499 CVEs tracked today. 20 Critical, 122 High, 206 Medium, 6 Low.
-
CVE-2025-14816
CRITICAL
CVSS 9.3
SQL Server credentials are displayed in cleartext within the Hyper Historian Splitter GUI across multiple Mitsubishi Electric SCADA/HMI platforms (GENESIS64, ICONICS Suite, MC Works64, and related products), allowing local authenticated attackers with low privileges to capture database credentials and subsequently gain unauthorized access to backend SQL Servers. This affects versions 10.97.3 and prior for most products and all versions of MC Works64. No active exploitation confirmed (not in CISA KEV), though CISA has issued ICS advisory ICSA-26-097-01. With a CVSS 9.3 (Critical) score reflecting high confidentiality, integrity, and availability impact on both vulnerable and subsequent systems, the risk centers on credential theft enabling downstream SQL Server compromise.
Information Disclosure
-
CVE-2025-14815
CRITICAL
CVSS 9.3
Plaintext SQL Server credential storage in Mitsubishi Electric SCADA/HMI products allows local authenticated attackers with low-complexity exploitation to extract database credentials from SQLite cache files, enabling subsequent unauthorized SQL Server access for data manipulation and denial-of-service attacks. Affects multiple product lines including GENESIS64 ≤10.97.3, ICONICS Suite ≤10.97.3, and all MC Works64 versions when local SQLite caching is enabled with SQL authentication. CVSS 9.3 severity reflects extensive downstream impact potential (confidentiality, integrity, availability across both vulnerable system and connected SQL Server). No evidence of active exploitation (not in CISA KEV), but EPSS data unavailable and attack complexity rated low with only local authenticated access required.
Information Disclosure
-
CVE-2026-40088
CRITICAL
CVSS 9.6
Command injection in PraisonAI pip package allows remote code execution when processing untrusted YAML workflows, agent configurations, or LLM-generated tool calls. Multiple execution paths (`execute_command`, workflow shell steps, action orchestrator) pass user-controlled input to `subprocess.run()` with `shell=True`, enabling arbitrary command execution via shell metacharacters (`;`, `|`, `&&`, `$()`). Affected: PraisonAI versions < 4.5.121. Attack vectors include malicious YAML definitions, agent marketplace poisoning, and document-based prompt injection. No public exploit identified at time of analysis. CVSS 9.7 (Critical) reflects network-accessible unauthenticated attack requiring only user interaction, with complete system compromise potential.
Command Injection
Python
-
CVE-2026-40035
CRITICAL
CVSS 9.3
Remote code execution in dfir-unfurl versions through 20250810 via exposed Werkzeug debugger. Improper string-based config parsing enables Flask debug mode by default, allowing unauthenticated remote attackers to access the interactive debugger interface and execute arbitrary Python code or extract sensitive application data including source code, environment variables, and stack traces. No public exploit identified at time of analysis.
RCE
Python
-
CVE-2026-39987
CRITICAL
CVSS 9.3
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/terminal/ws` WebSocket endpoint. The terminal handler skips authentication validation entirely, accepting connections without credential checks and spawning PTY shells directly. Attackers obtain full interactive shell access as root in default Docker deployments through a single WebSocket connection, bypassing Marimo's authentication middleware. No public exploit identified at time of analysis.
Docker
Authentication Bypass
Python
-
CVE-2026-39890
CRITICAL
CVSS 9.8
Unsafe YAML deserialization in PraisonAI allows remote code execution through malicious agent definition files. The AgentService.loadAgentFromFile method uses js-yaml.load without safe schema restrictions, permitting dangerous tags like !!js/function that execute arbitrary JavaScript. Unauthenticated attackers can upload crafted YAML files via API endpoints to achieve complete server compromise. Affects PraisonAI prior to v4.5.115. Publicly available exploit code exists via proof-of-concept demonstrating command execution.
RCE
Deserialization
-
CVE-2026-39888
CRITICAL
CVSS 9.9
Remote code execution in praisonaiagents (all versions through 1.5.113) allows authenticated users to escape the Python subprocess sandbox and execute arbitrary shell commands on the host. The vulnerability exists in the execute_code() tool's sandbox mode, where an incomplete AST attribute blocklist permits frame traversal through exception objects (__traceback__, tb_frame, f_back, f_builtins). Attackers chain these four unblocked attributes to retrieve the real exec builtin from the subprocess wrapper's frame, bypassing all security layers. Exploitation requires low-privilege agent API access and no victim interaction. Confirmed actively exploited (CISA KEV). Publicly available exploit code exists.
RCE
Python
-
CVE-2026-39860
CRITICAL
CVSS 9.0
Local privilege escalation in Nix package manager daemon (versions prior to 2.34.5/2.33.4/2.32.7/2.31.4/2.30.4/2.29.3/2.28.6) allows unprivileged users to gain root access in multi-user Linux installations. Incomplete fix for CVE-2024-27297 permits symlink attacks during fixed-output derivation registration, enabling arbitrary file overwrites as root. Attackers exploit sandboxed build registration by placing symlinks in temporary output paths, causing the daemon to follow symlinks and overwrite sensitive system files with controlled content. Affects default configurations where all users can submit builds. No public exploit identified at time of analysis.
Information Disclosure
Apple
-
CVE-2026-39619
CRITICAL
CVSS 9.6
Cross-Site Request Forgery (CSRF) in Busiprof WordPress theme versions ≤2.5.2 enables unauthenticated attackers to upload web shells to the server by tricking authenticated administrators into executing malicious requests. Successful exploitation grants remote code execution capabilities through arbitrary file upload, allowing complete server compromise. CVSS 9.6 reflects cross-site scope with high confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, with low observed exploitation activity (EPSS 0.01%).
CSRF
Busiprof
-
CVE-2026-39617
CRITICAL
CVSS 9.6
Cross-Site Request Forgery in priyanshumittal Bluestreet WordPress theme through version 1.7.3 enables unauthenticated attackers to perform arbitrary plugin installations via CSRF. Exploitation requires user interaction (victim must click malicious link or visit attacker-controlled page while authenticated to WordPress). High severity due to scope change and potential for complete site compromise through malicious plugin deployment. No public exploit identified at time of analysis.
CSRF
Bluestreet
-
CVE-2026-31040
CRITICAL
CVSS 9.8
Remote code execution via command injection in stata-mcp versions before 1.13.0 allows unauthenticated attackers to execute arbitrary commands through insufficiently validated Stata do-file content. The vulnerability stems from CWE-94 improper control of code generation, enabling network-accessible exploitation without user interaction. CVSS 9.8 (Critical) reflects complete compromise of confidentiality, integrity, and availability. No public exploit identified at time of analysis; low observed exploitation activity (EPSS 0.02%, percentile 6%).
RCE
Code Injection
-
CVE-2026-31017
CRITICAL
CVSS 9.1
Server-Side Request Forgery in ERPNext 16.0.1 and Frappe Framework 16.1.1 enables unauthenticated attackers to force servers to make arbitrary HTTP requests to internal services through insufficiently sanitized HTML in Print Format PDF generation. Attackers inject HTML elements like <iframe> referencing external resources, which the PDF rendering engine automatically fetches server-side, exposing cloud metadata endpoints and internal network resources. No public exploit identified at time of analysis. CVSS 9.1 severity reflects network-accessible attack vector requiring no authentication or user interaction.
Information Disclosure
SSRF
N A
-
CVE-2026-25776
CRITICAL
CVSS 9.3
Code injection in Movable Type CMS allows unauthenticated remote attackers to execute arbitrary Perl code with critical impact. The CVSS:4.0 score of 9.3 reflects network-accessible exploitation requiring no privileges or user interaction (AV:N/AC:L/PR:N/UI:N), enabling complete system compromise. No public exploit identified at time of analysis; EPSS data unavailable. Vendor Six Apart has released patched version MT 9.0.7 addressing this CWE-94 code injection flaw.
Code Injection
RCE
-
CVE-2026-5874
CRITICAL
CVSS 9.6
Use-after-free vulnerability in Google Chrome's PrivateAI component (versions prior to 147.0.7727.55) enables sandbox escape when remote attackers socially engineer victims into performing specific UI interactions with malicious HTML pages. Exploitation requires user engagement with attacker-controlled content but no authentication. CVSS 9.6 critical severity reflects potential for complete compromise of confidentiality, integrity, and availability with scope change indicating sandbox boundary violation. No public exploit identified at time of analysis; low observed exploitation activity (EPSS 0.03%).
Denial Of Service
Memory Corruption
Google
Use After Free
-
CVE-2026-4003
CRITICAL
CVSS 9.8
Arbitrary user metadata modification in Users Manager - PN plugin for WordPress (versions ≤1.1.15) allows unauthenticated remote attackers to escalate privileges and hijack accounts. The vulnerability stems from flawed authorization logic in userspn_ajax_nopriv_server() that fails to verify authentication when user_id is supplied, combined with publicly exposed nonce values. Attackers can modify critical user metadata including userspn_secret_token for any WordPress user. CVSS 9.8 (Critical). EPSS data not available. No public exploit identified at time of analysis, but exploitation requires only HTTP requests with predictable parameters.
WordPress
Privilege Escalation
Authentication Bypass
-
CVE-2026-3535
CRITICAL
CVSS 9.8
Remote code execution in DSGVO Google Web Fonts GDPR WordPress plugin (all versions ≤1.1) allows unauthenticated attackers to upload PHP webshells via arbitrary file upload. The DSGVOGWPdownloadGoogleFonts() function, exposed through wp_ajax_nopriv_ hooks, accepts user-supplied URLs without file type validation and writes content to publicly accessible directories. Exploitation requires the target site to use specific themes (twentyfifteen, twentyseventeen, twentysixteen, storefront, salient, or shapely). CVSS 9.8 Critical reflects network-accessible, unauthenticated attack vector with full system compromise potential. No public exploit identified at time of analysis, though the vulnerability class (CWE-434 unrestricted file upload) is well-understood and commonly weaponized.
WordPress
PHP
RCE
File Upload
Google
-
CVE-2026-3296
CRITICAL
CVSS 9.8
PHP object injection in Everest Forms for WordPress (all versions ≤3.4.3) allows unauthenticated remote attackers to achieve critical system compromise. Attackers submit malicious serialized payloads through any public form field, which persist through sanitization into the wp_evf_entrymeta database table. When administrators view form entries, unsafe unserialize() without class restrictions processes the payload, enabling arbitrary code execution. CVSS 9.8 (Critical) reflects network-accessible attack requiring no authentication or user interaction. No active exploitation confirmed (not in CISA KEV); EPSS data not provided. Vendor-released patch available in version 3.4.4.
WordPress
PHP
Deserialization
-
CVE-2026-3199
CRITICAL
CVSS 9.4
Remote code execution in Sonatype Nexus Repository 3.22.1-3.90.2 allows authenticated attackers with task creation permissions to execute arbitrary code via unsafe deserialization in the task management component. Exploitation bypasses the nexus.scripts.allowCreation security control, granting unauthorized code execution on the server. CVSS 9.4 (Critical). No public exploit identified at time of analysis. Attack requires low-privileged authentication (PR:L) and network access but no user interaction.
RCE
Deserialization
-
CVE-2026-2942
CRITICAL
CVSS 9.8
Unauthenticated arbitrary file upload in ProSolution WP Client plugin (≤1.9.9) enables attackers to upload executable files without validation via the 'proSol_fileUploadProcess' function, leading to remote code execution on WordPress servers. Critical severity (CVSS 9.8) with network-accessible attack vector requiring no authentication or user interaction. No public exploit identified at time of analysis.
RCE
WordPress
File Upload
-
CVE-2026-1346
CRITICAL
CVSS 9.3
Local privilege escalation to root in IBM Verify/Security Verify Access products 10.0-11.0.2 allows unauthenticated local users to gain full system control via excessive process privileges (CWE-250). The CVSS 9.3 score reflects local attack vector but no authentication requirement (PR:N) and complete system compromise with scope change. Patch available per vendor advisory. No public exploit identified at time of analysis, though the local attack vector and low complexity (AC:L) suggest straightforward exploitation once local access is obtained.
IBM
Privilege Escalation
-
CVE-2026-40037
HIGH
CVSS 7.1
Cross-origin request body replay in OpenClaw's fetchWithSsrFGuard function before version 2026.3.31 enables attackers to exfiltrate sensitive request data and headers to unintended origins through redirect manipulation. The vulnerability requires user interaction and allows high confidentiality impact through unsafe request body transmission across origin boundaries. Affects unauthenticated contexts. No public exploit identified at time of analysis, with low observed exploitation activity (EPSS <1%).
Open Redirect
Openclaw
-
CVE-2026-40036
HIGH
CVSS 8.7
Unbounded zlib decompression in dfir-unfurl versions through 20250810 enables unauthenticated remote attackers to exhaust server memory via crafted compressed payloads submitted to the /json/visjs endpoint. Attackers can submit highly compressed data that expands to gigabytes when decompressed, crashing the service through resource exhaustion. The vulnerability affects the parse_compressed.py module and requires no authentication. No public exploit identified at time of analysis.
Denial Of Service
Dfir Unfurl
-
CVE-2026-40032
HIGH
CVSS 8.5
Command injection in Unix-like Artifacts Collector (UAC) pre-3.3.0-rc1 enables arbitrary code execution through unsanitized placeholder substitution in the _run_command() pipeline. Attackers inject shell metacharacters via %line%, %user%, or %user_home% placeholders processed by foreach iterators and system file parsers, exploiting direct eval() execution without input validation. Exploitation requires local access with user interaction but no authentication, executing commands at UAC process privilege level. No public exploit identified at time of analysis.
Command Injection
Uac
-
CVE-2026-40031
HIGH
CVSS 8.5
DLL and shared-library hijacking in ufrisk MemProcFS versions prior to 5.17 enables local arbitrary code execution through six distinct attack surfaces. Unsafe library-loading patterns, including unqualified LoadLibraryU and dlopen calls for vmmpyc, libMSCompression, and plugin DLLs, allow attackers to plant malicious libraries in the working directory or manipulate LD_LIBRARY_PATH. Exploitation requires user interaction (CVSS UI:P) but no authentication (PR:N), achieving high confidentiality, integrity, and availability impact. No public exploit identified at time of analysis.
RCE
Memprocfs
-
CVE-2026-40030
HIGH
CVSS 8.4
OS command injection in parseusbs (versions prior to 1.9) allows local attackers to execute arbitrary commands through unsanitized volume path arguments passed to the -v flag. The vulnerability stems from passing user-controlled input directly to os.popen() with shell=True during volume enumeration via ls command, enabling shell metacharacter injection. Exploitation requires user interaction to execute parseusbs with a malicious -v argument. No public exploit identified at time of analysis, though proof-of-concept exists in commit history.
Command Injection
Parseusbs
-
CVE-2026-40029
HIGH
CVSS 8.5
OS command injection in parseusbs <1.9 enables arbitrary code execution on forensic examiner systems through maliciously crafted .lnk filenames. The parseUSBs.py module passes LNK file paths unsanitized into os.popen() shell commands, allowing attackers to embed shell metacharacters in filenames that execute during USB artifact parsing. Exploitation requires no authentication (PR:N) but necessitates user interaction (UI:P) when the examiner processes USB artifacts containing weaponized .lnk files. No public exploit identified at time of analysis.
Command Injection
Parseusbs
-
CVE-2026-40027
HIGH
CVSS 8.4
Path traversal in ALEAPP (Android Logs Events And Protobuf Parser) 3.4.0 and earlier enables arbitrary file writes outside the report directory through malicious NQ_Vault.py artifact parser database entries. Attackers embedding traversal sequences (e.g., ../../../target.bin) in file_name_from database values can overwrite system executables or configuration files, achieving local code execution. Exploitation requires user interaction to process a crafted Android database artifact. CVSS:4.0 base score 8.4 (High). No public exploit identified at time of analysis.
Path Traversal
Google
RCE
Aleapp
-
CVE-2026-40024
HIGH
CVSS 8.4
Path traversal in The Sleuth Kit (tsk_recover) through version 4.14.0 allows local attackers to write files outside intended recovery directories via malicious filesystem images. Crafted filenames with ../ sequences in processed disk images can overwrite arbitrary files, enabling potential code execution through shell configuration or cron file manipulation. Exploitation requires user interaction (processing attacker-supplied filesystem image). No public exploit identified at time of analysis.
Path Traversal
RCE
Sleuthkit
-
CVE-2026-39983
HIGH
CVSS 8.6
Command injection in basic-ftp npm package v5.2.0 allows unauthenticated remote attackers to inject arbitrary FTP protocol commands via CRLF sequences in file path parameters. Affected methods include cd(), remove(), rename(), uploadFrom(), downloadTo(), list(), and removeDir(). Inadequate input sanitization in protectWhitespace() combined with direct socket writes enables attackers to split single FTP commands into multiple commands, leading to unauthorized file deletion, directory manipulation, file exfiltration, or session hijacking. Vendor-released patch available in version 5.2.1. No public exploit identified at time of analysis. EPSS unavailable.
Command Injection
Node.js
-
CVE-2026-39981
HIGH
CVSS 8.8
Path traversal in AGiXT Python package (versions ≤1.9.1) allows authenticated attackers to read, write, or delete arbitrary files on the host server. The essential_abilities extension's safe_join() function fails to validate that resolved paths remain within the agent workspace directory, enabling directory traversal sequences (e.g., ../../etc/passwd) to bypass intended file access restrictions. Exploitation requires low-privilege authentication (valid API key) but no user interaction. Public exploit code exists demonstrating /etc/passwd disclosure via the read_file command endpoint.
Path Traversal
Denial Of Service
RCE
Python
-
CVE-2026-39974
HIGH
CVSS 8.5
Server-Side Request Forgery in n8n-mcp (npm package) versions ≤2.47.3 allows authenticated attackers with valid AUTH_TOKEN to force the server to issue HTTP requests to arbitrary URLs via manipulated multi-tenant HTTP headers (x-n8n-url, x-n8n-key). Response bodies are reflected through JSON-RPC, enabling unauthorized access to cloud instance metadata endpoints (AWS IMDS, GCP, Azure, Oracle, Alibaba), internal network services, and any host reachable by the server process. Multi-tenant HTTP deployments with shared or multiple AUTH_TOKENs are at highest risk. No public exploit identified at time of analysis.
SSRF
Oracle
Microsoft
-
CVE-2026-39972
HIGH
CVSS 7.1
Cache key collision in Mercure hub TopicSelectorStore enables authorization bypass through crafted topic names. Attackers can poison the match result cache by exploiting underscore-based key concatenation, causing private updates to be delivered to unauthorized subscribers or blocking legitimate deliveries. Affects Go package github.com/dunglas/mercure prior to version 0.22.0. Exploitation requires ability to subscribe to the hub or publish updates with specially crafted topic/selector combinations. No public exploit identified at time of analysis.
Authentication Bypass
-
CVE-2026-39959
HIGH
CVSS 7.1
Malicious D-Bus peers can execute three distinct attacks against applications using Tmds.DBus or Tmds.DBus.Protocol .NET libraries: signal spoofing via well-known name impersonation (integrity compromise), file descriptor exhaustion causing resource depletion or fd spillover, and application crashes through malformed message bodies triggering unhandled exceptions on SynchronizationContext. Attack requires local access with low-privileged D-Bus peer presence (PR:L). Vendor-released patches available in versions 0.92.0 (both libraries) and 0.21.3 (Protocol only). No public exploit identified at time of analysis.
Denial Of Service
-
CVE-2026-39891
HIGH
CVSS 8.8
Template injection in PraisonAI Python package enables remote code execution through unescaped user input in agent-centric tools. Authenticated attackers inject malicious Jinja2 template expressions via agent instructions to execute arbitrary system commands with process privileges. The create_agent_centric_tools() function passes unsanitized user input directly to template-rendering tools under auto-approval mode, causing expressions like {{self.__init__.__globals__.__builtins__.__import__("os").system("touch /tmp/pwned")}} to execute rather than render as literal text. Affects PraisonAI pip package. No public exploit identified at time of analysis beyond proof-of-concept in advisory.
RCE
Python
Code Injection
-
CVE-2026-39889
HIGH
CVSS 7.5
Unauthenticated information disclosure in PraisonAI's A2U event stream server allows remote attackers to intercept real-time AI agent activity including responses, internal reasoning chains, and tool invocation arguments. The create_a2u_routes() function exposes five endpoints (/a2u/info, /a2u/subscribe, /a2u/events/{stream_name}, /a2u/events/sub/{id}, /a2u/health) without authentication controls. Attackers subscribe via POST /a2u/subscribe to receive subscription IDs, then stream live Server-Sent Events containing sensitive agent outputs. Affects PraisonAI Python package (pkg:pip/praisonai) versions prior to 4.5.115. No public exploit identified at time of analysis.
Information Disclosure
-
CVE-2026-39885
HIGH
CVSS 7.5
Server-Side Request Forgery in mcp-from-openapi (<= 2.1.2) allows unauthenticated remote attackers to retrieve cloud metadata credentials, scan internal networks, and read local files by providing malicious OpenAPI specifications containing $ref pointers to internal URLs (http://169.254.169.254/) or file:// paths. The library's json-schema-ref-parser fetches referenced resources without protocol or hostname restrictions during OpenAPI document initialization, enabling AWS/GCP/Azure credential theft and arbitrary file disclosure with no privileges required beyond spec submission.
SSRF
Microsoft
-
CVE-2026-39883
HIGH
CVSS 7.3
Command injection in OpenTelemetry Go SDK allows local attackers to execute arbitrary code by placing a malicious `kenv` binary in PATH on BSD and Solaris systems. The vulnerability occurs during resource detection initialization, when the application resolves a bare command name instead of an absolute path. Affects DragonFly BSD, FreeBSD, NetBSD, OpenBSD, and Solaris platforms when `/etc/hostid` does not exist. The incomplete fix for prior CVE-2026-24051 left the BSD/Solaris code path vulnerable to the identical PATH hijacking attack.
RCE
-
CVE-2026-39863
HIGH
CVSS 7.5
Out-of-bounds memory access in Kamailio SIP server versions before 5.8.8, 6.0.6, and 6.1.1 enables unauthenticated remote attackers to crash server processes via malformed TCP packets. Affects deployments with TCP or TLS listeners enabled. Exploits network-accessible SIP signaling infrastructure without authentication or user interaction, resulting in complete service unavailability. No public exploit identified at time of analysis.
Buffer Overflow
Denial Of Service
-
CVE-2026-39684
HIGH
CVSS 7.5
Local file inclusion in UnTheme OrganicFood WordPress theme versions up to 3.6.4 enables authenticated attackers with low privileges to read arbitrary files on the server and potentially achieve remote code execution. Exploitation requires network access and high attack complexity (CVSS AC:H), allowing disclosure of sensitive configuration data, credentials, and system files. Authenticated access (PR:L) is required. No public exploit identified at time of analysis. Low observed exploitation activity (EPSS 0.05%).
Information Disclosure
Lfi
PHP
Organicfood
-
CVE-2026-39623
HIGH
CVSS 7.5
Local file inclusion vulnerability in kutethemes Biolife WordPress theme versions up to 3.2.3 enables authenticated attackers with low privileges to include and execute arbitrary PHP files from the server filesystem via improper filename control in include/require statements. Exploitation requires network access and high complexity conditions (CVSS:3.1 AV:N/AC:H/PR:L), potentially leading to information disclosure, code execution, and full system compromise. No public exploit identified at time of analysis. EPSS score indicates low observed exploitation activity (0.05%).
Information Disclosure
Lfi
PHP
Biolife
-
CVE-2026-39621
HIGH
CVSS 8.8
CSRF vulnerability in SpicePress WordPress theme versions ≤2.3.2.5 enables unauthenticated attackers to upload web shells via arbitrary plugin installation, achieving remote code execution. Successful exploitation requires user interaction (victim must click malicious link while authenticated). No public exploit identified at time of analysis. CVSS 8.8 score reflects network-accessible, low-complexity attack with high impact to confidentiality, integrity, and availability.
CSRF
Spicepress
-
CVE-2026-39613
HIGH
CVSS 7.5
Local file inclusion in kutethemes Boutique WordPress theme versions ≤2.3.3 allows authenticated attackers with low privileges to include arbitrary PHP files, leading to high-severity impacts including information disclosure, code execution, and system compromise. Exploitation requires network access with high attack complexity. No public exploit identified at time of analysis. Authenticated attack vector (PR:L) limits exposure to users with existing credentials.
PHP
Information Disclosure
Lfi
Boutique
-
CVE-2026-39611
HIGH
CVSS 7.5
Local File Inclusion vulnerability in KuteShop WordPress theme versions ≤4.2.9 enables authenticated attackers with low privileges to include arbitrary PHP files through improper filename control in require/include statements. Exploitation requires high attack complexity and yields complete confidentiality, integrity, and availability compromise within the application context. No public exploit identified at time of analysis. EPSS 0.05% indicates low observed exploitation activity.
PHP
Information Disclosure
Lfi
Kuteshop
-
CVE-2026-39497
HIGH
CVSS 7.6
Blind SQL injection in FOX WooCommerce Currency Switcher plugin (versions ≤1.4.5) allows authenticated high-privilege users to extract database contents via crafted SQL commands. Attacker requires high-privilege access (PR:H) but can breach scope boundaries (S:C), achieving high confidentiality impact and limited availability disruption. No public exploit identified at time of analysis. Affects WordPress installations using the vulnerable plugin for multi-currency e-commerce functionality.
SQLi
WordPress
Fox
-
CVE-2026-39495
HIGH
CVSS 8.5
Blind SQL injection in NSquared Simply Schedule Appointments WordPress plugin versions ≤1.6.9.27 allows authenticated attackers with low-privilege access to extract sensitive database contents and potentially trigger denial-of-service conditions. The vulnerability stems from improper neutralization of SQL special elements in user-controlled input. Network-accessible exploitation requires valid credentials but no user interaction. CVSS 8.5 severity reflects high confidentiality impact with scope change, enabling cross-boundary data access. No public exploit identified at time of analysis; low observed exploitation activity (EPSS 0.02%, 6th percentile).
SQLi
Simply Schedule Appointments
-
CVE-2026-39487
HIGH
CVSS 7.6
Blind SQL injection in Amelia WordPress plugin (ameliabooking) version 2.1.1 and earlier allows authenticated privileged users to extract database contents through improper input sanitization. The vulnerability requires high-privilege access (administrator-level) but permits cross-scope impact, enabling extraction of confidential data and potential service disruption. CVSS 7.6 severity reflects network-accessible attack vector with low complexity. No public exploit identified at time of analysis. Low observed exploitation activity (EPSS 0.02%).
SQLi
Amelia
-
CVE-2026-39429
HIGH
CVSS 8.2
Unauthenticated access to kcp root shard cache server exposes cluster topology, RBAC policies, and API configurations to network-reachable attackers. The cache server at /services/cache/* bypasses authentication and authorization middleware, allowing any attacker with network access to the root shard (CVSS:3.1/AV:N/AC:L/PR:N) to read replicated resources including ClusterRoles, LogicalClusters, Shards, APIExports, and admission control policies. A secondary race condition permits temporary privilege escalation via injected RBAC objects, though the sub-second window and self-healing replication controller make practical exploitation challenging. Vendor-released patches available in kcp v0.29.3 and v0.30.3. No public exploit identified at time of analysis, though the straightforward network-based attack vector (documented curl example in advisory) enables trivial exploitation once discovered.
Authentication Bypass
Privilege Escalation
-
CVE-2026-39416
HIGH
CVSS 8.5
Stored cross-site scripting in AIL Framework <6.8 allows authenticated high-privilege attackers to inject malicious JavaScript through the modal item preview function. When processing item content exceeding 800 characters, the application returns attacker-controlled content without explicit text/plain content-type headers, enabling browser interpretation as HTML. Successful exploitation executes arbitrary JavaScript in victim browsers viewing crafted items, compromising confidentiality and integrity across system and user contexts. No public exploit identified at time of analysis.
XSS
Ail Framework
-
CVE-2026-39414
HIGH
CVSS 7.1
Memory exhaustion in MinIO S3 Select (RELEASE.2018-08-18T03-49-57Z through RELEASE.2025-12-20T04-58-37Z) allows authenticated users with s3:PutObject and s3:GetObject permissions to crash the server by uploading CSV files lacking newline characters. The vulnerable CSV reader buffers entire lines into memory without size limits, enabling attackers to trigger out-of-memory conditions. A ~2 MB compressed CSV can decompress to gigabytes without newlines, causing denial of service. No public exploit identified at time of analysis.
Denial Of Service
Minio
-
CVE-2026-39394
HIGH
CVSS 8.1
Environment variable injection in CI4MS CMS allows remote attackers to inject arbitrary configuration directives into the .env file during installation, potentially leading to full system compromise. Versions before 0.31.4.0 fail to sanitize newline characters in the host POST parameter, enabling attackers to bypass CSRF-disabled install routes and inject malicious configuration when InstallFilter validation fails. No public exploit identified at time of analysis, though EPSS exploitation probability warrants monitoring given the unauthenticated network attack vector.
CSRF
-
CVE-2026-39393
HIGH
CVSS 8.1
Remote attackers can achieve full application takeover in CI4MS (CodeIgniter 4 CMS skeleton) versions prior to 0.31.4.0 by exploiting a fail-open authentication bypass in the installation route guard. When cache expires or database connectivity fails, unauthenticated attackers can re-access the setup wizard to overwrite .env configuration with malicious database credentials, gaining complete control of the application. No public exploit identified at time of analysis, though the attack vector is network-accessible with high complexity (CVSS:3.1/AV:N/AC:H/PR:N). EPSS data not available; real-world risk depends on deployment environments with intermittent database connectivity.
Authentication Bypass
-
CVE-2026-35525
HIGH
CVSS 8.2
Path traversal via symlink in LiquidJS npm package allows authenticated template contributors to read arbitrary filesystem content outside configured template roots. The vulnerability affects applications where untrusted users can influence template directories (uploaded themes, extracted archives, repository-controlled templates). LiquidJS validates template paths using string-based directory containment checks but fails to resolve canonical filesystem paths before file access, enabling symlinks placed within allowed partials/layouts directories to reference external files. Publicly available exploit code exists. No EPSS score available, but impact is limited to information disclosure in specific deployment scenarios requiring attacker filesystem access.
Information Disclosure
Canonical
-
CVE-2026-35478
HIGH
CVSS 8.3
Authentication bypass in InvenTree open source inventory management system allows any authenticated user to generate API tokens for arbitrary users, including administrators, enabling complete account takeover. Affected versions 0.16.0 through 1.2.6 permit low-privileged users to forge API credentials by manipulating the user field in POST requests to /api/user/tokens/. Resulting tokens provide full API access from any network location without requiring victim interaction. No public exploit identified at time of analysis.
Authentication Bypass
-
CVE-2026-35476
HIGH
CVSS 7.2
Privilege escalation in InvenTree Open Source Inventory Management System versions before 1.2.7 and 1.3.0 allows any authenticated user to elevate to staff-level permissions through improperly secured API endpoints. The vulnerability stems from misconfigured write permissions on user account endpoints, enabling unauthorized modification of staff status flags via POST requests. Exploitation requires only valid user credentials. No public exploit identified at time of analysis.
Authentication Bypass
-
CVE-2026-35455
HIGH
CVSS 7.3
Stored Cross-Site Scripting in Immich photo management platform versions prior to 2.7.0 enables authenticated attackers to execute arbitrary JavaScript when victims view malicious 360° panorama images with OCR overlay enabled. Attackers upload specially crafted equirectangular images containing malicious text that OCR extracts and the panorama viewer renders unsanitized via innerHTML. Exploitation permits session hijacking through persistent API key creation, exfiltration of private photos, GPS location history theft, and unauthorized access to facial biometric data. No public exploit identified at time of analysis.
XSS
-
CVE-2026-35446
HIGH
CVSS 7.7
Path traversal in LORIS neuroimaging research platform versions 24.0.0 through 27.0.2 and 28.0.0 allows authenticated attackers to bypass directory restrictions in FilesDownloadHandler, enabling unauthorized access to files outside intended download directories. The vulnerability exploits incorrect operation ordering during file access validation, permitting low-privileged authenticated users to exfiltrate sensitive neuroimaging data and project files across organizational boundaries. CVSS 7.7 severity reflects cross-scope confidentiality breach with network accessibility and low attack complexity. No public exploit identified at time of analysis.
Information Disclosure
Path Traversal
-
CVE-2026-35401
HIGH
CVSS 7.5
GraphQL query complexity abuse in Saleor e-commerce platform enables unauthenticated denial-of-service through alias-based or chained mutation requests. Attackers craft single API calls containing excessive GraphQL operations (mutations/queries) via aliasing or chaining, exhausting server resources and disrupting service availability. Affects Saleor versions 2.0.0 through 3.22.x, with no authentication required for exploitation. Low observed exploitation activity (EPSS <1%). No public exploit identified at time of analysis.
Denial Of Service
-
CVE-2026-35169
HIGH
CVSS 8.7
Reflected cross-site scripting and arbitrary markdown file download in LORIS help_editor module affects versions prior to 27.0.3 and 28.0.1. Improper input sanitization allows authenticated attackers with low privileges to execute malicious scripts in victim browsers (requiring user interaction) and exfiltrate markdown files from the server. Attack requires network access and social engineering to trick users into following crafted links. No public exploit identified at time of analysis.
XSS
-
CVE-2026-34724
HIGH
CVSS 8.7
Remote code execution in Zammad open-source helpdesk system versions prior to 7.0.1 arises through server-side template injection in AI Agent configuration. Attackers with high-privilege administrative access who can control or influence type_enrichment_data parameters can execute arbitrary code on the server. Exploitation requires authenticated administrative credentials and user interaction. No public exploit identified at time of analysis.
RCE
Code Injection
-
CVE-2026-34723
HIGH
CVSS 8.7
Unauthenticated remote information disclosure in Zammad helpdesk system versions before 7.0.1 and 6.5.4 allows attackers to access sensitive internal entity data through an exposed getting-started endpoint. The vulnerability bypasses authentication controls, enabling unauthorized access to confidential system information post-setup. Attack vector is network-based with low complexity requiring no user interaction. No public exploit identified at time of analysis. CVSS 8.7 reflects high confidentiality impact.
Authentication Bypass
-
CVE-2026-34719
HIGH
CVSS 8.3
Server-side request forgery in Zammad webhook implementation allows authenticated administrators to retrieve confidential cloud provider metadata by exploiting insufficient validation of loopback and link-local addresses. Affects versions before 7.0.1 and 6.5.4. Attackers with privileged access can configure malicious webhook URLs targeting internal infrastructure endpoints, bypassing intended URL scheme restrictions. No public exploit identified at time of analysis. CVSS 8.3 reflects high confidentiality and availability impacts on vulnerable and subsequent systems.
SSRF
-
CVE-2026-34392
HIGH
CVSS 7.5
Path traversal in LORIS neuroimaging research platform (versions 20.0.0 through 27.0.2 and 28.0.0) enables unauthenticated remote attackers to download arbitrary files outside intended directories via malicious requests to static file router endpoints (/static, /css, /js). The vulnerability permits high-impact information disclosure including sensitive research data, configuration files, and potentially database credentials. No public exploit identified at time of analysis. Affects self-hosted LORIS installations across academic and clinical neuroimaging research environments.
Information Disclosure
Path Traversal
-
CVE-2026-33756
HIGH
CVSS 7.5
Denial of service affects Saleor e-commerce platform versions 2.0.0 through 3.22.x via unlimited GraphQL query batching. Unauthenticated remote attackers can submit a single HTTP request containing an unbounded array of GraphQL operations, bypassing per-query complexity controls to exhaust server resources and render the platform unavailable. Vendor-released patches are available across all affected major versions (3.20.118, 3.21.54, 3.22.47, 3.23.0a3). No public exploit identified at time of analysis, though the attack vector is straightforward (CVSS AV:N/AC:L/PR:N).
Denial Of Service
-
CVE-2026-33466
HIGH
CVSS 8.1
Remote code execution in Elastic Logstash versions 8.0.0 through 8.19.13 allows unauthenticated network attackers to write arbitrary files and execute code via malicious compressed archives. The vulnerability exploits improper path validation in archive extraction utilities, enabling attackers who compromise or control update endpoints to deliver path traversal payloads. When automatic pipeline reloading is enabled, arbitrary file writes escalate to full RCE with Logstash process privileges. CVSS 8.1 (High) with network vector but high attack complexity. EPSS data and KEV status not provided; no public exploit confirmed at time of analysis, though the technical details disclosed increase weaponization risk for environments with exposed update mechanisms.
Path Traversal
RCE
-
CVE-2026-33461
HIGH
CVSS 7.7
Authorization bypass in Elastic Kibana allows authenticated users with limited Fleet privileges to retrieve sensitive configuration data including private keys and authentication tokens through an internal API endpoint. The vulnerability affects network-accessible instances and bypasses intended privilege boundaries by returning full configuration objects without proper authorization checks. CVSS score of 7.7 reflects high confidentiality impact with scope change. No public exploit identified at time of analysis, though the attack vector is straightforward for authenticated users.
Authentication Bypass
Elastic
Information Disclosure
-
CVE-2026-33350
HIGH
CVSS 7.5
SQL injection in LORIS neuroimaging research platform versions prior to 27.0.3 and 28.0.1 enables unauthenticated remote attackers to extract or modify database contents via the MRI feedback popup window in the imaging browser module. The vulnerability permits unauthorized access to sensitive neuroimaging research data and project management information without authentication. CVSS 7.5 (High severity) reflects network-accessible attack vector with low complexity. No public exploit identified at time of analysis.
SQLi
-
CVE-2026-33229
HIGH
CVSS 8.6
Privilege escalation in XWiki Platform 17.x allows users with script rights to execute arbitrary Python code via an improperly protected scripting API, bypassing Velocity sandbox protections and gaining full system access. This affects XWiki Platform oldcore and legacy-oldcore components prior to versions 17.4.8 and 17.10.1. While requiring existing script-level privileges, the vulnerability enables complete compromise of confidentiality, integrity, and availability. Vendor-released patch available; no public exploit identified at time of analysis.
Authentication Bypass
Python
-
CVE-2026-32590
HIGH
CVSS 7.1
Arbitrary code execution in Red Hat Quay via unsafe deserialization during resumable container image uploads affects multiple Quay 3.x deployments and Mirror Registry instances. An authenticated attacker with low privileges can tamper with intermediate upload data stored in the database to execute code on the Quay server, though exploitation requires high attack complexity and user interaction (CVSS 7.1). EPSS data not available; no public exploit identified at time of analysis, but the deserialization vulnerability class (CWE-502) is well-understood and frequently targeted.
Redhat
Deserialization
RCE
-
CVE-2026-32589
HIGH
CVSS 7.1
Red Hat Quay container registry allows authenticated users with push access to interfere with other users' image uploads across repositories, including those they cannot access. An authenticated attacker (PR:L) can read, modify, or cancel in-progress uploads in any repository on the registry, bypassing authorization boundaries. Attack complexity is high (AC:H) and requires user interaction (UI:R), but enables cross-scope integrity compromise. EPSS and KEV data not available; no public exploit identified at time of analysis. This represents an authorization flaw affecting Red Hat Quay 3.x and Mirror Registry deployments.
Authentication Bypass
Redhat
-
CVE-2026-32280
HIGH
CVSS 7.5
Denial of service in Go's crypto/x509 chain builder allows remote attackers to exhaust server resources by submitting a large number of intermediate certificates during TLS handshake or direct certificate verification. Affects crypto/x509 versions prior to 1.25.9 and 1.26.0-1.26.1. No public exploit identified at time of analysis, though SSVC assessment indicates the attack is automatable. EPSS exploitation probability is minimal (0.01%), suggesting low observed attacker interest despite the network-accessible attack surface and lack of authentication requirements.
Denial Of Service
-
CVE-2026-30818
HIGH
CVSS 8.5
OS command injection in TP-Link Archer AX53 v1.0 dnsmasq module allows authenticated adjacent attackers to execute arbitrary code through maliciously crafted configuration files. Successful exploitation enables device configuration modification, sensitive data access, and complete system compromise. Affects TP-Link Archer AX53 v1.0 firmware versions prior to 1.7.1 Build 20260213. Requires high-privilege adjacent network access (CVSS:4.0 AV:A/PR:H). No public exploit identified at time of analysis.
TP-Link
RCE
Command Injection
-
CVE-2026-30815
HIGH
CVSS 8.5
OS command injection in TP-Link Archer AX53 v1.0 OpenVPN module allows authenticated adjacent attackers to execute arbitrary system commands through maliciously crafted configuration files. Exploitation requires high-privilege adjacent network access but enables complete device compromise including configuration modification, credential disclosure, and persistent backdoor installation. Affects AX53 v1.0 firmware prior to 1.7.1 Build 20260213. No public exploit identified at time of analysis.
TP-Link
Command Injection
-
CVE-2026-30814
HIGH
CVSS 7.3
Stack-based buffer overflow in TP-Link Archer AX53 v1.0 tmpServer module enables authenticated adjacent attackers to execute arbitrary code via a malicious configuration file. Exploitation triggers a segmentation fault and permits device state modification, sensitive data exposure, and integrity compromise. Affects firmware versions before 1.7.1 Build 20260213. Requires high privileges and adjacent network access. No public exploit identified at time of analysis.
Information Disclosure
Stack Overflow
RCE
Buffer Overflow
TP-Link
-
CVE-2026-30080
HIGH
CVSS 7.5
Integrity protection bypass in OpenAirInterface v2.2.0 allows unauthenticated network attackers to downgrade 5G security context by forcing acceptance of IA0-only capability during initial UE registration, despite NIA1/NIA2 being configured. Exploitation enables replay attacks against mobile network infrastructure through manipulation of Security Mode Complete messages, compromising session integrity without confidentiality impact. No public exploit identified at time of analysis.
Information Disclosure
N A
-
CVE-2026-30075
HIGH
CVSS 7.5
Buffer overflow in OpenAirInterface 2.2.0 AUSF component crashes service when processing oversized NAS PDU Authentication Response via UplinkNASTransport messages. Unauthenticated remote attackers can send malformed authentication responses (e.g., 100-byte payloads exceeding expected bounds) triggering AUSF component crash, preventing legitimate user registration and verification. Affects 5G core network deployments using OpenAirInterface AUSF. No public exploit identified at time of analysis. CVSS 7.5 High severity due to network-accessible denial of service without authentication requirements.
Buffer Overflow
N A
-
CVE-2026-28261
HIGH
CVSS 7.8
Local privilege escalation in Dell Elastic Cloud Storage (≤3.8.1.7) and ObjectScale (<4.1.0.3, =4.2.0.0) allows authenticated users with low privileges to extract credentials from log files and escalate to compromised account privileges. CVSS 7.8 (High). No public exploit identified at time of analysis. EPSS data not available, but local access requirement and low attack complexity suggest moderate exploitation likelihood in multi-tenant or shared administrative environments.
Dell
Information Disclosure
Elastic
-
CVE-2026-27806
HIGH
CVSS 7.8
Local privilege escalation to root in Fleet Orbit agent (macOS) allows authenticated local users to inject arbitrary Tcl commands via malformed FileVault password input. The vulnerability stems from unsafe interpolation of user-supplied passwords into expect scripts executed as root. CVSS 7.8 (High) with EPSS data unavailable; no public exploit identified at time of analysis, though exploitation requires only a specially crafted password containing closing brace characters. Impacts organizations using Fleet's macOS disk encryption management.
Command Injection
Privilege Escalation
-
CVE-2026-24913
HIGH
CVSS 8.7
SQL injection in MATCHA INVOICE 2.6.6 and earlier allows authenticated users with low-level privileges to extract or modify database contents via network access. With CVSS 8.8 (High severity), low attack complexity, and no user interaction required, authenticated attackers can achieve full confidentiality, integrity, and availability impact on the application database. No public exploit identified at time of analysis, with EPSS data not available for this recently disclosed vulnerability.
SQLi
-
CVE-2026-23869
HIGH
CVSS 7.5
Denial of service in React Server Components (react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack versions 19.0.0-19.0.4, 19.1.0-19.1.5, 19.2.0-19.2.4) allows unauthenticated remote attackers to cause excessive CPU consumption lasting up to one minute via specially crafted HTTP requests to Server Function endpoints. The malicious payload triggers resource exhaustion without requiring authentication or user interaction. No public exploit identified at time of analysis. Low observed exploitation activity (EPSS unavailable).
Denial Of Service
-
CVE-2026-5915
HIGH
CVSS 8.1
Out-of-bounds memory write in Google Chrome's WebML component (versions prior to 147.0.7727.55) allows remote attackers to corrupt memory via malicious HTML pages, enabling potential code execution or denial of service. Exploitation requires user interaction to visit a crafted webpage. CVSS 8.1 severity reflects unauthenticated network-based attack with high integrity and availability impact. No public exploit identified at time of analysis. Low observed exploitation activity (EPSS 0.04%).
Google
Information Disclosure
-
CVE-2026-5914
HIGH
CVSS 8.8
Type confusion vulnerability in Google Chrome CSS engine (versions prior to 147.0.7727.55) enables heap corruption through malicious extensions. An attacker must convince the user to install a crafted Chrome extension; the exploit then triggers memory corruption allowing high-severity impacts: arbitrary code execution, information disclosure, and denial of service. CVSS 8.8 rating reflects unauthenticated network vector requiring only user interaction. No public exploit identified at time of analysis. Chromium project classifies severity as Low despite critical CVSS score, indicating successful exploitation barriers beyond user interaction.
Memory Corruption
Information Disclosure
Google
-
CVE-2026-5912
HIGH
CVSS 8.8
Integer overflow in Google Chrome's WebRTC component (versions prior to 147.0.7727.55) enables remote attackers to trigger out-of-bounds memory writes through specially crafted HTML pages. Exploitation requires user interaction (visiting malicious page) but no authentication, potentially allowing arbitrary code execution, data corruption, or information disclosure. Vendor-assigned security severity: Low; CVSS 8.8 reflects high impact across confidentiality, integrity, and availability. No public exploit identified at time of analysis.
Google
Buffer Overflow
-
CVE-2026-5910
HIGH
CVSS 8.8
Integer overflow in Google Chrome's media handling (versions prior to 147.0.7727.55) enables remote attackers to trigger heap corruption through specially crafted video files, achieving potential arbitrary code execution with high confidentiality, integrity, and availability impact. Attack requires user interaction to open malicious media content. Exploitation is unauthenticated (network-accessible). No public exploit identified at time of analysis. Classified as low severity by Chromium project despite CVSS 8.8 rating.
Google
Buffer Overflow
-
CVE-2026-5909
HIGH
CVSS 8.8
Integer overflow in Google Chrome's Media component enables remote heap corruption through malicious video files. Affects Chrome versions prior to 147.0.7727.55 on all desktop platforms. Unauthenticated attackers can achieve arbitrary code execution, data theft, or denial of service by convincing users to open specially crafted video content. CVSS 8.8 severity reflects network-based attack requiring user interaction. No public exploit identified at time of analysis. Low observed exploitation activity (EPSS <1%).
Google
Buffer Overflow
-
CVE-2026-5908
HIGH
CVSS 8.8
Integer overflow in Google Chrome's Media component allows remote attackers to trigger heap corruption via specially crafted video files. Affects Chrome versions prior to 147.0.7727.55. Attack requires user interaction (opening malicious video file) but no authentication. Successful exploitation enables arbitrary code execution with high impact to confidentiality, integrity, and availability. No public exploit identified at time of analysis. Chromium project rates severity as Low despite CVSS 8.8 score.
Google
Buffer Overflow
-
CVE-2026-5907
HIGH
CVSS 8.1
Out-of-bounds memory read in Google Chrome's media subsystem (versions prior to 147.0.7727.55) enables remote attackers to disclose sensitive information and trigger denial-of-service conditions via malicious video files. Exploitation requires user interaction (opening/playing crafted video content). Attack vector is network-based with low complexity and no authentication required. No public exploit identified at time of analysis. Low observed exploitation activity (EPSS 0.03%, 10th percentile).
Information Disclosure
Buffer Overflow
Google
-
CVE-2026-5886
HIGH
CVSS 7.5
Out-of-bounds read in Google Chrome WebAudio (Mac) prior to version 147.0.7727.55 enables remote information disclosure via crafted HTML. An unauthenticated network-based attacker can extract sensitive process memory without user interaction. CVSS 7.5 (High confidentiality impact). No public exploit identified at time of analysis. Low observed exploitation activity (EPSS <1%). Patch available from vendor.
Information Disclosure
Google
Buffer Overflow
-
CVE-2026-5866
HIGH
CVSS 8.8
Remote code execution in Google Chrome Media component (versions prior to 147.0.7727.55) enables unauthenticated attackers to execute arbitrary code within Chrome's sandbox via specially crafted HTML pages. Exploitation requires user interaction to visit a malicious site. The use-after-free memory corruption vulnerability achieves high confidentiality, integrity, and availability impact within the sandboxed environment. No public exploit identified at time of analysis.
Google
RCE
Memory Corruption
Denial Of Service
Use After Free
-
CVE-2026-5815
HIGH
CVSS 7.4
Stack-based buffer overflow in D-Link DIR-645 router (versions 1.01, 1.02, 1.03) via hedwigcgi_main function in /cgi-bin/hedwig.cgi allows authenticated remote attackers to achieve complete system compromise. Exploitation requires low-privilege credentials but no user interaction. Publicly available exploit code exists. Product is end-of-life with no vendor support, making remediation limited to device replacement or network isolation.
D-Link
Buffer Overflow
Stack Overflow
Dir 645
-
CVE-2026-5795
HIGH
CVSS 7.4
Privilege escalation in Eclipse Jetty 9.4.0-12.1.7 allows unauthenticated remote attackers to bypass authentication via ThreadLocal variable pollution in JASPIAuthenticator. Early returns from authentication checks fail to clear ThreadLocal values, causing subsequent requests on the same thread to inherit elevated privileges. CVSS 7.4 with high complexity but no authentication required. EPSS and KEV status not provided; no public exploit identified at time of analysis. Affects all major Jetty versions from 9.x through 12.x.
Privilege Escalation
-
CVE-2026-5747
HIGH
CVSS 8.7
Memory corruption in Amazon Firecracker's virtio PCI transport (versions 1.13.0-1.14.3, 1.15.0) enables guest root users to crash the host VMM process or achieve host code execution through malicious virtio queue register modifications post-device activation. Affects x86_64 and aarch64 architectures. While exploitation requires guest root privileges and high attack complexity (CVSS AC:H, PR:H), successful compromise breaches VM isolation boundaries with high impact to host confidentiality, integrity, and availability (CVSS 8.7). No public exploit identified at time of analysis; vendor-released patches available in versions 1.14.4 and 1.15.1.
Buffer Overflow
RCE
-
CVE-2026-5726
HIGH
CVSS 7.8
Stack-based buffer overflow in Delta Electronics ASDA-Soft allows local attackers with no privileges to execute arbitrary code by tricking users into opening a malicious file. The vulnerability achieves complete system compromise (confidentiality, integrity, availability all rated High in CVSS) through user interaction with crafted input. No public exploit identified at time of analysis, though the low attack complexity and lack of required privileges increase realistic exploitation risk once details emerge.
Buffer Overflow
Stack Overflow
-
CVE-2026-5436
HIGH
CVSS 8.1
Arbitrary file manipulation in MW WP Form plugin (WordPress) versions ≤5.1.1 allows unauthenticated attackers to move sensitive server files into web-accessible directories, enabling remote code execution. The vulnerability stems from insufficient validation of upload field keys in generate_user_file_dirpath(), exploiting WordPress's path_join() behavior with absolute paths. Attackers inject malicious keys via mwf_upload_files[] POST parameter to relocate critical files like wp-config.php. Exploitation requires forms with enabled file upload fields and 'Saving inquiry data in database' option. No public exploit identified at time of analysis.
PHP
Path Traversal
WordPress
File Upload
RCE
-
CVE-2026-5301
HIGH
CVSS 7.6
Stored cross-site scripting (XSS) in CoolerControl UI log viewer enables complete service takeover when unauthenticated remote attackers inject malicious JavaScript into log entries, which execute when viewed by administrators or users. Affects coolercontrol-ui versions 2.0.0 through 3.x, patched in version 4.0.0. No public exploit identified at time of analysis, but CVSS score of 7.6 reflects network accessibility without authentication requirements (PR:N) and high integrity impact, making this a realistic attack vector for targeted environments where attackers can influence log content.
XSS
-
CVE-2026-5208
HIGH
CVSS 8.2
Command injection in CoolerControl/coolercontrold versions prior to 4.0.0 allows high-privileged local attackers to escalate privileges to root by injecting malicious bash commands into alert names. The vulnerability affects the alerts functionality where user-controlled input is passed unsanitized to shell execution contexts. With CVSS 8.2 and local attack vector requiring high privileges, exploitation demands existing administrative access but enables full system compromise. No public exploit identified at time of analysis.
Command Injection
RCE
-
CVE-2026-5173
HIGH
CVSS 8.5
Improper access control in GitLab CE/EE 16.9.6-18.10.2 enables authenticated attackers to invoke unauthorized server-side methods via websocket connections, achieving high-severity information disclosure with changed scope. Affects continuous integration/deployment platforms running vulnerable GitLab instances. Exploitation requires low-privilege authentication but no user interaction, enabling lateral information access across security boundaries.
Information Disclosure
Gitlab
-
CVE-2026-4808
HIGH
CVSS 7.2
Arbitrary file upload in Gerador de Certificados - DevApps plugin for WordPress (all versions ≤1.3.6) enables authenticated administrators to upload files without type validation, creating remote code execution opportunities. The vulnerability stems from missing file type validation in the moveUploadedFile() function. CVSS 7.2 (High) reflects network-accessible attack requiring high privileges; EPSS data not provided, no public exploit identified at time of analysis, not listed in CISA KEV.
WordPress
RCE
File Upload
-
CVE-2026-4788
HIGH
CVSS 8.4
Sensitive information disclosure in IBM Tivoli Netcool Impact versions 7.1.0.0 through 7.1.0.37 allows local attackers with no authentication required to extract credentials and configuration secrets from application log files. With CVSS 8.4 and High impact to confidentiality, integrity, and availability, the CWE-532 flaw enables privilege escalation through exposed secrets. No public exploit identified at time of analysis, with EPSS data unavailable, though the low attack complexity (AC:L) suggests straightforward exploitation once local access is obtained.
IBM
Information Disclosure
-
CVE-2026-4498
HIGH
CVSS 7.7
Authenticated Kibana users with Fleet management privileges can read Elasticsearch index data beyond their intended RBAC permissions through debug route handlers in the Fleet plugin. This scope bypass affects Elastic Kibana deployments where users hold Fleet sub-feature privileges (agent policies, settings management). The vulnerability requires low-privilege authentication (PR:L) and has network attack vector (AV:N) with low complexity (AC:L), enabling cross-scope data confidentiality breach (S:C/C:H). No public exploit identified at time of analysis. EPSS data not available, but the specific privilege escalation vector and remote exploitability warrant prioritization in Kibana Fleet deployments.
Privilege Escalation
Elastic
-
CVE-2026-4483
HIGH
CVSS 7.0
Moxa MxGeneralIo utility versions prior to 1.4.0/1.5.0 expose IOCTL interfaces allowing authenticated high-privilege local attackers to directly access Model-Specific Registers (MSR) and system memory, enabling privilege escalation on Windows 7 or denial-of-service crashes (BSoD) on Windows 10/11. While CVSS 7.0 reflects high availability impact and network attack vector classification, the actual exploit requires local high-privilege access (PR:H), significantly reducing practical risk. No confirmed active exploitation (not in CISA KEV) or public proof-of-concept has been identified at time of analysis, though vendor advisory confirms patch availability.
Microsoft
Privilege Escalation
-
CVE-2026-4338
HIGH
CVSS 7.5
Improper access control in the ActivityPub WordPress plugin before 8.0.2 exposes draft, scheduled, and pending posts to unauthenticated remote users, resulting in confidentiality breach. This information disclosure vulnerability (CVSS 7.5) allows network-based attackers to access unpublished content without authentication or user interaction. Publicly available exploit code exists, though no confirmed active exploitation (not in CISA KEV). EPSS score of 0.02% (6th percentile) suggests low current exploitation probability despite POC availability, but SSVC framework marks it as automatable with partial technical impact.
WordPress
Information Disclosure
-
CVE-2026-3499
HIGH
CVSS 8.8
Cross-Site Request Forgery (CSRF) in Product Feed PRO for WooCommerce by AdTribes versions 13.4.6 through 13.5.2.1 allows unauthenticated attackers to manipulate critical feed management functions by tricking authenticated WordPress administrators into executing malicious requests. Exploitation enables attackers to trigger feed migrations, clear custom-attribute caches, modify feed file URLs, alter legacy filter settings, and delete feed posts without proper authorization. EPSS exploitation probability data not available; no confirmed active exploitation (not in CISA KEV) identified at time of analysis. Wordfence reported this vulnerability with patches available via WordPress plugin repository.
WordPress
CSRF
-
CVE-2026-3396
HIGH
CVSS 7.5
Time-based SQL injection in WCAPF (WooCommerce Ajax Product Filter) WordPress plugin versions up to 4.2.3 allows unauthenticated remote attackers to extract sensitive database information via the 'post-author' parameter. The vulnerability stems from inadequate input sanitization and SQL query preparation, enabling attackers to append malicious SQL commands to existing queries. EPSS data not provided, but the unauthenticated network-accessible attack vector and public disclosure via Wordfence Threat Intelligence create immediate exploitation risk for WordPress sites using this e-commerce filtering plugin. No active exploitation confirmed (not in CISA KEV), though publicly available proof-of-concept code exists in security advisories.
WordPress
SQLi
-
CVE-2026-3357
HIGH
CVSS 8.8
Remote code execution in IBM Langflow Desktop versions 1.6.0 through 1.8.2 allows authenticated attackers to execute arbitrary code via unsafe deserialization in the FAISS component. The vulnerability stems from an insecure default configuration that permits deserialization of untrusted data. With CVSS 8.8 (High) reflecting network accessibility, low complexity, and full impact on confidentiality, integrity, and availability, this represents a critical risk for organizations running affected versions. Vendor-released patch available through IBM security advisory. No public exploit identified at time of analysis, though the attack path is well-understood given the CWE-502 deserialization vulnerability class.
Deserialization
RCE
IBM
-
CVE-2026-3243
HIGH
CVSS 8.8
Arbitrary file deletion in DanbiLabs Advanced Members for ACF plugin for WordPress (versions ≤1.2.5) allows authenticated attackers with Subscriber-level privileges to delete critical server files via path traversal, enabling remote code execution by removing wp-config.php or similar critical files. The vulnerability stems from insufficient path validation in the create_crop function and was only partially patched in version 1.2.5, leaving residual risk. CVSS 8.8 (High) reflects network accessibility with low attack complexity requiring only low-privilege authentication. No public exploit identified at time of analysis, though the attack path is straightforward for authenticated users.
WordPress
PHP
RCE
Path Traversal
-
CVE-2026-1343
HIGH
CVSS 7.2
Server-Side Request Forgery (SSRF) in IBM Verify Identity Access and Security Verify Access products (versions 10.0-11.0.2) allows unauthenticated remote attackers to contact internal authentication endpoints that should be protected by the Reverse Proxy component. This bypass enables attackers to interact with restricted internal services, potentially leading to unauthorized information disclosure and limited integrity impact. EPSS data not provided, but CVSS 7.2 (High) with network-accessible, low-complexity attack vector indicates moderate real-world risk. No evidence of active exploitation (not in CISA KEV) or public exploit code at time of analysis.
IBM
SSRF
-
CVE-2026-1342
HIGH
CVSS 8.5
Local code execution in IBM Security Verify Access 10.0-10.0.9.1 and 11.0-11.0.2 (both container and non-container deployments) allows unauthenticated local attackers to execute malicious scripts from outside the application's control sphere. This CWE-829 (inclusion of functionality from an untrusted control sphere) vulnerability achieves container escape (CVSS scope: Changed), enabling high confidentiality impact and limited integrity/availability impact. No public exploit or active exploitation confirmed at time of analysis, though the low attack complexity (AC:L) and lack of required privileges (PR:N) make this readily exploitable by local users.
IBM
Information Disclosure
-
CVE-2026-1092
HIGH
CVSS 7.5
Denial of service in GitLab CE/EE versions 12.10 through 18.8.8, 18.9 through 18.9.4, and 18.10 through 18.10.2 allows unauthenticated remote attackers to crash GitLab services via malformed JSON payloads. Improper input validation (CWE-1284) enables resource exhaustion attacks without authentication. CVSS 7.5 (High) reflects network-accessible attack with low complexity requiring no user interaction. No public exploit identified at time of analysis. EPSS data unavailable; not listed in CISA KEV.
Denial Of Service
Gitlab
-
CVE-2025-52222
HIGH
CVSS 7.5
Buffer overflow in D-Link enterprise VPN router series (DI-8003, DI-8500, DI-8003G, DI-8200G, DI-8200, DI-8400, DI-8004w, DI-8100, DI-8100G) firmware versions 16.07.26A1 and 17.12.20A1/17.12.21A1 allows unauthenticated remote attackers to trigger denial of service via crafted HTTP requests exploiting the rd_en, rd_auth, rd_acct, http_hadmin, http_hadminpwd, rd_key, and rd_ip parameters in the radius_asp function. Attack requires no user interaction or authentication (CVSS:3.1 AV:N/AC:L/PR:N/UI:N). No public exploit identified at time of analysis.
Denial Of Service
D-Link
Buffer Overflow
N/A
-
CVE-2025-52221
HIGH
CVSS 7.5
Buffer overflow in Tenda AC6 router firmware version 15.03.05.16_multi enables unauthenticated remote denial-of-service attacks via crafted HTTP requests to the formSetCfm function. Attackers can trigger service disruption by sending malicious funcname, funcpara1, or funcpara2 parameters without authentication. The network-accessible attack vector with low complexity makes this exploitable from the internet. No public exploit identified at time of analysis. Low observed exploitation activity (EPSS 0.02%).
Buffer Overflow
Tenda
N/A
-
CVE-2025-50673
HIGH
CVSS 7.5
Buffer overflow in D-Link DI-8003 router firmware 16.07.26A1 allows unauthenticated remote attackers to trigger denial-of-service conditions by sending malformed http_lanport parameter values to the /webgl.asp endpoint. Network-accessible attack requires no user interaction or privileges. Exploitation causes availability impact only with no confidentiality or integrity compromise. Low observed exploitation activity (EPSS <1%). No public exploit identified at time of analysis.
D-Link
Buffer Overflow
-
CVE-2025-50672
HIGH
CVSS 7.5
Buffer overflow in D-Link DI-8003 router firmware 16.07.26A1 via /yyxz_dlink.asp endpoint enables unauthenticated network-based denial of service attacks. Improper parameter validation allows remote attackers to crash the device or trigger service interruption without authentication, user interaction, or elevated privileges. CVSS 7.5 (High) severity reflects network accessibility and availability impact. No public exploit identified at time of analysis. Low observed exploitation activity (EPSS 0.02%).
D-Link
Buffer Overflow
-
CVE-2025-50671
HIGH
CVSS 7.5
Buffer overflow in D-Link DI-8003 router firmware 16.07.26A1 enables unauthenticated remote denial of service through the /xwgl_ref.asp endpoint. Attackers exploit improper input validation by sending HTTP GET requests with excessively long strings in eight parameters (name, en, user_id, shibie_name, time, act, log, rpri), causing stack buffer overflow and device crash. Low observed exploitation activity (EPSS <1%). No public exploit identified at time of analysis. Affects network-accessible management interface without authentication requirements.
D-Link
Buffer Overflow
Stack Overflow
-
CVE-2025-50670
HIGH
CVSS 7.5
Buffer overflow in D-Link DI-8003 router firmware 16.07.26A1 enables unauthenticated remote attackers to trigger denial-of-service conditions via crafted HTTP GET requests to /xwgl_bwr.asp endpoint. Exploitation occurs through oversized name, qq, or time parameters causing memory corruption. CVSS score 7.5 reflects high availability impact without confidentiality or integrity compromise. No public exploit identified at time of analysis, with low observed exploitation activity (EPSS <1%).
D-Link
Buffer Overflow
-
CVE-2025-50669
HIGH
CVSS 7.5
Buffer overflow in D-Link DI-8003 (16.07.26A1) and DI-8003G (19.12.10A1) routers enables unauthenticated remote denial-of-service through improper handling of the wan_ping parameter at the /wan_ping.asp endpoint. Network-accessible attack requires no user interaction or privileges. CVSS:3.1 score 7.5 (High) reflects availability impact. No public exploit identified at time of analysis. Low observed exploitation activity (EPSS 0.02%).
D-Link
Buffer Overflow
-
CVE-2025-50668
HIGH
CVSS 7.5
Buffer overflow in D-Link DI-8003 router firmware 16.07.26A1 enables unauthenticated remote attackers to trigger denial-of-service conditions through malformed 's' parameter input to the /web_list_opt.asp endpoint. The vulnerability requires no user interaction and is exploitable over the network with low attack complexity. CVSS 7.5 (High) reflects network-accessible DoS impact. No public exploit identified at time of analysis; low observed exploitation activity (EPSS <1%).
D-Link
Buffer Overflow
-
CVE-2025-50667
HIGH
CVSS 7.5
Buffer overflow in D-Link DI-8003 router firmware 16.07.26A1 enables unauthenticated remote denial of service via malicious iface parameter to /wan_line_detection.asp endpoint. Attack requires no user interaction and exploits improper input validation in network-accessible web management interface. CVSS 7.5 (High) severity reflects availability impact; no public exploit identified at time of analysis. Low observed exploitation activity (EPSS 0.02%).
D-Link
Buffer Overflow
-
CVE-2025-50666
HIGH
CVSS 7.5
Buffer overflow in D-Link DI-8003 router firmware 16.07.26A1 enables unauthenticated remote attackers to trigger denial-of-service conditions via crafted HTTP GET requests to /web_post.asp endpoint. Vulnerable parameters include name, en, user_id, log, and time fields. Attack requires no user interaction and exploits improper input validation in web management interface. CVSS 7.5 (High) severity with network-accessible attack vector. No public exploit identified at time of analysis. Low observed exploitation activity (EPSS <1%).
D-Link
Buffer Overflow
-
CVE-2025-50665
HIGH
CVSS 7.5
Buffer overflow in D-Link DI-8003 router firmware 16.07.26A1 enables unauthenticated remote denial-of-service attacks through crafted HTTP GET requests to /web_keyword.asp endpoint. Attackers exploit improper input validation in name, en, time, mem_gb2312, and mem_utf8 parameters to trigger memory corruption, causing device unavailability. CVSS 7.5 (High) severity reflects network-accessible attack vector requiring no user interaction or privileges. No public exploit identified at time of analysis; low observed exploitation activity.
D-Link
Buffer Overflow
-
CVE-2025-50664
HIGH
CVSS 7.5
Stack-based buffer overflow in D-Link DI-8003 router firmware 16.07.26A1 enables unauthenticated remote denial-of-service via malformed HTTP GET request to /user_group.asp endpoint. Attacker sends crafted name, mem, pri, or attr parameters triggering memory corruption and device crash. CVSS 7.5 High severity reflects network-accessible attack requiring no privileges or user interaction. No public exploit identified at time of analysis. Low observed exploitation activity (EPSS <1%).
D-Link
Buffer Overflow
Stack Overflow
-
CVE-2025-50663
HIGH
CVSS 7.5
Buffer overflow in D-Link DI-8003 router firmware 16.07.26A1 enables unauthenticated remote denial-of-service attacks via crafted name parameter to /usb_paswd.asp endpoint. Stack-based buffer overflow (CWE-121) triggers memory corruption leading to service disruption. Affects network-accessible administrative interfaces without authentication barrier (CVSS AV:N/PR:N). No public exploit identified at time of analysis. Low observed exploitation activity (EPSS <1%).
D-Link
Buffer Overflow
Stack Overflow
-
CVE-2025-50662
HIGH
CVSS 7.5
Buffer overflow in D-Link DI-8003 router firmware 16.07.26A1 enables unauthenticated remote denial-of-service attacks via crafted name parameter to /url_group.asp endpoint. Attackers can trigger stack-based buffer overflow remotely over network without user interaction, causing high availability impact through service disruption or device crash. No public exploit identified at time of analysis. CVSS 7.5 severity reflects network-accessible attack vector with low complexity.
D-Link
Buffer Overflow
Stack Overflow
-
CVE-2025-50661
HIGH
CVSS 7.5
Buffer overflow in D-Link DI-8003 router firmware 16.07.26A1 enables unauthenticated remote attackers to trigger denial-of-service conditions via crafted HTTP GET requests to the /url_rule.asp endpoint. Exploitation requires no user interaction and succeeds over network access with low complexity. Eight vulnerable parameters (name, en, ips, u, time, act, rpri, log) accept unbounded input causing stack memory corruption. CVSS 7.5 HIGH severity reflects network-accessible availability impact. No public exploit identified at time of analysis. EPSS 0.01% indicates low observed exploitation activity.
D-Link
Buffer Overflow
Stack Overflow
-
CVE-2025-50660
HIGH
CVSS 7.5
Stack-based buffer overflow in D-Link DI-8003 router firmware 16.07.26A1 allows unauthenticated remote attackers to trigger denial-of-service conditions by sending malformed name parameter values to the /url_member.asp endpoint. The vulnerability enables network-accessible attackers to crash the device without authentication or user interaction, disrupting availability of routing services. No public exploit identified at time of analysis.
D-Link
Buffer Overflow
Stack Overflow
-
CVE-2025-50659
HIGH
CVSS 7.5
Buffer overflow in D-Link DI-8003 router firmware 16.07.26A1 enables unauthenticated remote denial-of-service via malformed custom_error parameter to /user.asp endpoint. Attackers can crash device remotely without credentials by exploiting stack-based buffer overflow (CWE-121). CVSS 7.5 reflects network-accessible, low-complexity attack requiring no user interaction. No public exploit identified at time of analysis; low observed exploitation activity (EPSS 0.02%).
D-Link
Buffer Overflow
Stack Overflow
-
CVE-2025-50657
HIGH
CVSS 7.5
Buffer overflow in D-Link DI-8003 router firmware 16.07.26A1 enables unauthenticated remote attackers to trigger denial-of-service conditions through malformed pid parameter values in the /trace.asp endpoint. The vulnerability requires no user interaction and is exploitable over the network with low attack complexity, affecting network availability for enterprise routing infrastructure. No public exploit identified at time of analysis.
D-Link
Buffer Overflow
Stack Overflow
-
CVE-2025-50655
HIGH
CVSS 7.5
Buffer overflow in D-Link DI-8003 router firmware 16.07.26A1 enables unauthenticated remote denial-of-service attacks through malformed name parameter in /thd_group.asp endpoint. Improper input validation triggers stack-based buffer overflow, causing device crashes or service disruption without requiring user interaction. Attack vector is network-accessible with low complexity. No public exploit identified at time of analysis.
D-Link
Buffer Overflow
Stack Overflow
-
CVE-2025-50654
HIGH
CVSS 7.5
Buffer overflow in D-Link DI-8003 router firmware 16.07.26A1 enables unauthenticated remote denial-of-service attacks through a malformed id parameter in the /thd_member.asp endpoint. Exploiting this CWE-120 flaw requires no authentication (CVSS PR:N) and permits network-based attackers to crash the device with low complexity. No public exploit identified at time of analysis. Low observed exploitation activity (EPSS 0.02%). Affects D-Link network infrastructure devices running the vulnerable firmware version.
D-Link
Buffer Overflow
-
CVE-2025-50653
HIGH
CVSS 7.5
Buffer overflow in D-Link DI-8003 router firmware 16.07.26A1 enables unauthenticated remote attackers to trigger denial-of-service conditions via malformed name and mem parameters submitted to the /time_group.asp endpoint. The vulnerability requires no user interaction and permits network-based exploitation with low attack complexity. No public exploit identified at time of analysis. EPSS score of 0.02% indicates low observed exploitation activity.
D-Link
Buffer Overflow
-
CVE-2025-50652
HIGH
CVSS 7.5
Buffer overflow in D-Link DI-8003 router firmware 16.07.26A1 enables unauthenticated remote attackers to trigger denial-of-service conditions through malformed id parameter input to /saveparm_usb.asp endpoint. Exploitation requires network access to administrative interface without authentication. CWE-120 classification indicates classic buffer overflow allowing memory corruption. CVSS vector confirms network-exploitable, unauthenticated attack path with high availability impact but no data confidentiality or integrity compromise. No public exploit identified at time of analysis.
D-Link
Buffer Overflow
-
CVE-2025-50650
HIGH
CVSS 7.5
Buffer overflow in D-Link DI-8003 router firmware 16.07.26A1 enables unauthenticated remote denial-of-service attacks via malformed routes_static parameter to /router.asp endpoint. The vulnerability permits network-accessible attackers to crash the device without credentials or user interaction. No public exploit identified at time of analysis. CVSS 7.5 (High) reflects complete availability impact with network attack vector and low complexity.
D-Link
Buffer Overflow
-
CVE-2025-50649
HIGH
CVSS 7.5
Buffer overflow in D-Link DI-8003 router firmware 16.07.26A1 enables unauthenticated remote attackers to trigger denial-of-service conditions through malformed vlan_name parameter submitted to /shut_set.asp endpoint. Improper input validation in VLAN configuration interface permits memory corruption leading to system availability disruption. CVSS 7.5 reflects network-accessible attack requiring no user interaction or credentials. No public exploit identified at time of analysis; low observed exploitation activity (EPSS 0.02%).
D-Link
Buffer Overflow
-
CVE-2025-50648
HIGH
CVSS 7.5
Buffer overflow in D-Link DI-8003 router firmware 16.07.26A1 enables unauthenticated remote attackers to trigger denial-of-service conditions via malformed input to the /tggl.asp endpoint. The vulnerability stems from inadequate input validation, allowing network-accessible exploitation without authentication or user interaction. Exploitation results in high-impact availability loss with no confidentiality or integrity compromise. No public exploit identified at time of analysis. EPSS score indicates low observed exploitation activity.
D-Link
Buffer Overflow
-
CVE-2025-50647
HIGH
CVSS 7.5
Buffer overflow in D-Link DI-8003 router firmware 16.07.26A1 enables unauthenticated remote attackers to trigger denial-of-service conditions through malformed wans parameter input to the qos.asp Quality-of-Service configuration endpoint. Exploitation requires no user interaction and achieves complete availability impact against network infrastructure device. Low observed exploitation activity (EPSS 0.02%, 5th percentile); no public exploit identified at time of analysis.
D-Link
Buffer Overflow
-
CVE-2025-50646
HIGH
CVSS 7.5
Buffer overflow in D-Link DI-8003 router firmware 16.07.26A1 enables unauthenticated remote denial-of-service attacks through malformed input to the name parameter at /qos_type_asp.asp endpoint. Attackers can trigger service disruption without authentication or user interaction by exploiting insufficient input validation in the QoS management interface. EPSS indicates low observed exploitation activity; no public exploit identified at time of analysis.
D-Link
Buffer Overflow
-
CVE-2025-50645
HIGH
CVSS 7.5
Buffer overflow in D-Link DI-8003 router firmware 16.07.26A1 enables unauthenticated remote denial of service attacks. Attackers can trigger memory corruption by submitting oversized 's' parameter values to the pppoe_list_opt.asp endpoint without authentication, causing device unavailability. CVSS 7.5 severity reflects network-accessible attack vector with low complexity. No public exploit identified at time of analysis. Low observed exploitation activity (EPSS 0.02%).
D-Link
Buffer Overflow
-
CVE-2025-50644
HIGH
CVSS 7.5
Buffer overflow in D-Link DI-8003 router firmware 16.07.26A1 qj.asp endpoint enables unauthenticated remote denial-of-service attacks through malformed HTTP requests. Insufficient input validation allows attackers to trigger memory corruption, crashing the device and disrupting network services. Confidentiality and integrity remain intact per CVSS scoring, but availability impact is severe. No public exploit identified at time of analysis. EPSS indicates low observed exploitation activity.
D-Link
Buffer Overflow
-
CVE-2025-45059
HIGH
CVSS 7.5
Buffer overflow in D-Link DI-8300 router firmware v16.07.26A1 enables unauthenticated remote attackers to trigger denial-of-service conditions via malformed input to the fn parameter in the tgfile_htm function. Network-accessible attack vector requires no privileges or user interaction. CVSS 7.5 (High) reflects availability impact. No public exploit identified at time of analysis. Low observed exploitation activity (EPSS 0.02%).
Denial Of Service
D-Link
Buffer Overflow
-
CVE-2025-45058
HIGH
CVSS 7.5
Buffer overflow in D-Link DI-8300 router firmware v16.07.26A1 enables unauthenticated remote attackers to trigger denial-of-service conditions through malformed fx parameter input to the jingx_asp function. Network-accessible exploitation requires no authentication or user interaction (CVSS AV:N/PR:N/UI:N). Impact limited to availability disruption; no data confidentiality or integrity compromise. No public exploit identified at time of analysis. EPSS 0.02% indicates low observed exploitation activity.
D-Link
Buffer Overflow
Denial Of Service
-
CVE-2025-45057
HIGH
CVSS 7.5
Buffer overflow in the ip_position_asp function of D-Link DI-8300 router firmware v16.07.26A1 enables unauthenticated remote attackers to trigger denial of service through crafted input to the ip parameter. The network-accessible vulnerability requires no user interaction. No public exploit identified at time of analysis. CVSS 7.5 (High) reflects an unauthenticated network attack vector with complete availability impact.
D-Link
Buffer Overflow
Denial Of Service
-
CVE-2025-30650
HIGH
CVSS 8.4
Privilege escalation in Juniper Networks Junos OS allows high-privileged local attackers to gain root access on Linux-based line cards running Junos OS Evolved. Missing authentication in critical command processing functions enables authenticated administrators with elevated privileges to bypass access controls and execute commands as root on affected hardware modules including MPC7-11, LC2101/2103, LC480/4800/9600, MX304 built-in FPC, MX-SPC3, SRX5K-SPC3, EX9200-40XS, and PTX-series line cards. No public exploit identified at time of analysis.
Authentication Bypass
Juniper
-
CVE-2025-12664
HIGH
CVSS 7.5
Denial of service in GitLab CE/EE versions 13.0 through 18.10.2 allows unauthenticated remote attackers to exhaust server resources via repeated GraphQL queries. Affects all installations from version 13.0 before patched releases 18.8.9, 18.9.5, and 18.10.3. Attackers can degrade or halt GitLab service availability without authentication, impacting development workflows and CI/CD pipelines. No public exploit identified at time of analysis.
Denial Of Service
Gitlab
-
CVE-2026-40087
MEDIUM
CVSS 5.3
LangChain's f-string prompt-template validation allows information disclosure through attribute access and nested format-specifier injection in DictPromptTemplate and ImagePromptTemplate classes. Unauthenticated remote attackers can craft malicious template strings to expose internal object state, model context, or logs when templates are formatted with rich Python objects. Practical impact is limited to applications that accept untrusted template strings (not just variable values) and pass complex objects into template formatting; hardcoded templates and value-only user input are unaffected. Vendor-released patch available in langchain-core 0.3.84 and 1.2.28.
Python
Deserialization
-
CVE-2026-40028
MEDIUM
CVSS 5.1
Hayabusa versions before 3.8.0 contain a stored cross-site scripting (XSS) vulnerability in HTML report generation that allows authenticated attackers to inject arbitrary JavaScript into the Computer field of JSON-exported logs, which executes in a forensic examiner's browser when viewing the generated HTML report. The vulnerability requires user interaction (report viewing) and results in information disclosure or session compromise, affecting forensic analysis workflows that process untrusted or adversary-controlled log data.
RCE
Information Disclosure
XSS
Hayabusa
-
CVE-2026-40026
MEDIUM
CVSS 4.8
Out-of-bounds read in The Sleuth Kit through 4.14.0 allows local attackers with user interaction to disclose sensitive information via a crafted ISO9660 image, exploiting the parse_susp() function's failure to validate field lengths before copying SUSP extension data into stack buffers. The vulnerability can also trigger infinite parsing loops with malformed zero-length SUSP entries. Patch available from upstream repository.
Information Disclosure
Buffer Overflow
Sleuthkit
-
CVE-2026-40025
MEDIUM
CVSS 4.8
Out-of-bounds read in Sleuth Kit through version 4.14.0 allows local attackers to disclose heap memory or crash the application via a malicious APFS disk image with crafted length fields in the keybag parser. The vulnerability requires user interaction to process the malicious image but affects all Sleuth Kit tools that parse APFS volumes, with a public fix available on GitHub.
Information Disclosure
Buffer Overflow
Sleuthkit
-
CVE-2026-39901
MEDIUM
CVSS 5.7
Monetr allows authenticated tenant users to soft-delete protected synced transactions through the PUT update endpoint by directly setting the deletedAt field, bypassing the explicit DELETE protection that prevents such operations. This authorization bypass compromises transaction history integrity and audit trail reliability for imported transactions that should be immutable. The vulnerability requires authentication and user interaction but enables attackers to hide critical financial records from normal views while the soft-deleted data remains accessible via direct retrieval, affecting any Monetr deployment relying on synced transaction immutability.
Authentication Bypass
-
CVE-2026-39892
MEDIUM
CVSS 6.9
Buffer overflow in pyca/cryptography library allows reading past allocated memory when non-contiguous Python buffers (such as reversed slices) are passed to cryptographic APIs like Hash.update() on Python 3.11+. Attackers can trigger memory disclosure or denial of service by crafting malformed buffer objects, affecting any application using the cryptography package with vulnerable buffer handling.
Buffer Overflow
Python
-
CVE-2026-39882
MEDIUM
CVSS 5.3
OpenTelemetry Go OTLP HTTP exporters allow memory exhaustion when sending telemetry to attacker-controlled or network-intercepted collector endpoints. The trace, metric, and log exporters read unbounded HTTP response bodies into in-memory buffers without size limits, enabling an attacker to force large transient heap allocations and crash the instrumented process via out-of-memory conditions. Attack requires network control of the collector endpoint or man-in-the-middle position (CVSS 5.3, CVSS:3.1/AV:A/AC:H). Upstream fix available (PR #8108); no active exploitation confirmed.
Canonical
Denial Of Service
-
CVE-2026-39881
MEDIUM
CVSS 5.0
Vim 9.2.0315 and earlier contains a command injection vulnerability in the netbeans interface that allows a malicious netbeans server to execute arbitrary Ex commands via unsanitized strings in defineAnnoType and specialKeys protocol messages. An authenticated local attacker with user-level privileges and ability to interact with a netbeans connection can achieve code execution with the privileges of the Vim process. The vulnerability is fixed in Vim 9.2.0316.
RCE
Command Injection
Code Injection
Vim
-
CVE-2026-39880
MEDIUM
CVSS 5.0
Remnawave Backend prior to version 2.7.5 allows authenticated users to bypass HWID device registration limits through a race condition in the device registration logic, enabling subscription resale and excessive traffic consumption. The vulnerability requires valid authentication credentials but affects the integrity of subscription management controls across the system. A vendor-released patch is available in version 2.7.5.
Authentication Bypass
Race Condition
-
CVE-2026-39865
MEDIUM
CVSS 5.9
Denial of service in Axios HTTP/2 client before version 1.13.2 allows unauthenticated remote attackers to crash Node.js applications through malicious HTTP/2 server responses that trigger state corruption during concurrent session closures. The vulnerability exploits a control flow error in session cleanup logic with high attack complexity, making real-world exploitation require specific server-side conditions but posing significant risk to applications relying on HTTP/2.
Node.js
Denial Of Service
-
CVE-2026-39864
MEDIUM
CVSS 4.4
Kamailio versions prior to 6.0.5 and 5.8.7 contain an out-of-bounds read in the auth module that allows remote attackers with high privileges to trigger a denial of service via a specially crafted SIP packet when successful user authentication without a database backend is followed by additional identity checks. The vulnerability requires high privilege level and high attack complexity but can reliably crash the Kamailio process, impacting SIP service availability.
Information Disclosure
Buffer Overflow
Denial Of Service
-
CVE-2026-39862
MEDIUM
CVSS 6.3
Remote code execution in Tophat mobile testing harness prior to 2.5.1 allows authenticated network attackers to execute arbitrary commands on a developer's macOS workstation via unsanitized URL query parameters passed directly to bash. The vulnerability affects any developer with Tophat installed, with commands executing under the user's permissions and no confirmation dialog for previously trusted build hosts. This was fixed in version 2.5.1.
RCE
Apple
Command Injection
-
CVE-2026-39859
MEDIUM
CVSS 6.3
Path traversal in liquidjs 10.25.0 allows local file disclosure when renderFile() or parseFile() receives absolute paths or traversal sequences, despite the root parameter being documented as a sandbox boundary. An attacker controlling template filenames passed to these APIs can read arbitrary files accessible to the Node.js process, such as /etc/hosts or sensitive configuration files. The vulnerability affects liquidjs versions prior to 10.25.5; a vendor-released patch is available. No public exploit code or active exploitation has been identified at the time of analysis.
Node.js
Path Traversal
-
CVE-2026-39851
MEDIUM
CVSS 5.3
Saleor e-commerce platform versions 2.10.0 through 3.23.0a2 leak user email addresses via error messages in the requestEmailChange() GraphQL mutation, allowing authenticated attackers to enumerate valid email addresses in the system. The vulnerability affects multiple version branches and is resolved in patched versions 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118. CVSS 5.3 reflects low confidentiality impact with authentication requirement.
Information Disclosure
-
CVE-2026-39844
MEDIUM
CVSS 5.9
Path traversal via backslash bypass in NiceGUI file upload sanitization allows arbitrary file write on Windows systems. The vulnerability exploits a cross-platform path handling inconsistency where PurePosixPath fails to strip backslash-based path traversal sequences, enabling attackers to write files outside the intended upload directory when applications construct paths using the sanitized filename. Windows deployments are exclusively affected; potential remote code execution is possible if executables or application files can be overwritten. No public exploit code identified at time of analysis, though the vulnerability is confirmed in NiceGUI versions prior to 3.10.0.
Python
Path Traversal
Apple
RCE
Microsoft
-
CVE-2026-39716
MEDIUM
CVSS 5.3
CKThemes Flipmart theme through version 2.8 contains a missing authorization vulnerability enabling unauthenticated remote attackers to bypass access control restrictions and gain limited read access to sensitive information. The vulnerability stems from incorrectly configured access control security levels that fail to properly validate user permissions before exposing restricted functionality. While the CVSS score of 5.3 reflects moderate severity, the EPSS score of 0.02% and SSVC assessment indicating no known exploitation suggest this is a lower-priority issue in practice, though the automatable nature of exploitation makes it a candidate for proactive remediation in shared hosting environments.
Authentication Bypass
-
CVE-2026-39714
MEDIUM
CVSS 5.3
G5Plus April WordPress theme versions up to 6.8 contain a missing authorization vulnerability allowing unauthenticated remote attackers to access resources with restricted access control levels, resulting in limited information disclosure. The vulnerability affects the theme's broken access control mechanism and has a low exploitation probability (EPSS 0.02%, percentile 4%) with no public exploit identified at time of analysis, though CISA SSVC assessment indicates partial technical impact from non-automatable exploitation.
Authentication Bypass
-
CVE-2026-39712
MEDIUM
CVSS 5.3
Improper neutralization of HTML script tags in tagDiv Composer plugin versions up to 5.4.3 allows unauthenticated remote attackers to inject arbitrary code through shortcode execution, resulting in stored cross-site scripting (XSS). The vulnerability exploits insufficient input sanitization in the plugin's composer functionality, enabling attackers to inject malicious scripts that execute in the context of affected web pages. While EPSS scoring indicates low real-world exploitation probability (0.03%, 8th percentile), the CISA SSVC framework notes the attack is automatable and results in partial technical impact; no public exploit code or active exploitation has been identified at time of analysis.
XSS
-
CVE-2026-39710
MEDIUM
CVSS 5.4
Cross-site request forgery (CSRF) in stmcan RT-Theme 18 Extensions plugin version 2.5 and earlier allows unauthenticated remote attackers to perform unintended actions on behalf of authenticated users through crafted requests, requiring user interaction. EPSS exploitation probability is minimal at 0.01%, and no public exploit code or active exploitation has been identified; however, the vulnerability carries real-world risk due to the low technical bar for CSRF attacks and the plugin's web-accessible attack surface.
CSRF
-
CVE-2026-39708
MEDIUM
CVSS 6.5
Stored cross-site scripting (XSS) in UiCore Elements WordPress plugin versions 1.3.14 and earlier allows authenticated users to inject malicious scripts into web pages, which execute in the browsers of other users viewing affected content. The vulnerability stems from improper input neutralization during page generation, affecting any WordPress installation using the plugin. No active exploitation has been confirmed, and the EPSS score of 0.03% indicates very low real-world exploitation probability despite the CVSS 6.5 score.
XSS
-
CVE-2026-39706
MEDIUM
CVSS 5.3
Netro Systems Make My Trivia plugin through version 1.1.0 fails to properly enforce access controls, allowing unauthenticated remote attackers to read sensitive information by exploiting incorrectly configured security levels. This missing authorization vulnerability (CWE-862) has a CVSS base score of 5.3 with low real-world exploitation risk (EPSS 0.02%, CISA SSVC exploitation status 'none') despite being automatable, suggesting the flaw requires specific misconfiguration to be exploitable in practice.
Authentication Bypass
-
CVE-2026-39704
MEDIUM
CVSS 5.3
Missing authorization in nfusionsolutions Precious Metals Automated Product Pricing Pro plugin (versions <= 4.0.5) allows unauthenticated remote attackers to access sensitive information through incorrectly configured access controls. The vulnerability affects WordPress installations using this e-commerce plugin and enables information disclosure with low CVSS severity (5.3), though exploitation requires no authentication and is automatable according to CISA SSVC assessment. No public exploit code or active exploitation has been confirmed.
Authentication Bypass
-
CVE-2026-39702
MEDIUM
CVSS 6.5
DOM-based cross-site scripting (XSS) in Wealcoder Animation Addons for Elementor through version 2.6.1 allows authenticated attackers with low privileges to inject malicious scripts that execute in users' browsers with the click of a link. The vulnerability stems from improper input neutralization during web page generation and affects all versions of the plugin up to and including 2.6.1. With an EPSS score of 0.03% and no confirmed active exploitation, this represents a lower-priority vulnerability despite the authenticated attack requirement.
XSS
-
CVE-2026-39700
MEDIUM
CVSS 5.3
Missing authorization in WPXPO WowOptin plugin through version 1.4.32 allows unauthenticated remote attackers to read sensitive information by exploiting incorrectly configured access control on plugin endpoints. The vulnerability carries a low CVSS score (5.3) and extremely low EPSS exploitation probability (0.02%, percentile 4%), indicating limited real-world attack incentive despite network-accessible exposure. No public exploit code or active exploitation has been confirmed.
Authentication Bypass
-
CVE-2026-39698
MEDIUM
CVSS 5.3
Missing authorization in The Publisher Desk ads.txt WordPress plugin versions 1.5.0 and earlier allows unauthenticated remote attackers to bypass access controls and read sensitive configuration data through incorrectly configured access control levels. The vulnerability has a CVSS score of 5.3 (medium) with low real-world exploitation risk (EPSS 0.02%, percentile 4%). No public exploit code or active exploitation has been identified at the time of analysis.
Authentication Bypass
-
CVE-2026-39696
MEDIUM
CVSS 6.5
DOM-Based cross-site scripting (XSS) in Elfsight WhatsApp Chat CC WordPress plugin versions up to 1.2.0 allows authenticated attackers with limited privileges to inject malicious scripts that execute in the context of other users' browsers. The vulnerability requires user interaction (UI:R per CVSS vector) and affects the plugin's DOM manipulation during web page generation. Real-world exploitation risk is low: EPSS score of 0.03% (8th percentile) reflects minimal demonstrated exploitation likelihood, no public proof-of-concept has been identified, and CISA SSVC assessment indicates exploitation is not yet observed and attack automation is infeasible.
XSS
-
CVE-2026-39694
MEDIUM
CVSS 5.3
Missing authorization in NSquared Simply Schedule Appointments WordPress plugin through version 1.6.10.2 allows unauthenticated remote attackers to read sensitive information by exploiting incorrectly configured access control security levels. The vulnerability has a CVSS score of 5.3 (low-moderate) and EPSS probability of 0.02%, placing it in the lower-risk percentile despite public awareness. No active exploitation has been confirmed, and SSVC decision data indicates the issue is automatable but non-critical due to partial technical impact.
Authentication Bypass
-
CVE-2026-39692
MEDIUM
CVSS 6.5
Stored cross-site scripting (XSS) in tagDiv Composer WordPress plugin versions up to 5.4.3 allows authenticated attackers with low privileges to inject malicious scripts that execute in the context of other users' browsers. The vulnerability requires user interaction (UI:R) and affects confidentiality, integrity, and availability with limited scope. EPSS exploitation probability is very low at 0.03% (8th percentile), and CISA SSVC assessment indicates no known exploitation, non-automatable attacks, and partial technical impact, suggesting this is a lower-priority vulnerability despite the CVSS 6.5 rating.
XSS
-
CVE-2026-39690
MEDIUM
CVSS 5.3
Missing authorization in Paul Bearne Author Avatars List/Block plugin (versions up to 2.1.25) allows unauthenticated remote attackers to access sensitive information through incorrectly configured access control, resulting in partial disclosure of confidential data. The vulnerability has low exploitation probability (EPSS 0.02%) and no public exploit identified, but the automatable nature and broken access control classification warrant attention for WordPress installations using this plugin.
Authentication Bypass
-
CVE-2026-39688
MEDIUM
CVSS 5.3
Missing authorization in Glowlogix WP Frontend Profile plugin through version 1.3.9 allows unauthenticated remote attackers to bypass access controls and access restricted user profile information, resulting in limited information disclosure. The vulnerability stems from incorrectly configured access control security levels in the plugin's frontend profile functionality. While CVSS is rated 5.3 (medium) and EPSS probability is very low at 0.02%, CISA SSVC assessment indicates exploitation is automatable, elevating real-world risk for affected WordPress installations running this plugin.
Authentication Bypass
-
CVE-2026-39682
MEDIUM
CVSS 5.3
Unauthenticated remote attackers can access sensitive information in linkPizza-Manager WordPress plugin through incorrectly configured access controls that fail to enforce proper authorization checks. The vulnerability affects linkPizza-Manager versions up to 5.5.5 and allows an unauthenticated attacker to cause a partial confidentiality impact, with no integrity or availability impact. No public exploit code has been identified at time of analysis.
Authentication Bypass
-
CVE-2026-39680
MEDIUM
CVSS 5.3
Missing authorization in MWP Development Diet Calorie Calculator plugin through version 1.1.1 allows unauthenticated remote attackers to gain unauthorized read access to sensitive data via improperly configured access control. The vulnerability affects all versions from inception through 1.1.1, with a network attack vector and minimal complexity. Although the CVSS base score is 5.3 (moderate), real-world risk is substantially lower: EPSS exploitation probability is only 0.02% (fourth percentile), no public exploit code or active exploitation has been identified, and the vulnerability is limited to information disclosure without integrity or availability impact.
Authentication Bypass
-
CVE-2026-39678
MEDIUM
CVSS 5.3
Unauthenticated remote attackers can bypass access control in DOTonPAPER Pinpoint Booking System versions up to 2.9.9.6.5 to view sensitive booking data due to missing authorization checks on API endpoints. The vulnerability allows information disclosure with low confidentiality impact, and while CVSS rates it 5.3 (medium), the 0.02% EPSS score indicates minimal real-world exploitation probability despite the straightforward network-based attack vector.
Authentication Bypass
-
CVE-2026-39676
MEDIUM
CVSS 5.3
Remote unauthenticated attackers can bypass access controls in Shahjada Download Manager through version 3.3.52, gaining unauthorized read access to restricted download content due to missing authorization checks. The vulnerability affects all versions up to and including 3.3.52, with an EPSS exploitation probability of 0.02% (4th percentile) indicating minimal real-world risk despite the network-accessible attack vector. No public exploit code or active exploitation has been confirmed.
Authentication Bypass
-
CVE-2026-39674
MEDIUM
CVSS 6.5
DOM-based cross-site scripting in MK Google Directions WordPress plugin versions up to 3.1.1 allows authenticated attackers with low privileges to inject malicious scripts that execute in users' browsers with user interaction. The vulnerability stems from improper sanitization of user-supplied input during web page generation, enabling attackers to steal session cookies, perform actions on behalf of authenticated users, or deface plugin interface elements. With an EPSS score of 0.03% (8th percentile), real-world exploitation probability is minimal despite the medium CVSS score of 6.5.
Google
XSS
-
CVE-2026-39672
MEDIUM
CVSS 5.3
Missing authorization in ShipTime: Discounted Shipping Rates WordPress plugin (versions ≤1.1.1) allows unauthenticated remote attackers to access sensitive shipping rate information and configuration via incorrectly configured access control, resulting in limited confidentiality compromise. CVSS 5.3 with 0.02% EPSS indicates low real-world exploitation probability despite network-accessible attack vector. CISA SSVC framework rates this as non-exploited with partial technical impact, suggesting this is a configuration weakness rather than an actively weaponized vulnerability.
Authentication Bypass
Shiptime
-
CVE-2026-39670
MEDIUM
CVSS 6.0
Server-Side Request Forgery (SSRF) in Brecht Visual Link Preview WordPress plugin versions through 2.3.0 allows authenticated attackers with low privileges to make arbitrary network requests from the affected server, potentially accessing internal resources, metadata services, or performing actions on behalf of the server. No public exploit code was identified at time of analysis, and the vulnerability carries low real-world exploitation probability (EPSS 0.02%) despite moderate CVSS scoring.
SSRF
Visual Link Preview
-
CVE-2026-39668
MEDIUM
CVSS 5.3
Book Previewer for WooCommerce plugin versions up to 1.0.6 fail to enforce authorization checks on sensitive functionality, allowing unauthenticated remote attackers to access restricted content with low-complexity exploitation. The vulnerability stems from missing access control validation, enabling attackers to bypass intended security boundaries without user interaction. While CVSS rates this as moderate (5.3), EPSS exploitation probability remains minimal at 0.02%, and no public exploit code or active exploitation has been confirmed.
WordPress
Authentication Bypass
Book Previewer For Woocommerce
-
CVE-2026-39666
MEDIUM
CVSS 6.5
DOM-Based XSS in Hello Bar Popup Builder WordPress plugin versions up to 1.5.1 allows authenticated attackers with low privileges to inject arbitrary scripts that execute in users' browsers with the affected site's context. The vulnerability requires user interaction (UI:R) and affects confidentiality, integrity, and availability with limited scope. EPSS score of 0.03% (8th percentile) and CISA SSVC assessment of non-automatable exploitation with partial technical impact indicate this is a low real-world priority despite moderate CVSS score, though authenticated access and user interaction requirements limit immediate threat surface.
XSS
Hello Bar Popup Builder
-
CVE-2026-39664
MEDIUM
CVSS 5.3
Leadrebel plugin version 1.0.2 and earlier allows unauthenticated remote attackers to access sensitive information through incorrectly configured access control, exposing confidential data without authorization. The vulnerability stems from missing authorization checks on functionality that should be restricted, enabling attackers to bypass authentication mechanisms and retrieve non-public information. While the CVSS score is moderate (5.3) and real-world exploitation probability is low (EPSS 0.02%), the issue represents a fundamental authentication bypass in access control logic.
Authentication Bypass
Leadrebel
-
CVE-2026-39662
MEDIUM
CVSS 5.3
Missing authorization in ProWCPlugins Product Price by Formula for WooCommerce plugin (versions up to 2.5.6) allows unauthenticated remote attackers to read sensitive configuration data through incorrectly configured access control. The vulnerability exposes limited information confidentiality without enabling modification or denial of service, and carries a low real-world exploitation probability (EPSS 0.02%) despite a moderate CVSS score.
WordPress
Authentication Bypass
Product Price By Formula For Woocommerce
-
CVE-2026-39659
MEDIUM
CVSS 5.3
Missing authorization in Ultimate Member WordPress plugin versions up to 2.11.3 allows unauthenticated remote attackers to bypass access controls and read sensitive information due to incorrectly configured security levels. The vulnerability has a low CVSS score (5.3) with minimal real-world exploitation risk (EPSS 0.02%), though it enables confidentiality impact through access control circumvention.
Authentication Bypass
Ultimate Member
-
CVE-2026-39657
MEDIUM
CVSS 5.3
Leadlovers Forms WordPress plugin versions 1.0.2 and earlier allow unauthenticated remote attackers to bypass access controls and read sensitive information through incorrectly configured authorization checks. The vulnerability exposes confidential data without requiring authentication or user interaction, affecting the forms plugin deployed across WordPress installations. While the EPSS score of 0.02% suggests minimal exploitation probability, the unauthenticated attack vector and lack of user interaction make this a straightforward access control flaw that could enable information disclosure.
Authentication Bypass
Leadlovers Forms
-
CVE-2026-39652
MEDIUM
CVSS 5.3
Missing authorization in iGMS Direct Booking WordPress plugin versions 1.3 and earlier allows unauthenticated remote attackers to access sensitive information through incorrectly configured access control, affecting confidentiality but not integrity or availability. The vulnerability carries a CVSS score of 5.3 with network-based remote access and no authentication required, though EPSS exploitation probability is very low at 0.02%, suggesting minimal real-world threat despite the authorization flaw.
Authentication Bypass
Igms Direct Booking
-
CVE-2026-39650
MEDIUM
CVSS 5.3
Missing authorization in Unitech Web UnitechPay WordPress plugin through version 1.0.2 permits unauthenticated remote attackers to read sensitive information via incorrectly configured access controls, exposing data confidentiality without enabling modification or service disruption. The vulnerability carries a CVSS score of 5.3 with near-zero measured exploitation probability (EPSS 0.02%), indicating low real-world risk despite network-accessible attack surface.
Authentication Bypass
Unitechpay
-
CVE-2026-39648
MEDIUM
CVSS 5.3
Missing authorization in themebeez Cream Blog WordPress theme versions up to 2.1.7 allows unauthenticated remote attackers to bypass access controls and read sensitive information due to incorrectly configured access control security levels. With a CVSS score of 5.3 and EPSS exploitation probability of 0.02% (4th percentile), this represents a low real-world exploitation risk despite the network-accessible attack vector. No public exploit code or active exploitation has been confirmed at the time of analysis.
Authentication Bypass
Cream Blog
-
CVE-2026-39646
MEDIUM
CVSS 6.5
Stored cross-site scripting (XSS) in bozdoz Leaflet Map WordPress plugin versions up to 3.4.4 allows authenticated attackers with low privileges to inject malicious scripts that execute in the browsers of site visitors, potentially leading to session hijacking, credential theft, or website defacement. The vulnerability has a low EPSS score (0.03%, 8th percentile) suggesting minimal real-world exploitation likelihood despite moderate CVSS severity, and no public exploit code or active exploitation has been confirmed.
XSS
Leaflet Map
-
CVE-2026-39644
MEDIUM
CVSS 5.3
Missing authorization in Roxnor Wp Ultimate Review plugin versions up to 2.3.8 allows unauthenticated remote attackers to access restricted functionality through incorrectly configured access control security levels, resulting in limited information disclosure. The vulnerability carries a low EPSS exploitation probability (0.02%, 4th percentile) and has not been confirmed as actively exploited, though the simple attack vector (network-accessible, no complexity, no authentication required) means opportunistic exploitation is feasible.
Authentication Bypass
Wp Ultimate Review
-
CVE-2026-39641
MEDIUM
CVSS 6.5
Cross-Site Request Forgery (CSRF) vulnerability in Skywarrior Blackfyre theme versions up to 2.5.4 allows unauthenticated remote attackers to perform unauthorized actions on behalf of authenticated users through maliciously crafted requests. The vulnerability requires user interaction (clicking a malicious link) but carries a high integrity impact (CVSS 6.5). Despite a high CVSS score, the extremely low EPSS score (0.01%) suggests minimal real-world exploitation probability at time of analysis.
CSRF
Blackfyre
-
CVE-2026-39639
MEDIUM
CVSS 6.5
RPS Include Content WordPress plugin through version 1.2.2 fails to properly enforce access control, allowing authenticated users to modify content they should not have permission to alter. The vulnerability stems from missing authorization checks that validate user permissions before allowing content modifications, affecting all installations of the plugin up to and including version 1.2.2. While the CVSS score of 6.5 reflects moderate severity, the low EPSS score (0.02%, 4th percentile) suggests limited real-world exploitation probability, likely due to the requirement for authenticated access and the plugin's relatively narrow user base.
Authentication Bypass
Rps Include Content
-
CVE-2026-39637
MEDIUM
CVSS 5.3
SpabRice Mogi theme versions through 1.2.3 fail to properly enforce authorization controls, allowing unauthenticated remote attackers to access restricted functionality due to incorrectly configured access control security levels. The vulnerability has a CVSS score of 5.3 with low confidentiality impact but no integrity or availability impact. EPSS exploitation probability is minimal at 0.02%, and no public exploit code or active exploitation has been identified.
Authentication Bypass
Mogi
-
CVE-2026-39635
MEDIUM
CVSS 5.4
Cross-Site Request Forgery (CSRF) vulnerability in ThemeGoods Grand Magazine WordPress theme versions up to 3.5.5 allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated users via crafted malicious web pages. The vulnerability requires user interaction (clicking a link or visiting a malicious page) but carries low real-world exploitation probability despite the moderate CVSS score, as reflected by an EPSS score of 0.01% (1st percentile). No public exploit code or active exploitation has been confirmed at time of analysis.
CSRF
Grand Magazine
-
CVE-2026-39633
MEDIUM
CVSS 6.5
Cross-site request forgery (CSRF) in ThemeGoods Grand Car Rental WordPress theme versions up to 3.6.9 allows authenticated attackers to perform unauthorized actions on behalf of users through malicious web pages. The vulnerability requires user interaction (UI:R) and affects confidentiality, integrity, and availability with low impact. EPSS exploitation probability is 0.01% (1st percentile), indicating minimal real-world exploitation likelihood despite the moderate CVSS score of 6.5.
CSRF
Grand Car Rental
-
CVE-2026-39631
MEDIUM
CVSS 4.9
WPSchoolPress plugin through version 2.2.35 allows authenticated high-privilege users to bypass authorization controls and access sensitive information they should not be able to view due to incorrectly configured access control security levels. The CVSS score of 4.9 reflects the confidentiality impact limited to authenticated high-privilege attackers with no integrity or availability risk, though the EPSS score of 0.02% suggests exploitation in real-world scenarios remains minimal at time of analysis. No public exploit code or active exploitation has been identified.
Authentication Bypass
Wpschoolpress
-
CVE-2026-39629
MEDIUM
CVSS 5.3
Improper neutralization of script-related HTML tags in the kutethemes Uminex WordPress theme version 1.0.9 and earlier enables unauthenticated remote attackers to inject arbitrary code via cross-site scripting (XSS), resulting in limited information disclosure. The vulnerability has an EPSS score of 0.03% (8th percentile), indicating minimal real-world exploitation probability despite a CVSS base score of 5.3; no public exploit code or active exploitation has been identified.
XSS
Uminex
-
CVE-2026-39627
MEDIUM
CVSS 4.3
Missing authorization in the Ashe WordPress theme through version 2.266 allows unauthenticated remote attackers to access restricted functionality through incorrectly configured access control security levels. The vulnerability requires user interaction and is limited to low-impact information disclosure, with a CVSS score of 4.3 and minimal exploitation probability (EPSS 0.02%), indicating this is a low-priority authorization bypass rather than a critical vulnerability.
Authentication Bypass
Ashe
-
CVE-2026-39625
MEDIUM
CVSS 5.3
Improper neutralization of script-related HTML tags in kutethemes TechOne WordPress theme versions up to 3.0.3 enables unauthenticated attackers to inject malicious code through basic cross-site scripting (XSS), resulting in limited information disclosure. The vulnerability has an exceptionally low EPSS score (0.03%, percentile 8%) despite the moderate CVSS rating, suggesting minimal real-world exploitation likelihood. No public exploit code or confirmed active exploitation has been identified at the time of analysis.
XSS
Techone
-
CVE-2026-39615
MEDIUM
CVSS 5.9
Stored XSS in Shahjada Download Manager WordPress plugin versions up to 3.3.53 allows authenticated administrators with high privileges to inject malicious scripts that execute in users' browsers. The vulnerability requires user interaction (UI:R) and high administrative privileges (PR:H), limiting real-world attack surface; EPSS exploitation probability is exceptionally low at 0.03% (8th percentile), indicating minimal practical risk despite the stored nature of the vulnerability.
XSS
Download Manager
-
CVE-2026-39609
MEDIUM
CVSS 5.3
Wava Payment plugin for WordPress versions 0.3.7 and earlier allows unauthenticated remote attackers to access sensitive information through missing authorization controls on API endpoints. The vulnerability enables attackers to read confidential data by exploiting improperly configured access control levels without requiring authentication or user interaction. EPSS exploitation probability is minimal at 0.02%, but the ability to leak information without authentication warrants attention for WordPress sites using this payment plugin.
Authentication Bypass
Wava Payment
-
CVE-2026-39607
MEDIUM
CVSS 5.4
Wpbens Filter Plus plugin versions 1.1.17 and earlier allow authenticated users to bypass access controls and modify data they should not have permission to access, due to missing authorization checks on sensitive functionality. An authenticated attacker with low privileges can exploit incorrectly configured access control security levels to read or modify restricted information, impacting the confidentiality and integrity of protected content.
Authentication Bypass
Filter Plus
-
CVE-2026-39605
MEDIUM
CVSS 5.3
Missing authorization in Obadiah Super Custom Login WordPress plugin versions 1.1 and earlier allows unauthenticated remote attackers to bypass access controls and gain limited information disclosure. The vulnerability stems from incorrectly configured access control security levels that fail to enforce proper authorization checks, enabling attackers to exploit weak authentication mechanisms without requiring valid credentials or user interaction.
Authentication Bypass
Super Custom Login
-
CVE-2026-39603
MEDIUM
CVSS 5.4
Cross-Site Request Forgery (CSRF) in ThemeGoods Grand Photography WordPress theme versions up to 5.7.8 allows unauthenticated remote attackers to perform unauthorized actions on behalf of authenticated users through crafted requests. The vulnerability requires user interaction (clicking a malicious link) but carries low real-world exploitation risk, with an EPSS score of 0.01% indicating minimal practical likelihood of attack despite the moderate CVSS 5.4 rating.
CSRF
Grand Photography
-
CVE-2026-39592
MEDIUM
CVSS 4.3
Missing authorization controls in the DEPART WordPress plugin (versions up to 1.0.7) allow authenticated attackers to access sensitive functionality by exploiting incorrectly configured access control security levels. The vulnerability requires valid user credentials but grants low-confidentiality access through broken authorization checks. While EPSS scoring indicates minimal real-world exploitation probability (0.02%, 4th percentile), the flaw represents a critical architectural weakness in permission enforcement that could enable privilege escalation or data disclosure depending on plugin functionality.
Authentication Bypass
Depart
-
CVE-2026-39575
MEDIUM
CVSS 6.5
DOM-based cross-site scripting (XSS) in Ronald Huereca Custom Query Blocks WordPress plugin version 5.5.0 and earlier allows authenticated users to inject malicious scripts via the post-type-archive-mapping functionality. The vulnerability requires user interaction (UI:R) and affects confidentiality, integrity, and availability across site boundaries (S:C). With EPSS at 0.03% and no confirmed active exploitation, this is a low-probability risk despite the medium CVSS score, indicating exploitation requires specific preconditions unlikely to occur in typical deployments.
XSS
Custom Query Blocks
-
CVE-2026-39569
MEDIUM
CVSS 6.5
Broken access control in AA Web Servant 12 Step Meeting List plugin version 3.19.9 and earlier allows authenticated users to view sensitive information by exploiting misconfigured access control security levels. An attacker with low-level privileges can enumerate or access data they should not be permitted to view, exposing confidential meeting or user information. The vulnerability has an EPSS score of 0.02% (4th percentile), indicating low real-world exploitation probability despite the moderate CVSS score of 6.5.
Authentication Bypass
12 Step Meeting List
-
CVE-2026-39565
MEDIUM
CVSS 4.3
WpTravelly tour-booking-manager plugin through version 2.1.7 allows authenticated users to access sensitive information via broken access control, enabling privilege escalation within WordPress sites. The vulnerability requires user authentication and network access but does not permit modification or denial of service, affecting all WpTravelly installations up to the specified version. EPSS exploitation probability is minimal at 0.02%, and no public exploit code has been identified.
Authentication Bypass
Wptravelly
-
CVE-2026-39563
MEDIUM
CVSS 5.3
Missing authorization in ILLID Share This Image WordPress plugin through version 2.12 allows unauthenticated remote attackers to access restricted functionality due to incorrectly configured access control, resulting in low-impact information disclosure. The vulnerability carries a moderate CVSS score of 5.3 but very low real-world exploitation probability (EPSS 0.02%, percentile 4%), suggesting this is a configuration or design flaw with limited practical impact rather than a critical security issue.
Authentication Bypass
Share This Image
-
CVE-2026-39561
MEDIUM
CVSS 5.3
Missing authorization in WP Chill Revive.so plugin versions up to 2.0.7 allows unauthenticated remote attackers to bypass access controls and read sensitive information via incorrectly configured access control security levels. The vulnerability has an EPSS score of 0.02% (4th percentile), indicating minimal real-world exploitation probability despite the moderate CVSS 5.3 score. No public exploit code or active exploitation has been confirmed.
Authentication Bypass
Revive So
-
CVE-2026-39543
MEDIUM
CVSS 5.3
Missing authorization in Themefic Tourfic WordPress plugin versions up to 2.21.4 allows unauthenticated remote attackers to access sensitive information through incorrectly configured access controls. The vulnerability exposes data confidentiality without enabling modification or denial of service, affecting WordPress sites running the vulnerable plugin. Despite a moderate CVSS score of 5.3, the extremely low EPSS score of 0.02% indicates minimal real-world exploitation probability.
Authentication Bypass
Tourfic
-
CVE-2026-39541
MEDIUM
CVSS 5.9
Stored cross-site scripting (XSS) in Themefic Hydra Booking WordPress plugin through version 1.1.38 allows authenticated attackers with high privileges to inject malicious scripts that execute in users' browsers with user interaction. The vulnerability stems from improper input neutralization during web page generation, enabling attackers to compromise user sessions or steal sensitive data from booking-related functionality. EPSS probability of exploitation is very low at 0.03% (8th percentile), and no public exploit code or active exploitation has been confirmed.
XSS
Hydra Booking
-
CVE-2026-39528
MEDIUM
CVSS 5.3
Missing authorization in WP Delicious WordPress plugin versions up to 1.9.5 enables unauthenticated remote attackers to bypass access controls and read sensitive information due to incorrectly configured access restrictions. The vulnerability allows unauthorized information disclosure with low CVSS impact (5.3) but affects a widely deployed WordPress plugin; exploitation likelihood is minimal (EPSS 0.02%, percentile 4%) and no public exploit code has been identified.
Authentication Bypass
Wp Delicious
-
CVE-2026-39517
MEDIUM
CVSS 6.5
DOM-Based Cross-Site Scripting (XSS) in A WP Life Blog Filter WordPress plugin versions 1.7.6 and earlier allows authenticated attackers with low privileges to inject malicious scripts that execute in victims' browsers when they interact with crafted web pages. The vulnerability stems from improper neutralization of user input during page generation and requires user interaction to trigger. No public exploit code or active exploitation has been identified at the time of analysis, with an EPSS score of 0.03% indicating low exploitation probability.
XSS
Blog Filter
-
CVE-2026-39508
MEDIUM
CVSS 6.5
DOM-based cross-site scripting (XSS) in Advanced Coupons for WooCommerce Coupons plugin (versions up to 4.7.1.1) allows authenticated attackers with low privileges to inject malicious scripts that execute in users' browsers with the same privileges as the site context, affecting confidentiality, integrity, and availability of the WordPress installation. The vulnerability has an EPSS score of 0.03% (8th percentile), indicating low real-world exploitation probability despite the moderate CVSS 6.5 rating.
XSS
WordPress
Advanced Coupons For Woocommerce Coupons
-
CVE-2026-39505
MEDIUM
CVSS 5.3
Missing authorization in Craig Hewitt Seriously Simple Podcasting plugin allows unauthenticated attackers to read sensitive podcast information through incorrectly configured access controls. The vulnerability affects versions 3.14.2 and earlier of the WordPress plugin. CVSS 5.3 with 0.02% EPSS score indicates limited real-world exploitation likelihood despite the network-accessible attack vector. No public exploit code or active CISA KEV listing has been identified, which supports treating this as a lower-priority authorization disclosure issue.
Authentication Bypass
Seriously Simple Podcasting
-
CVE-2026-39501
MEDIUM
CVSS 5.3
Missing authorization in RealMag777 FOX woocommerce-currency-switcher plugin for WordPress allows unauthenticated remote attackers to bypass access controls and gain read access to sensitive data through incorrectly configured security levels. The vulnerability affects FOX versions up to and including 1.4.5, with a CVSS score of 5.3 and extremely low exploitation probability (EPSS 0.02%), suggesting limited real-world attack incentive despite the missing authorization flaw.
WordPress
Authentication Bypass
Fox
-
CVE-2026-39485
MEDIUM
CVSS 4.3
Missing authorization in embedplus Youtube Embed Plus plugin versions up to 14.2.4 allows authenticated users to access restricted functionality through incorrectly configured access controls, resulting in limited information disclosure. The vulnerability affects all installations of Youtube Embed Plus from version 0 through 14.2.4, requires authenticated access (PR:L), and carries low real-world risk with EPSS score of 0.02% (4th percentile) despite CVSS 4.3 rating.
Authentication Bypass
Youtube Embed Plus
-
CVE-2026-39415
MEDIUM
CVSS 5.3
Frappe Learning Management System versions prior to 2.46.0 allow authenticated students to modify their own quiz scores via client-side manipulation using browser developer tools before submission. This vulnerability compromises the integrity of quiz results and academic reliability without enabling privilege escalation, unauthorized account access, or exposure of confidential information. The fix is available in version 2.46.0, and no public exploit code or active exploitation has been identified at the time of analysis.
Privilege Escalation
Authentication Bypass
Lms
-
CVE-2026-39413
MEDIUM
CVSS 4.2
LightRAG API authentication can be bypassed via JWT algorithm confusion attack, where an attacker forges tokens by specifying 'alg': 'none' in the JWT header to impersonate any user including administrators. The vulnerability exists in the validate_token() method in lightrag/api/auth.py (line 128), which accepts the unsigned 'none' algorithm despite not explicitly permitting it, allowing unauthenticated remote attackers to gain unauthorized access to protected resources. Publicly available proof-of-concept code demonstrates the attack; vendor has released a patch addressing the root cause of improper algorithm validation.
Python
Jwt Attack
Authentication Bypass
-
CVE-2026-39412
MEDIUM
CVSS 5.3
LiquidJS `sort_natural` and `sort` filters bypass the `ownPropertyOnly` security option, enabling prototype property extraction through a sorting side-channel attack. Applications using LiquidJS with `ownPropertyOnly: true` (default since v10.x) where untrusted users write templates are vulnerable to information disclosure of sensitive prototype-inherited properties such as API keys and tokens. A working proof-of-concept demonstrates extraction of prototype secrets via binary search on filter-induced sort ordering.
Information Disclosure
-
CVE-2026-39411
MEDIUM
CVSS 5.0
Authentication bypass in LobeHub webapi allows unauthenticated attackers to forge X-lobe-chat-auth headers using a publicly disclosed XOR key, gaining unauthorized access to protected routes including chat, model listing, and image generation endpoints. The vulnerability affects LobeHub versions up to 2.1.47 and has a confirmed proof-of-concept; however, the CVSS vector indicates PR:L (low privilege required), suggesting the advertised attack may require some initial authentication. Vendor-released patch version 2.1.48 is available.
Node.js
Authentication Bypass
-
CVE-2026-39410
MEDIUM
CVSS 4.8
Cookie prefix protections can be bypassed in Hono's parse() function due to overly aggressive character trimming that diverges from RFC 6265bis browser behavior. An attacker who can set cookies (via MITM, injection, or other means) can use non-breaking space (U+00A0) prefixed cookie names to shadow legitimate cookies, potentially overriding security-sensitive cookies including those protected by __Secure- and __Host- prefixes. Patch available in Hono v4.12.12.
Information Disclosure
-
CVE-2026-39409
MEDIUM
CVSS 6.3
IPv4 access control bypass in Hono middleware allows IPv4-mapped IPv6 addresses (e.g., ::ffff:127.0.0.1) to bypass IPv4-based ipRestriction() rules due to failure to canonicalize addresses before matching. Denied IPv4 clients can circumvent access restrictions in Node.js dual-stack environments by presenting as IPv6-formatted addresses, and legitimate IPv4 clients may be incorrectly rejected when allowlists are used. No public exploit code identified at time of analysis, but the vulnerability enables straightforward authentication bypass with minimal complexity.
Node.js
Authentication Bypass
-
CVE-2026-39408
MEDIUM
CVSS 5.9
Path traversal in Hono's toSSG() function allows attackers to write files outside the configured output directory during static site generation by injecting traversal sequences into ssgParams dynamic route values. The vulnerability is limited to build-time operations and does not affect runtime request handling. A vendor-released patch is available in Hono v4.12.12.
Path Traversal
-
CVE-2026-39407
MEDIUM
CVSS 5.3
Middleware bypass in Hono's serveStatic allows unauthenticated remote attackers to access protected static files by using repeated slashes in request paths, exploiting inconsistent path handling between the routing layer and static file resolution. The vulnerability affects Hono applications that rely on route-based middleware for access control, enabling unauthorized disclosure of sensitive files. Vendor-released patch available in version 4.12.12.
Path Traversal
Authentication Bypass
-
CVE-2026-39406
MEDIUM
CVSS 5.3
Path normalization inconsistency in Hono's node-server serveStatic middleware allows unauthenticated attackers to bypass route-based authorization middleware by using repeated slashes (e.g., //admin/secret.txt) to access protected static files, exposing sensitive information with low confidentiality impact (CVSS 5.3).
Path Traversal
Authentication Bypass
-
CVE-2026-39398
MEDIUM
openclaw-claude-bridge v1.1.0 incorrectly disables CLI tool access by passing --allowed-tools "" to the Claude Code subprocess, when the correct flag to disable tools is --tools. The --allowed-tools flag only controls which tools auto-approve without prompts; all CLI tools (Read, Write, Bash, WebFetch, etc.) remain nominally available. Users deploying the bridge to handle untrusted prompts or in gateway contexts may unknowingly operate without the sandboxing protections claimed in the README, exposing systems to prompt-injection attacks that could trigger arbitrary code execution in the process context. Vendor-released patch: v1.1.1 (commit 8a296f5).
AI / ML
RCE
-
CVE-2026-39392
MEDIUM
CVSS 5.5
Stored cross-site scripting (XSS) in CI4MS prior to 0.31.4.0 allows authenticated administrators with page-editing privileges to inject arbitrary JavaScript into page content that executes in the browsers of all public visitors. The Pages module fails to apply HTML sanitization during content creation and updates, storing unsanitized HTML directly in the database and rendering it without escaping on the frontend, whereas the Blog module correctly implements this protection. An attacker with admin credentials can compromise the integrity and confidentiality of visitor sessions. CVSS 5.5, no public exploit code identified at time of analysis.
XSS
-
CVE-2026-39391
MEDIUM
CVSS 4.8
Stored cross-site scripting (XSS) in CI4MS prior to 0.31.4.0 allows authenticated administrators with blacklist privileges to inject arbitrary JavaScript through unsanitized note parameters, which executes in the browsers of other administrators viewing the user management page. The vulnerability requires high-privilege authenticated access and user interaction (admin viewing the affected page), limiting real-world impact despite the network-accessible attack vector.
XSS
-
CVE-2026-39390
MEDIUM
CVSS 5.5
Stored cross-site scripting (XSS) in CI4MS prior to 0.31.4.0 allows authenticated administrators to inject malicious JavaScript via the Google Maps iframe setting (cMap field) using the srcdoc attribute, which bypasses existing sanitization filters. The injected payload executes in the browser context of unauthenticated frontend visitors, enabling session hijacking, credential theft, or malware distribution. This vulnerability requires admin-level access to the settings panel but affects all unauthenticated site visitors who view pages with the malicious iframe.
XSS
Google
-
CVE-2026-39389
MEDIUM
CVSS 6.7
CI4MS (CodeIgniter 4 CMS) versions prior to 0.31.4.0 contain an authentication bypass vulnerability (CWE-285) that allows high-privileged users to escalate or circumvent authorization controls. The vulnerability affects the role-based access control (RBAC) system in CI4MS, enabling authenticated administrators to gain unauthorized access to protected resources or functions. With a CVSS score of 6.7 and EPSS exploitation probability indicating moderate real-world risk, this requires immediate patching in production deployments.
Authentication Bypass
-
CVE-2026-39362
MEDIUM
CVSS 5.3
Server-side request forgery (SSRF) in InvenTree prior to versions 1.2.7 and 1.3.0 allows authenticated users to request arbitrary internal URLs when the INVENTREE_DOWNLOAD_FROM_URL feature is enabled, bypassing URL validation through HTTP redirect chains. An attacker with valid credentials can probe internal networks, access cloud metadata endpoints, or interact with backend services not exposed to the public internet by supplying crafted remote_image URLs that are fetched server-side without IP-range restrictions.
SSRF
Python
-
CVE-2026-35479
MEDIUM
CVSS 6.6
InvenTree prior to versions 1.2.7 and 1.3.0 allows staff-level users to install arbitrary plugins via the API without requiring superuser privileges, enabling privilege escalation and potential code execution. The vulnerability exists because plugin installation permissions are inconsistently enforced compared to other plugin operations (such as uninstallation) that correctly require superuser access. Staff users, typically considered lower-trust accounts than superusers, can exploit this to deploy malicious plugins with full application context. No public exploit code or active exploitation has been identified at time of analysis.
Authentication Bypass
-
CVE-2026-35477
MEDIUM
CVSS 5.5
Remote code execution in InvenTree 1.2.3 through 1.2.6 allows staff users with settings access to execute arbitrary code by crafting malicious Jinja2 templates that bypass sandbox validation. The vulnerability exists because the PART_NAME_FORMAT validator uses a sandboxed Jinja2 environment, but the actual rendering engine in part/helpers.py uses an unsandboxed environment, combined with a validation bypass via dummy Part instances with pk=None that behave differently during validation versus production execution. No public exploit code or active exploitation confirmed at time of analysis.
Ssti
RCE
-
CVE-2026-35407
MEDIUM
CVSS 5.9
Saleor e-commerce platform (versions 2.10.0 through 3.23.0a2) contains an authentication bypass vulnerability in the account email change workflow that allows authenticated attackers to change another user's email address by replaying a valid email-change confirmation token issued for a different account. The flaw stems from the confirmation flow's failure to verify that the token was issued for the requesting user, enabling token reuse across accounts with low attack complexity. The vulnerability affects millions of potential e-commerce deployments and is fixed in versions 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118; no public exploit code or active exploitation in the wild has been identified at the time of analysis.
Authentication Bypass
-
CVE-2026-35403
MEDIUM
CVSS 6.5
Cross-site scripting (XSS) in LORIS survey_accounts module (versions 15.10 through 27.0.2 and 28.0.0) allows authenticated users with low privileges to inject malicious scripts via invalid visit labels. The vulnerability arises because responses are JSON-encoded but lack a proper Content-Type header, causing browsers to interpret the payload as HTML. An attacker can trick a victim into following a crafted link to execute arbitrary JavaScript in the victim's browser context, potentially compromising sensitive neuroimaging research data. Fixed in versions 27.0.3 and 28.0.1.
XSS
-
CVE-2026-35165
MEDIUM
CVSS 6.3
LORIS versions 21.0.0 through 27.0.2 and 28.0.0 suffer from broken access control in the document_repository backend endpoint, allowing authenticated users to bypass frontend restrictions and download files they should not have access to by knowing or brute-forcing filenames. CVSS 6.3 (medium severity) with confirmed patch availability in versions 27.0.3 and 28.0.1. No public exploit code or active exploitation confirmed.
Authentication Bypass
-
CVE-2026-35023
MEDIUM
CVSS 5.3
Wimi Teamwork On-Premises versions before 8.2.0 allow authenticated attackers to enumerate sequential item_id values in the preview.php endpoint to bypass authorization checks and access image previews from other users' private or group conversations, resulting in unauthorized information disclosure. The vulnerability requires valid user credentials (CVSS PR:L) but enables horizontal privilege escalation to retrieve sensitive conversation data. No public exploit code has been identified, though the IDOR vulnerability pattern is straightforward to exploit.
Authentication Bypass
PHP
-
CVE-2026-34985
MEDIUM
CVSS 6.3
LORIS (Longitudinal Online Research and Imaging System) versions 16.1.0 through 27.0.2 and 28.0.0 allow authenticated users to bypass backend access controls in the media module and access files they should not have permission to view, provided they know the filename. The vulnerability stems from missing server-side authorization checks that should prevent unauthorized file access, enabling confidentiality and integrity compromise of sensitive neuroimaging research data. The issue is fixed in versions 27.0.3 and 28.0.1.
Authentication Bypass
-
CVE-2026-34837
MEDIUM
CVSS 5.3
Zammad versions prior to 7.0.1 fail to validate user authorization for context data supplied to the REST endpoint POST /api/v1/ai_assistance/text_tools/:id, allowing authenticated agents to access and leak unauthorized information (such as group or organization data) through AI prompt injection. The vulnerability requires the attacker to possess ticket.agent permission but does not require additional user interaction; no public exploit code or active exploitation has been identified at the time of analysis.
Authentication Bypass
-
CVE-2026-34782
MEDIUM
CVSS 5.3
Bypass of access controls in Zammad REST API endpoint POST /api/v1/ai_assistance/text_tools/:id allows authenticated users to utilize AI text tools without proper privilege verification in versions prior to 7.0.1 and 6.5.4. An authenticated attacker can invoke AI assistance features regardless of their assigned permissions, leading to unauthorized consumption of text tool functionality and potential information disclosure through unrestricted tool access.
Authentication Bypass
-
CVE-2026-34722
MEDIUM
CVSS 6.9
Unauthenticated attackers can bypass authorization on Zammad's ticket creation endpoint when using the link parameter, allowing unauthorized ticket creation and modification in affected versions prior to 6.5.4 and 7.0.1. This authentication bypass (CWE-862) affects all versions of Zammad before the patched releases and requires only network access with no user interaction or special complexity.
Authentication Bypass
-
CVE-2026-34721
MEDIUM
CVSS 5.9
Cross-site request forgery in Zammad OAuth callback endpoints for Microsoft, Google, and Facebook authentication allows authenticated attackers to hijack user sessions by crafting malicious requests that bypass CSRF state validation, potentially granting unauthorized access to user accounts and helpdesk data. The vulnerability affects Zammad versions prior to 7.0.1 and 6.5.4, and while no public exploit code has been identified, the attack requires user interaction and moderate attacker effort to execute successfully.
Google
CSRF
Microsoft
-
CVE-2026-34718
MEDIUM
CVSS 5.3
Improper HTML sanitization in Zammad ticket article processing prior to versions 7.0.1 and 6.5.4 allows unauthenticated remote attackers to inject malicious data URI schemes that persist in the database, potentially enabling stored cross-site scripting (XSS) attacks. While current Content Security Policy mitigations prevent immediate harm from link clicks, the vulnerability represents a persistent data integrity issue and stored XSS vector that could be exploited if CSP rules are modified or bypassed. No public exploit code has been identified, but the vulnerability affects all instances running unpatched versions.
XSS
-
CVE-2026-33753
MEDIUM
CVSS 6.2
Authorization bypass in rfc3161-client's TimeStamp Authority (TSA) verification allows remote attackers to impersonate any trusted TSA by exploiting a naive leaf certificate selection algorithm in the PKCS#7 certificate chain. The vulnerability enables an attacker to inject a forged certificate with a target TSA's common name and timeStamping EKU into an authentic timestamp response, causing the library to validate authorization checks against the fake certificate while the cryptographic signature remains valid under the real TSA. This completely defeats TSA pinning mechanisms (common_name, certificate constraints) that applications rely on to ensure timestamp authenticity. Publicly available proof-of-concept demonstrates successful exploitation against FreeTSA, and a vendor-released patch is available in version 1.0.6.
Authentication Bypass
OpenSSL
Python
-
CVE-2026-33460
MEDIUM
CVSS 4.3
Kibana's Fleet agent management endpoint fails to enforce space-scoped access controls, allowing authenticated users with Fleet privileges in one space to retrieve sensitive Fleet Server policy details from unauthorized spaces including policy names, operational identifiers, and infrastructure linkage information. The vulnerability affects Kibana across multiple versions and requires valid user authentication with Fleet agent management permissions, resulting in cross-space information disclosure without the ability to modify data.
Authentication Bypass
Elastic
Information Disclosure
-
CVE-2026-33459
MEDIUM
CVSS 6.5
Denial of service in Kibana's automatic import feature allows authenticated users to trigger uncontrolled resource consumption by submitting specially crafted requests with excessively large input values. When multiple such requests are sent concurrently, backend services become unstable, resulting in service disruption across all users. CVSS 6.5 (medium severity) reflects the authenticated attack requirement and high availability impact without confidentiality or integrity compromise.
Elastic
Denial Of Service
-
CVE-2026-33458
MEDIUM
CVSS 6.3
Server-Side Request Forgery in Kibana One Workflow allows authenticated users with workflow privileges to bypass host allowlist restrictions in the Workflows Execution Engine, enabling unauthorized access to sensitive internal endpoints and data disclosure. Affects Kibana versions 9.3.0 through 9.3.2. No public exploit code or active exploitation has been confirmed at time of analysis.
Elastic
Information Disclosure
SSRF
-
CVE-2026-33273
MEDIUM
CVSS 5.1
Remote code execution in MATCHA INVOICE 2.6.6 and earlier allows authenticated administrators to upload arbitrary files with dangerous types, enabling arbitrary code execution on the affected server. The vulnerability affects ICZ Corporation's MATCHA INVOICE product across all versions up to and including 2.6.6. While CVSS 4.7 reflects the requirement for administrative authentication, the RCE impact and file upload mechanism present a significant post-authentication risk in environments where administrative accounts may be compromised or insider threats exist. No public exploit code or CISA KEV confirmation identified at time of analysis.
File Upload
RCE
-
CVE-2026-33088
MEDIUM
CVSS 6.9
SQL injection in Movable Type allows unauthenticated remote attackers to execute arbitrary SQL statements through unvalidated input, potentially enabling unauthorized data access, modification, or deletion. The vulnerability affects Movable Type versions prior to 9.07 with a CVSS score of 6.9 (medium-high severity); exploitation requires only network access and no user interaction, making it broadly exploitable despite limited scope of confidentiality and integrity impact.
SQLi
-
CVE-2026-32591
MEDIUM
CVSS 5.2
Server-Side Request Forgery (SSRF) in Red Hat Quay's Proxy Cache configuration allows authenticated organization administrators to force the Quay server to make unvalidated network requests to internal services, cloud infrastructure endpoints, or otherwise restricted resources by supplying a crafted upstream registry hostname. With CVSS 5.2 and high confidentiality impact, this vulnerability requires administrator privileges and user interaction but poses significant risk to internal network exposure; no public exploit code or active exploitation (KEV) confirmed at time of analysis.
Redhat
SSRF
-
CVE-2026-30817
MEDIUM
CVSS 6.8
External configuration control in TP-Link AX53 v1.0 OpenVPN module allows authenticated adjacent attackers to read arbitrary files by processing malicious configuration files, exposing sensitive device information. The vulnerability affects AX53 v1.0 prior to firmware build 1.7.1 Build 20260213 and requires high-level authentication and network adjacency to exploit. A vendor-released patch is available.
TP-Link
Authentication Bypass
-
CVE-2026-30816
MEDIUM
CVSS 6.8
External control of configuration in TP-Link Archer AX53 v1.0 OpenVPN module allows authenticated adjacent attackers with high privileges to read arbitrary files via malicious configuration file processing, exposing sensitive device information. CVSS 6.8 reflects high confidentiality impact; no public exploit code or active exploitation confirmed. Patch available: firmware version 1.7.1 Build 20260213 or later.
TP-Link
Authentication Bypass
-
CVE-2026-27787
MEDIUM
CVSS 5.1
Stored cross-site scripting (XSS) in MATCHA SNS 1.3.9 and earlier allows authenticated users to inject arbitrary scripts that execute in the browsers of other users accessing affected pages, potentially leading to session hijacking, credential theft, or malware distribution. CVSS 5.4 reflects the requirement for user interaction and authenticated access; no public exploit code or active exploitation has been identified at the time of analysis.
XSS
-
CVE-2026-27102
MEDIUM
CVSS 6.6
Dell PowerScale OneFS versions 9.5.0.0 through 9.10.1.6 and 9.11.0.0 through 9.13.0.1 contain an incorrect privilege assignment vulnerability allowing local authenticated attackers to escalate privileges with low complexity, potentially achieving partial confidentiality and integrity compromise alongside high availability impact. No public exploit code or active exploitation has been identified at the time of analysis, though the local attack vector and straightforward exploitation path (AC:L) indicate moderate real-world risk for environments where local access controls are weak.
Dell
Information Disclosure
-
CVE-2026-24511
MEDIUM
CVSS 4.4
Dell PowerScale OneFS versions 9.5.0.0 through 9.10.1.6 and 9.11.0.0 through 9.13.0.0 disclose sensitive information through error messages accessible to high-privileged local attackers. The vulnerability stems from improper error handling (CWE-209) that exposes confidential data in system responses, requiring local access and administrative privileges to exploit. With a CVSS score of 4.4 reflecting high confidentiality impact but low attack complexity and no public exploit identified at time of analysis, this represents a moderate risk primarily to organizations where insider threats or compromised admin accounts pose concerns.
Dell
Information Disclosure
-
CVE-2026-20709
MEDIUM
CVSS 5.8
Use of a default cryptographic key in Intel Pentium Processor Silver Series, Celeron Processor J Series, and Celeron Processor N Series hardware allows privilege escalation when a hardware reverse engineer with privileged user access performs a high-complexity physical attack with special internal knowledge. The vulnerability has a CVSS score of 5.8 with physical attack vector (AV:P) and high attack complexity (AC:H), requiring privileged access (PR:H) and special attack time requirements (AT:P). No public exploit code or active CISA KEV designation has been identified.
Intel
Privilege Escalation
-
CVE-2026-5919
MEDIUM
CVSS 6.5
Google Chrome prior to 147.0.7727.55 contains insufficient validation of untrusted input in WebSockets that allows a remote attacker with a compromised renderer process to bypass same-origin policy via a crafted HTML page. This vulnerability requires prior renderer compromise and user interaction, limiting real-world exploitability despite the high CVSS score. EPSS scoring (0.02%, 6th percentile) and Chromium's own Low severity classification indicate minimal practical risk despite the integrity impact rating.
Google
Authentication Bypass
-
CVE-2026-5918
MEDIUM
CVSS 4.3
Google Chrome prior to version 147.0.7727.55 contains an information disclosure vulnerability in the Navigation component that allows a remote attacker with a compromised renderer process to leak cross-origin data via a crafted HTML page. The vulnerability requires user interaction and only affects confidentiality (CVSS 4.3), with an extremely low EPSS score of 0.03% indicating minimal real-world exploitation probability despite the unauthenticated attack vector.
Google
Information Disclosure
-
CVE-2026-5911
MEDIUM
CVSS 4.3
Content security policy bypass in Google Chrome prior to version 147.0.7727.55 allows remote attackers to bypass CSP protections via ServiceWorker policy manipulation when users interact with crafted HTML pages. The vulnerability requires user interaction (UI:R in CVSS) and results in integrity impact only; EPSS exploitation probability is minimal at 0.02%, and Chromium rates the security severity as low despite the policy bypass nature.
Google
Authentication Bypass
-
CVE-2026-5906
MEDIUM
CVSS 4.3
Omnibox spoofing in Google Chrome on Android prior to version 147.0.7727.55 allows remote attackers to deceive users by displaying falsified URL bar contents through a crafted HTML page, enabling phishing and social engineering attacks without requiring user interaction beyond visiting a malicious site. Despite a low CVSS score of 4.3 and minimal EPSS exploitation probability (0.03%), the vulnerability has real-world impact because attackers can trick users into believing they are on legitimate domains while actually on attacker-controlled pages.
Google
Information Disclosure
-
CVE-2026-5905
MEDIUM
CVSS 6.5
Domain spoofing via incorrect security UI in Google Chrome on Windows prior to version 147.0.7727.55 allows unauthenticated remote attackers to deceive users through crafted HTML pages that exploit flawed permission display mechanisms. The attack requires user interaction (clicking or viewing a malicious page) but carries moderate real-world risk due to low EPSS exploitation probability (0.03%, 7th percentile) despite the high CVSS impact score, suggesting the vulnerability requires specific user actions or conditions to successfully exploit.
Google
Information Disclosure
Microsoft
-
CVE-2026-5876
MEDIUM
CVSS 6.5
Side-channel information leakage in Google Chrome's Navigation feature prior to version 147.0.7727.55 allows unauthenticated remote attackers to extract cross-origin data by serving a crafted HTML page. The vulnerability requires user interaction (clicking or navigating to a malicious page) but successfully bypasses same-origin policy protections, exposing sensitive information from different origins. With an EPSS score of 0.03% (10th percentile) indicating very low real-world exploitation probability, this represents a medium-severity information disclosure risk appropriate for routine patching rather than emergency mitigation.
Information Disclosure
Google
-
CVE-2026-5875
MEDIUM
CVSS 4.3
UI spoofing via policy bypass in Blink rendering engine in Google Chrome prior to version 147.0.7727.55 allows remote attackers to deceive users through crafted HTML pages. The vulnerability requires user interaction (clicking or viewing) but needs no authentication, affecting all Chrome users on unpatched versions. Chromium security team rated this as Medium severity; EPSS score of 0.02% indicates low real-world exploitation probability despite public disclosure.
Google
Authentication Bypass
-
CVE-2026-5869
MEDIUM
CVSS 6.5
Heap buffer overflow in WebML (a web markup language component) in Google Chrome prior to version 147.0.7727.55 allows remote attackers to obtain potentially sensitive information from process memory by serving a crafted HTML page. The vulnerability requires no user authentication and can be triggered through normal web browsing, though exploitation has a low probability (EPSS 0.03%) and no public exploit code has been identified.
Google
Buffer Overflow
Heap Overflow
-
CVE-2026-5867
MEDIUM
CVSS 6.5
Heap buffer overflow in WebML component of Google Chrome prior to version 147.0.7727.55 allows unauthenticated remote attackers to read sensitive information from process memory via a specially crafted HTML page. The vulnerability requires no user authentication and only user interaction (page visit), with a CVSS score of 6.5 reflecting confidentiality impact and limited availability risk. No public exploit code or active exploitation has been confirmed at time of analysis, though a vendor patch is available.
Google
Buffer Overflow
Heap Overflow
-
CVE-2026-5864
MEDIUM
CVSS 6.5
Heap buffer overflow in Google Chrome's WebAudio component prior to version 147.0.7727.55 allows unauthenticated remote attackers to read sensitive information from process memory by serving a crafted HTML page. The vulnerability has a CVSS score of 6.5 and EPSS probability of 0.03% (8th percentile), indicating low real-world exploitation likelihood despite the network attack vector and lack of user interaction requirements. Vendor-released patch is available.
Google
Buffer Overflow
Heap Overflow
-
CVE-2026-5814
MEDIUM
CVSS 6.9
SQL injection in PHPGurukul Online Course Registration 3.1 allows remote unauthenticated attackers to manipulate the regno parameter in /admin/check_availability.php, enabling arbitrary database queries with potential for data exfiltration and modification. The vulnerability has a publicly available exploit and CVSS 6.9 score indicating moderate severity with confirmed data confidentiality and integrity impact.
SQLi
PHP
Online Course Registration
-
CVE-2026-5813
MEDIUM
CVSS 6.9
SQL injection in PHPGurukul Online Course Registration 3.1 allows unauthenticated remote attackers to manipulate the cid parameter in /check_availability.php to execute arbitrary SQL queries, potentially leading to unauthorized data access or modification. Publicly available exploit code exists, elevating real-world risk despite moderate CVSS scoring.
SQLi
PHP
-
CVE-2026-5812
MEDIUM
CVSS 5.3
Unauthenticated remote attackers can manipulate the txtqty POST parameter in SourceCodester Pharmacy Product Management System 1.0's add-sales.php to trigger business logic errors and cause data integrity violations. The vulnerability affects an unknown component of the POST parameter handler and allows modification of sales quantity values, resulting in integrity and availability impacts. Publicly available exploit code exists, and the flaw requires user authentication but is trivially exploitable with low attack complexity.
Information Disclosure
PHP
-
CVE-2026-5811
MEDIUM
CVSS 5.3
SourceCodester Online Food Ordering System 1.0 allows authenticated remote attackers to manipulate product pricing through the save_product function in Actions.php, leading to business logic errors including potential negative or arbitrary price values. The vulnerability affects the POST parameter handler and carries a CVSS score of 5.3 with publicly available exploit code; while not in CISA's KEV catalog, the public exploit availability and disclosure via vuldb indicate real-world exposure.
Information Disclosure
PHP
-
CVE-2026-5810
MEDIUM
CVSS 5.1
Stored cross-site scripting (XSS) in SourceCodester Sales and Inventory System 1.0 allows authenticated remote attackers to inject malicious scripts via the ID parameter in /delete.php, which are executed in the context of other users' browsers when they interact with the affected page. The vulnerability requires user interaction (clicking a malicious link) but has a published proof-of-concept and CVSS 5.1 score reflecting moderate impact on data integrity; exploitation is confirmed possible but not currently in CISA KEV.
XSS
PHP
-
CVE-2026-5808
MEDIUM
CVSS 5.3
Reflected cross-site scripting (XSS) in openstatusHQ openstatus allows unauthenticated remote attackers to inject malicious scripts via the callbackURL parameter in the Onboarding Endpoint component. The vulnerability affects the onboarding client functionality and requires user interaction to exploit. Vendor has released a patched version (commit 43d9b2b9ef8ae1a98f9bdc8a9f86d6a3dfaa2dfb), and no public exploit code is currently identified.
XSS
Openstatus
-
CVE-2026-5806
MEDIUM
CVSS 5.1
Stored cross-site scripting (XSS) in code-projects Easy Blog Site 1.0 allows authenticated remote attackers to inject malicious scripts via the postTitle parameter in /posts/update.php, potentially compromising user sessions and data integrity. The vulnerability requires user interaction (UI:P) and authentication (PR:L), but carries published exploit code and a moderate CVSS score of 5.1, indicating practical exploitation risk in multi-user blog environments.
XSS
PHP
Easy Blog Site
-
CVE-2026-5805
MEDIUM
CVSS 6.9
Remote code execution via SQL injection in code-projects Easy Blog Site up to version 1.0 allows unauthenticated attackers to manipulate the Name parameter in /users/contact_us.php, leading to arbitrary SQL command execution. The vulnerability has a CVSS score of 6.9 with network-based attack vector and low complexity, and publicly available exploit code exists, making this an immediate concern for affected deployments.
SQLi
PHP
Easy Blog Site
-
CVE-2026-5803
MEDIUM
CVSS 5.3
Server-side request forgery (SSRF) in bigsk1 openai-realtime-ui allows authenticated remote attackers to manipulate API proxy endpoint query parameters in server.js, enabling the server to make arbitrary requests to internal or external resources. The vulnerability affects all versions up to commit 188ccde27fdf3d8fab8da81f3893468f53b2797c, has publicly available exploit code, and carries a CVSS 5.3 score reflecting moderate impact with authentication required. A fix is available via commit 54f8f50f43af97c334a881af7b021e84b5b8310f.
SSRF
Openai Realtime Ui
-
CVE-2026-5802
MEDIUM
CVSS 6.9
Remote code execution in idachev mcp-javadc up to version 1.2.4 allows unauthenticated attackers to inject arbitrary operating system commands through the jarFilePath parameter in the HTTP Interface, with publicly available exploit code and a moderate CVSS score of 6.9 reflecting limited confidentiality, integrity, and availability impact.
Command Injection
-
CVE-2026-5711
MEDIUM
CVSS 6.4
Stored Cross-Site Scripting in Post Blocks & Tools WordPress plugin versions up to 1.3.0 allows authenticated attackers with author-level access to inject arbitrary JavaScript through the 'sliderStyle' block attribute in the Posts Slider block, which executes in the browsers of all users viewing affected pages. The vulnerability stems from insufficient input sanitization and output escaping, enabling persistent payload injection that affects any site administrator or editor visiting a compromised post.
WordPress
XSS
Post Blocks Tools
-
CVE-2026-5600
MEDIUM
CVSS 5.5
Pretix 2025 and 2026 versions contain an API endpoint authorization bypass that returns all check-in events for an organizer rather than a specific event, exposing ticket scan records (including scan timestamps, results, and ticket IDs) across unauthorized events to authenticated API consumers with high-level organizer privileges. The vulnerability affects pretix 2025.10.0 through 2026.3.0, allowing privileged users to access sensitive event data they should not be permitted to view, though individual attendee identity linkage requires additional context not provided by the API response alone.
Authentication Bypass
-
CVE-2026-5508
MEDIUM
CVSS 6.4
Stored Cross-Site Scripting in WowPress plugin for WordPress (all versions up to 1.0.0) allows authenticated attackers with contributor-level access and above to inject arbitrary JavaScript through insufficiently sanitized shortcode attributes, enabling malicious script execution in pages viewed by other users. CVSS 6.4 reflects moderate severity with network-accessible attack vector but requires authenticated access; no public exploit code or active exploitation confirmed at time of analysis.
WordPress
XSS
-
CVE-2026-5506
MEDIUM
CVSS 6.4
Stored Cross-Site Scripting in Wavr WordPress plugin up to version 0.2.6 allows authenticated contributors and above to inject arbitrary JavaScript via insufficiently sanitized shortcode attributes, with malicious scripts executing for all users who view affected pages. CVSS 6.4 reflects moderate severity with network-accessible attack vector and cross-site impact; no public exploit code or active exploitation confirmed at time of analysis.
WordPress
XSS
-
CVE-2026-5451
MEDIUM
CVSS 6.4
Stored Cross-Site Scripting in Extensions for Leaflet Map plugin for WordPress allows authenticated attackers with Contributor-level access to inject arbitrary web scripts via the 'elevation-track' shortcode due to insufficient input sanitization and output escaping, enabling arbitrary script execution whenever users access injected pages. The vulnerability affects all versions up to and including 4.14, with a CVSS score of 6.4 reflecting the moderate but significant impact across multiple users of the same WordPress installation.
WordPress
XSS
Extensions For Leaflet Map
-
CVE-2026-5302
MEDIUM
CVSS 6.3
CORS misconfiguration in CoolerControl coolercontrold versions 2.0.0 through 3.x allows unauthenticated remote attackers to read sensitive data and send control commands to the service by exploiting browser-based cross-origin requests from malicious websites. The vulnerability requires user interaction (UI:R) but grants attackers capability to leak information and manipulate daemon operations with a CVSS score of 6.3 (medium).
Cors Misconfiguration
Information Disclosure
-
CVE-2026-5300
MEDIUM
CVSS 5.9
CoolerControl's coolercontrold daemon versions before 4.0.0 lack proper authentication controls, allowing unauthenticated local attackers to view and modify sensitive system data through unprotected HTTP API endpoints. The vulnerability affects coolercontrold 0.14.0 through 3.x, with CVSS 5.9 reflecting local attack vector and low-complexity exploitation; no public exploit code or active KEV status identified at time of analysis.
Authentication Bypass
Information Disclosure
-
CVE-2026-5169
MEDIUM
CVSS 4.4
Stored cross-site scripting in the Inquiry Form to Posts or Pages WordPress plugin up to version 1.0 allows authenticated administrators to inject arbitrary JavaScript via the 'Form Header' field, executing when users access the plugin settings page or view pages containing the [inquiry_form] shortcode. The vulnerability stems from insufficient input sanitization during option storage and missing output escaping in two rendering locations. CVSS 4.4 reflects the high privilege requirement (administrator-only access) and limited impact, though the stored nature and cross-site scope elevate concern for sites with multiple administrators or role delegation.
WordPress
PHP
XSS
-
CVE-2026-5167
MEDIUM
CVSS 5.3
Unauthenticated attackers can bypass authorization in Masteriyo LMS plugin versions up to 2.1.7 by sending forged Stripe webhook events to mark arbitrary orders as completed without payment, granting unauthorized access to paid course content. The vulnerability stems from insufficient webhook signature verification in the handle_webhook() function, which processes requests with an empty default webhook_secret and only validates signatures if both the secret is configured and the HTTP_STRIPE_SIGNATURE header is present. No public exploit code or active exploitation has been identified at time of analysis, though the attack requires only network access and no authentication or user interaction.
WordPress
Authentication Bypass
-
CVE-2026-5083
MEDIUM
CVSS 5.3
Ado::Sessions through version 0.935 for Perl generates cryptographically weak session identifiers by seeding SHA-1 with the built-in rand function, system time, and process ID, allowing attackers to predict valid session IDs and hijack user sessions. The vulnerability affects unmaintained code no longer available on CPAN, though it remains on BackPAN. EPSS exploitation probability is minimal at 0.02%, and no public exploit code has been identified, but the automatable nature of session prediction and partial technical impact warrant assessment for legacy deployments.
Information Disclosure
-
CVE-2026-5082
MEDIUM
CVSS 5.3
Amon2::Plugin::Web::CSRFDefender versions 7.00 through 7.03 for Perl generate cryptographically weak session IDs when /dev/urandom is unavailable, falling back to SHA-1 hashing seeded with predictable values (system PID, epoch time, and the unseeded rand() function). This allows attackers to forge valid session identifiers and potentially conduct session hijacking or CSRF attacks. The module is deprecated by its author, and CISA has not confirmed active exploitation; however, the automatable nature of the attack (as per SSVC) combined with the availability of fix version 7.04 indicates moderate practical risk despite the low EPSS score of 0.02%.
Information Disclosure
-
CVE-2026-4871
MEDIUM
CVSS 6.4
Stored Cross-Site Scripting in Sports Club Management WordPress plugin versions up to 1.12.9 allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript into shortcode attributes, which executes when other users view affected pages. The vulnerability stems from insufficient input sanitization and output escaping in the `scm_member_data` shortcode's 'before' and 'after' parameters, requiring only basic WordPress login privileges but affecting all site visitors who access injected content. No public exploit code or active exploitation has been identified at this time.
WordPress
XSS
-
CVE-2026-4837
MEDIUM
CVSS 6.6
Remote code execution in Rapid7 Insight Agent for Linux versions prior to 4.1.0.2 allows authenticated attackers with high privileges to inject arbitrary code via eval() in the beaconing logic by crafting a malicious beacon response. The vulnerability requires high authentication privileges and mutual TLS verification, making remote exploitation difficult without prior compromise of the Rapid7 Platform backend. CVSS 6.6 reflects the high impact (code execution as root) balanced against high attack complexity and privilege requirements. No public exploit code or active exploitation has been identified at time of analysis.
RCE
Code Injection
-
CVE-2026-4785
MEDIUM
CVSS 6.4
Stored Cross-Site Scripting in LatePoint Calendar Booking Plugin for WordPress up to version 5.3.0 allows authenticated contributors and above to inject arbitrary JavaScript via the 'button_caption' parameter in the [latepoint_resources] shortcode when 'items' is set to 'bundles'. The injected scripts execute for all users viewing the affected page. No public exploit code or active exploitation has been identified, though the vulnerability requires only contributor-level access and automatic exploitation is feasible.
WordPress
XSS
-
CVE-2026-4655
MEDIUM
CVSS 6.4
Stored cross-site scripting in Element Pack Addons for Elementor plugin versions up to 8.4.2 allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript via malicious SVG files through the SVG Image Widget. The vulnerability exists in the render_svg() function, which fetches remote SVG content and echoes it directly to pages without proper sanitization, enabling persistent XSS attacks affecting all users who view pages containing the compromised widget. No public exploit code or active exploitation has been identified at the time of analysis.
WordPress
XSS
-
CVE-2026-4654
MEDIUM
CVSS 5.3
Insecure Direct Object Reference (IDOR) in Awesome Support WordPress plugin up to version 6.3.7 allows authenticated subscribers and above to access sensitive information from all support tickets by manipulating the ticket_id parameter in the wpas_get_ticket_replies_ajax() function. The vulnerability fails to verify user permissions before returning ticket data, enabling unauthorized disclosure of potentially sensitive helpdesk information across the entire system. No public exploit code or active exploitation has been confirmed at time of analysis.
WordPress
Authentication Bypass
-
CVE-2026-4406
MEDIUM
CVSS 4.7
Reflected cross-site scripting in Gravity Forms plugin for WordPress versions up to 2.9.30 allows unauthenticated attackers to inject arbitrary web scripts via the form_ids parameter in the gform_get_config AJAX action. The vulnerability exploits improper JSON encoding combined with HTML content-type headers and publicly reusable nonces; attackers can craft malicious links that, when clicked by users, execute injected scripts on vulnerable pages. No active exploitation confirmed; CVSS 4.7 reflects moderate risk constrained by required user interaction and limited scope.
WordPress
XSS
-
CVE-2026-4401
MEDIUM
CVSS 5.4
Cross-Site Request Forgery in Download Monitor plugin for WordPress up to version 5.1.10 allows unauthenticated attackers to delete, disable, or enable approved download paths by tricking site administrators into clicking a malicious link, due to missing nonce verification in the actions_handler() and bulk_actions_handler() methods. The vulnerability requires user interaction (UI:R) and has a moderate CVSS score of 5.4, with impacts limited to integrity and availability of download path configurations rather than confidentiality.
WordPress
PHP
CSRF
-
CVE-2026-4394
MEDIUM
CVSS 6.1
Stored cross-site scripting in Gravity Forms plugin for WordPress up to version 2.9.30 allows unauthenticated attackers to inject malicious scripts via the Credit Card field's 'Card Type' sub-field. The vulnerability exploits a gap between frontend validation (Card Type is auto-derived from card number) and backend acceptance of unsanitized POST parameters, combined with unescaped output when administrators view form entries in the WordPress dashboard. Attackers can craft POST requests containing malicious JavaScript in the `input_<id>.4` parameter, which is stored and executed with administrator privileges upon dashboard access.
WordPress
XSS
-
CVE-2026-4379
MEDIUM
CVSS 6.4
LightPress Lightbox plugin for WordPress allows authenticated attackers with Contributor-level access and above to inject arbitrary JavaScript via the unescaped `group` attribute in the `[gallery]` shortcode, resulting in stored cross-site scripting that executes for all users viewing affected pages. The vulnerability affects all versions up to 2.3.4 and has been addressed in version 2.3.5.
WordPress
XSS
-
CVE-2026-4341
MEDIUM
CVSS 6.4
Stored Cross-Site Scripting in Prime Slider - Addons for Elementor plugin allows authenticated users with Author-level access to inject arbitrary JavaScript through the 'follow_us_text' setting in the Mount widget. The vulnerability exists in all versions up to 4.1.10 due to missing output escaping in the render_social_link() function, enabling attackers to execute malicious scripts whenever pages containing the injected widget are viewed. No public exploit code or active exploitation has been confirmed at this time.
WordPress
PHP
XSS
-
CVE-2026-4333
MEDIUM
CVSS 6.4
Stored Cross-Site Scripting in LearnPress WordPress LMS Plugin up to version 4.3.3 allows authenticated contributors to inject malicious scripts via the 'skin' attribute of the learn_press_courses shortcode, which lacks proper output escaping. The injected scripts execute whenever any user visits a page containing the malicious shortcode, affecting all sites using vulnerable versions. No evidence of active exploitation exists at time of analysis.
WordPress
XSS
-
CVE-2026-4332
MEDIUM
CVSS 5.4
Stored cross-site scripting (XSS) in GitLab EE customizable analytics dashboards allows authenticated users to execute arbitrary JavaScript in other users' browsers due to improper input sanitization. Affected versions include 18.2-18.8.8, 18.9-18.9.4, and 18.10-18.10.2. An attacker with valid GitLab credentials can craft malicious dashboard configurations that execute when other users view the dashboard, potentially stealing session tokens, modifying visible data, or performing actions on behalf of the victim. No public exploit code or active exploitation in the wild has been confirmed; patches are available.
XSS
Gitlab
-
CVE-2026-4330
MEDIUM
CVSS 4.3
Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress versions up to 8.8.3 allows authenticated attackers with Subscriber-level access to modify, reschedule, or delete other users' scheduled social media posts through authorization bypass in AJAX handlers. The vulnerability stems from insufficient validation of user-controlled 'b2s_id' parameters before performing UPDATE and DELETE operations, enabling privilege escalation within multi-user WordPress environments. No public exploit code or active exploitation has been reported, but the low CVSS complexity and minimal authentication barrier (Subscriber role) make this a practical attack vector in shared hosting scenarios.
WordPress
Authentication Bypass
-
CVE-2026-4303
MEDIUM
CVSS 6.4
Stored Cross-Site Scripting in WP Visitor Statistics plugin versions up to 8.4 allows authenticated contributors and higher-privileged users to inject arbitrary JavaScript through the 'wsm_showDayStatsGraph' shortcode due to insufficient input sanitization and output escaping. Injected scripts execute in the context of any user accessing the affected page, potentially compromising site visitors and enabling account takeover or malware distribution. No public exploit code or active exploitation has been confirmed at this time.
WordPress
XSS
-
CVE-2026-4300
MEDIUM
CVSS 6.4
Stored cross-site scripting in Robo Gallery for WordPress up to version 5.1.3 allows authenticated Author-level users to inject arbitrary JavaScript via the Loading Label gallery setting. The vulnerability exploits a custom marker pattern (`|***...***|`) in the `fixJsFunction()` method that converts JSON-wrapped strings into raw JavaScript code; input validation with `sanitize_text_field()` fails to strip the markers, enabling script injection that executes whenever the gallery shortcode is rendered. No public exploit code or active exploitation has been confirmed at time of analysis.
WordPress
XSS
-
CVE-2026-4299
MEDIUM
CVSS 5.3
Authenticated attackers with Subscriber-level access can extract MainWP Child Reports activity logs including action summaries, user information, IP addresses, and contextual data from WordPress sites running the MainWP Child Reports plugin up to version 2.2.6 by exploiting a missing authorization check in the WordPress Heartbeat API handler. The vulnerability (CVSS 5.3) affects information disclosure only and requires network access but no user interaction; no public exploit code or active exploitation has been confirmed at the time of analysis.
WordPress
Authentication Bypass
-
CVE-2026-4141
MEDIUM
CVSS 4.3
Cross-Site Request Forgery (CSRF) in the Quran Translations WordPress plugin versions up to 1.7 allows unauthenticated attackers to modify plugin settings by tricking site administrators into clicking a malicious link. The vulnerability stems from missing nonce validation in the quran_playlist_options() function, which processes POST requests to update options like PDF, RSS, podcast, and media player display settings without cryptographic request verification. No public exploit code or active exploitation has been identified at time of analysis.
WordPress
CSRF
-
CVE-2026-4073
MEDIUM
CVSS 6.4
Stored cross-site scripting (XSS) in the pdfl.io WordPress plugin allows authenticated contributors and above to inject arbitrary JavaScript into pages via the 'text' attribute of the 'pdflio' shortcode, which is executed in the browsers of all site visitors due to missing output escaping. All versions up to and including 1.0.5 are affected, and the vulnerability requires Contributor-level WordPress access but no user interaction beyond page access. No public exploit code or active exploitation has been confirmed; the attack relies on insufficient input sanitization in the output_shortcode() function.
WordPress
XSS
-
CVE-2026-4025
MEDIUM
CVSS 6.4
Stored Cross-Site Scripting in PrivateContent Free WordPress plugin versions up to 1.2.0 allows authenticated contributors and above to inject arbitrary JavaScript through the 'align' shortcode attribute in [pc-login-form], which executes when any user visits an affected page. The vulnerability stems from the 'align' parameter being concatenated directly into an HTML class attribute without proper escaping (esc_attr), enabling persistent XSS attacks. No public exploit code or active exploitation has been identified at the time of analysis.
WordPress
XSS
-
CVE-2026-3781
MEDIUM
CVSS 5.4
SQL injection in the Attendance Manager WordPress plugin (versions up to 0.6.2) allows authenticated attackers with Subscriber-level access to execute arbitrary SQL queries via the 'attmgr_off' parameter, enabling unauthorized extraction of sensitive database information. The vulnerability requires user authentication but can be exploited without further user interaction, with a CVSS score of 5.4 indicating moderate risk. No public exploit code or confirmed active exploitation has been identified at the time of analysis.
WordPress
SQLi
-
CVE-2026-3646
MEDIUM
CVSS 5.3
Unauthenticated attackers can modify LTL Freight Quotes - R+L Carriers Edition plugin subscription settings via a webhook handler with missing authorization controls in all versions up to 3.3.13. The vulnerability allows downgrading paid subscriptions to trial plans, changing store type, and manipulating expiration dates, effectively disabling premium features like Dropship and Hazardous Material handling. CVSS 5.3 reflects moderate integrity impact with no authentication required and network-accessible attack surface.
WordPress
PHP
Authentication Bypass
-
CVE-2026-3618
MEDIUM
CVSS 6.4
Stored Cross-Site Scripting in Columns by BestWebSoft WordPress plugin (versions up to 1.0.3) allows authenticated contributors and above to inject arbitrary JavaScript via the 'id' shortcode attribute of [print_clmns], which is embedded unsanitized into HTML id attributes and inline CSS. The vulnerability requires at least one column to exist in the plugin database but affects any user viewing a page containing the injected shortcode, with a CVSS score of 6.4 reflecting moderate impact across confidentiality and integrity. No public exploit code or active exploitation has been identified at time of analysis.
WordPress
XSS
-
CVE-2026-3600
MEDIUM
CVSS 6.4
Stored Cross-Site Scripting in Investi WordPress plugin versions up to 1.0.26 allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript through the 'maximum-num-years' attribute of the 'investi-announcements-accordion' shortcode. The vulnerability stems from insufficient input sanitization and output escaping, enabling persistent XSS payloads that execute when users access affected pages. No public exploit code or active exploitation has been confirmed at this time.
WordPress
XSS
-
CVE-2026-3594
MEDIUM
CVSS 5.3
Riaxe Product Customizer plugin for WordPress versions up to 2.4 exposes sensitive WooCommerce customer and order data through an unauthenticated REST API endpoint due to a missing permission callback. Attackers can query the '/wp-json/InkXEProductDesignerLite/orders' endpoint to retrieve customer names, order IDs, totals, dates, and statuses without authentication. No public exploit code or active exploitation has been confirmed at time of analysis.
WordPress
Information Disclosure
-
CVE-2026-3513
MEDIUM
CVSS 6.4
Stored Cross-Site Scripting in TableOn - WordPress Posts Table Filterable plugin versions up to 1.0.4.4 allows authenticated attackers with Contributor-level access or above to inject arbitrary JavaScript via unescaped shortcode attributes ('class', 'help_link', 'popup_title', 'help_title') in the 'tableon_button' shortcode. The vulnerability results from the do_shortcode_button() function extracting attributes without sanitization and the TABLEON_HELPER::draw_html_item() function concatenating these values directly into HTML output without escaping, enabling malicious scripts to execute in the browsers of users viewing affected pages. No public exploit code or active exploitation has been reported at this time.
WordPress
XSS
-
CVE-2026-3480
MEDIUM
CVSS 6.5
WP Blockade WordPress plugin versions up to 0.9.14 allows authenticated users with Subscriber-level access or higher to execute arbitrary WordPress shortcodes due to missing authorization checks and nonce verification in the render_shortcode_preview() function. An attacker can supply malicious shortcodes via the 'wp-blockade-shortcode-render' admin_post action to achieve information disclosure, privilege escalation, or arbitrary actions depending on registered shortcodes. No public exploit code or active exploitation has been confirmed at time of analysis.
WordPress
Privilege Escalation
Authentication Bypass
Information Disclosure
-
CVE-2026-3477
MEDIUM
CVSS 5.3
PZ Frontend Manager plugin for WordPress versions up to 1.0.6 allows authenticated attackers with Subscriber-level access to delete arbitrary WordPress users, including administrators, due to missing authorization checks in the pzfm_user_request_action_callback() AJAX function. The vulnerable function lacks both capability verification and nonce validation when processing user deletion requests, enabling privilege escalation and account takeover attacks. CVSS score of 5.3 reflects the integrity impact; however, the true risk is elevated by the low privilege requirement (unauthenticated attackers can exploit this if they register a free Subscriber account) and the critical business impact of administrative account deletion.
WordPress
Authentication Bypass
-
CVE-2026-3438
MEDIUM
CVSS 5.1
Reflected cross-site scripting in Sonatype Nexus Repository 3.0.0 through 3.90.2 allows unauthenticated remote attackers to inject and execute arbitrary JavaScript in a victim's browser via a specially crafted URL, requiring user interaction to trigger the attack. With a CVSS 4.0 score of 5.1 and limited technical impact (session integrity only), this vulnerability poses a moderate risk to organizations using affected versions; no public exploit code or active exploitation has been identified.
XSS
-
CVE-2026-3311
MEDIUM
CVSS 6.4
Stored Cross-Site Scripting in The Plus Addons for Elementor plugin for WordPress (all versions up to 6.4.9) allows authenticated attackers with contributor-level access and above to inject arbitrary JavaScript into pages via the Progress Bar shortcode due to insufficient input sanitization and output escaping. When other users access affected pages, the injected scripts execute in their browsers, enabling session hijacking, credential theft, or malware distribution. No public exploit code or active exploitation has been confirmed at time of analysis.
WordPress
XSS
-
CVE-2026-3239
MEDIUM
CVSS 6.4
Stored cross-site scripting in Strong Testimonials WordPress plugin up to version 3.2.21 allows authenticated contributors and above to inject arbitrary JavaScript via the testimonial_view shortcode due to insufficient input sanitization and output escaping. Injected scripts execute in the context of any user viewing the affected page, enabling session hijacking, credential theft, or malware distribution. No public exploit code or active exploitation has been identified at time of analysis.
WordPress
XSS
-
CVE-2026-3142
MEDIUM
CVSS 6.4
Stored Cross-Site Scripting in Pinterest Site Verification Plugin Using Meta Tag for WordPress up to version 1.8 allows authenticated attackers with subscriber-level access to inject arbitrary JavaScript via the 'post_var' parameter due to insufficient input sanitization and output escaping. The vulnerability has a CVSS score of 6.4 with cross-site scope, enabling persistent script injection that executes in the browsers of any user visiting affected pages. No public exploit code or active exploitation has been confirmed at the time of analysis.
WordPress
XSS
-
CVE-2026-2988
MEDIUM
CVSS 6.4
Stored cross-site scripting in Blubrry PowerPress plugin versions up to 11.15.15 allows authenticated contributors and above to inject arbitrary scripts via the 'powerpress' and 'podcast' shortcodes, executing malicious code whenever users access affected pages. The vulnerability stems from insufficient input sanitization and output escaping in shortcode processing. CVSS score of 6.4 reflects moderate risk; exploitation requires contributor-level WordPress access, and no public exploit code has been identified at the time of analysis.
WordPress
XSS
-
CVE-2026-2838
MEDIUM
CVSS 4.4
Stored Cross-Site Scripting (XSS) in Whole Enquiry Cart for WooCommerce plugin allows authenticated administrators to inject arbitrary JavaScript via the 'woowhole_success_msg' parameter, affecting all versions up to 1.2.1. The injected scripts execute for all users viewing affected pages, but exploitation is restricted to multi-site WordPress installations or sites with unfiltered_html disabled, and requires administrator-level privileges. No public exploit code or active exploitation has been identified at time of analysis.
WordPress
XSS
-
CVE-2026-2619
MEDIUM
CVSS 4.3
GitLab EE versions 18.6-18.8.8, 18.9-18.9.4, and 18.10-18.10.2 allow authenticated users with the auditor role to modify vulnerability flag data in private projects due to improper authorization checks. The vulnerability requires valid GitLab credentials and auditor-level access, but it lets a role that is intended to be read-only alter security data inside projects it should only be able to view.
Authentication Bypass
Gitlab
-
CVE-2026-2509
MEDIUM
CVSS 6.4
Stored Cross-Site Scripting in Page Builder: Pagelayer WordPress plugin versions up to 2.0.8 allows authenticated attackers with Contributor-level or higher privileges to inject arbitrary JavaScript into page content via the Button widget's Custom Attributes field. The vulnerability bypasses an incomplete XSS filter that blocks common event handlers but fails to block all variants, enabling persistent script execution whenever affected pages are viewed. No public exploit code or active exploitation has been confirmed; however, the low attack complexity and broad applicability to WordPress sites using this popular page builder plugin present meaningful risk.
WordPress
XSS
-
CVE-2026-2481
MEDIUM
CVSS 6.4
Stored Cross-Site Scripting in Beaver Builder Page Builder plugin for WordPress up to version 2.10.1.1 allows authenticated attackers with author-level access or higher to inject arbitrary JavaScript through the 'settings[js]' parameter due to insufficient input sanitization and output escaping. When injected pages are accessed by other users, the malicious scripts execute in their browsers, potentially compromising site integrity and user accounts. No public exploit code has been identified, and the CVE is not listed in CISA KEV at analysis time.
WordPress
XSS
-
CVE-2026-2377
MEDIUM
CVSS 6.5
Server-side request forgery (SSRF) in Red Hat Mirror Registry and Red Hat Quay 3.x allows authenticated users to conduct arbitrary requests to internal network resources via a specially crafted URL in the log export feature, potentially exposing sensitive information and compromising internal systems. CVSS 6.5 (medium severity) with confirmed authentication requirement and high confidentiality impact. No active exploitation or public exploit code identified at time of analysis.
Authentication Bypass
SSRF
Redhat
-
CVE-2026-2263
MEDIUM
CVSS 5.3
Unauthenticated attackers can forge conversion tracking events in The Hustle WordPress plugin (versions up to 7.8.10.2) by exploiting a missing capability check on the 'hustle_module_converted' AJAX action, allowing manipulation of marketing analytics and conversion statistics for any module including unpublished drafts. The vulnerability has a CVSS score of 5.3 (medium severity) with network-based attack vector and no authentication required, confirmed by Wordfence research with public code references available.
WordPress
Authentication Bypass
-
CVE-2026-2104
MEDIUM
CVSS 4.3
GitLab CE/EE versions 18.2-18.10.2 allow authenticated users to export confidential issues assigned to other users via CSV export due to missing authorization validation. The affected range spans every release from 18.2 through 18.10.2. The CVSS score of 4.3 (medium) is held down by the authentication requirement and the absence of integrity impact, but the flaw is a direct confidentiality breach in multi-tenant environments where issue confidentiality is a security boundary.
Authentication Bypass
Gitlab
-
CVE-2026-1865
MEDIUM
CVSS 6.5
SQL Injection in User Registration & Membership plugin for WordPress (versions up to 5.1.2) allows authenticated Subscriber-level attackers to extract sensitive database information via unsanitized 'membership_ids[]' parameter. The vulnerability stems from insufficient escaping and lack of prepared statements in SQL query construction, enabling attackers to append arbitrary SQL commands to existing queries. No public exploit code or active exploitation has been identified at the time of analysis.
WordPress
SQLi
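The entry above describes the classic shape of this bug: an array parameter whose elements are joined into an IN (...) list without escaping or placeholders. The following is an added example, not code from the User Registration & Membership plugin or from WordPress; it models the class on a constructed SQLite table and shows the vulnerable query beside the hardened one. The table, rows and the membership_ids value are all made up for the demonstration.

```python
import sqlite3
from typing import List, Sequence, Tuple

Row = Tuple[int, str, str]


def setup_db() -> sqlite3.Connection:
    """In-memory table with constructed rows for two users (sample data, not the plugin's schema)."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE memberships (
            id INTEGER PRIMARY KEY, user_id INTEGER, plan TEXT, secret_note TEXT
        );
        INSERT INTO memberships VALUES (1, 10, 'gold',   'card ending 4242');
        INSERT INTO memberships VALUES (2, 10, 'silver', 'renewal token abc');
        INSERT INTO memberships VALUES (3, 42, 'gold',   'card ending 9999');
        """
    )
    return con


def fetch_unsafe(con: sqlite3.Connection, user_id: int, membership_ids: Sequence[str]) -> List[Row]:
    """Vulnerable shape: request values joined straight into the IN (...) list."""
    id_list = ", ".join(membership_ids)
    sql = (
        "SELECT id, plan, secret_note FROM memberships "
        f"WHERE user_id = {int(user_id)} AND id IN ({id_list}) ORDER BY id"
    )
    return con.execute(sql).fetchall()


def fetch_safe(con: sqlite3.Connection, user_id: int, membership_ids: Sequence[str]) -> List[Row]:
    """Hardened shape: cast every element to int, then bind one placeholder per element."""
    ids = [int(x) for x in membership_ids]  # ValueError on anything that is not an integer
    if not ids:
        return []
    placeholders = ", ".join("?" for _ in ids)
    sql = (
        "SELECT id, plan, secret_note FROM memberships "
        f"WHERE user_id = ? AND id IN ({placeholders}) ORDER BY id"
    )
    return con.execute(sql, [int(user_id), *ids]).fetchall()


if __name__ == "__main__":
    db = setup_db()
    # Honest request: user 10 asks for membership 1.
    print(fetch_unsafe(db, 10, ["1"]))
    # Hostile element in membership_ids[]: the tautology widens the WHERE clause to every
    # row, so user 10 also receives user 42's data.
    print(fetch_unsafe(db, 10, ["1) OR 1=1 --"]))
    # The same value against the hardened query is rejected before any SQL is built.
    try:
        fetch_safe(db, 10, ["1) OR 1=1 --"])
    except ValueError as exc:
        print("rejected:", exc)
```

The WordPress equivalent of fetch_safe is $wpdb->prepare() with one %d per array element (for example implode(',', array_fill(0, count($ids), '%d')) spliced into the query string before prepare() is called), because prepare() has no array placeholder of its own.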
-
CVE-2026-1752
MEDIUM
CVSS 4.3
GitLab EE versions 11.3 through 18.10.2 allow authenticated developers to modify protected environment settings through improper authorization checks in the API, enabling privilege escalation within project scope. The vulnerability requires valid developer credentials and network access but allows an attacker to alter security-critical environment configurations without appropriate permissions. CVSS 4.3 (medium severity) reflects limited scope and integrity-only impact; no public exploit has been identified and the CVE is not listed in CISA KEV.
Authentication Bypass
Gitlab
-
CVE-2026-1673
MEDIUM
CVSS 4.3
Cross-Site Request Forgery in BEAR - Bulk Editor and Products Manager Professional for WooCommerce (all versions up to 1.1.5) allows unauthenticated attackers to delete WooCommerce taxonomy terms via a malicious link that tricks a site administrator or shop manager into performing the action. The flaw is a missing nonce check in the woobe_delete_tax_term() function; the CVSS score of 4.3 reflects an integrity-only impact that depends on user interaction.
WordPress
CSRF
-
CVE-2026-1672
MEDIUM
CVSS 6.5
Cross-Site Request Forgery in BEAR - Bulk Editor and Products Manager Professional for WooCommerce (all versions up to 1.1.5) allows unauthenticated attackers to modify WooCommerce product data including prices, descriptions, and other fields by tricking administrators or shop managers into clicking a malicious link, due to missing nonce validation in the woobe_redraw_table_row() function. CVSS 6.5 reflects the high integrity impact; no public exploit code or active exploitation has been confirmed at analysis time.
WordPress
CSRF
-
CVE-2026-1516
MEDIUM
CVSS 5.7
Authenticated users can leak IP addresses of other users viewing Code Quality reports in GitLab EE through specially crafted malicious content injection. The vulnerability affects GitLab EE versions 18.0.0 through 18.10.2, requires user interaction (report viewing), and has been patched in versions 18.8.9, 18.9.5, and 18.10.3. No public exploit code or active exploitation has been confirmed; the vulnerability was discovered and reported through the GitLab responsible disclosure program.
Information Disclosure
Gitlab
Code Injection
-
CVE-2026-1396
MEDIUM
CVSS 6.4
Stored Cross-Site Scripting (XSS) in Magic Conversation For Gravity Forms plugin allows authenticated attackers with contributor-level access to inject arbitrary JavaScript via unsanitized shortcode attributes, executing malicious scripts in pages viewed by any visitor. The vulnerability affects all versions up to and including 3.0.97 and requires no user interaction from the victim. With a CVSS score of 6.4 and a patch available, this represents a moderate-to-significant risk to WordPress sites with untrusted contributor accounts.
WordPress
XSS
-
CVE-2026-1163
MEDIUM
CVSS 4.1
Insufficient session expiration in parisneo/lollms allows authenticated attackers with high privileges to maintain unauthorized account access after a victim resets their password, due to failure to invalidate active sessions and excessively long default session duration (31 days). The vulnerability requires prior compromise and high privileges but enables persistent access to accounts with confidentiality, integrity, and availability impact. No public exploit code or active exploitation has been confirmed.
Information Disclosure
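The two defects named above (sessions that survive a password reset, and a very long session lifetime) are independent, and a fix needs to cover both. The following is an added example in Python, not code from parisneo/lollms; it is a generic session store that stamps each session with the password version current at login, purges sessions on reset, and separately enforces a maximum age. The 12-hour limit, the class and method names and the clock injection are assumptions made for the example.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

MAX_SESSION_AGE_SECONDS = 12 * 60 * 60  # assumed policy; the entry above describes a 31-day default


@dataclass
class UserRecord:
    password_hash: str          # whatever the application stores; its value is irrelevant here
    password_version: int = 0   # incremented on every password change or reset


@dataclass
class Session:
    username: str
    password_version: int       # the user's version at login time
    created_at: float


class SessionStore:
    """Sessions that die on password reset and on age, each check independent of the other."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._users: Dict[str, UserRecord] = {}
        self._sessions: Dict[str, Session] = {}

    def add_user(self, username: str, password_hash: str) -> None:
        self._users[username] = UserRecord(password_hash)

    def login(self, username: str) -> str:
        """Assumes the caller has already verified the password; returns a fresh opaque token."""
        user = self._users[username]
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(username, user.password_version, self._clock())
        return token

    def resolve(self, token: str) -> Optional[str]:
        """Return the username for a live token, or None (and forget the token) when it is stale."""
        sess = self._sessions.get(token)
        if sess is None:
            return None
        user = self._users.get(sess.username)
        expired = self._clock() - sess.created_at > MAX_SESSION_AGE_SECONDS
        # The version comparison catches sessions the purge in reset_password() could not reach,
        # for example ones held by another replica or carried in a signed cookie.
        superseded = user is None or sess.password_version != user.password_version
        if expired or superseded:
            del self._sessions[token]
            return None
        return sess.username

    def reset_password(self, username: str, new_hash: str) -> int:
        """Store the new hash, bump the version and drop every live session; returns the count dropped."""
        user = self._users[username]
        user.password_hash = new_hash
        user.password_version += 1
        stale = [t for t, s in self._sessions.items() if s.username == username]
        for t in stale:
            del self._sessions[t]
        return len(stale)


if __name__ == "__main__":
    store = SessionStore()
    store.add_user("alice", "hash-v0")
    token = store.login("alice")
    print("before reset:", store.resolve(token))
    store.reset_password("alice", "hash-v1")
    print("after reset:", store.resolve(token))
```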
-
CVE-2026-1101
MEDIUM
CVSS 6.5
Denial of service in GitLab EE 18.2-18.10 allows authenticated users to crash the GitLab instance through improper input validation in GraphQL queries. GitLab EE versions 18.2 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 are affected. An authenticated attacker with any valid GitLab account can trigger the vulnerability by submitting a malformed GraphQL query, causing the instance to become unavailable. No public exploit code has been identified at the time of analysis, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.
Denial Of Service
Gitlab
-
CVE-2026-0814
MEDIUM
CVSS 4.3
Missing authorization in Advanced Contact Form 7 DB plugin for WordPress versions up to 2.0.9 allows authenticated attackers with Subscriber-level or higher permissions to export stored Contact Form 7 submissions to Excel files, due to a missing capability check on the 'vsz_cf7_export_to_excel' function. The CVSS score of 4.3 (medium) and the absence of public exploit code keep the rating modest, but the flaw exposes every submission held by the plugin, which routinely includes personal data supplied through contact forms.
WordPress
Authentication Bypass
-
CVE-2026-0811
MEDIUM
CVSS 5.4
Cross-Site Request Forgery in Advanced Contact Form 7 DB plugin for WordPress (versions up to 2.0.9) allows unauthenticated attackers to delete form entries by exploiting missing nonce validation in the 'vsz_cf7_save_setting_callback' function. An attacker must trick a site administrator into clicking a malicious link, but no public exploit code or active exploitation has been confirmed at the time of analysis.
WordPress
CSRF
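Several entries above share two root causes: an admin-ajax.php handler with no capability check (the Hustle conversion tracker, the Contact Form 7 DB export) or with no nonce check (the BEAR and Contact Form 7 DB CSRF issues). A quick way to triage a plugin for both is to pair each wp_ajax_* / wp_ajax_nopriv_* registration with its callback body and look for the checks. The script below is an added example, not code from any of the plugins listed or from Wordfence; the plugin source it scans is constructed for the demonstration and the regexes are a heuristic, so class-method and closure callbacks, and braces inside strings, are not handled.

```python
import re
from typing import Dict, List

# Constructed sample plugin source (not code from any plugin listed on this page).
# Three AJAX handlers: one exposed to unauthenticated users with no checks at all,
# one with both a capability check and a nonce check, and one that checks the
# capability but forgets the nonce (the CSRF shape).
SAMPLE_PLUGIN_PHP = r"""<?php
add_action('wp_ajax_nopriv_demo_track_conversion', 'demo_track_conversion');
add_action('wp_ajax_demo_track_conversion', 'demo_track_conversion');
function demo_track_conversion() {
    $module_id = intval($_POST['module_id']);
    $count = (int) get_post_meta($module_id, 'conversions', true);
    update_post_meta($module_id, 'conversions', $count + 1);
    wp_send_json_success();
}

add_action('wp_ajax_demo_export_entries', 'demo_export_entries');
function demo_export_entries() {
    if (!current_user_can('manage_options')) {
        wp_send_json_error('forbidden', 403);
    }
    check_ajax_referer('demo_export', 'nonce');
    wp_send_json_success(array('rows' => array()));
}

add_action('wp_ajax_demo_save_setting', 'demo_save_setting');
function demo_save_setting() {
    if (!current_user_can('manage_options')) {
        wp_send_json_error('forbidden', 403);
    }
    update_option('demo_setting', sanitize_text_field($_POST['value']));
    wp_send_json_success();
}
"""

HOOK_RE = re.compile(r"""add_action\(\s*['"]wp_ajax_(nopriv_)?(\w+)['"]\s*,\s*['"](\w+)['"]""")
FUNC_RE = re.compile(r"function\s+(\w+)\s*\([^)]*\)\s*\{")
CAP_RE = re.compile(r"\b(?:current_user_can|current_user_can_for_blog|user_can)\s*\(")
NONCE_RE = re.compile(r"\b(?:check_ajax_referer|check_admin_referer|wp_verify_nonce)\s*\(")


def parse_hooks(php: str) -> Dict[str, dict]:
    """Map each AJAX callback name to the actions it serves and whether any of them is nopriv."""
    hooks: Dict[str, dict] = {}
    for m in HOOK_RE.finditer(php):
        nopriv, action, callback = m.group(1) is not None, m.group(2), m.group(3)
        entry = hooks.setdefault(callback, {"actions": [], "nopriv": False})
        entry["actions"].append(action)
        entry["nopriv"] = entry["nopriv"] or nopriv
    return hooks


def parse_functions(php: str) -> Dict[str, str]:
    """Extract named function bodies by brace matching (heuristic: braces in strings/comments confuse it)."""
    bodies: Dict[str, str] = {}
    for m in FUNC_RE.finditer(php):
        depth, i = 1, m.end()
        while i < len(php) and depth:
            depth += {"{": 1, "}": -1}.get(php[i], 0)
            i += 1
        bodies[m.group(1)] = php[m.end():i - 1]
    return bodies


def audit(php: str) -> Dict[str, List[str]]:
    """Return {callback: [issues]} for every AJAX handler that lacks a check; clean handlers are omitted."""
    bodies = parse_functions(php)
    findings: Dict[str, List[str]] = {}
    for callback, info in parse_hooks(php).items():
        body = bodies.get(callback, "")  # unknown callback -> empty body -> both checks reported missing
        issues = []
        if info["nopriv"]:
            issues.append("reachable unauthenticated via wp_ajax_nopriv_")
        if not CAP_RE.search(body):
            issues.append("no capability check")
        if not NONCE_RE.search(body):
            issues.append("no nonce check (CSRF)")
        if issues:
            findings[callback] = issues
    return findings


if __name__ == "__main__":
    for cb, issues in audit(SAMPLE_PLUGIN_PHP).items():
        print(f"{cb}: {', '.join(issues)}")
```

A nopriv handler that is supposed to be public (a tracking beacon, a public form) still needs to bound what an anonymous caller can touch, for instance by refusing module IDs that are not published; the "no capability check" line on such a handler is the prompt to verify that bound exists.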
-
CVE-2025-58713
MEDIUM
CVSS 6.4
Red Hat Process Automation Manager container images allow local privilege escalation when the /etc/passwd file is created with group-writable permissions during the build process. An attacker with non-root command execution capability who is a member of the root group can modify /etc/passwd to create a new user with UID 0, gaining full root privileges within the container. This requires high privileges (membership in the root group) and high attack complexity (AC:H), but affects all versions of Red Hat Process Automation 7 distributed as container images. No public exploit code has been identified at the time of analysis.
Redhat
Privilege Escalation
-
CVE-2025-57854
MEDIUM
CVSS 6.4
Privilege escalation in OpenShift Update Service (OSUS) container images allows local attackers with high privileges to gain root access by modifying the group-writable /etc/passwd file created during build time. An attacker executing commands within an affected container can leverage root group membership to inject a new user with UID 0, achieving full container root privileges. No public exploit code or active exploitation has been identified at the time of analysis.
Privilege Escalation
-
CVE-2025-57853
MEDIUM
CVSS 6.4
Container privilege escalation in Red Hat Web Terminal allows local attackers with group membership to modify the /etc/passwd file and create arbitrary user accounts including root. The vulnerability stems from overly permissive group-writable permissions on /etc/passwd during image build, enabling privilege escalation from non-root container users to full root access within the container. Red Hat Web Terminal across multiple versions is affected; no public exploit code or active exploitation has been reported at the time of analysis.
Privilege Escalation
-
CVE-2025-57851
MEDIUM
CVSS 6.4
Container privilege escalation in Red Hat Multicluster Engine for Kubernetes allows authenticated local attackers to escalate from non-root container execution to full root privileges by exploiting group-writable permissions on the /etc/passwd file created during container image build time, enabling arbitrary UID assignment including UID 0.
Privilege Escalation
Kubernetes
-
CVE-2025-57847
MEDIUM
CVSS 6.4
Container privilege escalation in Red Hat Ansible Automation Platform 2 allows non-root users within affected container images to gain root privileges by modifying the group-writable /etc/passwd file. During the container build process, /etc/passwd is created with overly permissive group-write permissions, enabling any user in the root group to add arbitrary entries including a UID 0 account. This vulnerability requires local container execution access and elevated group membership, but results in complete container compromise when exploited.
Privilege Escalation
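The five Red Hat container entries above share one defect, a group-writable /etc/passwd, and one trace of its abuse, an extra UID 0 entry. The script below is an added example, not code from Red Hat or from any of the images named; it audits a passwd file for both conditions and builds a constructed sample file to run against, so it works offline. The sample rows, the temp-file path and the function names are assumptions made for the example.

```python
import os
import stat
import tempfile
from typing import List


def audit_passwd(path: str = "/etc/passwd") -> List[str]:
    """Return findings for the passwd file at `path`; an empty list means clean.

    Two conditions from the entries above are checked: the file is writable by its
    group (or by everyone), so any process running in that group can edit it; and an
    account other than `root` carries UID 0, the trace such an edit leaves behind.
    """
    findings: List[str] = []
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if mode & stat.S_IWGRP:
        findings.append(f"{path}: group-writable (mode {mode:04o}, gid {st.st_gid})")
    if mode & stat.S_IWOTH:
        findings.append(f"{path}: world-writable (mode {mode:04o})")
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, raw in enumerate(fh, 1):
            line = raw.rstrip("\n")
            if not line or line.startswith("#"):
                continue
            fields = line.split(":")
            if len(fields) != 7:
                findings.append(f"{path}:{lineno}: malformed entry ({len(fields)} fields)")
                continue
            name, _pw, uid = fields[:3]
            if uid == "0" and name != "root":
                findings.append(f"{path}:{lineno}: non-root account {name!r} has UID 0")
    return findings


def build_demo_passwd(group_writable: bool, with_uid0: bool) -> str:
    """Write a constructed passwd file (sample data, not taken from any image) and return its path."""
    lines = [
        "root:x:0:0:root:/root:/bin/bash",
        "bin:x:1:1:bin:/bin:/sbin/nologin",
        # Typical OpenShift shape: arbitrary high UID with primary group 0 (root).
        "app:x:1000670000:0:app user:/opt/app:/sbin/nologin",
    ]
    if with_uid0:
        lines.append("backdoor:x:0:0::/root:/bin/bash")
    fd, path = tempfile.mkstemp(prefix="passwd-demo-")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write("\n".join(lines) + "\n")
    os.chmod(path, 0o664 if group_writable else 0o644)
    return path


if __name__ == "__main__":
    for finding in audit_passwd(build_demo_passwd(group_writable=True, with_uid0=True)):
        print(finding)
```

The "root group membership" precondition in these entries is weaker than it sounds: under OpenShift's restricted SCC a container runs as an arbitrary UID whose primary group is 0, which is exactly why build recipes use chgrp 0 plus g=u on writable paths. A group-writable /etc/passwd therefore belongs to whatever the application process is. The image-side fix is to end the build with chmod 0644 /etc/passwd (or g-w), and this audit run inside the image confirms it.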
-
CVE-2025-57175
MEDIUM
CVSS 6.4
Siklu EtherHaul 8010 wireless backhaul devices contain a static root password that enables physical attackers or those with local console access to gain complete administrative control without authentication. The vulnerability affects firmware version 10.6.2-18707 and potentially other versions of the EtherHaul 8010 product line, allowing credential-based authentication bypass with high confidentiality and integrity impact. No public exploit code or active exploitation has been confirmed at this time, though the CVSS:3.1 physical attack vector (AV:P) reflects that an attacker must have direct physical access to the device's console interfaces.
Authentication Bypass
-
CVE-2025-14732
MEDIUM
CVSS 6.4
Stored Cross-Site Scripting in Elementor Website Builder plugin for WordPress allows authenticated attackers with Contributor-level access or above to inject arbitrary JavaScript into page content via insufficiently sanitized widget parameters. The injected scripts execute in the browsers of all users accessing affected pages, potentially enabling account hijacking, malware distribution, or defacement. CVSS 6.4 reflects the requirement for authenticated access but the broad scope of impact across all site visitors.
WordPress
XSS
-
CVE-2025-14243
MEDIUM
CVSS 5.3
OpenShift Mirror Registry leaks valid usernames and email addresses through inconsistent error messages during authentication and account creation, enabling unauthenticated remote attackers to enumerate registered users. CVSS score of 5.3 reflects the low confidentiality impact with no authentication required and low attack complexity; no public exploit code or active exploitation has been confirmed at time of analysis.
Information Disclosure
-
CVE-2025-9484
MEDIUM
CVSS 4.3
Authenticated users in GitLab EE versions 16.6-18.8.8, 18.9-18.9.4, and 18.10-18.10.2 can expose other users' email addresses through specific GraphQL queries due to improper authorization checks. An authenticated attacker can enumerate valid user accounts and retrieve their email addresses without additional privileges, violating confidentiality. No public exploit code or active exploitation has been confirmed; patches are available in GitLab 18.8.9, 18.9.5, and 18.10.3.
Authentication Bypass
Gitlab
-
CVE-2025-1794
MEDIUM
CVSS 5.4
Stored Cross-Site Scripting in AM LottiePlayer WordPress plugin versions up to 3.6.0 allows authenticated attackers with Author-level privileges or higher to inject malicious scripts via specially crafted SVG file uploads, which execute in the browsers of all users viewing the affected pages. The vulnerability stems from insufficient input sanitization during SVG processing and lack of proper output escaping, enabling persistent payload delivery to website visitors without requiring any user interaction beyond normal page access.
WordPress
XSS
-
CVE-2026-39715
None
Missing Authorization vulnerability in AnyTrack AnyTrack Affiliate Link Manager anytrack-affiliate-link-manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects AnyTrack Affiliate Link Manager: from n/a through <= 1.5.5.
WordPress
PHP
Authentication Bypass
Anytrack Affiliate Link Manager
-
CVE-2026-39713
None
Missing Authorization vulnerability in mailercloud Mailercloud – Integrate webforms and synchronize website contacts mailercloud-integrate-webforms-synchronize-contacts allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Mailercloud – Integrate webf...
WordPress
PHP
Authentication Bypass
Mailercloud Integrate Webforms And Synchronize Website Contacts
-
CVE-2026-39711
None
Insertion of Sensitive Information Into Sent Data vulnerability in stmcan RT-Theme 18 | Extensions rt18-extensions allows Retrieve Embedded Sensitive Data. This issue affects RT-Theme 18 | Extensions: from n/a through <= 2.5.
WordPress
PHP
Information Disclosure
Rt Theme 18 Extensions
-
CVE-2026-39709
None
Insertion of Sensitive Information Into Sent Data vulnerability in thetechtribe The Tribal the-tech-tribe allows Retrieve Embedded Sensitive Data. This issue affects The Tribal: from n/a through <= 1.3.4.
WordPress
PHP
Information Disclosure
The Tribal
-
CVE-2026-39707
None
Missing Authorization vulnerability in ZealousWeb Accept PayPal Payments using Contact Form 7 contact-form-7-paypal-extension allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Accept PayPal Payments using Contact Form 7: from n/a through <= 4.0.4.
WordPress
PHP
Authentication Bypass
Accept Paypal Payments Using Contact Form 7
-
CVE-2026-39705
None
Missing Authorization vulnerability in Mulika Team MIPL WC Multisite Sync mipl-wc-multisite-sync allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects MIPL WC Multisite Sync: from n/a through <= 1.4.4.
Authentication Bypass
WordPress
Woocommerce
PHP
Mipl Wc Multisite Sync
-
CVE-2026-39703
None
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpbits WPBITS Addons For Elementor Page Builder wpbits-addons-for-elementor allows Stored XSS. This issue affects WPBITS Addons For Elementor Page Builder: from n/a through <= 1.8.1.
WordPress
PHP
XSS
Wpbits Addons For Elementor Page Builder
-
CVE-2026-39701
None
Missing Authorization vulnerability in Andrew ShopWP wpshopify allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ShopWP: from n/a through <= 5.2.4.
WordPress
PHP
Authentication Bypass
Shopwp
-
CVE-2026-39699
None
Missing Authorization vulnerability in massiveshift AI Workflow Automation ai-workflow-automation-lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects AI Workflow Automation: from n/a through <= 1.4.2.
WordPress
PHP
AI / ML
Authentication Bypass
Ai Workflow Automation
-
CVE-2026-39697
None
Missing Authorization vulnerability in HBSS Technologies MAIO – The new AI GEO / SEO tool maio-the-new-ai-geo-seo-tool allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects MAIO – The new AI GEO / SEO tool: from n/a through <= 6.2.8.
WordPress
PHP
AI / ML
Authentication Bypass
Maio The New Ai Geo Seo Tool
-
CVE-2026-39695
None
Server-Side Request Forgery (SSRF) vulnerability in podigee Podigee podigee allows Server Side Request Forgery. This issue affects Podigee: from n/a through <= 1.4.0.
WordPress
PHP
SSRF
Podigee
-
CVE-2026-39693
None
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in fesomia FSM Custom Featured Image Caption fsm-custom-featured-image-caption allows DOM-Based XSS. This issue affects FSM Custom Featured Image Caption: from n/a through <= 1.25.1.
WordPress
PHP
XSS
Fsm Custom Featured Image Caption
-
CVE-2026-39691
None
Missing Authorization vulnerability in AdAstraCrypto Cryptocurrency Donation Box - Bitcoin & Crypto Donations cryptocurrency-donation-box allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Cryptocurrency Donation Box - Bitcoin & Crypto Donations: from n/a thro...
WordPress
PHP
Authentication Bypass
Cryptocurrency Donation Box Bitcoin Crypto Donations
-
CVE-2026-39689
None
Missing Authorization vulnerability in eshipper eShipper Commerce eshipper-commerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects eShipper Commerce: from n/a through <= 2.16.12.
WordPress
PHP
Authentication Bypass
Eshipper Commerce
-
CVE-2026-39687
None
Missing Authorization vulnerability in Rapid Car Check Rapid Car Check Vehicle Data free-vehicle-data-uk allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Rapid Car Check Vehicle Data: from n/a through <= 2.0.
Authentication Bypass
WordPress
PHP
Rapid Car Check Vehicle Data
-
CVE-2026-39686
None
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in bannersky BSK PDF Manager bsk-pdf-manager allows Retrieve Embedded Sensitive Data. This issue affects BSK PDF Manager: from n/a through <= 3.7.2.
Information Disclosure
Bsk Pdf Manager
-
CVE-2026-39685
None
Missing Authorization vulnerability in lvaudore The Moneytizer the-moneytizer allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects The Moneytizer: from n/a through <= 10.0.10.
Authentication Bypass
WordPress
PHP
The Moneytizer
-
CVE-2026-39683
None
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Chief Gnome Garden Gnome Package garden-gnome-package allows DOM-Based XSS. This issue affects Garden Gnome Package: from n/a through <= 2.4.1.
WordPress
PHP
XSS
Garden Gnome Package
-
CVE-2026-39681
None
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ApusTheme Homeo homeo allows PHP Local File Inclusion. This issue affects Homeo: from n/a through <= 1.2.59.
Lfi
PHP
WordPress
Homeo
-
CVE-2026-39679
None
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ApusTheme Freeio freeio allows PHP Local File Inclusion. This issue affects Freeio: from n/a through <= 1.3.21.
Lfi
PHP
WordPress
Freeio
-
CVE-2026-39677
None
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Creatives_Planet Emphires emphires allows PHP Local File Inclusion. This issue affects Emphires: from n/a through <= 3.9.
Lfi
PHP
Emphires
-
CVE-2026-39675
None
Missing Authorization vulnerability in webmuehle Court Reservation court-reservation allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Court Reservation: from n/a through <= 1.10.11.
WordPress
PHP
Authentication Bypass
Court Reservation
-
CVE-2026-39673
None
Missing Authorization vulnerability in shrikantkale iZooto izooto-web-push allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects iZooto: from n/a through <= 3.7.20.
Authentication Bypass
Izooto
-
CVE-2026-39671
None
Cross-Site Request Forgery (CSRF) vulnerability in Dotstore Extra Fees Plugin for WooCommerce woo-conditional-product-fees-for-checkout allows Cross Site Request Forgery. This issue affects Extra Fees Plugin for WooCommerce: from n/a through <= 4.3.3.
CSRF
WordPress
Woocommerce
PHP
Extra Fees Plugin For Woocommerce
-
CVE-2026-39669
None
Missing Authorization vulnerability in NitroPack NitroPack nitropack allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects NitroPack: from n/a through <= 1.19.3.
WordPress
PHP
Authentication Bypass
Nitropack
-
CVE-2026-39667
None
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jongmyoung Kim Korea SNS korea-sns allows DOM-Based XSS. This issue affects Korea SNS: from n/a through <= 1.7.0.
XSS
WordPress
Korea Sns
-
CVE-2026-39665
None
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Vladimir Prelovac SEO Friendly Images seo-image allows DOM-Based XSS. This issue affects SEO Friendly Images: from n/a through <= 3.0.5.
WordPress
PHP
XSS
Seo Friendly Images
-
CVE-2026-39663
None
Missing Authorization vulnerability in themetechmount TrueBooker truebooker-appointment-booking allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects TrueBooker: from n/a through <= 1.1.5.
WordPress
PHP
Authentication Bypass
Truebooker
-
CVE-2026-39660
None
Missing Authorization vulnerability in Automattic WP Job Manager wp-job-manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Job Manager: from n/a through <= 2.4.1.
WordPress
PHP
Authentication Bypass
Wp Job Manager
-
CVE-2026-39658
None
Missing Authorization vulnerability in Coding Panda Panda Pods Repeater Field panda-pods-repeater-field allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Panda Pods Repeater Field: from n/a through <= 1.5.12.
WordPress
PHP
Authentication Bypass
Panda Pods Repeater Field
-
CVE-2026-39656
None
Missing Authorization vulnerability in Razorpay Razorpay for WooCommerce woo-razorpay allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Razorpay for WooCommerce: from n/a through <= 4.8.2.
WordPress
PHP
Authentication Bypass
Razorpay For Woocommerce
-
CVE-2026-39654
None
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ashish Ajani WP Simple HTML Sitemap wp-simple-html-sitemap allows DOM-Based XSS. This issue affects WP Simple HTML Sitemap: from n/a through <= 3.8.
WordPress
PHP
XSS
Wp Simple Html Sitemap
-
CVE-2026-39653
None
Missing Authorization vulnerability in Deepen Bajracharya Video Conferencing with Zoom video-conferencing-with-zoom-api allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Video Conferencing with Zoom: from n/a through <= 4.6.6.
WordPress
PHP
Authentication Bypass
Video Conferencing With Zoom
-
CVE-2026-39651
None
Missing Authorization vulnerability in TotalSuite Total Poll Lite totalpoll-lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Total Poll Lite: from n/a through <= 4.12.0.
WordPress
PHP
Authentication Bypass
Total Poll Lite
-
CVE-2026-39649
None
Missing Authorization vulnerability in themebeez Royale News royale-news allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Royale News: from n/a through <= 2.2.4.
WordPress
PHP
Authentication Bypass
Royale News
-
CVE-2026-39647
None
Server-Side Request Forgery (SSRF) vulnerability in sonaar MP3 Audio Player for Music, Radio & Podcast by Sonaar mp3-music-player-by-sonaar allows Server Side Request Forgery. This issue affects MP3 Audio Player for Music, Radio & Podcast by Sonaar: from n/a through <= 5.11.
WordPress
PHP
SSRF
Mp3 Audio Player For Music Radio Podcast By Sonaar
-
CVE-2026-39645
None
Server-Side Request Forgery (SSRF) vulnerability in Global Payments GlobalPayments WooCommerce global-payments-woocommerce allows Server Side Request Forgery. This issue affects GlobalPayments WooCommerce: from n/a through <= 1.18.0.
WordPress
PHP
Woocommerce
SSRF
Globalpayments Woocommerce
-
CVE-2026-39643
None
Missing Authorization vulnerability in Payment Plugins Payment Plugins for PayPal WooCommerce pymntpl-paypal-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Payment Plugins for PayPal WooCommerce: from n/a through <= 2.0.13.
WordPress
PHP
Woocommerce
Authentication Bypass
Payment Plugins For Paypal Woocommerce
-
CVE-2026-39640
None
Cross-Site Request Forgery (CSRF) vulnerability in mndpsingh287 Theme Editor theme-editor allows Code Injection. This issue affects Theme Editor: from n/a through <= 3.2.
WordPress
PHP
CSRF
Code Injection
Theme Editor
-
CVE-2026-39638
None
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themeum Qubely qubely allows Stored XSS. This issue affects Qubely: from n/a through <= 1.8.14.
WordPress
PHP
XSS
Qubely
-
CVE-2026-39636
None
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in livemesh Livemesh Addons for Elementor addons-for-elementor allows Stored XSS. This issue affects Livemesh Addons for Elementor: from n/a through <= 9.0.
WordPress
PHP
XSS
Livemesh Addons For Elementor
-
CVE-2026-39634
None
Cross-Site Request Forgery (CSRF) vulnerability in ThemeGoods Grand Portfolio grandportfolio allows Cross Site Request Forgery. This issue affects Grand Portfolio: from n/a through <= 3.3.
WordPress
PHP
CSRF
Grand Portfolio
-
CVE-2026-39632
None
Cross-Site Request Forgery (CSRF) vulnerability in ThemeGoods Grand Blog grandblog allows Cross Site Request Forgery. This issue affects Grand Blog: from n/a through <= 3.1.
WordPress
PHP
CSRF
Grand Blog
-
CVE-2026-39630
None
Server-Side Request Forgery (SSRF) vulnerability in Getty Images Getty Images getty-images allows Server Side Request Forgery. This issue affects Getty Images: from n/a through <= 4.1.0.
WordPress
PHP
SSRF
Getty Images
-
CVE-2026-39628
None
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in kutethemes DukaMarket dukamarket allows Code Injection. This issue affects DukaMarket: from n/a through <= 1.3.0.
WordPress
PHP
XSS
Dukamarket
-
CVE-2026-39626
None
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in kutethemes Armania armania allows Code Injection. This issue affects Armania: from n/a through <= 1.4.8.
WordPress
PHP
XSS
Armania
-
CVE-2026-39624
None
Missing Authorization vulnerability in kutethemes Biolife biolife allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Biolife: from n/a through <= 3.2.3.
WordPress
PHP
Authentication Bypass
Biolife
-
CVE-2026-39622
None
Missing Authorization vulnerability in acmethemes Education Base education-base allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Education Base: from n/a through <= 3.0.8.
WordPress
PHP
Authentication Bypass
Education Base
-
CVE-2026-39620
None
Cross-Site Request Forgery (CSRF) vulnerability in priyanshumittal Appointment appointment allows Upload a Web Shell to a Web Server. This issue affects Appointment: from n/a through <= 3.5.5.
WordPress
PHP
CSRF
Appointment
-
CVE-2026-39618
None
Cross-Site Request Forgery (CSRF) vulnerability in themearile NewsExo newsexo allows Cross Site Request Forgery. This issue affects NewsExo: from n/a through <= 7.1.
WordPress
PHP
CSRF
Newsexo
-
CVE-2026-39616
None
Authorization Bypass Through User-Controlled Key vulnerability in dFactory Download Attachments download-attachments allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Download Attachments: from n/a through <= 1.4.0.
WordPress
PHP
Authentication Bypass
Download Attachments
-
CVE-2026-39614
None
Missing Authorization vulnerability in ilGhera JW Player for WordPress jw-player-7-for-wp allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects JW Player for WordPress: from n/a through <= 2.3.6.
WordPress
PHP
Authentication Bypass
Jw Player For Wordpress
-
CVE-2026-39612
None
Missing Authorization vulnerability in kutethemes KuteShop kuteshop allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects KuteShop: from n/a through <= 4.2.9.
WordPress
PHP
Authentication Bypass
Kuteshop
-
CVE-2026-39610
None
Missing Authorization vulnerability in Pankaj Kumar WpXmas-Snow wpxmas-snow allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WpXmas-Snow: from n/a through <= 1.1.
WordPress
PHP
Authentication Bypass
Wpxmas Snow
-
CVE-2026-39608
None
Missing Authorization vulnerability in iPOSPays iPOSpays Gateways WC ipospays-gateways-wc allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects iPOSpays Gateways WC: from n/a through <= 1.3.7.
WordPress
PHP
Authentication Bypass
Ipospays Gateways Wc
-
CVE-2026-39606
None
Missing Authorization vulnerability in Foysal Imran BizReview bizreview allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects BizReview: from n/a through <= 1.5.13.
WordPress
PHP
Authentication Bypass
Bizreview
-
CVE-2026-39604
None
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in zookatron MyBookTable Bookstore mybooktable allows Stored XSS. This issue affects MyBookTable Bookstore: from n/a through <= 3.6.0.
WordPress
PHP
XSS
Mybooktable Bookstore
-
CVE-2026-39602
None
Missing Authorization vulnerability in Rustaurius Order Tracking order-tracking allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Order Tracking: from n/a through <= 3.4.3.
WordPress
PHP
Authentication Bypass
Order Tracking
-
CVE-2026-39588
None
Missing Authorization vulnerability in nmerii NM Gift Registry and Wishlist Lite nm-gift-registry-and-wishlist-lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects NM Gift Registry and Wishlist Lite: from n/a through <= 5.13.
WordPress
PHP
Authentication Bypass
Nm Gift Registry And Wishlist Lite
-
CVE-2026-39586
None
Insertion of Sensitive Information Into Sent Data vulnerability in Ateeq Rafeeq RepairBuddy computer-repair-shop allows Retrieve Embedded Sensitive Data. This issue affects RepairBuddy: from n/a through <= 4.1132.
WordPress
PHP
Information Disclosure
Repairbuddy
-
CVE-2026-39585
None
Missing Authorization vulnerability in Arraytics Booktics booktics allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Booktics: from n/a through <= 1.0.16.
WordPress
PHP
Authentication Bypass
Booktics
-
CVE-2026-39572
None
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in magepeopleteam Bus Ticket Booking with Seat Reservation bus-ticket-booking-with-seat-reservation allows Retrieve Embedded Sensitive Data. This issue affects Bus Ticket Booking with Seat Reservation: from n/a t...
WordPress
PHP
Information Disclosure
Bus Ticket Booking With Seat Reservation
-
CVE-2026-39571
None
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Themefic Instantio instantio allows Retrieve Embedded Sensitive Data. This issue affects Instantio: from n/a through <= 3.3.30.
WordPress
PHP
Information Disclosure
Instantio
-
CVE-2026-39570
None
Insertion of Sensitive Information Into Sent Data vulnerability in AA Web Servant 12 Step Meeting List 12-step-meeting-list allows Retrieve Embedded Sensitive Data. This issue affects 12 Step Meeting List: from n/a through <= 3.19.9.
WordPress
PHP
Information Disclosure
12 Step Meeting List
-
CVE-2026-39566
None
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Designinvento DirectoryPress directorypress allows Retrieve Embedded Sensitive Data. This issue affects DirectoryPress: from n/a through <= 3.6.26.
WordPress
PHP
Information Disclosure
Directorypress
-
CVE-2026-39564
None
Insertion of Sensitive Information Into Sent Data vulnerability in sunshinephotocart Sunshine Photo Cart sunshine-photo-cart allows Retrieve Embedded Sensitive Data. This issue affects Sunshine Photo Cart: from n/a through < 3.6.2.
WordPress
PHP
Information Disclosure
Sunshine Photo Cart
-
CVE-2026-39562
None
Missing Authorization vulnerability in BoldGrid Client Invoicing by Sprout Invoices sprout-invoices allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Client Invoicing by Sprout Invoices: from n/a through <= 20.8.10.
WordPress
PHP
Authentication Bypass
Client Invoicing By Sprout Invoices
-
CVE-2026-39544
None
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in themeStek LabtechCO labtechco allows PHP Local File Inclusion. This issue affects LabtechCO: from n/a through <= 8.3.
WordPress
PHP
Lfi
Labtechco
-
CVE-2026-39542
None
Insertion of Sensitive Information Into Sent Data vulnerability in Doofinder Doofinder for WooCommerce doofinder-for-woocommerce allows Retrieve Embedded Sensitive Data. This issue affects Doofinder for WooCommerce: from n/a through <= 2.10.13.
WordPress
PHP
Information Disclosure
Doofinder For Woocommerce
-
CVE-2026-39538
None
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Mikado Core mikado-core allows PHP Local File Inclusion. This issue affects Mikado Core: from n/a through <= 1.6.
WordPress
PHP
Lfi
Mikado Core
-
CVE-2026-39536
None
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in WP Chill RSVP and Event Management rsvp allows Retrieve Embedded Sensitive Data. This issue affects RSVP and Event Management: from n/a through <= 2.7.16.
WordPress
PHP
Information Disclosure
Rsvp And Event Management
-
CVE-2026-39535
None
Missing Authorization vulnerability in fullworks Display Eventbrite Events widget-for-eventbrite-api allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Display Eventbrite Events: from n/a through <= 6.5.6.
WordPress
PHP
Authentication Bypass
Display Eventbrite Events
-
CVE-2026-39526
None
Authorization Bypass Through User-Controlled Key vulnerability in wpstream WpStream wpstream allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WpStream: from n/a through < 4.11.2.
WordPress
PHP
Authentication Bypass
Wpstream
-
CVE-2026-39521
None
Server-Side Request Forgery (SSRF) vulnerability in Nelio Software Nelio Content nelio-content allows Server Side Request Forgery. This issue affects Nelio Content: from n/a through <= 4.3.1.
WordPress
PHP
SSRF
Nelio Content
-
CVE-2026-39520
None
Missing Authorization vulnerability in weDevs weDocs wedocs allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects weDocs: from n/a through <= 2.1.18.
WordPress
PHP
Authentication Bypass
Wedocs
-
CVE-2026-39516
None
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in POSIMYTH Nexter Blocks the-plus-addons-for-block-editor allows Retrieve Embedded Sensitive Data. This issue affects Nexter Blocks: from n/a through <= 4.7.0.
WordPress
PHP
Information Disclosure
Nexter Blocks
-
CVE-2026-39510
None
Authorization Bypass Through User-Controlled Key vulnerability in WP Chill Image Photo Gallery Final Tiles Grid final-tiles-grid-gallery-lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Image Photo Gallery Final Tiles Grid: from n/a through <= 3.6.11.
WordPress
PHP
Authentication Bypass
Image Photo Gallery Final Tiles Grid
-
CVE-2026-39509
None
Missing Authorization vulnerability in wpWax Directorist directorist allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Directorist: from n/a through <= 8.5.10.
WordPress
PHP
Authentication Bypass
Directorist
-
CVE-2026-39506
None
Missing Authorization vulnerability in Jordy Meow AI Engine (Pro) ai-engine-pro allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects AI Engine (Pro): from n/a through < 3.4.2.
WordPress
PHP
AI / ML
Authentication Bypass
Ai Engine Pro
-
CVE-2026-39504
None
Missing Authorization vulnerability in InstaWP InstaWP Connect instawp-connect allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects InstaWP Connect: from n/a through <= 0.1.2.5.
WordPress
PHP
Authentication Bypass
Instawp Connect
-
CVE-2026-39500
None
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themesflat themesflat-addons-for-elementor themesflat-addons-for-elementor allows Stored XSS. This issue affects themesflat-addons-for-elementor: from n/a through <= 2.3.2.
WordPress
PHP
XSS
Themesflat Addons For Elementor
-
CVE-2026-39496
None
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in YayCommerce YayMail yaymail allows Blind SQL Injection. This issue affects YayMail: from n/a through <= 4.3.3.
WordPress
PHP
SQLi
Yaymail
-
CVE-2026-39488
None
Missing Authorization vulnerability in SureCart SureCart surecart allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects SureCart: from n/a through <= 4.0.2.
WordPress
PHP
Authentication Bypass
Surecart
-
CVE-2026-39486
None
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WP Chill Download Monitor download-monitor allows Blind SQL Injection. This issue affects Download Monitor: from n/a through <= 5.1.8.
WordPress
PHP
SQLi
Download Monitor
-
CVE-2026-39484
None
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in John Darrel Hide My WP Ghost hide-my-wp allows Phishing. This issue affects Hide My WP Ghost: from n/a through < 7.0.00.
WordPress
PHP
Open Redirect
Hide My Wp Ghost
-
CVE-2026-39483
None
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Hidekazu Ishikawa VK All in One Expansion Unit vk-all-in-one-expansion-unit allows Stored XSS. This issue affects VK All in One Expansion Unit: from n/a through <= 9.113.3.
WordPress
PHP
XSS
Vk All In One Expansion Unit
-
CVE-2026-39482
None
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PublishPress Post Expirator post-expirator allows DOM-Based XSS. This issue affects Post Expirator: from n/a through <= 4.9.4.
WordPress
PHP
XSS
Post Expirator
-
CVE-2026-39479
None
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Brainstorm Force OttoKit suretriggers allows Blind SQL Injection. This issue affects OttoKit: from n/a through <= 1.1.20.
SQLi
Code Injection
Ottokit
-
CVE-2026-39477
None
Missing Authorization vulnerability in Brainstorm Force CartFlows cartflows allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects CartFlows: from n/a through <= 2.2.3.
Authentication Bypass
Privilege Escalation
Cartflows
-
CVE-2026-39476
None
Missing Authorization vulnerability in Syed Balkhi User Feedback userfeedback-lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects User Feedback: from n/a through <= 1.10.1.
WordPress
PHP
Authentication Bypass
User Feedback
-
CVE-2026-39475
None
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Syed Balkhi User Feedback userfeedback-lite allows Blind SQL Injection. This issue affects User Feedback: from n/a through <= 1.10.1.
WordPress
PHP
SQLi
User Feedback
-
CVE-2026-39473
None
Insertion of Sensitive Information Into Sent Data vulnerability in Pär Thernström Simple History simple-history allows Retrieve Embedded Sensitive Data. This issue affects Simple History: from n/a through <= 5.24.0.
WordPress
PHP
Information Disclosure
Simple History
-
CVE-2026-39469
None
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Softaculous PageLayer pagelayer allows Retrieve Embedded Sensitive Data. This issue affects PageLayer: from n/a through <= 2.0.8.
Information Disclosure
Pagelayer
-
CVE-2026-39466
None
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WPMU DEV - Your All-in-One WordPress Platform Broken Link Checker broken-link-checker allows Blind SQL Injection. This issue affects Broken Link Checker: from n/a through <= 2.4.7.
WordPress
PHP
SQLi
Broken Link Checker
-
CVE-2026-39464
None
Server-Side Request Forgery (SSRF) vulnerability in SeedProd Coming Soon Page, Under Construction & Maintenance Mode by SeedProd coming-soon allows Server Side Request Forgery. This issue affects Coming Soon Page, Under Construction & Maintenance Mode by SeedProd: from n/a through <= 6.19.8.
WordPress
PHP
SSRF
Coming Soon Page Under Construction Maintenance Mode By Seedprod
-
CVE-2026-35400
LOW
CVSS 3.5
LORIS (Longitudinal Online Research and Imaging System) versions 20.0.0 through 27.0.2 and 28.0.0 allow authenticated users with publication module access to forge emails appearing to originate from LORIS by submitting a malicious baseURL parameter in POST requests, enabling email spoofing attacks against external recipients. The vulnerability requires user interaction (email recipient click) and publication module privileges but could facilitate social engineering or phishing campaigns. Fixed in versions 27.0.3 and 28.0.1.
Information Disclosure
-
CVE-2026-34720
LOW
CVSS 2.3
Zammad prior to versions 7.0.1 and 6.5.4 fails to validate that Single Sign-On (SSO) headers originate from trusted proxy/gateway sources before processing them, allowing authenticated attackers with particular preconditions to cause limited information disclosure. The vulnerability requires authentication, high attack complexity, and specific preconditions (AT:P in CVSS 4.0 vector), resulting in a low real-world risk profile despite network accessibility.
Information Disclosure
-
CVE-2026-34248
LOW
CVSS 2.1
Zammad prior to 7.0.1 improperly discloses internal ticket fields to customers within shared organizations, allowing them to view restricted fields such as priority and custom internal attributes when accessing tickets from other organization members. This information disclosure vulnerability requires customer-level authentication and user interaction to exploit, and has a very low CVSS score of 2.1 reflecting minimal confidentiality impact with no ability to modify exposed data.
Authentication Bypass
-
CVE-2026-34166
LOW
CVSS 3.7
The replace filter in LiquidJS (Node.js npm package) fails to correctly account for memory usage when memoryLimit is enabled, allowing remote attackers to bypass DoS protections with approximately 2,500x memory amplification by crafting templates where the replace operation produces quadratically larger output than the charged memory cost. Deployments with memoryLimit explicitly configured to protect against untrusted template input can suffer out-of-memory crashes; patch available in v10.25.3.
Node.js
Denial Of Service
-
CVE-2026-33810
None
When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly applied to wildcard DNS SANs which use a different case than the constraint. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Root...
Authentication Bypass
Tls
Crypto X509
-
CVE-2026-32289
None
Context was not properly tracked across template branches for JS template literals, leading to possibly incorrect escaping of content when branches were used. Additionally template actions within JS template literals did not properly track the brace depth, leading to incorrect escaping being applied...
Golang
XSS
Html Template
-
CVE-2026-32288
None
tar.Reader can allocate an unbounded amount of memory when reading a maliciously-crafted archive containing a large number of sparse regions encoded in the "old GNU sparse map" format.
Golang
Denial Of Service
Archive Tar
-
CVE-2026-32283
None
If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service. This only affects TLS 1.3.
Denial Of Service
Tls
Crypto Tls
-
CVE-2026-32282
None
On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on the target of the symlink, even when the target lies outside the root. The Linux fchmodat syscall silently ignores the AT_SYMLINK_NOFOLLOW flag, which Root.Chmod uses to av...
Privilege Escalation
Linux
Internal Syscall Unix
-
CVE-2026-32281
None
Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptio...
Denial Of Service
Tls
Crypto X509
-
CVE-2026-31411
None
In the Linux kernel, the following vulnerability has been resolved:
net: atm: fix crash due to unvalidated vcc pointer in sigd_send()
Reproducer available at [1].
The ATM send path (sendmsg -> vcc_sendmsg -> sigd_send) reads the vcc
pointer from msg->vcc and uses it directly without any validatio...
Linux
Linux Kernel
Denial Of Service
-
CVE-2026-28264
LOW
CVSS 3.3
Dell PowerProtect Agent prior to version 20.1 allows low-privileged local attackers to read sensitive information through incorrect permission assignment on critical resources. The vulnerability requires local access and existing user privileges but can expose confidential data without requiring user interaction or elevated permissions.
Dell
Information Disclosure
-
CVE-2026-27144
None
The compiler is meant to unwrap pointers which are the operands of a memory move; a no-op interface conversion prevented the compiler from making the correct determination about non-overlapping moves, potentially leading to memory corruption at runtime.
Golang
Memory Corruption
Cmd Compile
-
CVE-2026-27143
None
Arithmetic over induction variables in loops was not correctly checked for underflow or overflow. As a result, the compiler would allow invalid indexing to occur at runtime, potentially leading to memory corruption.
Memory Corruption
Buffer Overflow
Cmd Compile
-
CVE-2026-27140
None
SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer bypass.
RCE
Code Injection
Cmd Go
-
CVE-2026-5913
None
Out of bounds read in Blink in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: Low)
Information Disclosure
Buffer Overflow
Google
-
CVE-2026-5904
None
Use after free in V8 in Google Chrome prior to 147.0.7727.55 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted Chrome Extension. (Chromium security severity: Low)
Memory Corruption
Google
Denial Of Service
Use After Free
-
CVE-2026-5903
None
Policy bypass in IFrameSandbox in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who convinced a user to engage in specific UI gestures to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Low)
Google
Authentication Bypass
-
CVE-2026-5902
None
Race in Media in Google Chrome on Android prior to 147.0.7727.55 allowed a remote attacker who had compromised the renderer process to corrupt media stream metadata via a crafted HTML page. (Chromium security severity: Low)
Google
Information Disclosure
Race Condition
-
CVE-2026-5901
None
Insufficient policy enforcement in DevTools in Google Chrome prior to 147.0.7727.55 allowed an attacker who convinced a user to install a malicious extension to bypass enterprise host restrictions for cookie modification via a crafted Chrome Extension. (Chromium security severity: Low)
Google
Authentication Bypass
-
CVE-2026-5900
None
Policy bypass in Downloads in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to bypass multi-download protections via a crafted HTML page. (Chromium security severity: Low)
Google
Authentication Bypass
-
CVE-2026-5899
None
Insufficient policy enforcement in History Navigation in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who convinced a user to engage in specific UI gestures to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: Low)
Google
Code Injection
-
CVE-2026-5898
None
Incorrect security UI in Omnibox in Google Chrome on iOS prior to 147.0.7727.55 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
Google
Information Disclosure
Apple
-
CVE-2026-5897
None
Incorrect security UI in Downloads in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
Google
Information Disclosure
-
CVE-2026-5896
None
Policy bypass in Audio in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who convinced a user to engage in specific UI gestures to bypass sandbox download restrictions via a crafted HTML page. (Chromium security severity: Low)
Google
Authentication Bypass
-
CVE-2026-5895
None
Incorrect security UI in Omnibox in Google Chrome on iOS prior to 147.0.7727.55 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted domain name. (Chromium security severity: Low)
Google
Information Disclosure
Apple
-
CVE-2026-5894
None
Inappropriate implementation in PDF in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Low)
Google
Authentication Bypass
-
CVE-2026-5893
None
Race in V8 in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)
Google
Information Disclosure
Race Condition
-
CVE-2026-5892
None
Insufficient policy enforcement in PWAs in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who had compromised the renderer process to install a PWA without user consent via a crafted HTML page. (Chromium security severity: Medium)
Google
Information Disclosure
-
CVE-2026-5891
None
Insufficient policy enforcement in browser UI in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
Google
Information Disclosure
-
CVE-2026-5890
None
Race in WebCodecs in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)
Google
Information Disclosure
Race Condition
-
CVE-2026-5889
None
Cryptographic Flaw in PDFium in Google Chrome prior to 147.0.7727.55 allowed an attacker to read potentially sensitive information from encrypted PDFs via a brute-force attack. (Chromium security severity: Medium)
Google
Information Disclosure
-
CVE-2026-5888
None
Uninitialized Use in WebCodecs in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)
Google
Information Disclosure
-
CVE-2026-5887
None
Insufficient validation of untrusted input in Downloads in Google Chrome on Windows prior to 147.0.7727.55 allowed a remote attacker to bypass download restrictions via a crafted HTML page. (Chromium security severity: Medium)
Google
Microsoft
Authentication Bypass
-
CVE-2026-5885
None
Insufficient validation of untrusted input in WebML in Google Chrome on Windows prior to 147.0.7727.55 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)
Google
Information Disclosure
Microsoft
-
CVE-2026-5884
None
Insufficient validation of untrusted input in Media in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who had compromised the renderer process to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)
Google
RCE
-
CVE-2026-5883
None
Use after free in Media in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)
Google
RCE
Memory Corruption
Denial Of Service
Use After Free
-
CVE-2026-5882
None
Incorrect security UI in Fullscreen in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
Google
Information Disclosure
-
CVE-2026-5881
None
Policy bypass in LocalNetworkAccess in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Medium)
Google
Authentication Bypass
-
CVE-2026-5880
None
Insufficient policy enforcement in browser UI in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who had compromised the renderer process to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. (Chromium security severity: Medium)
Google
Information Disclosure
-
CVE-2026-5879
None
Insufficient validation of untrusted input in ANGLE in Google Chrome on Mac prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)
Google
RCE
-
CVE-2026-5878
None
Incorrect security UI in Blink in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
Google
Information Disclosure
-
CVE-2026-5877
None
Use after free in Navigation in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)
Google
RCE
Memory Corruption
Denial Of Service
Use After Free
-
CVE-2026-5873
None
Out of bounds read and write in V8 in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Google
RCE
Buffer Overflow
-
CVE-2026-5872
None
Use after free in Blink in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Google
RCE
Memory Corruption
Denial Of Service
Use After Free
-
CVE-2026-5871
None
Type Confusion in V8 in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Memory Corruption
Google
RCE
-
CVE-2026-5870
None
Integer overflow in Skia in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Google
RCE
-
CVE-2026-5868
None
Heap buffer overflow in ANGLE in Google Chrome on Mac prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Heap Overflow
Buffer Overflow
Google
RCE
-
CVE-2026-5865
None
Type Confusion in V8 in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Memory Corruption
Google
RCE
-
CVE-2026-5863
None
Inappropriate implementation in V8 in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Google
RCE
-
CVE-2026-5862
None
Inappropriate implementation in V8 in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Google
RCE
-
CVE-2026-5861
None
Use after free in V8 in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Google
RCE
Memory Corruption
Denial Of Service
Use After Free
-
CVE-2026-5860
None
Use after free in WebRTC in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Google
RCE
Memory Corruption
Denial Of Service
Use After Free
-
CVE-2026-5859
None
Integer overflow in WebML in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical)
Google
Buffer Overflow
-
CVE-2026-5858
None
Heap buffer overflow in WebML in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical)
Heap Overflow
Buffer Overflow
Google
RCE
-
CVE-2026-4916
LOW
CVSS 2.7
Improper authorization checks in GitLab CE/EE versions 18.2-18.10.2 allow authenticated users with custom role permissions to demote or remove higher-privileged group members, violating role-based access control boundaries. The vulnerability requires high-privilege authentication and results only in integrity compromise (member privilege modification), not data exposure or availability loss. CVSS score of 2.7 reflects the restricted attack surface, though the reputational and operational risk of privilege escalation via role abuse warrants timely patching.
Authentication Bypass
Gitlab