Skip to main content
CVE-2026-4394 MEDIUM POC This Month

Stored cross-site scripting in Gravity Forms plugin for WordPress up to version 2.9.30 allows unauthenticated attackers to inject malicious scripts via the Credit Card field's 'Card Type' sub-field. The vulnerability exploits a gap between frontend validation (Card Type is auto-derived from card number) and backend acceptance of unsanitized POST parameters, combined with unescaped output when administrators view form entries in the WordPress dashboard. Attackers can craft POST requests containing malicious JavaScript in the `input_<id>.4` parameter, which is stored and executed with administrator privileges upon dashboard access.

WordPress XSS
NVD VulDB GitHub
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-5814 MEDIUM POC This Month

SQL injection in PHPGurukul Online Course Registration 3.1 allows remote unauthenticated attackers to manipulate the regno parameter in /admin/check_availability.php, enabling arbitrary database queries with potential for data exfiltration and modification. The vulnerability has a publicly available exploit and CVSS 6.9 score indicating moderate severity with confirmed data confidentiality and integrity impact.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-5805 MEDIUM POC This Month

Remote code execution via SQL injection in code-projects Easy Blog Site up to version 1.0 allows unauthenticated attackers to manipulate the Name parameter in /users/contact_us.php, leading to arbitrary SQL command execution. The vulnerability has a CVSS score of 6.9 with network-based attack vector and low complexity, and publicly available exploit code exists, making this an immediate concern for affected deployments.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-4406 MEDIUM POC This Month

Reflected cross-site scripting in Gravity Forms plugin for WordPress versions up to 2.9.30 allows unauthenticated attackers to inject arbitrary web scripts via the form_ids parameter in the gform_get_config AJAX action. The vulnerability exploits improper JSON encoding combined with HTML content-type headers and publicly reusable nonces; attackers can craft malicious links that, when clicked by users, execute injected scripts on vulnerable pages. No active exploitation confirmed; CVSS 4.7 reflects moderate risk constrained by required user interaction and limited scope.

WordPress XSS
NVD VulDB GitHub
CVSS 3.1
4.7
EPSS
0.1%
CVE-2026-39892 MEDIUM PATCH GHSA This Month

Buffer overflow in pyca/cryptography library allows reading past allocated memory when non-contiguous Python buffers (such as reversed slices) are passed to cryptographic APIs like Hash.update() on Python 3.11+. Attackers can trigger memory disclosure or denial of service by crafting malformed buffer objects, affecting any application using the cryptography package with vulnerable buffer handling.

Buffer Overflow Python
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-34722 MEDIUM PATCH This Month

Unauthenticated attackers can bypass authorization on Zammad's ticket creation endpoint when using the link parameter, allowing unauthorized ticket creation and modification in affected versions prior to 6.5.4 and 7.0.1. This authentication bypass (CWE-862) affects all versions of Zammad before the patched releases and requires only network access with no user interaction or special complexity.

Authentication Bypass Zammad
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-33088 MEDIUM This Month

SQL injection in Movable Type allows unauthenticated remote attackers to execute arbitrary SQL statements through unvalidated input, potentially enabling unauthorized data access, modification, or deletion. The vulnerability affects Movable Type versions prior to 9.07 with a CVSS score of 6.9 (medium-high severity); exploitation requires only network access and no user interaction, making it broadly exploitable despite limited scope of confidentiality and integrity impact.

SQLi Movable Type
NVD
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-5893 MEDIUM PATCH This Month

Remote code execution in Google Chrome prior to 147.0.7727.55 exploits a race condition in the V8 JavaScript engine to corrupt heap memory via crafted HTML, requiring user interaction. The vulnerability affects all Chrome versions below 147.0.7727.55 across all platforms via the CPE cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*. No public exploit code or active exploitation has been confirmed at time of analysis, though the Chromium security team rated it medium severity; EPSS scoring at 0.03% (9th percentile) indicates low real-world exploitation probability despite the high CVSS score of 6.8.

Information Disclosure Google Race Condition Red Hat Suse +1
NVD VulDB
CVSS 3.1
6.8
EPSS
0.0%
CVE-2026-30817 MEDIUM PATCH This Month

External configuration control in TP-Link AX53 v1.0 OpenVPN module allows authenticated adjacent attackers to read arbitrary files by processing malicious configuration files, exposing sensitive device information. The vulnerability affects AX53 v1.0 prior to firmware build 1.7.1 Build 20260213 and requires high-level authentication and network adjacency to exploit. A vendor-released patch is available.

TP-Link Authentication Bypass
NVD
CVSS 4.0
6.8
EPSS
0.0%
CVE-2026-30816 MEDIUM PATCH This Month

External control of configuration in TP-Link Archer AX53 v1.0 OpenVPN module allows authenticated adjacent attackers with high privileges to read arbitrary files via malicious configuration file processing, exposing sensitive device information. CVSS 6.8 reflects high confidentiality impact; no public exploit code or active exploitation confirmed. Patch available: firmware version 1.7.1 Build 20260213 or later.

TP-Link Authentication Bypass
NVD
CVSS 4.0
6.8
EPSS
0.0%
CVE-2026-39389 MEDIUM PATCH GHSA This Month

CI4MS (CodeIgniter 4 CMS) versions prior to 0.31.4.0 contain an authentication bypass vulnerability (CWE-285) that allows high-privileged users to escalate or circumvent authorization controls. The vulnerability affects the role-based access control (RBAC) system in CI4MS, enabling authenticated administrators to gain unauthorized access to protected resources or functions. With a CVSS score of 6.7 and EPSS exploitation probability indicating moderate real-world risk, this requires immediate patching in production deployments.

Authentication Bypass Ci4ms
NVD GitHub
CVSS 3.1
6.7
EPSS
0.0%
CVE-2026-4837 MEDIUM PATCH This Month

Remote code execution in Rapid7 Insight Agent for Linux versions prior to 4.1.0.2 allows authenticated attackers with high privileges to inject arbitrary code via eval() in the beaconing logic by crafting a malicious beacon response. The vulnerability requires high authentication privileges and mutual TLS verification, making remote exploitation difficult without prior compromise of the Rapid7 Platform backend. CVSS 6.6 reflects the high impact (code execution as root) balanced against high attack complexity and privilege requirements. No public exploit code or active exploitation has been identified at time of analysis.

RCE Code Injection Insight Agent
NVD VulDB
CVSS 3.1
6.6
EPSS
0.2%
CVE-2026-5892 MEDIUM PATCH This Month

Insufficient policy enforcement in PWA installation within Google Chrome prior to version 147.0.7727.55 allows a local attacker with renderer process compromise to install a Progressive Web App without user consent via a crafted HTML page. This vulnerability requires prior compromise of the renderer process and user interaction, resulting in high integrity and availability impact. The issue carries a low real-world exploitation probability (EPSS 0.03%), reflecting the significant prerequisites needed to trigger the vulnerability.

Google Information Disclosure Red Hat Suse Chrome
NVD VulDB
CVSS 3.1
6.6
EPSS
0.0%
CVE-2026-35479 MEDIUM PATCH This Month

InvenTree prior to versions 1.2.7 and 1.3.0 allows staff-level users to install arbitrary plugins via the API without requiring superuser privileges, enabling privilege escalation and potential code execution. The vulnerability exists because plugin installation permissions are inconsistently enforced compared to other plugin operations (such as uninstallation) that correctly require superuser access. Staff users, typically considered lower-trust accounts than superusers, can exploit this to deploy malicious plugins with full application context. No public exploit code or active exploitation has been identified at time of analysis.

Authentication Bypass Inventree
NVD GitHub
CVSS 3.1
6.6
EPSS
0.0%
CVE-2026-27102 MEDIUM PATCH This Month

Dell PowerScale OneFS versions 9.5.0.0 through 9.10.1.6 and 9.11.0.0 through 9.13.0.1 contain an incorrect privilege assignment vulnerability allowing local authenticated attackers to escalate privileges with low complexity, potentially achieving partial confidentiality and integrity compromise alongside high availability impact. No public exploit code or active exploitation has been identified at the time of analysis, though the local attack vector and straightforward exploitation path (AC:L) indicate moderate real-world risk for environments where local access controls are weak.

Dell Information Disclosure
NVD
CVSS 3.1
6.6
EPSS
0.0%
CVE-2026-5885 MEDIUM PATCH This Month

Memory disclosure in Google Chrome on Windows prior to version 147.0.7727.55 allows remote attackers to extract sensitive information from process memory by delivering a crafted HTML page through WebML parsing. The vulnerability stems from insufficient input validation in the WebML component and requires user interaction (visiting a malicious page), making it a moderate-risk information disclosure affecting a ubiquitous browser platform.

Information Disclosure Google Microsoft Red Hat Suse +1
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-33459 MEDIUM This Month

Denial of service in Kibana's automatic import feature allows authenticated users to trigger uncontrolled resource consumption by submitting specially crafted requests with excessively large input values. When multiple such requests are sent concurrently, backend services become unstable, resulting in service disruption across all users. CVSS 6.5 (medium severity) reflects the authenticated attack requirement and high availability impact without confidentiality or integrity compromise.

Elastic Denial Of Service
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-5876 MEDIUM PATCH This Month

Side-channel information leakage in Google Chrome's Navigation feature prior to version 147.0.7727.55 allows unauthenticated remote attackers to extract cross-origin data by serving a crafted HTML page. The vulnerability requires user interaction (clicking or navigating to a malicious page) but successfully bypasses same-origin policy protections, exposing sensitive information from different origins. With an EPSS score of 0.03% (10th percentile) indicating very low real-world exploitation probability, this represents a medium-severity information disclosure risk appropriate for routine patching rather than emergency mitigation.

Information Disclosure Google Red Hat Suse Chrome
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-2377 MEDIUM This Month

Server-side request forgery (SSRF) in Red Hat Mirror Registry and Red Hat Quay 3.x allows authenticated users to conduct arbitrary requests to internal network resources via a specially crafted URL in the log export feature, potentially exposing sensitive information and compromising internal systems. CVSS 6.5 (medium severity) with confirmed authentication requirement and high confidentiality impact. No active exploitation or public exploit code identified at time of analysis.

Authentication Bypass SSRF Mirror Registry For Red Hat Openshift Mirror Registry For Red Hat Openshift 2 Red Hat Quay 3
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-5888 MEDIUM PATCH This Month

Information disclosure in Google Chrome prior to 147.0.7727.55 allows remote attackers to read sensitive process memory through the WebCodecs API via a crafted HTML page. Exploitation requires user interaction (UI:R) to visit a malicious webpage but grants high-confidence memory access. The vulnerability has low real-world exploitation probability (EPSS 0.03%) despite satisfying network-accessible conditions, likely due to unreliable memory content extraction and WebCodecs' limited practical attack surface in typical user workflows.

Information Disclosure Google Red Hat Suse Chrome
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-35403 MEDIUM PATCH This Month

Cross-site scripting (XSS) in LORIS survey_accounts module (versions 15.10 through 27.0.2 and 28.0.0) allows authenticated users with low privileges to inject malicious scripts via invalid visit labels. The vulnerability arises because responses are JSON-encoded but lack a proper Content-Type header, causing browsers to interpret the payload as HTML. An attacker can trick a victim into following a crafted link to execute arbitrary JavaScript in the victim's browser context, potentially compromising sensitive neuroimaging research data. Fixed in versions 27.0.3 and 28.0.1.

XSS Loris
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-3480 MEDIUM This Month

WP Blockade WordPress plugin versions up to 0.9.14 allows authenticated users with Subscriber-level access or higher to execute arbitrary WordPress shortcodes due to missing authorization checks and nonce verification in the render_shortcode_preview() function. An attacker can supply malicious shortcodes via the 'wp-blockade-shortcode-render' admin_post action to achieve information disclosure, privilege escalation, or arbitrary actions depending on registered shortcodes. No public exploit code or active exploitation has been confirmed at time of analysis.

WordPress Privilege Escalation Authentication Bypass Information Disclosure
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-39708 MEDIUM This Month

Stored cross-site scripting (XSS) in UiCore Elements WordPress plugin versions 1.3.14 and earlier allows authenticated users to inject malicious scripts into web pages, which execute in the browsers of other users viewing affected content. The vulnerability stems from improper input neutralization during page generation, affecting any WordPress installation using the plugin. No active exploitation has been confirmed, and the EPSS score of 0.03% indicates very low real-world exploitation probability despite the CVSS 6.5 score.

XSS Uicore Elements
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-39703 MEDIUM This Month

Stored cross-site scripting (XSS) in WPBITS Addons For Elementor Page Builder versions up to 1.8.1 allows authenticated attackers with low privileges to inject malicious scripts that execute in the context of other users' browsers. The vulnerability stems from improper input sanitization during web page generation, enabling an attacker to persistently compromise site content and steal session tokens or perform administrative actions on behalf of legitimate users. EPSS exploitation probability is very low at 0.03%, indicating limited real-world attack likelihood despite moderate CVSS severity.

XSS Wpbits Addons For Elementor Page Builder Elementor
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-39702 MEDIUM This Month

DOM-based cross-site scripting (XSS) in Wealcoder Animation Addons for Elementor through version 2.6.1 allows authenticated attackers with low privileges to inject malicious scripts that execute in users' browsers with the click of a link. The vulnerability stems from improper input neutralization during web page generation and affects all versions of the plugin up to and including 2.6.1. With an EPSS score of 0.03% and no confirmed active exploitation, this represents a lower-priority vulnerability despite the authenticated attack requirement.

XSS Animation Addons For Elementor Elementor
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-39696 MEDIUM This Month

DOM-Based cross-site scripting (XSS) in Elfsight WhatsApp Chat CC WordPress plugin versions up to 1.2.0 allows authenticated attackers with limited privileges to inject malicious scripts that execute in the context of other users' browsers. The vulnerability requires user interaction (UI:R per CVSS vector) and affects the plugin's DOM manipulation during web page generation. Real-world exploitation risk is low: EPSS score of 0.03% (8th percentile) reflects minimal demonstrated exploitation likelihood, no public proof-of-concept has been identified, and CISA SSVC assessment indicates exploitation is not yet observed and attack automation is infeasible.

XSS Elfsight Whatsapp Chat Cc
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-39692 MEDIUM This Month

Stored cross-site scripting (XSS) in tagDiv Composer WordPress plugin versions up to 5.4.3 allows authenticated attackers with low privileges to inject malicious scripts that execute in the context of other users' browsers. The vulnerability requires user interaction (UI:R) and affects confidentiality, integrity, and availability with limited scope. EPSS exploitation probability is very low at 0.03% (8th percentile), and CISA SSVC assessment indicates no known exploitation, non-automatable attacks, and partial technical impact, suggesting this is a lower-priority vulnerability despite the CVSS 6.5 rating.

XSS Tagdiv Composer
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-39674 MEDIUM This Month

DOM-based cross-site scripting in MK Google Directions WordPress plugin versions up to 3.1.1 allows authenticated attackers with low privileges to inject malicious scripts that execute in users' browsers with user interaction. The vulnerability stems from improper sanitization of user-supplied input during web page generation, enabling attackers to steal session cookies, perform actions on behalf of authenticated users, or deface plugin interface elements. With an EPSS score of 0.03% (8th percentile), real-world exploitation probability is minimal despite the medium CVSS score of 6.5.

Google XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-39666 MEDIUM This Month

DOM-Based XSS in Hello Bar Popup Builder WordPress plugin versions up to 1.5.1 allows authenticated attackers with low privileges to inject arbitrary scripts that execute in users' browsers with the affected site's context. The vulnerability requires user interaction (UI:R) and affects confidentiality, integrity, and availability with limited scope. EPSS score of 0.03% (8th percentile) and CISA SSVC assessment of non-automatable exploitation with partial technical impact indicate this is a low real-world priority despite moderate CVSS score, though authenticated access and user interaction requirements limit immediate threat surface.

XSS Hello Bar Popup Builder
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-39665 MEDIUM This Month

DOM-based cross-site scripting (XSS) in Vladimir Prelovac SEO Friendly Images WordPress plugin version 3.0.5 and earlier allows authenticated attackers with low privileges to execute arbitrary JavaScript in the context of other users' browsers. The vulnerability requires user interaction (UI:R) and affects the WordPress admin dashboard with cross-site scope, enabling session hijacking, credential theft, or malicious actions on behalf of compromised administrators. EPSS exploitation probability is minimal at 0.03%, indicating low real-world attack likelihood despite the moderate CVSS score.

XSS Seo Friendly Images
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-39646 MEDIUM This Month

Stored cross-site scripting (XSS) in bozdoz Leaflet Map WordPress plugin versions up to 3.4.4 allows authenticated attackers with low privileges to inject malicious scripts that execute in the browsers of site visitors, potentially leading to session hijacking, credential theft, or website defacement. The vulnerability has a low EPSS score (0.03%, 8th percentile) suggesting minimal real-world exploitation likelihood despite moderate CVSS severity, and no public exploit code or active exploitation has been confirmed.

XSS Leaflet Map
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-39636 MEDIUM This Month

Stored cross-site scripting (XSS) in Livemesh Addons for Elementor through version 9.0 allows authenticated users with limited privileges to inject malicious scripts that execute in the browsers of administrators and other site visitors. The vulnerability stems from improper input sanitization during web page generation, enabling attackers to persistently compromise site functionality and steal administrative credentials or session tokens. CVSS 6.5 reflects moderate severity; EPSS 0.03% indicates very low real-world exploitation probability, suggesting this requires specific user interaction and authenticated access to exploit effectively.

XSS Livemesh Addons For Elementor Elementor
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-39575 MEDIUM This Month

DOM-based cross-site scripting (XSS) in Ronald Huereca Custom Query Blocks WordPress plugin version 5.5.0 and earlier allows authenticated users to inject malicious scripts via the post-type-archive-mapping functionality. The vulnerability requires user interaction (UI:R) and affects confidentiality, integrity, and availability across site boundaries (S:C). With EPSS at 0.03% and no confirmed active exploitation, this is a low-probability risk despite the medium CVSS score, indicating exploitation requires specific preconditions unlikely to occur in typical deployments.

XSS Custom Query Blocks
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-39517 MEDIUM This Month

DOM-Based Cross-Site Scripting (XSS) in A WP Life Blog Filter WordPress plugin versions 1.7.6 and earlier allows authenticated attackers with low privileges to inject malicious scripts that execute in victims' browsers when they interact with crafted web pages. The vulnerability stems from improper neutralization of user input during page generation and requires user interaction to trigger. No public exploit code or active exploitation has been identified at the time of analysis, with an EPSS score of 0.03% indicating low exploitation probability.

XSS Blog Filter
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-39508 MEDIUM This Month

DOM-based cross-site scripting (XSS) in Advanced Coupons for WooCommerce Coupons plugin (versions up to 4.7.1.1) allows authenticated attackers with low privileges to inject malicious scripts that execute in users' browsers with the same privileges as the site context, affecting confidentiality, integrity, and availability of the WordPress installation. The vulnerability has an EPSS score of 0.03% (8th percentile), indicating low real-world exploitation probability despite the moderate CVSS 6.5 rating.

XSS WordPress
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-39500 MEDIUM This Month

Stored Cross-Site Scripting (XSS) in Themesflat Addons for Elementor up to version 2.3.2 allows authenticated users with low privileges to inject malicious scripts that execute in the context of site visitors' browsers. An attacker with contributor-level access or higher can craft input fields within the plugin's admin interface to persistently store JavaScript code, which then executes whenever other users (including administrators) view the affected content. The vulnerability has low real-world exploitation risk (EPSS 0.03%, percentile 8%) despite its CVSS 6.5 rating, as it requires authenticated user interaction and user-initiated viewing of affected pages.

XSS Themesflat Addons For Elementor Elementor
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-39483 MEDIUM This Month

Stored cross-site scripting (XSS) in VK All in One Expansion Unit WordPress plugin through version 9.113.3 allows authenticated attackers to inject malicious JavaScript that executes in the browsers of other users, potentially compromising site administrators and visitors. The vulnerability requires user interaction (UI:R) and authenticated access (PR:L), limiting immediate mass exploitation but remaining a significant risk for compromised or malicious user accounts. No public exploit code or active exploitation has been reported; the EPSS score of 0.03% reflects the authentication and user-interaction requirements that reduce real-world exploitation probability.

XSS Vk All In One Expansion Unit
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-39482 MEDIUM This Month

DOM-based cross-site scripting (XSS) in PublishPress Post Expirator WordPress plugin versions 4.9.4 and earlier allows authenticated users with limited privileges to inject malicious scripts that execute in the browsers of higher-privileged administrators viewing affected pages, potentially leading to unauthorized actions or credential theft. The vulnerability requires user interaction (administrator viewing the malicious content) and is confined to the application context, making it a medium-severity risk despite the high CVSS score-EPSS scoring of 0.03% percentile indicates low real-world exploitation probability.

XSS Post Expirator
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-5905 MEDIUM PATCH This Month

Domain spoofing via incorrect security UI in Google Chrome on Windows prior to version 147.0.7727.55 allows unauthenticated remote attackers to deceive users through crafted HTML pages that exploit flawed permission display mechanisms. The attack requires user interaction (clicking or viewing a malicious page) but carries moderate real-world risk due to low EPSS exploitation probability (0.03%, 7th percentile) despite the high CVSS impact score, suggesting the vulnerability requires specific user actions or conditions to successfully exploit.

Google Information Disclosure Microsoft Red Hat Suse +1
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-1865 MEDIUM This Month

SQL Injection in User Registration & Membership plugin for WordPress (versions up to 5.1.2) allows authenticated Subscriber-level attackers to extract sensitive database information via unsanitized 'membership_ids[]' parameter. The vulnerability stems from insufficient escaping and lack of prepared statements in SQL query construction, enabling attackers to append arbitrary SQL commands to existing queries. No public exploit code or active exploitation has been identified at the time of analysis.

WordPress SQLi
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-5919 MEDIUM PATCH This Month

Google Chrome prior to 147.0.7727.55 contains insufficient validation of untrusted input in WebSockets that allows a remote attacker with a compromised renderer process to bypass same-origin policy via a crafted HTML page. This vulnerability requires prior renderer compromise and user interaction, limiting real-world exploitability despite the high CVSS score. EPSS scoring (0.02%, 6th percentile) and Chromium's own Low severity classification indicate minimal practical risk despite the integrity impact rating.

Google Authentication Bypass Chrome
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-1101 MEDIUM PATCH This Month

Denial of service in GitLab EE 18.2-18.10 allows authenticated users to crash the GitLab instance through improper input validation in GraphQL queries. GitLab EE versions 18.2 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 are affected. An authenticated attacker with any valid GitLab account can trigger the vulnerability by submitting a malformed GraphQL query, causing the instance to become unavailable. No public exploit code has been identified at the time of analysis, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.

Denial Of Service Gitlab
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-39651 MEDIUM This Month

TotalSuite Total Poll Lite plugin for WordPress versions up to 4.12.0 allows authenticated users to bypass access controls and modify poll data due to missing authorization checks on administrative functions. An authenticated attacker with low privileges can exploit incorrectly configured access control security levels to read, modify, or delete poll content without proper authorization, achieving a CVSS score of 6.3 with low exploitation probability (EPSS 0.02%).

Authentication Bypass Total Poll Lite
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-39639 MEDIUM This Month

RPS Include Content WordPress plugin through version 1.2.2 fails to properly enforce access control, allowing authenticated users to modify content they should not have permission to alter. The vulnerability stems from missing authorization checks that validate user permissions before allowing content modifications, affecting all installations of the plugin up to and including version 1.2.2. While the CVSS score of 6.5 reflects moderate severity, the low EPSS score (0.02% percentile 4%) suggests limited real-world exploitation probability, likely due to the requirement for authenticated access and the plugin's relatively narrow user base.

Authentication Bypass Rps Include Content
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-39569 MEDIUM This Month

Broken access control in AA Web Servant 12 Step Meeting List plugin version 3.19.9 and earlier allows authenticated users to view sensitive information by exploiting misconfigured access control security levels. An attacker with low-level privileges can enumerate or access data they should not be permitted to view, exposing confidential meeting or user information. The vulnerability has an EPSS score of 0.02% (4th percentile), indicating low real-world exploitation probability despite the moderate CVSS score of 6.5.

Authentication Bypass 12 Step Meeting List
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-39488 MEDIUM This Month

Missing authorization controls in SureCart WordPress plugin versions up to 4.0.2 allow authenticated attackers to access or modify restricted data due to incorrectly configured access control security levels. With CVSS 6.3 (authenticated attack, low complexity, confidentiality/integrity/availability impact) and EPSS 0.02% exploitation probability, this represents a moderate-severity flaw affecting plugin deployments where user role separation is security-critical; no public exploit code or active exploitation has been confirmed.

Authentication Bypass Surecart
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-5903 MEDIUM PATCH This Month

Bypass of iframe sandbox navigation restrictions in Google Chrome prior to version 147.0.7727.55 allows remote attackers to circumvent security boundaries via a crafted HTML page combined with specific user UI gestures. The vulnerability affects the IFrameSandbox security mechanism, which is designed to prevent iframes from navigating the top-level window; successful exploitation requires user interaction but results in direct integrity impact through unauthorized navigation. This is a low-severity issue with minimal exploitation probability (EPSS 0.02%, percentile 3%) and no confirmed active exploitation.

Authentication Bypass Google Red Hat Suse Chrome
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-5881 MEDIUM PATCH This Month

Google Chrome versions prior to 147.0.7727.55 contain a policy bypass vulnerability in the LocalNetworkAccess feature that allows remote attackers to circumvent navigation restrictions by delivering a crafted HTML page. An unauthenticated attacker requires only user interaction (clicking or viewing the malicious page) to trigger the bypass, resulting in integrity compromise of network access policies. EPSS exploitation probability is low at 0.02%, and no public exploit code or active exploitation has been reported.

Authentication Bypass Google Red Hat Suse Chrome
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-1672 MEDIUM This Month

Cross-Site Request Forgery in BEAR - Bulk Editor and Products Manager Professional for WooCommerce (all versions up to 1.1.5) allows unauthenticated attackers to modify WooCommerce product data including prices, descriptions, and other fields by tricking administrators or shop managers into clicking a malicious link, due to missing nonce validation in the woobe_redraw_table_row() function. CVSS 6.5 reflects the high integrity impact; no public exploit code or active exploitation has been confirmed at analysis time.

WordPress CSRF Bear Bulk Editor And Products Manager Professional For Woocommerce By Pluginus Net
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-5901 MEDIUM PATCH This Month

Insufficient policy enforcement in Google Chrome's DevTools allows unauthenticated attackers who convince users to install a malicious extension to bypass enterprise host restrictions and modify cookies, affecting Chrome versions prior to 147.0.7727.55. The vulnerability requires user interaction to install the malicious extension but grants attackers the ability to circumvent security policies protecting sensitive cookie data. With an EPSS score of 0.01% and Chromium severity rated as Low, real-world exploitation is unlikely despite the moderate CVSS score of 6.5.

Authentication Bypass Google Red Hat Suse Chrome
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
Page 1 of 7 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy