object injection vulnerabilities combined with PHP's magic methods provides significant exploitation potential for code execution or privilege escalation.
Contest Gallery through version 28.1.2.2 contains an authentication bypass vulnerability that allows unauthenticated remote attackers to abuse alternate authentication paths and gain unauthorized access to the application. With a CVSS score of 9.8 and no patch currently available, this critical vulnerability poses an immediate risk to all affected installations.
A deserialization of untrusted data vulnerability exists in the park_of_ideas Ricky theme (all versions prior to 2.31) that allows object injection attacks. An attacker can inject malicious serialized PHP objects to achieve arbitrary code execution or data manipulation. While no CVSS score or EPSS data is currently available and KEV status is unknown, the CWE-502 classification indicates a critical deserialization flaw that typically requires network access but no authentication.
A PHP Object Injection vulnerability exists in the Tasty Daily WordPress theme (park_of_ideas) through version 1.27, caused by unsafe deserialization of untrusted data (CWE-502). This vulnerability allows attackers to inject arbitrary PHP objects, potentially leading to remote code execution or other malicious actions depending on available gadget chains in the WordPress environment. While no CVSS score or EPSS data is currently published, the vulnerability affects an active WordPress theme distribution and has been documented by Patchstack security researchers.
A PHP Object Injection vulnerability exists in the park_of_ideas Goldish theme due to insecure deserialization of untrusted data, allowing attackers to inject arbitrary objects and potentially achieve remote code execution or other malicious outcomes. The vulnerability affects Goldish versions prior to 3.47. While no CVSS score or EPSS data is publicly available, the CWE-502 classification indicates a serious deserialization flaw that could be exploited if untrusted data is processed without validation.
A deserialization of untrusted data vulnerability exists in the park_of_ideas KIDZ theme that permits object injection attacks. All versions of KIDZ through 5.24 are affected, as confirmed via CPE cpe:2.3:a:park_of_ideas:kidz:*:*:*:*:*:*:*:*. An attacker can inject malicious serialized PHP objects to achieve arbitrary code execution or other unintended actions on affected WordPress installations running this theme.
A PHP object injection vulnerability exists in FantasticPlugins SUMO Affiliates Pro due to unsafe deserialization of untrusted data (CWE-502). This allows attackers to inject malicious serialized objects, potentially achieving remote code execution or other arbitrary actions depending on available gadget chains in the WordPress environment. All versions before 11.4.0 are affected, and a patch has been made available by the vendor.
This is a PHP Object Injection vulnerability in the Metagauss EventPrime WordPress plugin (eventprime-event-calendar-management) caused by unsafe deserialization of untrusted data. All versions up to and including 4.2.8.0 are affected, allowing attackers to inject malicious serialized objects that can lead to remote code execution or arbitrary actions depending on available PHP gadget chains. The vulnerability has been publicly disclosed and documented by Patchstack; exploitation likelihood and real-world impact depend on the presence of exploitable gadget chains in the target WordPress environment.
A PHP Object Injection vulnerability exists in AncoraThemes Beelove WordPress theme through version 1.2.6, allowing attackers to inject and deserialize untrusted objects. This insecure deserialization flaw (CWE-502) enables object injection attacks that could lead to remote code execution or other malicious actions depending on available gadget chains in the WordPress environment. No CVSS score, EPSS data, or KEV confirmation is currently available; however, the vulnerability has been documented by Patchstack and assigned ENISA EUVD ID EUVD-2026-15515, indicating it is tracked in official vulnerability databases.
A PHP object injection vulnerability exists in the Axiom Themes m2 | Construction and Tools Store theme through version 1.1.2, stemming from unsafe deserialization of untrusted data (CWE-502). This allows remote attackers to inject malicious serialized objects that can lead to arbitrary code execution or privilege escalation depending on available gadget chains in the WordPress environment. No CVSS score, EPSS data, or KEV status is currently available, but the vulnerability was reported by Patchstack and affects all installations running the vulnerable theme version.
RewardsWP, a WordPress plugin by Andrew Munro/AffiliateWP, contains an Incorrect Privilege Assignment vulnerability (CWE-266) that allows authenticated or unauthenticated attackers to escalate their privileges within the plugin and potentially the WordPress installation. Affected versions are RewardsWP up to and including 1.0.4. This vulnerability enables privilege escalation attacks, allowing attackers with limited access to gain elevated permissions and control over reward or affiliate functionality.
An Incorrect Privilege Assignment vulnerability (CWE-266) exists in uxper Golo theme versions up to and including 1.7.0, enabling privilege escalation attacks. This WordPress theme vulnerability allows attackers to elevate their privileges within the application, potentially gaining unauthorized administrative access. The vulnerability was reported by Patchstack and affects all versions from an unspecified baseline through 1.7.0; no CVSS score, EPSS data, or active KEV status information is currently available.
Elated-Themes Search & Go contains an Incorrect Privilege Assignment vulnerability (CWE-266) that allows privilege escalation attacks. All versions up to and including version 2.8 are affected. An attacker can exploit this flaw to escalate privileges within the WordPress environment, gaining unauthorized administrative or elevated capabilities. While CVSS and EPSS scores are not available, the vulnerability has been documented by security researcher Patchstack and assigned ENISA EUVD tracking ID EUVD-2026-15582, indicating it has received third-party security scrutiny.
This is an Incorrect Privilege Assignment vulnerability (CWE-266) in the Xagio SEO WordPress plugin that allows privilege escalation. The vulnerability affects Xagio SEO versions up to and including 7.1.0.30. An attacker can exploit this flaw to elevate their privileges within the affected WordPress installation, potentially gaining administrative access or performing unauthorized actions. No CVSS score, EPSS data, or KEV status information is currently available, and the vulnerability has not been confirmed as actively exploited in the wild.
A deserialization vulnerability in OpenTelemetry Java instrumentation versions prior to 2.26.1 allows remote code execution when the RMI instrumentation endpoint processes untrusted data without serialization filters. The vulnerability affects applications using the OpenTelemetry Java agent with network-reachable RMI/JMX endpoints and gadget-chain-compatible libraries on the classpath. This was responsibly disclosed in coordination with Datadog, and a patch is available in version 2.26.1.
A blind SQL injection vulnerability exists in the PublishPress Revisions WordPress plugin through version 3.7.23, allowing attackers to execute arbitrary SQL commands against the underlying database. The vulnerability affects all installations of PublishPress Revisions up to and including version 3.7.23, enabling attackers to extract sensitive data, modify database contents, or potentially achieve remote code execution depending on database permissions and WordPress configuration. No CVSS score or EPSS data is currently available, and KEV status is unknown, though the vulnerability has been documented by Patchstack security researchers with a public reference available.
A blind SQL injection vulnerability exists in QuantumCloud ChatBot plugin affecting versions up to and including 7.7.9, allowing attackers to execute arbitrary SQL commands through improper neutralization of special elements in SQL queries. The vulnerability impacts all installations of the ChatBot plugin across the affected version range, potentially enabling unauthorized data extraction, manipulation, or deletion depending on database permissions. While no CVSS score or EPSS data is currently available, the blind SQL injection classification indicates a high-risk condition requiring immediate patching.
A blind SQL injection vulnerability exists in the Product Rearrange for WooCommerce plugin (versions up to 1.2.2) that allows attackers to execute arbitrary SQL commands against the WooCommerce database without direct output visibility. This affects WordPress installations using the Devteam HaywoodTech product-rearrange-woocommerce plugin, enabling attackers to extract sensitive data, modify database records, or potentially escalate privileges. While no CVSS score or EPSS data is currently published, the vulnerability's classification as blind SQL injection combined with its presence in a publicly available WordPress plugin suggests moderate to high real-world risk of exploitation.
A SQL injection vulnerability exists in the eyecix Addon Jobsearch Chat plugin for WordPress, affecting all versions through 3.0, that allows attackers to execute arbitrary SQL commands against the underlying database. The vulnerability stems from improper neutralization of special SQL characters in user-supplied input, classified under CWE-89 (SQL Injection). While no CVSS score or EPSS metric is currently available, the vulnerability has been documented by Patchstack and assigned ENISA EUVD tracking ID EUVD-2026-15695, indicating active awareness in vulnerability tracking systems.
A blind SQL injection vulnerability exists in King-Theme's Lumise Product Designer WordPress plugin, allowing unauthenticated attackers to extract sensitive data through time-based or boolean-based SQL inference techniques without direct query result visibility. The vulnerability affects all versions of Lumise Product Designer prior to 2.0.9. Attackers can exploit this to bypass authentication, enumerate database schemas, or extract user credentials and plugin configuration data.
A blind SQL injection vulnerability exists in the NooTheme Jobmonster WordPress theme that allows unauthenticated attackers to execute arbitrary SQL queries against the underlying database. The vulnerability affects Jobmonster versions prior to 4.8.4, and while no active exploitation in the wild has been confirmed via KEV status, the vulnerability was disclosed by Patchstack with sufficient technical detail to enable exploitation. This is a critical web application flaw that could lead to complete database compromise, including extraction of sensitive user data, credentials, and job postings.
A blind SQL injection vulnerability exists in WPFactory's Advanced WooCommerce Product Sales Reporting plugin (versions through 4.1.3) that allows attackers to execute arbitrary SQL commands against the underlying database. This WordPress plugin is widely deployed on e-commerce sites using WooCommerce, and the blind SQL injection technique enables attackers to extract sensitive data without requiring direct error message feedback. While no CVSS score, EPSS value, or KEV status has been assigned at this time, the vulnerability is classified as CWE-89 (SQL Injection) and has been documented by Patchstack, indicating active research and potential proof-of-concept availability.
A SQL Injection vulnerability exists in Pebas Lisfinity Core, a WordPress plugin, affecting versions up to and including 1.5.0. This improper neutralization of special elements in SQL commands (CWE-89) allows attackers to inject arbitrary SQL code, potentially leading to unauthorized data access, modification, or deletion of the underlying database. The vulnerability has been documented by Patchstack and assigned EUVD-2026-15489, though no CVSS score, EPSS data, or confirmed active exploitation status is currently available in the provided intelligence.