Skip to main content
CVE-2026-39682 MEDIUM This Month

Unauthenticated remote attackers can access sensitive information in linkPizza-Manager WordPress plugin through incorrectly configured access controls that fail to enforce proper authorization checks. The vulnerability affects linkPizza-Manager versions up to 5.5.5 and allows an unauthenticated attacker to obtain partial confidentiality impact with no modification or availability impact. No public exploit code has been identified at time of analysis.

Authentication Bypass Linkpizza Manager
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39680 MEDIUM This Month

Missing authorization in MWP Development Diet Calorie Calculator plugin through version 1.1.1 allows unauthenticated remote attackers to gain unauthorized read access to sensitive data via improperly configured access control. The vulnerability affects all versions from inception through 1.1.1, with a network attack vector and minimal complexity. Although the CVSS base score is 5.3 (moderate), real-world risk is substantially lower: EPSS exploitation probability is only 0.02% (fourth percentile), no public exploit code or active exploitation has been identified, and the vulnerability is limited to information disclosure without integrity or availability impact.

Authentication Bypass Diet Calorie Calculator
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39678 MEDIUM This Month

Unauthenticated remote attackers can bypass access control in DOTonPAPER Pinpoint Booking System versions up to 2.9.9.6.5 to view sensitive booking data due to missing authorization checks on API endpoints. The vulnerability allows information disclosure with low confidentiality impact, and while CVSS rates it 5.3 (medium), the 0.02% EPSS score indicates minimal real-world exploitation probability despite the straightforward network-based attack vector.

Authentication Bypass Pinpoint Booking System
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39676 MEDIUM This Month

Remote unauthenticated attackers can bypass access controls in Shahjada Download Manager through version 3.3.52, gaining unauthorized read access to restricted download content due to missing authorization checks. The vulnerability affects all versions up to and including 3.3.52, with an EPSS exploitation probability of 0.02% (4th percentile) indicating minimal real-world risk despite the network-accessible attack vector. No public exploit code or active exploitation has been confirmed.

Authentication Bypass Download Manager
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39675 MEDIUM This Month

Webmuehle Court Reservation WordPress plugin versions up to 1.10.11 fail to properly validate user permissions, allowing unauthenticated remote attackers to modify court reservation data through incorrectly configured access control checks. The vulnerability enables integrity attacks against the reservation system despite missing confidentiality and availability impact. With EPSS score of 0.02% and no KEV confirmation, real-world exploitation risk is minimal, though the authentication bypass vector presents a foundational security gap.

Authentication Bypass Court Reservation
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39673 MEDIUM This Month

Missing authorization in iZooto web push plugin versions 3.7.20 and earlier allows unauthenticated remote attackers to modify data through incorrectly configured access control, compromised integrity without requiring authentication or user interaction. CVSS 5.3 reflects the integrity impact; EPSS 0.02% indicates extremely low real-world exploitation probability despite the straightforward attack vector (AV:N, AC:L, PR:N).

Authentication Bypass Izooto
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39672 MEDIUM This Month

Missing authorization in ShipTime: Discounted Shipping Rates WordPress plugin (versions ≤1.1.1) allows unauthenticated remote attackers to access sensitive shipping rate information and configuration via incorrectly configured access control, resulting in limited confidentiality compromise. CVSS 5.3 with 0.02% EPSS indicates low real-world exploitation probability despite network-accessible attack vector. CISA SSVC framework rates this as non-exploited with partial technical impact, suggesting this is a configuration weakness rather than an actively weaponized vulnerability.

Authentication Bypass Shiptime
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39669 MEDIUM This Month

NitroPack WordPress plugin through version 1.19.3 allows remote unauthenticated attackers to modify plugin settings via incorrectly configured access control checks, enabling unauthorized changes to website optimization and caching configurations. The vulnerability requires only network access and no user interaction, affecting default installations. Despite the CVSS 5.3 score indicating integrity impact, real-world exploitation risk is extremely low (EPSS 0.02%, 4th percentile), suggesting limited practical exploitability or narrow attack scope in production environments.

Authentication Bypass Nitropack
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39668 MEDIUM This Month

Book Previewer for WooCommerce plugin versions up to 1.0.6 fail to enforce authorization checks on sensitive functionality, allowing unauthenticated remote attackers to access restricted content with low-complexity exploitation. The vulnerability stems from missing access control validation, enabling attackers to bypass intended security boundaries without user interaction. While CVSS rates this as moderate (5.3), EPSS exploitation probability remains minimal at 0.02% percentile, and no public exploit code or active exploitation has been confirmed.

WordPress Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39664 MEDIUM This Month

Leadrebel plugin version 1.0.2 and earlier allows unauthenticated remote attackers to access sensitive information through incorrectly configured access control, exposing confidential data without authorization. The vulnerability stems from missing authorization checks on functionality that should be restricted, enabling attackers to bypass authentication mechanisms and retrieve non-public information. While the CVSS score is moderate (5.3) and real-world exploitation probability is low (EPSS 0.02%), the issue represents a fundamental authentication bypass in access control logic.

Authentication Bypass Leadrebel
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39663 MEDIUM This Month

TrueBooker appointment booking plugin through version 1.1.5 fails to enforce proper authorization controls, allowing unauthenticated remote attackers to modify sensitive data via incorrectly configured access control mechanisms. The vulnerability has a low CVSS score (5.3) reflecting limited direct impact, but represents a critical authentication bypass in a widely deployed WordPress plugin affecting booking system integrity.

Authentication Bypass Truebooker
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39662 MEDIUM This Month

Missing authorization in ProWCPlugins Product Price by Formula for WooCommerce plugin (versions up to 2.5.6) allows unauthenticated remote attackers to read sensitive configuration data through incorrectly configured access control. The vulnerability exposes limited information confidentiality without enabling modification or denial of service, and carries a low real-world exploitation probability (EPSS 0.02%) despite a moderate CVSS score.

WordPress Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39660 MEDIUM This Month

Missing authorization in Automattic WP Job Manager through version 2.4.1 allows unauthenticated remote attackers to modify plugin data through incorrectly configured access control, enabling unauthorized changes to job listings and related content without proper privilege validation. The vulnerability has a low real-world exploitation probability (EPSS 0.02%) despite the network-accessible attack vector, suggesting limited practical exploitability in typical WordPress deployments.

Authentication Bypass Wp Job Manager
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39659 MEDIUM This Month

Missing authorization in Ultimate Member WordPress plugin versions up to 2.11.3 allows unauthenticated remote attackers to bypass access controls and read sensitive information due to incorrectly configured security levels. The vulnerability has a low CVSS score (5.3) with minimal real-world exploitation risk (EPSS 0.02%), though it enables confidentiality impact through access control circumvention.

Authentication Bypass Ultimate Member
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39658 MEDIUM This Month

Missing authorization in Coding Panda Panda Pods Repeater Field WordPress plugin versions up to 1.5.12 allows unauthenticated remote attackers to modify data via incorrectly configured access control, affecting confidentiality and integrity of plugin-managed content without requiring user interaction or elevated privileges.

Authentication Bypass Panda Pods Repeater Field
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39657 MEDIUM This Month

Leadlovers Forms WordPress plugin versions 1.0.2 and earlier allow unauthenticated remote attackers to bypass access controls and read sensitive information through incorrectly configured authorization checks. The vulnerability exposes confidential data without requiring authentication or user interaction, affecting the forms plugin deployed across WordPress installations. While the EPSS score of 0.02% suggests minimal exploitation probability, the unauthenticated attack vector and lack of user interaction make this a straightforward access control flaw that could enable information disclosure.

Authentication Bypass Leadlovers Forms
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39656 MEDIUM This Month

Razorpay for WooCommerce plugin versions 4.8.2 and earlier allow unauthenticated attackers to bypass access controls through incorrectly configured authorization checks, enabling unauthorized modification of payment-related data. This missing authorization vulnerability affects all WooCommerce sites running the affected plugin and could allow attackers to manipulate sensitive payment information without authentication. The low EPSS score (0.02%, 4th percentile) and absence of active exploitation indicators suggest limited real-world attack activity despite the accessibility of the vulnerability vector (network, no authentication required).

Authentication Bypass WordPress
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39652 MEDIUM This Month

Missing authorization in iGMS Direct Booking WordPress plugin versions 1.3 and earlier allows unauthenticated remote attackers to access sensitive information through incorrectly configured access control, affecting confidentiality but not integrity or availability. The vulnerability carries a CVSS score of 5.3 with network-based remote access and no authentication required, though EPSS exploitation probability is very low at 0.02% percentile, suggesting minimal real-world threat despite the authorization flaw.

Authentication Bypass Igms Direct Booking
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39650 MEDIUM This Month

Missing authorization in Unitech Web UnitechPay WordPress plugin through version 1.0.2 permits unauthenticated remote attackers to read sensitive information via incorrectly configured access controls, exposing data confidentiality without enabling modification or service disruption. The vulnerability carries a CVSS score of 5.3 with near-zero measured exploitation probability (EPSS 0.02%), indicating low real-world risk despite network-accessible attack surface.

Authentication Bypass Unitechpay
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39649 MEDIUM This Month

Royale News WordPress theme through version 2.2.4 allows unauthenticated remote attackers to modify content via incorrectly configured access control, enabling unauthorized data integrity compromise despite the lack of direct confidentiality impact. EPSS probability remains low at 0.02% percentile, suggesting limited real-world exploitation likelihood despite the network-accessible vector. Patch status indicates remediation is available through the vendor advisory.

Authentication Bypass Royale News
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39648 MEDIUM This Month

Missing authorization in themebeez Cream Blog WordPress theme versions up to 2.1.7 allows unauthenticated remote attackers to bypass access controls and read sensitive information due to incorrectly configured access control security levels. With a CVSS score of 5.3 and EPSS exploitation probability of 0.02% (4th percentile), this represents a low real-world exploitation risk despite the network-accessible attack vector. No public exploit code or active exploitation has been confirmed at the time of analysis.

Authentication Bypass Cream Blog
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39644 MEDIUM This Month

Missing authorization in Roxnor Wp Ultimate Review plugin versions up to 2.3.8 allows unauthenticated remote attackers to access restricted functionality through incorrectly configured access control security levels, resulting in limited information disclosure. The vulnerability carries a low EPSS exploitation probability (0.02%, 4th percentile) and has not been confirmed as actively exploited, though the simple attack vector (network-accessible, no complexity, no authentication required) means opportunistic exploitation is feasible.

Authentication Bypass Wp Ultimate Review
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39643 MEDIUM This Month

Improper access control in Payment Plugins for PayPal WooCommerce up to version 2.0.13 permits remote unauthenticated attackers to modify sensitive data through incorrectly configured authorization checks. The vulnerability (CVSS 5.3) allows integrity violations in payment-related operations via network requests without authentication or user interaction. With an EPSS score of 0.02%, exploitation likelihood remains minimal in measured threat activity, though the CWE-862 (missing authorization) classification indicates a fundamental security control failure in the plugin's privilege validation.

Authentication Bypass WordPress
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39637 MEDIUM This Month

SpabRice Mogi theme versions through 1.2.3 fail to properly enforce authorization controls, allowing unauthenticated remote attackers to access restricted functionality due to incorrectly configured access control security levels. The vulnerability has a CVSS score of 5.3 with low confidentiality impact but no integrity or availability impact. EPSS exploitation probability is minimal at 0.02%, and no public exploit code or active exploitation has been identified.

Authentication Bypass Mogi
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39624 MEDIUM This Month

Incorrectly configured access control in kutethemes Biolife WordPress theme version 3.2.3 and earlier allows unauthenticated remote attackers to bypass authorization checks and modify content via arbitrary shortcode execution. The vulnerability requires no authentication and can be exploited over the network with low complexity, affecting the integrity of web content served to visitors. EPSS score of 0.02% indicates minimal real-world exploitation probability despite network-accessible attack vector.

Authentication Bypass Biolife
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39622 MEDIUM This Month

Missing authorization controls in acmethemes Education Base WordPress theme (versions through 3.0.8) allow unauthenticated remote attackers to modify content via incorrectly configured access control checks. The vulnerability affects the theme's access control security levels, enabling attackers to bypass authentication mechanisms and alter data on vulnerable installations. With an EPSS score of 0.02% and no confirmed active exploitation, the real-world risk remains low despite the network-accessible attack vector.

Authentication Bypass Education Base
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39616 MEDIUM This Month

Authorization bypass in dFactory Download Attachments WordPress plugin versions up to 1.4.0 allows unauthenticated remote attackers to modify file access controls through user-controlled keys, enabling unauthorized file access or manipulation. The vulnerability exploits incorrectly configured access control security levels via an insecure direct object reference (IDOR) mechanism. With EPSS score of 0.02% and no confirmed active exploitation, this poses minimal immediate risk despite network-accessible attack surface.

Authentication Bypass Download Attachments
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39612 MEDIUM This Month

Incorrectly configured access control in kutethemes KuteShop theme versions up to 4.2.9 allows unauthenticated remote attackers to modify data via missing authorization checks on sensitive operations. The vulnerability enables exploitation of insufficient access control mechanisms without authentication, though with limited impact confined to data integrity rather than confidentiality or availability.

Authentication Bypass Kuteshop
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39610 MEDIUM This Month

Missing authorization in WpXmas-Snow WordPress plugin up to version 1.1 allows unauthenticated remote attackers to modify plugin content through incorrectly configured access control, resulting in unauthorized data integrity violations without requiring authentication or user interaction.

Authentication Bypass Wpxmas Snow
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39609 MEDIUM This Month

Wava Payment plugin for WordPress versions 0.3.7 and earlier allows unauthenticated remote attackers to access sensitive information through missing authorization controls on API endpoints. The vulnerability enables attackers to read confidential data by exploiting improperly configured access control levels without requiring authentication or user interaction. EPSS exploitation probability is minimal at 0.02%, but the ability to leak information without authentication warrants attention for WordPress sites using this payment plugin.

Authentication Bypass Wava Payment
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39608 MEDIUM This Month

Missing authorization in iPOSpays Gateways WC WordPress plugin versions up to 1.3.7 allows unauthenticated remote attackers to modify sensitive data due to incorrectly configured access control, resulting in integrity compromise without authentication or user interaction. Exploitation requires only network access and is low-complexity, though current real-world exploitation likelihood remains minimal (EPSS 0.02%).

Authentication Bypass Ipospays Gateways Wc
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39606 MEDIUM This Month

Missing authorization in Foysal Imran BizReview WordPress plugin versions up to 1.5.13 allows unauthenticated remote attackers to modify data via incorrectly configured access control, bypassing intended permission restrictions. The CVSS score of 5.3 reflects low integrity impact with no confidentiality or availability compromise. EPSS probability is extremely low at 0.02%, and no public exploit code or active exploitation has been identified, suggesting this is a configuration-level authorization flaw rather than a critical remote code execution vulnerability.

Authentication Bypass Bizreview
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39605 MEDIUM This Month

Missing authorization in Obadiah Super Custom Login WordPress plugin versions 1.1 and earlier allows unauthenticated remote attackers to bypass access controls and gain limited information disclosure. The vulnerability stems from incorrectly configured access control security levels that fail to enforce proper authorization checks, enabling attackers to exploit weak authentication mechanisms without requiring valid credentials or user interaction.

Authentication Bypass Super Custom Login
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39602 MEDIUM This Month

Missing authorization in Rustaurius Order Tracking plugin versions 3.4.3 and below allows unauthenticated remote attackers to modify order data through incorrectly configured access control, enabling unauthorized changes to order information without proper privilege validation. With an EPSS score of 0.02% and no confirmed active exploitation, real-world risk is currently low despite the moderate CVSS score of 5.3.

Authentication Bypass Order Tracking
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39588 MEDIUM This Month

NM Gift Registry and Wishlist Lite WordPress plugin versions up to 5.13 allows unauthenticated remote attackers to modify data through missing authorization checks on access control settings. The vulnerability stems from incorrectly configured authorization levels that fail to validate user permissions before processing requests, enabling attackers to bypass authentication mechanisms and alter registry or wishlist information without proper credentials. EPSS score of 0.02% indicates minimal real-world exploitation probability despite the low attack complexity.

Authentication Bypass Nm Gift Registry And Wishlist Lite
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39585 MEDIUM This Month

Missing authorization in Arraytics Booktics WordPress plugin through version 1.0.16 allows unauthenticated remote attackers to modify application data via incorrectly configured access control security levels. The vulnerability has a low EPSS score (0.02%, percentile 4) despite the network-accessible attack vector, suggesting limited real-world exploitation likelihood. No public exploit code or active CISA KEV status has been identified.

Authentication Bypass Booktics
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39563 MEDIUM This Month

Missing authorization in ILLID Share This Image WordPress plugin through version 2.12 allows unauthenticated remote attackers to access restricted functionality due to incorrectly configured access control, resulting in low-impact information disclosure. The vulnerability carries a moderate CVSS score of 5.3 but very low real-world exploitation probability (EPSS 0.02%, percentile 4%), suggesting this is a configuration or design flaw with limited practical impact rather than a critical security issue.

Authentication Bypass Share This Image
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39562 MEDIUM This Month

BoldGrid Client Invoicing by Sprout Invoices versions 20.8.10 and earlier fails to enforce authorization controls, allowing unauthenticated remote attackers to modify data through incorrectly configured access control. The vulnerability affects WordPress installations running the vulnerable plugin and has an EPSS score of 0.02% (4th percentile), indicating very low exploitation likelihood despite the network-accessible attack surface. No public exploit code or active exploitation has been documented.

Authentication Bypass Client Invoicing By Sprout Invoices
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39561 MEDIUM This Month

Missing authorization in WP Chill Revive.so plugin versions up to 2.0.7 allows unauthenticated remote attackers to bypass access controls and read sensitive information via incorrectly configured access control security levels. The vulnerability has an EPSS score of 0.02% (4th percentile), indicating minimal real-world exploitation probability despite the moderate CVSS 5.3 score. No public exploit code or active exploitation has been confirmed.

Authentication Bypass Revive So
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39543 MEDIUM This Month

Missing authorization in Themefic Tourfic WordPress plugin versions up to 2.21.4 allows unauthenticated remote attackers to access sensitive information through incorrectly configured access controls. The vulnerability exposes data confidentiality without enabling modification or denial of service, affecting WordPress sites running the vulnerable plugin. Despite a moderate CVSS score of 5.3, the extremely low EPSS score of 0.02% indicates minimal real-world exploitation probability.

Authentication Bypass Tourfic
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39535 MEDIUM This Month

Missing authorization in the fullworks Display Eventbrite Events WordPress plugin through version 6.5.6 allows unauthenticated remote attackers to modify plugin data via incorrectly configured access control mechanisms. The vulnerability enables integrity attacks (CWE-862: Missing Authorization) without requiring authentication or user interaction, affecting the plugin's REST API or admin functions. EPSS score of 0.02% indicates extremely low real-world exploitation probability despite the network-accessible attack vector.

Authentication Bypass Display Eventbrite Events
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39528 MEDIUM This Month

Missing authorization in WP Delicious WordPress plugin versions up to 1.9.5 enables unauthenticated remote attackers to bypass access controls and read sensitive information due to incorrectly configured access restrictions. The vulnerability allows unauthorized information disclosure with low CVSS impact (5.3) but affects a widely deployed WordPress plugin; exploitation likelihood is minimal (EPSS 0.02%, percentile 4%) and no public exploit code has been identified.

Authentication Bypass Wp Delicious
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39520 MEDIUM This Month

Missing authorization in weDevs weDocs WordPress plugin through version 2.1.18 allows unauthenticated remote attackers to modify content by exploiting incorrectly configured access control security levels. The vulnerability enables unauthorized modification of protected documents via a network request without authentication, though with limited information disclosure impact. EPSS score of 0.02% indicates minimal real-world exploitation probability despite the moderate CVSS rating.

Authentication Bypass Wedocs
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39509 MEDIUM This Month

Broken access control in wpWax Directorist WordPress plugin versions up to 8.5.10 allows unauthenticated remote attackers to modify data through incorrectly configured authorization checks. The vulnerability exploits missing permission validation on plugin functionality, enabling unauthorized state changes without authentication or user interaction. With EPSS at 0.02% and no public exploit code identified, real-world risk remains low despite network-accessible exploitation.

Authentication Bypass Directorist
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39505 MEDIUM This Month

Missing authorization in Craig Hewitt Seriously Simple Podcasting plugin allows unauthenticated attackers to read sensitive podcast information through incorrectly configured access controls. The vulnerability affects versions 3.14.2 and earlier of the WordPress plugin. CVSS 5.3 with 0.02% EPSS score indicates limited real-world exploitation likelihood despite the network-accessible attack vector. No public exploit code or active CISA KEV listing confirms this as a lower-priority authorization disclosure issue.

Authentication Bypass Seriously Simple Podcasting
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39501 MEDIUM This Month

Missing authorization in RealMag777 FOX woocommerce-currency-switcher plugin for WordPress allows unauthenticated remote attackers to bypass access controls and gain read access to sensitive data through incorrectly configured security levels. The vulnerability affects FOX versions up to and including 1.4.5, with a CVSS score of 5.3 and extremely low exploitation probability (EPSS 0.02%), suggesting limited real-world attack incentive despite the missing authorization flaw.

WordPress Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-5083 MEDIUM This Month

Ado::Sessions through version 0.935 for Perl generates cryptographically weak session identifiers by seeding SHA-1 with the built-in rand function, system time, and process ID, allowing attackers to predict valid session IDs and hijack user sessions. The vulnerability affects unmaintained code no longer available on CPAN, though it remains on BackPAN. EPSS exploitation probability is minimal at 0.02%, and no public exploit code has been identified, but the automatable nature of session prediction and partial technical impact warrant assessment for legacy deployments.

Information Disclosure Ado
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-5082 MEDIUM This Month

Amon2::Plugin::Web::CSRFDefender versions 7.00 through 7.03 for Perl generate cryptographically weak session IDs when /dev/urandom is unavailable, falling back to SHA-1 hashing seeded with predictable values (system PID, epoch time, and the unseeded rand() function). This allows attackers to forge valid session identifiers and potentially conduct session hijacking or CSRF attacks. The module is deprecated by its author, and CISA has not confirmed active exploitation; however, the automatable nature of the attack (as per SSVC) combined with the availability of fix version 7.04 indicates moderate practical risk despite the low EPSS score of 0.02%.

Information Disclosure Amon2
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39882 MEDIUM PATCH GHSA This Month

OpenTelemetry Go OTLP HTTP exporters allow memory exhaustion when sending telemetry to attacker-controlled or network-intercepted collector endpoints. The trace, metric, and log exporters read unbounded HTTP response bodies into in-memory buffers without size limits, enabling an attacker to force large transient heap allocations and crash the instrumented process via out-of-memory conditions. Attack requires network control of the collector endpoint or man-in-the-middle position (CVSS 5.3, CVSS:3.1/AV:A/AC:H). Upstream fix available (PR #8108); no active exploitation confirmed.

Canonical Denial Of Service
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-3438 MEDIUM PATCH This Month

Reflected cross-site scripting in Sonatype Nexus Repository 3.0.0 through 3.90.2 allows unauthenticated remote attackers to inject and execute arbitrary JavaScript in a victim's browser via a specially crafted URL, requiring user interaction to trigger the attack. With a CVSS 4.0 score of 5.1 and limited technical impact (session integrity only), this vulnerability poses a moderate risk to organizations using affected versions; no public exploit code or active exploitation has been identified.

XSS
NVD
CVSS 4.0
5.1
EPSS
0.2%
Prev Page 5 of 7 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy