Skip to main content
CVE-2026-5802 MEDIUM This Month

Remote code execution in idachev mcp-javadc up to version 1.2.4 allows unauthenticated attackers to inject arbitrary operating system commands through the jarFilePath parameter in the HTTP Interface, with publicly available exploit code and a moderate CVSS score of 6.9 reflecting limited confidentiality, integrity, and availability impact.

Command Injection
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.8%
CVE-2026-5813 MEDIUM This Month

SQL injection in PHPGurukul Online Course Registration 3.1 allows unauthenticated remote attackers to manipulate the cid parameter in /check_availability.php to execute arbitrary SQL queries, potentially leading to unauthorized data access or modification. Publicly available exploit code exists, elevating real-world risk despite moderate CVSS scoring.

SQLi PHP
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-32591 MEDIUM This Month

Server-Side Request Forgery (SSRF) in Red Hat Quay's Proxy Cache configuration allows authenticated organization administrators to force the Quay server to make unvalidated network requests to internal services, cloud infrastructure endpoints, or otherwise restricted resources by supplying a crafted upstream registry hostname. With CVSS 5.2 and high confidentiality impact, this vulnerability requires administrator privileges and user interaction but poses significant risk to internal network exposure; no public exploit code or active exploitation (KEV) confirmed at time of analysis.

Red Hat SSRF Mirror Registry For Red Hat Openshift Mirror Registry For Red Hat Openshift 2 Red Hat Quay 3
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-31411 MEDIUM PATCH This Month

Kernel crash via forged VCC pointer in the Linux kernel ATM networking subsystem (net/atm/sigd.c) allows a local low-privileged attacker who has assumed the ATM signaling daemon role to dereference arbitrary kernel memory, resulting in denial of service. The flaw affects Linux 2.6.12 through multiple current stable branches, with patches available for 5.10.x, 5.15.x, 6.1.x, 6.6.x, 6.12.x, 6.18.x, 6.19.x, and 7.0-rc1. A public reproducer exists at a GitHub gist, though the EPSS score of 0.02% (7th percentile) and absence from CISA KEV reflect the niche ATM subsystem's limited real-world attack surface.

Linux Null Pointer Dereference Denial Of Service
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-35477 MEDIUM PATCH This Month

Remote code execution in InvenTree 1.2.3 through 1.2.6 allows staff users with settings access to execute arbitrary code by crafting malicious Jinja2 templates that bypass sandbox validation. The vulnerability exists because the PART_NAME_FORMAT validator uses a sandboxed Jinja2 environment, but the actual rendering engine in part/helpers.py uses an unsandboxed environment, combined with a validation bypass via dummy Part instances with pk=None that behave differently during validation versus production execution. No public exploit code or active exploitation confirmed at time of analysis.

Ssti RCE
NVD GitHub
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-39464 MEDIUM This Month

Server-side request forgery in SeedProd Coming Soon Page plugin versions through 6.19.8 allows high-privilege authenticated attackers to make arbitrary HTTP requests from the vulnerable WordPress server, potentially accessing internal resources, cloud metadata endpoints, or other services restricted to the server's network. The CVSS 5.5 score and low EPSS percentile (4%) reflect the requirement for administrative credentials, limiting real-world exploitability despite confirmed network accessibility.

SSRF Coming Soon Page Under Construction Maintenance Mode By Seedprod
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-5600 MEDIUM PATCH GHSA This Month

Pretix 2025 and 2026 versions contain an API endpoint authorization bypass that returns all check-in events for an organizer rather than a specific event, exposing ticket scan records (including scan timestamps, results, and ticket IDs) across unauthorized events to authenticated API consumers with high-level organizer privileges. The vulnerability affects pretix 2025.10.0 through 2026.3.0, allowing privileged users to access sensitive event data they should not be permitted to view, though individual attendee identity linkage requires additional context not provided by the API response alone.

Authentication Bypass Pretix
NVD
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-39392 MEDIUM PATCH GHSA This Month

Stored cross-site scripting (XSS) in CI4MS prior to 0.31.4.0 allows authenticated administrators with page-editing privileges to inject arbitrary JavaScript into page content that executes in the browsers of all public visitors. The Pages module fails to apply HTML sanitization during content creation and updates, storing unsanitized HTML directly in the database and rendering it without escaping on the frontend, whereas the Blog module correctly implements this protection. An attacker with admin credentials can compromise the integrity and confidentiality of visitor sessions. CVSS 5.5, no public exploit code identified at time of analysis.

XSS Ci4ms
NVD GitHub
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-39390 MEDIUM PATCH GHSA This Month

Stored cross-site scripting (XSS) in CI4MS prior to 0.31.4.0 allows authenticated administrators to inject malicious JavaScript via the Google Maps iframe setting (cMap field) using the srcdoc attribute, which bypasses existing sanitization filters. The injected payload executes in the browser context of unauthenticated frontend visitors, enabling session hijacking, credential theft, or malware distribution. This vulnerability requires admin-level access to the settings panel but affects all unauthenticated site visitors who view pages with the malicious iframe.

XSS Google
NVD GitHub
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-32288 MEDIUM PATCH This Month

Denial of service via unbounded memory allocation in Go's archive/tar package when parsing maliciously-crafted tar archives containing many sparse regions in old GNU sparse map format. Affects Go standard library versions prior to 1.25.9 and 1.26.2. Local attackers with user interaction can exhaust system memory, crashing applications that process untrusted tar files. No public exploit code identified; EPSS score of 0.01% indicates very low exploitation probability despite moderate CVSS severity.

Denial Of Service Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-5895 MEDIUM PATCH This Month

Google Chrome on iOS prior to version 147.0.7727.55 contains an Omnibox (URL bar) spoofing vulnerability that allows remote attackers to display misleading domain names to users through crafted domains, potentially enabling phishing attacks. The vulnerability requires user interaction (clicking a link) and affects iOS-specific browser UI rendering. While assigned a low Chromium security severity and rated 5.4 CVSS, the practical exploitation probability remains minimal (0.03% EPSS) due to the high user-interaction requirement and limited information-disclosure impact.

Apple Information Disclosure Google Red Hat Suse +1
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-1794 MEDIUM This Month

Stored Cross-Site Scripting in AM LottiePlayer WordPress plugin versions up to 3.6.0 allows authenticated attackers with Author-level privileges or higher to inject malicious scripts via specially crafted SVG file uploads, which execute in the browsers of all users viewing the affected pages. The vulnerability stems from insufficient input sanitization during SVG processing and lack of proper output escaping, enabling persistent payload delivery to website visitors without requiring any user interaction beyond normal page access.

WordPress XSS
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-3781 MEDIUM This Month

SQL injection in the Attendance Manager WordPress plugin (versions up to 0.6.2) allows authenticated attackers with Subscriber-level access to execute arbitrary SQL queries via the 'attmgr_off' parameter, enabling unauthorized extraction of sensitive database information. The vulnerability requires user authentication but can be exploited without further user interaction, with a CVSS score of 5.4 indicating moderate risk. No public exploit code or confirmed active exploitation has been identified at the time of analysis.

WordPress SQLi
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-4401 MEDIUM This Month

Cross-Site Request Forgery in Download Monitor plugin for WordPress up to version 5.1.10 allows unauthenticated attackers to delete, disable, or enable approved download paths by tricking site administrators into clicking a malicious link, due to missing nonce verification in the actions_handler() and bulk_actions_handler() methods. The vulnerability requires user interaction (UI:R) and has a moderate CVSS score of 5.4, with impacts limited to integrity and availability of download path configurations rather than confidentiality.

WordPress PHP CSRF
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-4332 MEDIUM PATCH This Month

Stored cross-site scripting (XSS) in GitLab EE customizable analytics dashboards allows authenticated users to execute arbitrary JavaScript in other users' browsers due to improper input sanitization. Affected versions include 18.2-18.8.8, 18.9-18.9.4, and 18.10-18.10.2. An attacker with valid GitLab credentials can craft malicious dashboard configurations that execute when other users view the dashboard, potentially stealing session tokens, modifying visible data, or performing actions on behalf of the victim. No public exploit code or active exploitation in the wild has been confirmed; patches are available.

XSS Gitlab
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-39695 MEDIUM This Month

Server-Side Request Forgery (SSRF) in Podigee plugin versions up to 1.4.0 allows remote attackers to make arbitrary HTTP requests from the affected server to internal or external resources without authentication. The vulnerability has a moderate CVSS score of 5.4 with low confidentiality and integrity impact across trust boundaries (AV:N/AC:H/PR:N). EPSS exploitation probability is very low at 0.02% (4th percentile), indicating minimal real-world attack likelihood despite public vulnerability disclosure.

SSRF Podigee
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-39647 MEDIUM This Month

Server-Side Request Forgery (SSRF) in Sonaar MP3 Audio Player for Music, Radio & Podcast WordPress plugin versions up to 5.11 allows unauthenticated remote attackers to forge requests to internal or external systems with high attack complexity, affecting confidentiality and integrity of data accessible from the server. EPSS scoring of 0.02% indicates minimal real-world exploitation probability despite moderate CVSS severity (5.4), and no active exploitation has been confirmed; patch availability status requires vendor verification.

SSRF Mp3 Audio Player For Music Radio Podcast By Sonaar
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-39645 MEDIUM This Month

Server-Side Request Forgery (SSRF) in Global Payments GlobalPayments WooCommerce plugin versions up to 1.18.0 allows unauthenticated remote attackers to forge requests from the affected server with limited confidentiality and integrity impact. The vulnerability requires high attack complexity, which significantly reduces practical exploitation risk despite network-accessible attack surface; EPSS score of 0.02% (4th percentile) indicates minimal likelihood of real-world exploitation.

WordPress SSRF
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-39614 MEDIUM This Month

JW Player for WordPress plugin versions through 2.3.6 allows authenticated users to bypass authorization controls and access or modify restricted functionality due to improper access control checks. An attacker with low-privilege WordPress user credentials can exploit this vulnerability to read sensitive data or perform unauthorized actions normally restricted to administrators, with no user interaction required.

Authentication Bypass WordPress
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-39607 MEDIUM This Month

Wpbens Filter Plus plugin versions 1.1.17 and earlier allow authenticated users to bypass access controls and modify data they should not have permission to access, due to missing authorization checks on sensitive functionality. An authenticated attacker with low privileges can exploit incorrectly configured access control security levels to read or modify restricted information, impacting the confidentiality and integrity of protected content.

Authentication Bypass Filter Plus
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-39526 MEDIUM This Month

WpStream WordPress plugin versions before 4.11.2 contain an authorization bypass vulnerability allowing authenticated users to modify data or trigger denial of service through insecure direct object references (IDOR) via user-controlled keys in access control checks. The vulnerability affects all versions up to 4.11.2 and requires low-privilege authentication to exploit, making it a moderate-risk issue for WordPress installations using this plugin despite the low EPSS score of 0.02%.

Authentication Bypass Wpstream
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-39504 MEDIUM This Month

InstaWP Connect WordPress plugin through version 0.1.2.5 permits authenticated users to access or modify resources they should not have permission to reach due to missing authorization checks. With CVSS 5.4 (authenticated network access, low complexity), EPSS 0.02%, and no confirmed public exploit code, this represents a moderate privilege escalation risk primarily affecting multi-user WordPress installations where access control segregation is important.

Authentication Bypass Instawp Connect
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-0811 MEDIUM This Month

Cross-Site Request Forgery in Advanced Contact Form 7 DB plugin for WordPress (versions up to 2.0.9) allows unauthenticated attackers to delete form entries by exploiting missing nonce validation in the 'vsz_cf7_save_setting_callback' function. An attacker must trick a site administrator into clicking a malicious link, but no public exploit code or active exploitation has been confirmed at the time of analysis.

WordPress CSRF
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-39710 MEDIUM This Month

Cross-site request forgery (CSRF) in stmcan RT-Theme 18 Extensions plugin version 2.5 and earlier allows unauthenticated remote attackers to perform unintended actions on behalf of authenticated users through crafted requests, requiring user interaction. EPSS exploitation probability is minimal at 0.01%, and no public exploit code or active exploitation has been identified; however, the vulnerability carries real-world risk due to the low technical bar for CSRF attacks and the plugin's web-accessible attack surface.

CSRF Rt Theme 18 Extensions
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-39635 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in ThemeGoods Grand Magazine WordPress theme versions up to 3.5.5 allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated users via crafted malicious web pages. The vulnerability requires user interaction (clicking a link or visiting a malicious page) but carries low real-world exploitation probability despite the moderate CVSS score, as reflected by an EPSS score of 0.01% (1st percentile). No public exploit code or active exploitation has been confirmed at time of analysis.

CSRF Grand Magazine
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-39634 MEDIUM This Month

Cross-Site Request Forgery (CSRF) in ThemeGoods Grand Portfolio WordPress theme versions up to 3.3 allows unauthenticated remote attackers to perform unauthorized actions on behalf of authenticated users with low integrity and availability impact. The vulnerability requires user interaction (UI:R) to trigger a malicious request. No public exploit code or active exploitation has been confirmed, and the EPSS score of 0.01% indicates minimal real-world exploitation likelihood despite the CVSS 5.4 rating.

CSRF Grand Portfolio
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-39603 MEDIUM This Month

Cross-Site Request Forgery (CSRF) in ThemeGoods Grand Photography WordPress theme versions up to 5.7.8 allows unauthenticated remote attackers to perform unauthorized actions on behalf of authenticated users through crafted requests. The vulnerability requires user interaction (clicking a malicious link) but carries low real-world exploitation risk, with an EPSS score of 0.01% indicating minimal practical likelihood of attack despite the moderate CVSS 5.4 rating.

CSRF Grand Photography
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-3646 MEDIUM This Month

Unauthenticated attackers can modify LTL Freight Quotes - R+L Carriers Edition plugin subscription settings via a webhook handler with missing authorization controls in all versions up to 3.3.13. The vulnerability allows downgrading paid subscriptions to trial plans, changing store type, and manipulating expiration dates, effectively disabling premium features like Dropship and Hazardous Material handling. CVSS 5.3 reflects moderate integrity impact with no authentication required and network-accessible attack surface.

WordPress PHP Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-3594 MEDIUM This Month

Riaxe Product Customizer plugin for WordPress versions up to 2.4 exposes sensitive WooCommerce customer and order data through an unauthenticated REST API endpoint due to a missing permission callback. Attackers can query the '/wp-json/InkXEProductDesignerLite/orders' endpoint to retrieve customer names, order IDs, totals, dates, and statuses without authentication. No public exploit code or active exploitation has been confirmed at time of analysis.

WordPress Information Disclosure
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-39415 MEDIUM PATCH This Month

Frappe Learning Management System versions prior to 2.46.0 allow authenticated students to modify their own quiz scores via client-side manipulation using browser developer tools before submission. This vulnerability compromises the integrity of quiz results and academic reliability without enabling privilege escalation, unauthorized account access, or exposure of confidential information. The fix is available in version 2.46.0, and no public exploit code or active exploitation has been identified at the time of analysis.

Privilege Escalation Authentication Bypass Lms
NVD GitHub
CVSS 4.0
5.3
EPSS
0.1%
CVE-2026-5167 MEDIUM This Month

Unauthenticated attackers can bypass authorization in Masteriyo LMS plugin versions up to 2.1.7 by sending forged Stripe webhook events to mark arbitrary orders as completed without payment, granting unauthorized access to paid course content. The vulnerability stems from insufficient webhook signature verification in the handle_webhook() function, which processes requests with an empty default webhook_secret and only validates signatures if both the secret is configured and the HTTP_STRIPE_SIGNATURE header is present. No public exploit code or active exploitation has been identified at time of analysis, though the attack requires only network access and no authentication or user interaction.

WordPress Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-14243 MEDIUM This Month

OpenShift Mirror Registry leaks valid usernames and email addresses through inconsistent error messages during authentication and account creation, enabling unauthenticated remote attackers to enumerate registered users. CVSS score of 5.3 reflects the low confidentiality impact with no authentication required and low attack complexity; no public exploit code or active exploitation has been confirmed at time of analysis.

Information Disclosure Mirror Registry For Red Hat Openshift Mirror Registry For Red Hat Openshift 2
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-39407 MEDIUM PATCH GHSA This Month

Middleware bypass in Hono's serveStatic allows unauthenticated remote attackers to access protected static files by using repeated slashes in request paths, exploiting inconsistent path handling between the routing layer and static file resolution. The vulnerability affects Hono applications that rely on route-based middleware for access control, enabling unauthorized disclosure of sensitive files. Vendor-released patch available in version 4.12.12.

Path Traversal Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-39851 MEDIUM PATCH This Month

Saleor e-commerce platform versions 2.10.0 through 3.23.0a2 leak user email addresses via error messages in the requestEmailChange() GraphQL mutation, allowing authenticated attackers to enumerate valid email addresses in the system. The vulnerability affects multiple version branches and is resolved in patched versions 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118. CVSS 5.3 reflects low confidentiality impact with authentication requirement.

Information Disclosure Saleor
NVD GitHub
CVSS 4.0
5.3
EPSS
0.1%
CVE-2026-34718 MEDIUM PATCH This Month

Improper HTML sanitization in Zammad ticket article processing prior to versions 7.0.1 and 6.5.4 allows unauthenticated remote attackers to inject malicious data URI schemes that persist in the database, potentially enabling stored cross-site scripting (XSS) attacks. While current Content Security Policy mitigations prevent immediate harm from link clicks, the vulnerability represents a persistent data integrity issue and stored XSS vector that could be exploited if CSP rules are modified or bypassed. No public exploit code has been identified, but the vulnerability affects all instances running unpatched versions.

XSS Zammad
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-39362 MEDIUM PATCH This Month

Server-side request forgery (SSRF) in InvenTree prior to versions 1.2.7 and 1.3.0 allows authenticated users to request arbitrary internal URLs when the INVENTREE_DOWNLOAD_FROM_URL feature is enabled, bypassing URL validation through HTTP redirect chains. An attacker with valid credentials can probe internal networks, access cloud metadata endpoints, or interact with backend services not exposed to the public internet by supplying crafted remote_image URLs that are fetched server-side without IP-range restrictions.

SSRF Python
NVD GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-34837 MEDIUM PATCH This Month

Zammad versions prior to 7.0.1 fail to validate user authorization for context data supplied to the REST endpoint POST /api/v1/ai_assistance/text_tools/:id, allowing authenticated agents to access and leak unauthorized information (such as group or organization data) through AI prompt injection. The vulnerability requires the attacker to possess ticket.agent permission but does not require additional user interaction; no public exploit code or active exploitation has been identified at the time of analysis.

Authentication Bypass Zammad
NVD GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-34782 MEDIUM PATCH This Month

Bypass of access controls in Zammad REST API endpoint POST /api/v1/ai_assistance/text_tools/:id allows authenticated users to utilize AI text tools without proper privilege verification in versions prior to 7.0.1 and 6.5.4. An authenticated attacker can invoke AI assistance features regardless of their assigned permissions, leading to unauthorized consumption of text tool functionality and potential information disclosure through unrestricted tool access.

Authentication Bypass Zammad
NVD GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-35023 MEDIUM PATCH This Month

Wimi Teamwork On-Premises versions before 8.2.0 allow authenticated attackers to enumerate sequential item_id values in the preview.php endpoint to bypass authorization checks and access image previews from other users' private or group conversations, resulting in unauthorized information disclosure. The vulnerability requires valid user credentials (CVSS PR:L) but enables horizontal privilege escalation to retrieve sensitive conversation data. No public exploit code has been identified, though the IDOR vulnerability pattern is straightforward to exploit.

Authentication Bypass PHP
NVD VulDB
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-39406 MEDIUM PATCH GHSA This Month

Path normalization inconsistency in Hono's node-server serveStatic middleware allows unauthenticated attackers to bypass route-based authorization middleware by using repeated slashes (e.g., //admin/secret.txt) to access protected static files, exposing sensitive information with low confidentiality impact (CVSS 5.3).

Path Traversal Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-2263 MEDIUM This Month

Unauthenticated attackers can forge conversion tracking events in The Hustle WordPress plugin (versions up to 7.8.10.2) by exploiting a missing capability check on the 'hustle_module_converted' AJAX action, allowing manipulation of marketing analytics and conversion statistics for any module including unpublished drafts. The vulnerability has a CVSS score of 5.3 (medium severity) with network-based attack vector and no authentication required, confirmed by Wordfence research with public code references available.

WordPress Authentication Bypass
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-40087 MEDIUM PATCH GHSA This Month

LangChain's f-string prompt-template validation allows information disclosure through attribute access and nested format-specifier injection in DictPromptTemplate and ImagePromptTemplate classes. Unauthenticated remote attackers can craft malicious template strings to expose internal object state, model context, or logs when templates are formatted with rich Python objects. Practical impact is limited to applications that accept untrusted template strings (not just variable values) and pass complex objects into template formatting; hardcoded templates and value-only user input are unaffected. Vendor-released patch available in langchain-core 0.3.84 and 1.2.28.

Python Deserialization Red Hat
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-5808 MEDIUM PATCH This Month

Reflected cross-site scripting (XSS) in openstatusHQ openstatus allows unauthenticated remote attackers to inject malicious scripts via the callbackURL parameter in the Onboarding Endpoint component. The vulnerability affects the onboarding client functionality and requires user interaction to exploit. Vendor has released a patched version (commit 43d9b2b9ef8ae1a98f9bdc8a9f86d6a3dfaa2dfb), and no public exploit code is currently identified.

XSS Openstatus
NVD VulDB GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-4654 MEDIUM This Month

Insecure Direct Object Reference (IDOR) in Awesome Support WordPress plugin up to version 6.3.7 allows authenticated subscribers and above to access sensitive information from all support tickets by manipulating the ticket_id parameter in the wpas_get_ticket_replies_ajax() function. The vulnerability fails to verify user permissions before returning ticket data, enabling unauthorized disclosure of potentially sensitive helpdesk information across the entire system. No public exploit code or active exploitation has been confirmed at time of analysis.

WordPress Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-4299 MEDIUM This Month

Authenticated attackers with Subscriber-level access can extract MainWP Child Reports activity logs including action summaries, user information, IP addresses, and contextual data from WordPress sites running the MainWP Child Reports plugin up to version 2.2.6 by exploiting a missing authorization check in the WordPress Heartbeat API handler. The vulnerability (CVSS 5.3) affects information disclosure only and requires network access but no user interaction; no public exploit code or active exploitation has been confirmed at the time of analysis.

WordPress Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-5886 MEDIUM PATCH This Month

Out-of-bounds read in Google Chrome WebAudio (Mac) prior to version 147.0.7727.55 enables remote information disclosure via crafted HTML. Unauthenticated network-based attacker can extract sensitive process memory without user interaction. CVSS 7.5 (High confidentiality impact). No public exploit identified at time of analysis. Low observed exploitation activity (EPSS <1%). Patch available from vendor.

Information Disclosure Google Buffer Overflow Red Hat Suse +1
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-5890 MEDIUM PATCH This Month

Race in WebCodecs in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)

Information Disclosure Race Condition Google Chrome
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39412 MEDIUM PATCH GHSA This Month

LiquidJS `sort_natural` and `sort` filters bypass the `ownPropertyOnly` security option, enabling prototype property extraction through a sorting side-channel attack. Applications using LiquidJS with `ownPropertyOnly: true` (default since v10.x) where untrusted users write templates are vulnerable to information disclosure of sensitive prototype-inherited properties such as API keys and tokens. A working proof-of-concept demonstrates extraction of prototype secrets via binary search on filter-induced sort ordering.

Information Disclosure
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39712 MEDIUM This Month

Improper neutralization of HTML script tags in tagDiv Composer plugin versions up to 5.4.3 allows unauthenticated remote attackers to inject arbitrary code through shortcode execution, resulting in stored cross-site scripting (XSS). The vulnerability exploits insufficient input sanitization in the plugin's composer functionality, enabling attackers to inject malicious scripts that execute in the context of affected web pages. While EPSS scoring indicates low real-world exploitation probability (0.03%, 8th percentile), the CISA SSVC framework notes the attack is automatable and results in partial technical impact; no public exploit code or active exploitation has been identified at time of analysis.

XSS Tagdiv Composer
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39629 MEDIUM This Month

Improper neutralization of script-related HTML tags in the kutethemes Uminex WordPress theme version 1.0.9 and earlier enables unauthenticated remote attackers to inject arbitrary code via cross-site scripting (XSS), resulting in limited information disclosure. The vulnerability has an EPSS score of 0.03% (8th percentile), indicating minimal real-world exploitation probability despite a CVSS base score of 5.3; no public exploit code or active exploitation has been identified.

XSS Uminex
NVD
CVSS 3.1
5.3
EPSS
0.0%
Prev Page 7 of 10 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy