Skip to main content
CVE-2026-39693 MEDIUM This Month

DOM-based cross-site scripting in fesomia FSM Custom Featured Image Caption WordPress plugin versions up to 1.25.1 allows authenticated administrators with high privileges to inject malicious scripts via improper input neutralization during featured image caption generation. The vulnerability requires user interaction (UI:R) and high administrator privileges (PR:H), limiting real-world risk despite the network-accessible attack vector. EPSS exploitation probability is very low at 0.03% percentile rank, and no public exploit code or active exploitation has been identified.

XSS Fsm Custom Featured Image Caption
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-39683 MEDIUM This Month

DOM-based cross-site scripting (XSS) in Chief Gnome Garden Gnome Package through version 2.4.1 allows authenticated high-privilege users to inject malicious scripts via improper input neutralization during web page generation. An attacker with administrative credentials can craft requests that execute arbitrary JavaScript in the browsers of other users when they view affected pages. The vulnerability requires user interaction (UI:R) and high-privilege authentication (PR:H), significantly limiting real-world exploitation scope. EPSS exploitation probability is minimal at 0.03% (8th percentile), and no public exploit code has been identified.

XSS Garden Gnome Package
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-39667 MEDIUM This Month

DOM-based cross-site scripting (XSS) in Jongmyoung Kim's Korea SNS WordPress plugin versions up to 1.7.0 allows authenticated high-privilege users to inject malicious scripts into web pages viewed by others. The vulnerability requires user interaction (UI:R) and high-privilege authentication (PR:H), limiting real-world exploitability to scenarios where administrative or editor-level WordPress accounts are compromised or misused. EPSS exploitation probability is minimal at 0.03% (8th percentile), indicating low technical likelihood despite the network-accessible attack vector.

XSS Korea Sns
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-39654 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ashish Ajani WP Simple HTML Sitemap wp-simple-html-sitemap allows DOM-Based XSS.This issue affects WP Simple HTML Sitemap: from n/a through <= 3.8.

XSS Wp Simple Html Sitemap
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-39638 MEDIUM This Month

Stored cross-site scripting (XSS) in Themeum Qubely WordPress plugin version 1.8.14 and earlier allows authenticated high-privilege users to inject malicious scripts that execute in the browsers of other site visitors, compromising session integrity and enabling credential theft or malware distribution. The vulnerability requires administrator authentication and user interaction (UI:R), limiting immediate risk, but stored persistence means injected payloads remain active until remediated. EPSS exploitation probability is extremely low at 0.03%, suggesting minimal real-world targeting despite public disclosure.

XSS Qubely
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-39615 MEDIUM This Month

Stored XSS in Shahjada Download Manager WordPress plugin versions up to 3.3.53 allows authenticated administrators with high privileges to inject malicious scripts that execute in users' browsers. The vulnerability requires user interaction (UI:R) and high administrative privileges (PR:H), limiting real-world attack surface; EPSS exploitation probability is exceptionally low at 0.03% (8th percentile), indicating minimal practical risk despite the stored nature of the vulnerability.

XSS Download Manager
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-39604 MEDIUM This Month

MyBookTable Bookstore WordPress plugin versions 3.6.0 and earlier allow authenticated high-privilege users to inject malicious scripts that are stored and executed in the browsers of other users, enabling stored cross-site scripting (XSS) attacks. The vulnerability requires admin-level authentication and user interaction from victims to trigger, limiting real-world exploitation scope despite network accessibility. EPSS probability is exceptionally low at 0.03%, reflecting the authentication and interaction barriers.

XSS Mybooktable Bookstore Okta
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-39541 MEDIUM This Month

Stored cross-site scripting (XSS) in Themefic Hydra Booking WordPress plugin through version 1.1.38 allows authenticated attackers with high privileges to inject malicious scripts that execute in users' browsers with user interaction. The vulnerability stems from improper input neutralization during web page generation, enabling attackers to compromise user sessions or steal sensitive data from booking-related functionality. EPSS probability of exploitation is very low at 0.03% (8th percentile), and no public exploit code or active exploitation has been confirmed.

XSS Hydra Booking
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-34721 MEDIUM PATCH This Month

Cross-site request forgery in Zammad OAuth callback endpoints for Microsoft, Google, and Facebook authentication allows authenticated attackers to hijack user sessions by crafting malicious requests that bypass CSRF state validation, potentially granting unauthorized access to user accounts and helpdesk data. The vulnerability affects Zammad versions prior to 7.0.1 and 6.5.4, and while no public exploit code has been identified, the attack requires user interaction and moderate attacker effort to execute successfully.

Google CSRF Microsoft
NVD GitHub VulDB
CVSS 4.0
5.9
EPSS
0.0%
CVE-2026-39408 MEDIUM PATCH GHSA This Month

Path traversal in Hono's toSSG() function allows attackers to write files outside the configured output directory during static site generation by injecting traversal sequences into ssgParams dynamic route values. The vulnerability is limited to build-time operations and does not affect runtime request handling. A vendor-released patch is available in Hono v4.12.12.

Path Traversal
NVD GitHub VulDB
CVSS 4.0
5.9
EPSS
0.0%
CVE-2026-39865 MEDIUM PATCH GHSA MAL This Month

Denial of service in Axios HTTP/2 client before version 1.13.2 allows unauthenticated remote attackers to crash Node.js applications through malicious HTTP/2 server responses that trigger state corruption during concurrent session closures. The vulnerability exploits a control flow error in session cleanup logic with high attack complexity, making real-world exploitation require specific server-side conditions but posing significant risk to applications relying on HTTP/2.

Node.js Denial Of Service
NVD GitHub VulDB
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-5300 MEDIUM PATCH This Month

CoolerControl's coolercontrold daemon versions before 4.0.0 lack proper authentication controls, allowing unauthenticated local attackers to view and modify sensitive system data through unprotected HTTP API endpoints. The vulnerability affects coolercontrold 0.14.0 through 3.x, with CVSS 5.9 reflecting local attack vector and low-complexity exploitation; no public exploit code or active KEV status identified at time of analysis.

Authentication Bypass Information Disclosure Suse
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-20709 MEDIUM This Month

Use of a default cryptographic key in Intel Pentium Processor Silver Series, Celeron Processor J Series, and Celeron Processor N Series hardware allows privilege escalation when a hardware reverse engineer with privileged user access performs a high-complexity physical attack with special internal knowledge. The vulnerability has a CVSS score of 5.8 with physical attack vector (AV:P) and high attack complexity (AC:H), requiring privileged access (PR:H) and special attack time requirements (AT:P). No public exploit code or active CISA KEV designation has been identified.

Intel Privilege Escalation Red Hat
NVD VulDB
CVSS 4.0
5.8
EPSS
0.0%
CVE-2026-39901 MEDIUM PATCH GHSA This Month

Monetr allows authenticated tenant users to soft-delete protected synced transactions through the PUT update endpoint by directly setting the deletedAt field, bypassing the explicit DELETE protection that prevents such operations. This authorization bypass compromises transaction history integrity and audit trail reliability for imported transactions that should be immutable. The vulnerability requires authentication and user interaction but enables attackers to hide critical financial records from normal views while the soft-deleted data remains accessible via direct retrieval, affecting any Monetr deployment relying on synced transaction immutability.

Authentication Bypass
NVD GitHub
CVSS 3.1
5.7
EPSS
0.0%
CVE-2026-1516 MEDIUM PATCH This Month

Authenticated users can leak IP addresses of other users viewing Code Quality reports in GitLab EE through specially crafted malicious content injection. The vulnerability affects GitLab EE versions 18.0.0 through 18.10.2, requires user interaction (report viewing), and has been patched in versions 18.8.9, 18.9.5, and 18.10.3. No public exploit code or active exploitation has been confirmed; the vulnerability was discovered and reported through the GitLab responsible disclosure program.

RCE Gitlab Code Injection
NVD VulDB
CVSS 3.1
5.7
EPSS
0.0%
CVE-2026-5802 MEDIUM This Month

Remote code execution in idachev mcp-javadc up to version 1.2.4 allows unauthenticated attackers to inject arbitrary operating system commands through the jarFilePath parameter in the HTTP Interface, with publicly available exploit code and a moderate CVSS score of 6.9 reflecting limited confidentiality, integrity, and availability impact.

Command Injection
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.8%
CVE-2026-5813 MEDIUM This Month

SQL injection in PHPGurukul Online Course Registration 3.1 allows unauthenticated remote attackers to manipulate the cid parameter in /check_availability.php to execute arbitrary SQL queries, potentially leading to unauthorized data access or modification. Publicly available exploit code exists, elevating real-world risk despite moderate CVSS scoring.

SQLi PHP
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-32591 MEDIUM This Month

Server-Side Request Forgery (SSRF) in Red Hat Quay's Proxy Cache configuration allows authenticated organization administrators to force the Quay server to make unvalidated network requests to internal services, cloud infrastructure endpoints, or otherwise restricted resources by supplying a crafted upstream registry hostname. With CVSS 5.2 and high confidentiality impact, this vulnerability requires administrator privileges and user interaction but poses significant risk to internal network exposure; no public exploit code or active exploitation (KEV) confirmed at time of analysis.

Red Hat SSRF Mirror Registry For Red Hat Openshift Mirror Registry For Red Hat Openshift 2 Red Hat Quay 3
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-31411 MEDIUM PATCH This Month

Kernel crash via forged VCC pointer in the Linux kernel ATM networking subsystem (net/atm/sigd.c) allows a local low-privileged attacker who has assumed the ATM signaling daemon role to dereference arbitrary kernel memory, resulting in denial of service. The flaw affects Linux 2.6.12 through multiple current stable branches, with patches available for 5.10.x, 5.15.x, 6.1.x, 6.6.x, 6.12.x, 6.18.x, 6.19.x, and 7.0-rc1. A public reproducer exists at a GitHub gist, though the EPSS score of 0.02% (7th percentile) and absence from CISA KEV reflect the niche ATM subsystem's limited real-world attack surface.

Linux Null Pointer Dereference Denial Of Service
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-35477 MEDIUM PATCH This Month

Remote code execution in InvenTree 1.2.3 through 1.2.6 allows staff users with settings access to execute arbitrary code by crafting malicious Jinja2 templates that bypass sandbox validation. The vulnerability exists because the PART_NAME_FORMAT validator uses a sandboxed Jinja2 environment, but the actual rendering engine in part/helpers.py uses an unsandboxed environment, combined with a validation bypass via dummy Part instances with pk=None that behave differently during validation versus production execution. No public exploit code or active exploitation confirmed at time of analysis.

Ssti RCE
NVD GitHub
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-39464 MEDIUM This Month

Server-side request forgery in SeedProd Coming Soon Page plugin versions through 6.19.8 allows high-privilege authenticated attackers to make arbitrary HTTP requests from the vulnerable WordPress server, potentially accessing internal resources, cloud metadata endpoints, or other services restricted to the server's network. The CVSS 5.5 score and low EPSS percentile (4%) reflect the requirement for administrative credentials, limiting real-world exploitability despite confirmed network accessibility.

SSRF Coming Soon Page Under Construction Maintenance Mode By Seedprod
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-5600 MEDIUM PATCH GHSA This Month

Pretix 2025 and 2026 versions contain an API endpoint authorization bypass that returns all check-in events for an organizer rather than a specific event, exposing ticket scan records (including scan timestamps, results, and ticket IDs) across unauthorized events to authenticated API consumers with high-level organizer privileges. The vulnerability affects pretix 2025.10.0 through 2026.3.0, allowing privileged users to access sensitive event data they should not be permitted to view, though individual attendee identity linkage requires additional context not provided by the API response alone.

Authentication Bypass Pretix
NVD
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-39392 MEDIUM PATCH GHSA This Month

Stored cross-site scripting (XSS) in CI4MS prior to 0.31.4.0 allows authenticated administrators with page-editing privileges to inject arbitrary JavaScript into page content that executes in the browsers of all public visitors. The Pages module fails to apply HTML sanitization during content creation and updates, storing unsanitized HTML directly in the database and rendering it without escaping on the frontend, whereas the Blog module correctly implements this protection. An attacker with admin credentials can compromise the integrity and confidentiality of visitor sessions. CVSS 5.5, no public exploit code identified at time of analysis.

XSS Ci4ms
NVD GitHub
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-39390 MEDIUM PATCH GHSA This Month

Stored cross-site scripting (XSS) in CI4MS prior to 0.31.4.0 allows authenticated administrators to inject malicious JavaScript via the Google Maps iframe setting (cMap field) using the srcdoc attribute, which bypasses existing sanitization filters. The injected payload executes in the browser context of unauthenticated frontend visitors, enabling session hijacking, credential theft, or malware distribution. This vulnerability requires admin-level access to the settings panel but affects all unauthenticated site visitors who view pages with the malicious iframe.

XSS Google
NVD GitHub
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-32288 MEDIUM PATCH This Month

Denial of service via unbounded memory allocation in Go's archive/tar package when parsing maliciously-crafted tar archives containing many sparse regions in old GNU sparse map format. Affects Go standard library versions prior to 1.25.9 and 1.26.2. Local attackers with user interaction can exhaust system memory, crashing applications that process untrusted tar files. No public exploit code identified; EPSS score of 0.01% indicates very low exploitation probability despite moderate CVSS severity.

Denial Of Service Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-5895 MEDIUM PATCH This Month

Google Chrome on iOS prior to version 147.0.7727.55 contains an Omnibox (URL bar) spoofing vulnerability that allows remote attackers to display misleading domain names to users through crafted domains, potentially enabling phishing attacks. The vulnerability requires user interaction (clicking a link) and affects iOS-specific browser UI rendering. While assigned a low Chromium security severity and rated 5.4 CVSS, the practical exploitation probability remains minimal (0.03% EPSS) due to the high user-interaction requirement and limited information-disclosure impact.

Apple Information Disclosure Google Red Hat Suse +1
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-1794 MEDIUM This Month

Stored Cross-Site Scripting in AM LottiePlayer WordPress plugin versions up to 3.6.0 allows authenticated attackers with Author-level privileges or higher to inject malicious scripts via specially crafted SVG file uploads, which execute in the browsers of all users viewing the affected pages. The vulnerability stems from insufficient input sanitization during SVG processing and lack of proper output escaping, enabling persistent payload delivery to website visitors without requiring any user interaction beyond normal page access.

WordPress XSS
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-3781 MEDIUM This Month

SQL injection in the Attendance Manager WordPress plugin (versions up to 0.6.2) allows authenticated attackers with Subscriber-level access to execute arbitrary SQL queries via the 'attmgr_off' parameter, enabling unauthorized extraction of sensitive database information. The vulnerability requires user authentication but can be exploited without further user interaction, with a CVSS score of 5.4 indicating moderate risk. No public exploit code or confirmed active exploitation has been identified at the time of analysis.

WordPress SQLi
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-4401 MEDIUM This Month

Cross-Site Request Forgery in Download Monitor plugin for WordPress up to version 5.1.10 allows unauthenticated attackers to delete, disable, or enable approved download paths by tricking site administrators into clicking a malicious link, due to missing nonce verification in the actions_handler() and bulk_actions_handler() methods. The vulnerability requires user interaction (UI:R) and has a moderate CVSS score of 5.4, with impacts limited to integrity and availability of download path configurations rather than confidentiality.

WordPress PHP CSRF
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-4332 MEDIUM PATCH This Month

Stored cross-site scripting (XSS) in GitLab EE customizable analytics dashboards allows authenticated users to execute arbitrary JavaScript in other users' browsers due to improper input sanitization. Affected versions include 18.2-18.8.8, 18.9-18.9.4, and 18.10-18.10.2. An attacker with valid GitLab credentials can craft malicious dashboard configurations that execute when other users view the dashboard, potentially stealing session tokens, modifying visible data, or performing actions on behalf of the victim. No public exploit code or active exploitation in the wild has been confirmed; patches are available.

XSS Gitlab
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-39695 MEDIUM This Month

Server-Side Request Forgery (SSRF) in Podigee plugin versions up to 1.4.0 allows remote attackers to make arbitrary HTTP requests from the affected server to internal or external resources without authentication. The vulnerability has a moderate CVSS score of 5.4 with low confidentiality and integrity impact across trust boundaries (AV:N/AC:H/PR:N). EPSS exploitation probability is very low at 0.02% (4th percentile), indicating minimal real-world attack likelihood despite public vulnerability disclosure.

SSRF Podigee
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-39647 MEDIUM This Month

Server-Side Request Forgery (SSRF) in Sonaar MP3 Audio Player for Music, Radio & Podcast WordPress plugin versions up to 5.11 allows unauthenticated remote attackers to forge requests to internal or external systems with high attack complexity, affecting confidentiality and integrity of data accessible from the server. EPSS scoring of 0.02% indicates minimal real-world exploitation probability despite moderate CVSS severity (5.4), and no active exploitation has been confirmed; patch availability status requires vendor verification.

SSRF Mp3 Audio Player For Music Radio Podcast By Sonaar
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-39645 MEDIUM This Month

Server-Side Request Forgery (SSRF) in Global Payments GlobalPayments WooCommerce plugin versions up to 1.18.0 allows unauthenticated remote attackers to forge requests from the affected server with limited confidentiality and integrity impact. The vulnerability requires high attack complexity, which significantly reduces practical exploitation risk despite network-accessible attack surface; EPSS score of 0.02% (4th percentile) indicates minimal likelihood of real-world exploitation.

WordPress SSRF
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-39614 MEDIUM This Month

JW Player for WordPress plugin versions through 2.3.6 allows authenticated users to bypass authorization controls and access or modify restricted functionality due to improper access control checks. An attacker with low-privilege WordPress user credentials can exploit this vulnerability to read sensitive data or perform unauthorized actions normally restricted to administrators, with no user interaction required.

Authentication Bypass WordPress
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-39607 MEDIUM This Month

Wpbens Filter Plus plugin versions 1.1.17 and earlier allow authenticated users to bypass access controls and modify data they should not have permission to access, due to missing authorization checks on sensitive functionality. An authenticated attacker with low privileges can exploit incorrectly configured access control security levels to read or modify restricted information, impacting the confidentiality and integrity of protected content.

Authentication Bypass Filter Plus
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-39526 MEDIUM This Month

WpStream WordPress plugin versions before 4.11.2 contain an authorization bypass vulnerability allowing authenticated users to modify data or trigger denial of service through insecure direct object references (IDOR) via user-controlled keys in access control checks. The vulnerability affects all versions up to 4.11.2 and requires low-privilege authentication to exploit, making it a moderate-risk issue for WordPress installations using this plugin despite the low EPSS score of 0.02%.

Authentication Bypass Wpstream
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-39504 MEDIUM This Month

InstaWP Connect WordPress plugin through version 0.1.2.5 permits authenticated users to access or modify resources they should not have permission to reach due to missing authorization checks. With CVSS 5.4 (authenticated network access, low complexity), EPSS 0.02%, and no confirmed public exploit code, this represents a moderate privilege escalation risk primarily affecting multi-user WordPress installations where access control segregation is important.

Authentication Bypass Instawp Connect
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-0811 MEDIUM This Month

Cross-Site Request Forgery in Advanced Contact Form 7 DB plugin for WordPress (versions up to 2.0.9) allows unauthenticated attackers to delete form entries by exploiting missing nonce validation in the 'vsz_cf7_save_setting_callback' function. An attacker must trick a site administrator into clicking a malicious link, but no public exploit code or active exploitation has been confirmed at the time of analysis.

WordPress CSRF
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-39710 MEDIUM This Month

Cross-site request forgery (CSRF) in stmcan RT-Theme 18 Extensions plugin version 2.5 and earlier allows unauthenticated remote attackers to perform unintended actions on behalf of authenticated users through crafted requests, requiring user interaction. EPSS exploitation probability is minimal at 0.01%, and no public exploit code or active exploitation has been identified; however, the vulnerability carries real-world risk due to the low technical bar for CSRF attacks and the plugin's web-accessible attack surface.

CSRF Rt Theme 18 Extensions
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-39635 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in ThemeGoods Grand Magazine WordPress theme versions up to 3.5.5 allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated users via crafted malicious web pages. The vulnerability requires user interaction (clicking a link or visiting a malicious page) but carries low real-world exploitation probability despite the moderate CVSS score, as reflected by an EPSS score of 0.01% (1st percentile). No public exploit code or active exploitation has been confirmed at time of analysis.

CSRF Grand Magazine
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-39634 MEDIUM This Month

Cross-Site Request Forgery (CSRF) in ThemeGoods Grand Portfolio WordPress theme versions up to 3.3 allows unauthenticated remote attackers to perform unauthorized actions on behalf of authenticated users with low integrity and availability impact. The vulnerability requires user interaction (UI:R) to trigger a malicious request. No public exploit code or active exploitation has been confirmed, and the EPSS score of 0.01% indicates minimal real-world exploitation likelihood despite the CVSS 5.4 rating.

CSRF Grand Portfolio
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-39603 MEDIUM This Month

Cross-Site Request Forgery (CSRF) in ThemeGoods Grand Photography WordPress theme versions up to 5.7.8 allows unauthenticated remote attackers to perform unauthorized actions on behalf of authenticated users through crafted requests. The vulnerability requires user interaction (clicking a malicious link) but carries low real-world exploitation risk, with an EPSS score of 0.01% indicating minimal practical likelihood of attack despite the moderate CVSS 5.4 rating.

CSRF Grand Photography
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-3646 MEDIUM This Month

Unauthenticated attackers can modify LTL Freight Quotes - R+L Carriers Edition plugin subscription settings via a webhook handler with missing authorization controls in all versions up to 3.3.13. The vulnerability allows downgrading paid subscriptions to trial plans, changing store type, and manipulating expiration dates, effectively disabling premium features like Dropship and Hazardous Material handling. CVSS 5.3 reflects moderate integrity impact with no authentication required and network-accessible attack surface.

WordPress PHP Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-3594 MEDIUM This Month

Riaxe Product Customizer plugin for WordPress versions up to 2.4 exposes sensitive WooCommerce customer and order data through an unauthenticated REST API endpoint due to a missing permission callback. Attackers can query the '/wp-json/InkXEProductDesignerLite/orders' endpoint to retrieve customer names, order IDs, totals, dates, and statuses without authentication. No public exploit code or active exploitation has been confirmed at time of analysis.

WordPress Information Disclosure
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-39415 MEDIUM PATCH This Month

Frappe Learning Management System versions prior to 2.46.0 allow authenticated students to modify their own quiz scores via client-side manipulation using browser developer tools before submission. This vulnerability compromises the integrity of quiz results and academic reliability without enabling privilege escalation, unauthorized account access, or exposure of confidential information. The fix is available in version 2.46.0, and no public exploit code or active exploitation has been identified at the time of analysis.

Privilege Escalation Authentication Bypass Lms
NVD GitHub
CVSS 4.0
5.3
EPSS
0.1%
CVE-2026-5167 MEDIUM This Month

Unauthenticated attackers can bypass authorization in Masteriyo LMS plugin versions up to 2.1.7 by sending forged Stripe webhook events to mark arbitrary orders as completed without payment, granting unauthorized access to paid course content. The vulnerability stems from insufficient webhook signature verification in the handle_webhook() function, which processes requests with an empty default webhook_secret and only validates signatures if both the secret is configured and the HTTP_STRIPE_SIGNATURE header is present. No public exploit code or active exploitation has been identified at time of analysis, though the attack requires only network access and no authentication or user interaction.

WordPress Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-14243 MEDIUM This Month

OpenShift Mirror Registry leaks valid usernames and email addresses through inconsistent error messages during authentication and account creation, enabling unauthenticated remote attackers to enumerate registered users. CVSS score of 5.3 reflects the low confidentiality impact with no authentication required and low attack complexity; no public exploit code or active exploitation has been confirmed at time of analysis.

Information Disclosure Mirror Registry For Red Hat Openshift Mirror Registry For Red Hat Openshift 2
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-39407 MEDIUM PATCH GHSA This Month

Middleware bypass in Hono's serveStatic allows unauthenticated remote attackers to access protected static files by using repeated slashes in request paths, exploiting inconsistent path handling between the routing layer and static file resolution. The vulnerability affects Hono applications that rely on route-based middleware for access control, enabling unauthorized disclosure of sensitive files. Vendor-released patch available in version 4.12.12.

Path Traversal Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-39851 MEDIUM PATCH This Month

Saleor e-commerce platform versions 2.10.0 through 3.23.0a2 leak user email addresses via error messages in the requestEmailChange() GraphQL mutation, allowing authenticated attackers to enumerate valid email addresses in the system. The vulnerability affects multiple version branches and is resolved in patched versions 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118. CVSS 5.3 reflects low confidentiality impact with authentication requirement.

Information Disclosure Saleor
NVD GitHub
CVSS 4.0
5.3
EPSS
0.1%
CVE-2026-34718 MEDIUM PATCH This Month

Improper HTML sanitization in Zammad ticket article processing prior to versions 7.0.1 and 6.5.4 allows unauthenticated remote attackers to inject malicious data URI schemes that persist in the database, potentially enabling stored cross-site scripting (XSS) attacks. While current Content Security Policy mitigations prevent immediate harm from link clicks, the vulnerability represents a persistent data integrity issue and stored XSS vector that could be exploited if CSP rules are modified or bypassed. No public exploit code has been identified, but the vulnerability affects all instances running unpatched versions.

XSS Zammad
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.0%
Prev Page 3 of 7 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy