48 CVEs tracked today. 2 Critical, 20 High, 24 Medium, 2 Low.
-
CVE-2026-35616
CRITICAL
CVSS 9.8
Remote code execution in Fortinet FortiClientEMS versions 7.4.5 through 7.4.6 allows unauthenticated attackers to execute arbitrary code via crafted network requests. The vulnerability stems from improper access control (CWE-284) and requires no user interaction or privileges (CVSS PR:N). Rated Critical with low attack complexity, this represents a severe exposure for organizations running affected FortiClientEMS versions. The CVSS temporal metrics indicate functional exploit code exists (E:F) and an official fix is available (RL:O), making this a high-priority patching target despite no confirmed active exploitation (not present in CISA KEV).
Fortinet
Authentication Bypass
-
CVE-2026-35459
CRITICAL
CVSS 9.3
Server-Side Request Forgery (SSRF) in pyload-ng allows authenticated users with ADD permission to access internal network resources and cloud metadata endpoints by exploiting unchecked HTTP redirect handling. The vulnerability bypasses the CVE-2026-33992 mitigations through redirect chains: pycurl follows up to 10 redirects automatically without validating each destination IP against the SSRF filter, so a permitted external URL can redirect to a blocked internal one. Attackers can retrieve AWS/GCP/Azure instance metadata (including IAM credentials) and probe internal services. Exploitation requires authentication, a higher bar than the unauthenticated CVE-2026-33992, but a public proof-of-concept demonstrates the attack and no vendor-released patch has been identified at time of analysis.
SSRF
Microsoft
-
CVE-2026-35464
HIGH
CVSS 7.5
Arbitrary code execution in pyload-ng via pickle deserialization allows non-admin users with SETTINGS and ADD permissions to write malicious session files and then trigger RCE with a single HTTP request that needs no valid login. Attackers redirect the download directory to Flask's session store (/tmp/pyLoad/flask), plant a crafted pickle payload under a predictable session filename, then trigger deserialization by sending any HTTP request carrying the corresponding session cookie. This bypasses the CVE-2026-33509 fix because storage_folder was not added to ADMIN_ONLY_OPTIONS. No public exploit identified at time of analysis, though detailed proof-of-concept methodology is documented in the advisory. EPSS data not available for this recent CVE.
RCE
Deserialization
Docker
Python
-
CVE-2026-35463
HIGH
CVSS 8.8
Remote code execution in pyLoad download manager allows authenticated non-admin users with SETTINGS permission to execute arbitrary system commands via the AntiVirus plugin configuration. The vulnerability stems from incomplete enforcement of admin-only security controls: while core configuration options like reconnect scripts and SSL certificates require admin privileges, plugin configuration lacks this protection. Attackers can modify the AntiVirus plugin's executable path (avfile) parameter, which is directly passed to subprocess.Popen() without validation, achieving command execution when file downloads complete. CVSS 8.8 reflects network-accessible attack with low complexity requiring only low-privilege authentication. No active exploitation confirmed (not in CISA KEV), but detailed proof-of-concept exists in the GitHub security advisory.
Python
RCE
Privilege Escalation
Command Injection
-
CVE-2026-35457
HIGH
CVSS 8.2
Memory exhaustion in libp2p-rendezvous allows unauthenticated attackers to cause denial-of-service via unbounded pagination cookie storage. Remote attackers can repeatedly send protocol-compliant DISCOVER requests to force unlimited HashMap growth without authentication or rate limiting. No public exploit identified at time of analysis, though proof-of-concept exists in maintainer-controlled fork. EPSS data not available for this newly-assigned CVE; CVSS 8.2 reflects high availability impact with low attack complexity.
Denial Of Service
-
CVE-2026-35454
HIGH
CVSS 8.7
Path traversal in Coder code-marketplace ≤ v2.4.1 allows authenticated users to write arbitrary files outside the extension directory during VSIX extraction. The ExtractZip function passes unsanitized zip entry names containing '..' sequences to filepath.Join, which resolves parent directory references without confining output to the intended base path. Attackers can inject malicious cron jobs, SSH keys, or overwrite binaries depending on process privileges. Fixed in v2.4.2. No active exploitation confirmed (not in CISA KEV); publicly available exploit code exists.
Path Traversal
-
CVE-2026-35442
HIGH
CVSS 8.1
Directus CMS aggregate query functions bypass field-level concealment controls, exposing static API tokens and TOTP secrets from the directus_users table to any authenticated user with read access. Attackers can extract credentials for all accounts via min/max operations combined with groupBy clauses, enabling account takeover and two-factor authentication bypass. CVSS 8.1 (High) reflects network-accessible attack requiring only low-privilege authentication. No public exploit code or CISA KEV listing identified at time of analysis, though the attack vector is clearly documented in the GitHub security advisory.
Information Disclosure
-
CVE-2026-35412
HIGH
CVSS 7.1
Arbitrary file overwrite in Directus TUS resumable upload endpoint allows authenticated users to replace any existing file by UUID, bypassing row-level access controls. The vulnerability affects the npm package directus, where the /files/tus controller validates only collection-level permissions but skips item-level authorization checks. Attackers with basic file upload permissions can permanently overwrite victim files with malicious content, potentially escalating privileges by replacing admin-owned assets. EPSS data not available, but the low attack complexity and low-privilege requirement (CVSS AC:L, PR:L) together with the specific bypass mechanism suggest focused targeting risk. No active exploitation confirmed (not in CISA KEV), and no public exploit code identified at time of analysis.
Privilege Escalation
Authentication Bypass
File Upload
-
CVE-2026-35409
HIGH
CVSS 7.7
Server-Side Request Forgery (SSRF) in Directus headless CMS allows authenticated attackers (or unauthenticated users with public file-import permissions) to bypass IP address deny-list protections and access internal network resources. Attackers exploit IPv4-Mapped IPv6 address notation (e.g., ::ffff:127.0.0.1) to circumvent validation logic, enabling unauthorized requests to localhost services, internal databases, caches, APIs, and cloud instance metadata endpoints (AWS/GCP/Azure IMDS). With CVSS 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N) indicating low attack complexity, network accessibility, and scope change with high confidentiality impact, this represents a significant risk for data exfiltration from cloud environments and internal infrastructure. No public exploit identified at time of analysis, though the technical details in the advisory provide clear exploitation guidance.
SSRF
Canonical
Microsoft
-
CVE-2026-35408
HIGH
CVSS 8.7
OAuth authorization flow interception in Directus enables attackers to steal victims' identity provider access tokens through cross-origin window manipulation. This authentication bypass vulnerability (CVSS 8.7) affects the Directus npm package due to missing Cross-Origin-Opener-Policy headers on SSO login pages, allowing malicious sites to redirect OAuth flows to attacker-controlled clients. No public exploit identified at time of analysis; EPSS data unavailable. Attack complexity is rated HIGH because the victim must interact with an attacker-controlled origin during the authentication flow.
Authentication Bypass
Google
-
CVE-2026-35405
HIGH
CVSS 7.5
Unbounded namespace registration in libp2p-rendezvous allows remote unauthenticated attackers to trigger out-of-memory conditions on rendezvous servers. The Rust implementation accepts unlimited unique namespace registrations per peer with 72-hour TTLs, enabling resource exhaustion via repeated REGISTER messages. Confirmed publicly available exploit code exists. CVSS 7.5 (High) reflects network accessibility and lack of authentication barriers, while the straightforward attack vector (simple loop of registration requests) presents immediate risk to public rendezvous nodes critical for peer discovery in libp2p networks.
Denial Of Service
-
CVE-2026-35394
HIGH
CVSS 8.3
Arbitrary Android intent execution in mobile-mcp npm package (versions <0.0.50) allows remote attackers to trigger USSD codes, phone calls, SMS drafting, and content provider access through unvalidated URL schemes passed to adb shell commands. Attack vector exploits AI agent prompt injection: malicious documents can instruct connected AI systems to execute dangerous intents on paired Android devices. CVSS 8.3 (Network/Low complexity/No privileges/User interaction required). Publicly available exploit code exists. Vendor-released patch available (version 0.0.50+).
RCE
Google
-
CVE-2026-35213
HIGH
CVSS 8.7
Regular Expression Denial of Service (ReDoS) in @hapi/content npm package versions through 6.0.0 allows unauthenticated remote attackers to stall Node.js processes via a single HTTP request containing maliciously crafted Content-Type or Content-Disposition header values. Three regular expressions used for header parsing contain catastrophic backtracking patterns that can consume unbounded CPU time, blocking the event loop and taking the service offline. Vendor-released patch available via GitHub (PR #38). No public exploit code identified at time of analysis, though the attack vector is straightforward for any attacker able to send HTTP requests.
Node.js
Denial Of Service
-
CVE-2026-35209
HIGH
CVSS 7.5
Prototype pollution in defu npm package (≤6.1.4) allows remote attackers to override application logic by injecting __proto__ keys through unsanitized user input. The vulnerability enables authentication bypass and arbitrary property injection when applications merge untrusted JSON, database records, or configuration data using defu(). CVSS 7.5 (High) with network-accessible, low-complexity exploitation requiring no authentication. No active exploitation confirmed (not in CISA KEV), but public proof-of-concept exists in the GitHub advisory demonstrating admin privilege escalation.
Prototype Pollution
Authentication Bypass
-
CVE-2026-35187
HIGH
CVSS 7.7
Server-Side Request Forgery in pyLoad-ng allows authenticated users with ADD permissions to read local files via file:// protocol, access internal network services, and exfiltrate cloud metadata. The parse_urls API endpoint fetches arbitrary URLs without protocol validation, enabling attackers to read /etc/passwd, configuration files, SQLite databases, and AWS/GCP metadata endpoints at 169.254.169.254. Error-based responses create a file existence oracle. Multi-protocol support (file://, gopher://, dict://) escalates impact beyond standard HTTP SSRF. CVSS 7.7 reflects network attack vector, low complexity, and scope change with high confidentiality impact. No public exploit code identified at time of analysis, though detailed proof-of-concept included in advisory demonstrates exploitation via curl commands against Docker deployments.
SSRF
Docker
Redis
Python
CSRF
-
CVE-2026-30762
HIGH
CVSS 7.5
LightRAG's JWT authentication can be bypassed via a hardcoded default secret 'lightrag-jwt-default-secret' when TOKEN_SECRET is not configured. Unauthenticated attackers can forge valid tokens to access protected API endpoints in installations running v1.4.10 with AUTH_ACCOUNTS enabled but TOKEN_SECRET unset. CVSS 7.5 (High) reflects network-accessible confidentiality breach with no authentication required. No public exploit identified at time of analysis, though the hardcoded secret is publicly documented in the vulnerability disclosure. EPSS data not available for this CVE.
AI / ML
Hardcoded Credentials
Jwt Attack
-
CVE-2026-5425
HIGH
CVSS 7.2
Stored cross-site scripting (XSS) in the Widgets for Social Photo Feed WordPress plugin (versions ≤1.7.9) allows unauthenticated remote attackers to inject malicious scripts via unsanitized 'feed_data' parameter keys, achieving persistent code execution in victim browsers with scope change impact. The vulnerability stems from insufficient input validation on widget configuration data. CVSS 7.2 reflects network-accessible, low-complexity exploitation requiring no privileges or user interaction, with changed scope enabling attacks beyond the vulnerable component. Patch released in version 1.8 per WordPress.org changeset references. No confirmed active exploitation (not in CISA KEV) or public proof-of-concept identified at time of analysis, though the technical simplicity and unauthenticated attack vector present moderate real-world risk for sites using affected versions.
WordPress
XSS
-
CVE-2026-4896
HIGH
CVSS 8.1
Insecure Direct Object Reference in WCFM Frontend Manager for WooCommerce (versions ≤6.7.25) allows authenticated vendors to manipulate arbitrary orders and delete any WordPress posts, products, or pages beyond their ownership scope. Exploitation requires only vendor-level credentials (PR:L) with no user interaction, enabling privilege escalation through unauthorized access to store-wide content. EPSS data not available; no public exploit identified at time of analysis, though the vulnerability's straightforward IDOR nature increases weaponization risk once details are public.
WordPress
Authentication Bypass
-
CVE-2026-3666
HIGH
CVSS 8.8
Arbitrary file deletion in wpForo Forum WordPress plugin versions ≤2.4.16 allows authenticated attackers with subscriber-level privileges to delete any file on the server by embedding path traversal sequences in forum post content and subsequently deleting the post. CVSS 8.8 (High) with network-based attack vector requiring low-complexity exploitation. No public exploit identified at time of analysis; EPSS data unavailable. Patched in version 2.4.17 per WordPress plugin repository changeset.
WordPress
Path Traversal
-
CVE-2026-3445
HIGH
CVSS 7.1
Authenticated attackers with subscriber-level access can obtain paid lifetime membership plans in the ProfilePress WordPress plugin (≤4.16.11) without payment by exploiting a missing ownership verification flaw. The vulnerability allows hijacking of another user's active subscription during checkout to manipulate proration calculations. With a 7.1 CVSS score, low attack complexity, and requiring only low-privilege authentication, this presents a significant revenue loss risk for sites using ProfilePress for paid memberships. No public exploit identified at time of analysis; EPSS data not available. Vendor patch released in version 4.16.12.
WordPress
Authentication Bypass
-
CVE-2026-2936
HIGH
CVSS 7.2
Stored Cross-Site Scripting in Visitor Traffic Real Time Statistics WordPress plugin (≤8.4) allows unauthenticated remote attackers to inject malicious JavaScript via the 'page_title' parameter that executes when administrators view the Traffic by Title section. No public exploit identified at time of analysis; CVSS 7.2 (High) reflects the unauthenticated attack vector and cross-site scripting scope. An upstream fix exists as a Trac changeset, but a released patched version could not be independently confirmed from that reference.
WordPress
XSS
-
CVE-2026-1233
HIGH
CVSS 7.5
Hardcoded database credentials in Text to Speech for WP (AI Voices by Mementor) WordPress plugin versions ≤1.9.8 expose the vendor's external telemetry MySQL server to unauthorized write access by unauthenticated remote attackers. The credentials are embedded in the Mementor_TTS_Remote_Telemetry class and can be extracted via static analysis or HTTP request inspection. EPSS data not provided, but the unauthenticated network vector (CVSS:3.1/AV:N/AC:L/PR:N) and public disclosure via Wordfence indicate elevated risk, despite no confirmed active exploitation (not in CISA KEV) and no publicly available exploit code identified at time of analysis.
WordPress
Information Disclosure
Authentication Bypass
-
CVE-2026-35452
MEDIUM
CVSS 5.3
Unauthenticated information disclosure in AVideo CloneSite plugin allows remote attackers to retrieve sensitive operational logs containing internal filesystem paths, remote server URLs, and SSH connection metadata via the client.log.php endpoint, which lacks authentication controls present in all sibling endpoints within the same plugin directory.
PHP
Information Disclosure
-
CVE-2026-35450
MEDIUM
CVSS 5.3
Unauthenticated access to FFmpeg server configuration endpoint in AVideo allows remote attackers to probe infrastructure details and determine encoding architecture without authentication, while sibling management endpoints properly enforce admin-only access. This information disclosure aids reconnaissance for targeted attacks against video encoding infrastructure. CVSS 5.3, no public exploit code identified, no active exploitation confirmed.
PHP
Authentication Bypass
-
CVE-2026-35449
MEDIUM
CVSS 5.3
AVideo install/test.php diagnostic script exposes sensitive viewer statistics including IP addresses, session IDs, and user agents to unauthenticated remote attackers due to a disabled CLI-only access guard. The vulnerability allows any visitor to retrieve video viewer data via HTTP GET requests without authentication, combined with enabled error reporting that leaks internal filesystem paths. CVSS 5.3 reflects low confidentiality impact; no public exploit code identified at time of analysis.
PHP
Information Disclosure
-
CVE-2026-35441
MEDIUM
CVSS 6.5
Directus GraphQL endpoints fail to deduplicate resolver invocations within single requests, allowing authenticated users to exploit GraphQL aliasing for denial-of-service attacks. An attacker with minimal read-only permissions can repeat expensive relational queries using multiple aliases in a single request, forcing concurrent execution of numerous complex database queries that exhaust connection pools and server resources, potentially degrading or crashing the service. No public exploit code has been identified, and this vulnerability requires prior authentication to the Directus instance.
Denial Of Service
-
CVE-2026-35413
MEDIUM
CVSS 5.3
Directus allows information disclosure of GraphQL schema structure via the `/graphql/system` endpoint when `GRAPHQL_INTROSPECTION=false` is configured, exposing collection names, field names, types, and relationships to unauthenticated users and authenticated users at their permission level. The vulnerability bypasses the introspection control mechanism by returning an equivalent SDL (Schema Definition Language) representation through the `server_specs_graphql` resolver, giving administrators a false sense of security while schema information remains publicly accessible.
Information Disclosure
-
CVE-2026-35411
MEDIUM
CVSS 4.3
Open redirect vulnerability in Directus allows unauthenticated attackers to redirect administrators to attacker-controlled URLs after 2FA setup completion via a crafted `/admin/tfa-setup` redirect parameter. The attack leverages user interaction on the trusted Directus domain before redirecting to a malicious site, enabling phishing campaigns targeting administrators. CVSS 4.3 (Medium); no public exploit code or active exploitation confirmed.
Open Redirect
-
CVE-2026-35410
MEDIUM
CVSS 6.1
Open redirect vulnerability in Directus login redirection logic allows unauthenticated attackers to bypass URL allow-list validation through malformed URLs containing backslashes, silently redirecting authenticated users to arbitrary external domains. The vulnerability exploits a parser differential between server-side validation and browser URL normalization, creating a phishing vector particularly dangerous in SSO/OAuth2 flows where attackers can capture authentication tokens without visible user indication. CVSS 6.1 reflects moderate real-world risk due to user interaction requirement and limited direct confidentiality impact, but the attack chain (authentication + silent redirect + credential theft) presents meaningful business risk.
Open Redirect
-
CVE-2026-5527
MEDIUM
CVSS 5.5
Tenda 4G03 Pro wireless router contains a hard-coded ECDSA P-256 private key in the /etc/www/pem/server.key file. Because the key ships inside the firmware image, anyone who extracts it can present the router's HTTPS identity: impersonating the device and, from a man-in-the-middle position, intercepting or altering management sessions without authentication (as a signing key it enables impersonation rather than passive decryption of recorded forward-secret sessions). The vulnerability affects firmware versions 1.0, 1.0re, 01.bin, and 04.03.01.53; temporal metrics indicate proof-of-concept exploitation is likely (E:P). No public exploit code has been independently confirmed at the time of this analysis.
Tenda
Information Disclosure
-
CVE-2026-5526
MEDIUM
CVSS 6.9
Improper access controls in Tenda 4G03 Pro firmware (versions up to 04.03.01.53) enable unauthenticated remote attackers to bypass authentication mechanisms via the /bin/httpd binary, potentially achieving unauthorized administrative access to the router. This vulnerability has publicly available exploit code and affects consumer-grade 4G routers commonly used for home and small office networks. EPSS data not available, but the combination of network-accessible attack vector, low complexity, and public exploit elevates real-world risk.
Tenda
Authentication Bypass
-
CVE-2026-3571
MEDIUM
CVSS 6.5
Unauthenticated attackers can modify registration form status in Pie Register plugin for WordPress versions up to 3.8.4.8 due to a missing capability check in the pie_main() function. The vulnerability allows unauthorized changes to critical registration settings without authentication, impacting the integrity of user registration workflows. CVSS 6.5 reflects moderate severity; no public exploit code or active exploitation has been confirmed at this time.
WordPress
Authentication Bypass
-
CVE-2026-3309
MEDIUM
CVSS 6.5
Arbitrary shortcode execution in ProfilePress plugin for WordPress (all versions up to 4.16.11) allows unauthenticated attackers to execute arbitrary shortcodes by injecting malicious code into billing field values during checkout, potentially leading to information disclosure or content manipulation. The vulnerability stems from insufficient sanitization of user-supplied input before shortcode processing. Wordfence has documented this issue with a CVSS score of 6.5 and no confirmed active exploitation at time of analysis.
WordPress
Code Injection
RCE
-
CVE-2026-2949
MEDIUM
CVSS 6.4
Stored Cross-Site Scripting (XSS) in Xpro Addons - 140+ Widgets for Elementor plugin for WordPress up to version 1.4.24 allows authenticated contributors and above to inject malicious scripts via the Icon Box widget that execute for all users viewing affected pages. The vulnerability stems from insufficient input sanitization and output escaping, making it a direct code injection risk in a widely-used page builder extension. CVSS 6.4 reflects moderate severity with limited direct impact (confidentiality and integrity) but cross-site scope; no public exploit code or active exploitation has been identified at time of analysis.
WordPress
XSS
-
CVE-2026-2924
MEDIUM
CVSS 6.4
Stored Cross-Site Scripting in Gutenverse - Ultimate WordPress FSE Blocks Addons & Ecosystem plugin versions up to 3.4.6 allows authenticated attackers with contributor-level access or higher to inject arbitrary JavaScript via the 'imageLoad' parameter, resulting in persistent script execution in pages viewed by other users. CVSS 6.4 reflects medium severity with cross-site scope; no public exploit code or active exploitation has been identified at the time of analysis, but the vulnerability requires only low privileges and no user interaction beyond initial page access.
WordPress
XSS
-
CVE-2026-2826
MEDIUM
CVSS 4.3
Kadence Blocks Page Builder Toolkit for Gutenberg Editor plugin for WordPress allows authenticated contributors to bypass authorization checks and upload arbitrary images to the Media Library via the process_pattern REST API endpoint. An attacker with contributor-level access or higher can supply remote image URLs that the server downloads and converts into media attachments, exploiting missing capability verification for the upload_files action. No public exploit code or active exploitation has been reported at time of analysis.
WordPress
Authentication Bypass
-
CVE-2026-2600
MEDIUM
CVSS 6.4
Stored Cross-Site Scripting in ElementsKit Elementor Addons and Templates plugin (versions up to 3.7.9) allows authenticated contributors and above to inject malicious scripts via the 'ekit_tab_title' parameter in the Simple Tab widget due to insufficient input sanitization and output escaping. Injected scripts execute when users access affected pages. No public exploit code or active exploitation has been identified at time of analysis.
WordPress
XSS
-
CVE-2026-2437
MEDIUM
CVSS 6.4
Stored Cross-Site Scripting in WP Travel Engine plugin versions up to 6.7.5 allows authenticated contributors and above to inject malicious scripts via the 'wte_trip_tax' shortcode due to insufficient input sanitization and output escaping. When site visitors access pages containing the injected payload, the arbitrary JavaScript executes in their browsers, enabling session hijacking, credential theft, or malware distribution. No public exploit code or active exploitation has been identified at time of analysis.
WordPress
XSS
-
CVE-2026-0738
MEDIUM
CVSS 6.4
Stored Cross-Site Scripting in WP Shortcodes Plugin - Shortcodes Ultimate up to version 7.4.8 allows authenticated attackers with author-level permissions to inject arbitrary JavaScript into pages via the su_carousel shortcode's 'su_slide_link' attachment meta field. The vulnerability stems from insufficient input sanitization and output escaping, enabling malicious scripts to execute when any user visits an affected page. No public exploit code or active exploitation has been identified at the time of analysis.
WordPress
XSS
-
CVE-2026-0737
MEDIUM
CVSS 6.4
Stored Cross-Site Scripting (XSS) in WP Shortcodes Plugin - Shortcodes Ultimate up to version 7.4.7 allows authenticated contributors and above to inject arbitrary JavaScript via the 'src' attribute of the su_lightbox shortcode, which executes in the browsers of all users viewing the affected page. The vulnerability stems from insufficient input sanitization and output escaping, requiring only contributor-level access to exploit. No public exploit code or active exploitation has been confirmed at time of analysis.
WordPress
XSS
-
CVE-2026-0664
MEDIUM
CVSS 6.4
Stored Cross-Site Scripting (XSS) in Royal Addons for Elementor plugin allows authenticated contributors and above to inject arbitrary JavaScript via the 'button_text' parameter, affecting all versions through 1.7.1049. The vulnerability stems from insufficient input sanitization and output escaping, enabling attackers to execute malicious scripts in the context of any user visiting an affected page. No public exploit code or active exploitation has been identified at time of analysis.
WordPress
XSS
-
CVE-2026-0626
MEDIUM
CVSS 6.4
Stored cross-site scripting (XSS) in WPFunnels - Easy Funnel Builder plugin for WordPress versions up to 3.7.9 allows authenticated contributors and higher-privileged users to inject arbitrary JavaScript via the 'button_icon' parameter in the 'wpf_optin_form' shortcode due to insufficient input sanitization and output escaping. The injected scripts execute in the context of any user viewing the affected page, potentially compromising website visitors and enabling session hijacking, credential theft, or malware distribution. This vulnerability requires authenticated attacker access but affects all site visitors who view injected pages.
WordPress
XSS
-
CVE-2026-0552
MEDIUM
CVSS 6.4
Stored Cross-Site Scripting (XSS) in Simple Shopping Cart WordPress plugin versions up to 5.2.4 allows authenticated contributors and above to inject arbitrary JavaScript via the 'wpsc_display_product' shortcode attributes due to insufficient input sanitization and output escaping. Injected scripts execute in the browsers of all users viewing affected pages. No public exploit code or active exploitation has been reported at time of analysis.
WordPress
XSS
-
CVE-2025-15064
MEDIUM
CVSS 6.4
Stored cross-site scripting in Ultimate Member plugin versions up to 2.11.1 allows authenticated subscribers and above to inject arbitrary JavaScript via the user description field when HTML support is enabled, executing malicious scripts in pages viewed by other users. The vulnerability requires prior authentication and user interaction but affects site visitors broadly once injected. Wordfence reported the issue; a fix is available in patched versions.
WordPress
XSS
-
CVE-2025-14938
MEDIUM
CVSS 5.3
Unauthenticated arbitrary media upload in Listeo Core plugin for WordPress (versions up to 2.0.27) allows remote attackers to upload arbitrary files to the site's media library via the unprotected listeo_core_handle_dropped_media AJAX endpoint. The vulnerability stems from missing authorization checks and does not directly enable code execution, but significantly degrades site integrity by enabling malicious file storage and potential downstream attacks.
WordPress
File Upload
RCE
-
CVE-2025-13368
MEDIUM
CVSS 6.4
Stored Cross-Site Scripting in Xpro Addons - 140+ Widgets for Elementor plugin up to version 1.4.20 allows authenticated contributors and above to inject malicious scripts via the Pricing Widget's 'onClick Event' setting, which execute in the browsers of any user viewing the affected pages. The vulnerability stems from insufficient input sanitization and output escaping, enabling persistent XSS attacks that compromise site integrity and user sessions. No active exploitation has been confirmed, but the low attack complexity and contributor-level access requirement present a moderate real-world risk for WordPress sites with contributor user bases.
WordPress
XSS
-
CVE-2026-35448
LOW
CVSS 3.7
Unauthenticated access to payment order data in the BlockonomicsYPT plugin for AVideo allows remote attackers to retrieve sensitive payment information including user IDs, transaction amounts, and Bitcoin transaction details for any address without authentication. The vulnerable check.php endpoint returns complete order records queryable by Bitcoin address alone, enabling attackers to link on-chain transactions to specific platform user accounts and violate user privacy. No exploit complexity is required beyond discovering Bitcoin addresses on the public blockchain.
PHP
Authentication Bypass
-
CVE-2026-35200
LOW
CVSS 2.1
Parse Server file upload handler fails to validate Content-Type headers against filename extensions, allowing attackers to upload files with benign extensions (e.g., .txt) but malicious MIME types (e.g., text/html) that are served with the user-supplied Content-Type by cloud storage adapters like S3 and GCS. This enables content-type confusion attacks such as reflected XSS when files are served through CDNs or web servers that trust the stored Content-Type header. The default GridFS adapter is unaffected due to its filename-based Content-Type derivation at serving time.
File Upload