Skip to main content
CVE-2026-41459 MEDIUM POC PATCH This Month

Xerte Online Toolkits versions 3.15 and earlier expose the server-side filesystem root path through an unauthenticated GET request to the /setup page, allowing remote attackers to retrieve sensitive path information rendered in HTML responses. This information disclosure enables exploitation of path-dependent vulnerabilities such as relative path traversal in connector.php, potentially leading to unauthorized file access or further system compromise.

PHP Information Disclosure Path Traversal Xerteonlinetoolkits
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2018-25271 MEDIUM POC This Month

Textpad 8.1.2 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long buffer string through the Run command interface. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Memory Corruption Buffer Overflow Textpad
NVD Exploit-DB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2018-25267 MEDIUM POC This Month

UltraISO 9.7.1.3519 contains a local buffer overflow vulnerability in the Output FileName field of the Make CD/DVD Image dialog that allows attackers to overwrite SEH and SE handler records. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Memory Corruption Buffer Overflow Ultraiso
NVD Exploit-DB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2018-25266 MEDIUM POC This Month

Angry IP Scanner 3.5.3 contains a buffer overflow vulnerability in the preferences dialog that allows local attackers to crash the application by supplying an excessively large string. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Memory Corruption Buffer Overflow Angry Ip Scanner
NVD Exploit-DB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2018-25262 MEDIUM POC This Month

Angry IP Scanner for Linux 3.5.3 contains a denial of service vulnerability that allows local attackers to crash the application by supplying malformed input to the port selection field. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Memory Corruption Buffer Overflow Angry Ip Scanner For Linux
NVD Exploit-DB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-1660 MEDIUM POC PATCH This Month

Denial of service in GitLab CE/EE versions 12.3 through 18.11.0 allows authenticated users to trigger excessive resource consumption during issue import operations due to improper input validation on user-supplied data. The vulnerability affects all minor versions from 12.3 onwards until patched versions 18.9.6, 18.10.4, and 18.11.1. Publicly available exploit code exists, and CISA SSVC assessment indicates the vulnerability is exploitable but not automatable at scale.

Gitlab Denial Of Service
NVD VulDB
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-0186 MEDIUM POC PATCH This Month

Authenticated users can trigger denial of service in GitLab CE/EE versions 10.6 through 18.11.0 by sending crafted requests to the discussions endpoint that exhaust server resources. The vulnerability requires valid authentication credentials and affects all affected versions across the 10.6, 18.9, 18.10, and 18.11 release branches. Publicly available exploit code exists; CISA has not yet listed this in the Known Exploited Vulnerabilities catalog, but active exploitation likelihood is moderate given public POC availability and the low complexity of resource exhaustion attacks.

Gitlab Denial Of Service
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-3922 MEDIUM POC PATCH This Month

Authenticated users can trigger denial of service in GitLab by overwhelming system resources through the GraphQL API due to insufficient resource allocation limits. Affected versions span from 12.4 through 18.11.0 across three release branches. Publicly available exploit code exists, though active exploitation has not been confirmed in CISA KEV. CVSS 6.5 reflects moderate severity with high availability impact but requires valid authentication.

Gitlab Denial Of Service
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-6016 MEDIUM POC PATCH This Month

Denial of service in GitLab CE/EE affects authenticated users who can trigger resource exhaustion when retrieving notes under specific conditions, causing service unavailability. Versions 9.2 through 18.9.5, 18.10.0 through 18.10.3, and 18.11.0 are vulnerable. An authenticated attacker with standard user privileges can exploit this remotely without user interaction via crafted note retrieval requests. A publicly available exploit exists, and patches have been released by GitLab.

Gitlab Denial Of Service
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2024-58344 MEDIUM POC This Month

Carbon Forum 5.9.0 contains a persistent cross-site scripting vulnerability that allows authenticated administrators to inject malicious JavaScript code through the Forum Name field in dashboard. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Carbon Forum
NVD Exploit-DB GitHub
CVSS 4.0
5.1
EPSS
0.0%
CVE-2018-25269 MEDIUM POC This Month

ICEWARP 11.0.0.0 contains a cross-site scripting vulnerability that allows attackers to inject malicious HTML elements into emails by embedding base64-encoded payloads in object and embed tags. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Icewarp Client
NVD Exploit-DB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-41469 MEDIUM POC This Month

Beghelli SicuroWeb (Sicuro24) lacks Content Security Policy enforcement, permitting unrestricted loading of external JavaScript from attacker-controlled origins. When combined with template injection and sandbox escape flaws in the same application, this missing security header removes browser-enforced protections that would otherwise prevent external script execution, enabling attackers to inject arbitrary remote payloads into operator sessions. Publicly available exploit code exists, and SSVC analysis confirms exploitability is achievable but not automatable, with partial technical impact.

Code Injection Sicuroweb Sicuro24
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-5377 MEDIUM POC PATCH This Month

GitLab CE/EE 18.11 before 18.11.1 allows authenticated users to bypass access controls and read titles of confidential or private issues in public projects through improper validation in the issue description rendering process. The vulnerability requires valid user credentials but no elevated privileges, affecting the confidentiality of issue metadata that should be restricted. Publicly available exploit code exists, and a vendor patch is available.

Authentication Bypass Gitlab
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-41168 MEDIUM PATCH This Month

Denial of service in pypdf prior to version 6.10.1 allows remote attackers to craft malicious PDF files with oversized cross-reference stream `/Size` values or object stream `/N` values, causing excessive processing time and long runtimes. No authentication is required; the vulnerability is triggered by parsing a specially crafted PDF file. Patch version 6.10.1 is available from the vendor.

Information Disclosure Python Red Hat Suse
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-41457 MEDIUM PATCH This Month

SQL injection in OwnTone Server 28.4 through 29.0 allows unauthenticated remote attackers to inject arbitrary SQL expressions via the query= and filter= parameters in DAAP requests, enabling bypass of access controls and unauthorized retrieval of media library data. The vulnerability stems from insufficient sanitization of integer-mapped DAAP field parameters and affects default network-accessible deployments without requiring user interaction.

Authentication Bypass SQLi Owntone Server
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-35058 MEDIUM PATCH This Month

Remote denial-of-service in OpenVPN server allows a low-privileged network attacker possessing a valid tls-crypt-v2 client key to crash the server daemon by sending a suitably malformed packet that passes cryptographic validation but triggers a fatal ASSERT() failure, terminating the server process and disconnecting all active VPN sessions. The vulnerability is limited to deployments with tls-crypt-v2 enabled and requires possession of a legitimate client key, constraining the attacker pool. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.

Information Disclosure Suse
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-41238 MEDIUM PATCH GHSA This Month

DOMPurify versions 3.0.1 through 3.3.3 fail to prevent prototype pollution-based XSS attacks when using default configurations. An attacker who can exploit a prototype pollution gadget elsewhere in the application can pollute Object.prototype with permissive regex values, causing DOMPurify to bypass sanitization and allow arbitrary custom elements with event handler attributes. The vulnerability affects the standard DOMPurify.sanitize(userInput) call without requiring special configuration.

Google XSS Red Hat Chrome
NVD GitHub VulDB
CVSS 3.1
6.9
EPSS
0.0%
CVE-2026-34068 MEDIUM PATCH GHSA This Month

The Nimiq staking contract accepts UpdateValidator transactions that omit proof-of-knowledge validation when updating voting keys, enabling rogue-key attacks against BLS signature aggregation used in Tendermint block justification. An attacker who can predict the next epoch's validator set could forge quorum-appearing block justifications with a single signature. Exploitation is constrained by the requirement to predict future validator set composition via VRF, making real-world attacks unlikely despite the critical cryptographic impact. Vendor-released patch v1.3.0 addresses the vulnerability.

Jwt Attack Information Disclosure
NVD GitHub
CVSS 3.1
6.8
EPSS
0.0%
CVE-2026-41239 MEDIUM PATCH GHSA This Month

Cross-site scripting (XSS) in DOMPurify when using SAFE_FOR_TEMPLATES with RETURN_DOM or RETURN_DOM_FRAGMENT modes allows remote attackers to execute arbitrary JavaScript by crafting malformed HTML that reassembles into template expressions after DOM normalization. The vulnerability affects DOMPurify from v1.0.10 through at least v3.3.3, exploitable when sanitized output is mounted into template-evaluating frameworks like Vue 2. A proof-of-concept demonstrates reliable exploitation with alert(1) execution.

Node.js XSS Red Hat
NVD GitHub VulDB
CVSS 3.1
6.8
EPSS
0.0%
CVE-2026-35349 MEDIUM PATCH GHSA This Month

Bypass of --preserve-root protection in uutils coreutils rm utility allows local users to recursively delete the root filesystem by supplying a symbolic link that resolves to the root directory, rather than relying on authentic root inode comparison. The vulnerability affects coreutils versions before 0.7.0 and requires local access with no special privileges, though successful exploitation is hindered by high complexity (AC:H). CISA exploitation status is none at time of analysis, and a vendor patch has been released.

Authentication Bypass Coreutils
NVD GitHub
CVSS 3.1
6.7
EPSS
0.0%
CVE-2026-6839 MEDIUM This Month

Improper validation of STRING tensor offsets in Samsung Open Source ONE prior to commit 1.30.0 allows local attackers with user interaction to trigger out-of-bounds memory access during constant tensor import, potentially causing information disclosure, data modification, or denial of service. The vulnerability affects the tensor metadata parsing logic when processing malformed string tensor definitions.

Samsung Information Disclosure
NVD GitHub
CVSS 3.1
6.6
EPSS
0.0%
CVE-2026-40450 MEDIUM This Month

Integer overflow in Samsung Open Source ONE's output tensor copy size calculation allows local attackers with user interaction to cause memory corruption and potential code execution through oversized tensor processing. The vulnerability affects versions prior to 1.30.0 and stems from improper integer arithmetic when computing copy lengths for tensor data, enabling an attacker to trigger buffer overflows by crafting malicious tensor inputs that bypass size validation.

Samsung Integer Overflow Buffer Overflow
NVD GitHub VulDB
CVSS 3.1
6.6
EPSS
0.0%
CVE-2026-35365 MEDIUM PATCH GHSA This Month

The mv utility in uutils coreutils improperly expands symbolic links instead of preserving them during moves across filesystem boundaries, allowing local authenticated users to trigger resource exhaustion via disk space consumption, disclose sensitive data through unexpected file duplication, or cause denial of service through infinite symlink loop recursion. Affected versions prior to 0.7.0 are vulnerable; a vendor-released patch is available.

Information Disclosure Denial Of Service Coreutils
NVD GitHub
CVSS 3.1
6.6
EPSS
0.0%
CVE-2026-35350 MEDIUM This Month

The cp utility in uutils coreutils improperly preserves setuid and setgid bits when the chown operation fails during file copying with the -p flag, potentially creating unprivileged user-owned files that retain elevated privilege bits and violate security policies. This behavior diverges from GNU cp, which strips these bits when ownership preservation fails. Local users with write access to directories can exploit this to create unexpected privileged executables.

Information Disclosure Coreutils
NVD GitHub
CVSS 3.1
6.6
EPSS
0.0%
CVE-2026-41667 MEDIUM This Month

Integer overflow in constant tensor data size calculation in Samsung Open Source ONE prior to version 1.30.0 allows local attackers with user interaction to cause incorrect buffer sizing for large constant nodes, leading to buffer overflow conditions that may result in information disclosure or denial of service. The vulnerability requires local access and user interaction but can trigger high-severity memory corruption due to incorrect buffer allocation for tensors exceeding integer size limits.

Samsung Integer Overflow Buffer Overflow
NVD GitHub
CVSS 3.1
6.6
EPSS
0.0%
CVE-2026-41666 MEDIUM This Month

Integer overflow in tensor copy size calculation within Samsung Open Source ONE enables out of bounds memory access during loop state propagation. Unauthenticated local attackers with user interaction can trigger the overflow to read sensitive data, modify memory, or cause denial of service on affected versions prior to 1.30.0. CVSS 6.6 indicates moderate severity with high availability impact.

Samsung Integer Overflow Buffer Overflow
NVD GitHub
CVSS 3.1
6.6
EPSS
0.0%
CVE-2026-41664 MEDIUM This Month

Integer overflow in memory copy size calculation in Samsung Open Source ONE prior to commit 1.30.0 allows local attackers with user privileges to trigger invalid memory operations by supplying tensors with large shapes, potentially causing information disclosure, data corruption, or denial of service. The vulnerability requires user interaction (UI:R) and operates with low attack complexity on local systems. No public exploit code or active exploitation has been identified.

Samsung Integer Overflow Buffer Overflow
NVD GitHub
CVSS 3.1
6.6
EPSS
0.0%
CVE-2026-40449 MEDIUM This Month

Integer overflow in tensor buffer size calculation in Samsung Open Source ONE prior to version 1.30.0 allows local attackers with user-level privileges to cause out-of-bounds memory access, leading to information disclosure and denial of service. The vulnerability requires user interaction to process specially crafted large tensor data. CVSS 6.6 indicates moderate severity with local attack vector and high availability impact.

Samsung Integer Overflow Buffer Overflow
NVD GitHub VulDB
CVSS 3.1
6.6
EPSS
0.0%
CVE-2026-4280 MEDIUM This Month

Local file inclusion in Breaking News WP plugin for WordPress (versions up to 1.3) allows authenticated attackers with Subscriber-level access to read arbitrary files on the server. The vulnerability stems from insufficient path validation in the brnwp_show_breaking_news_wp() shortcode handler, which passes unsanitized user input directly to PHP's include() function after stripping only text field characters but not directory traversal sequences. Attackers can exploit the unprotected brnwp_ajax_form AJAX endpoint to overwrite the brnwp_theme option with paths like ../../../../etc/passwd, then trigger file inclusion when the shortcode renders.

Path Traversal WordPress CSRF
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-31192 MEDIUM This Month

Raindrop.io Bookmark Manager Web App version 5.6.76.0 allows remote unauthenticated attackers to obtain sensitive user data through insufficient validation of Chrome extension identifiers in crafted requests. The vulnerability exploits improper input validation (CWE-20) to bypass security controls, enabling information disclosure with low integrity impact. No active exploitation has been confirmed in CISA KEV, but publicly available vulnerability research exists on GitHub.

Information Disclosure Google Chrome
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-6355 MEDIUM This Month

Insecure direct object references in Augmentt 1.0 allow unauthenticated remote attackers to access and modify sensitive tenant data across different organizational contexts, bypassing authentication mechanisms through direct manipulation of object identifiers. The vulnerability enables both unauthorized information disclosure and modification of tenant configuration with CVSS 6.5 (medium severity); no public exploit code has been identified at the time of analysis, though the attack is automatable and requires no user interaction.

Information Disclosure Authentication Bypass Augmentt
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-41127 MEDIUM This Month

BigBlueButton versions prior to 3.0.24 allow authenticated viewers to inject or overwrite captions due to missing authorization controls, enabling unauthorized modification of classroom content. The vulnerability requires an authenticated session but does not need user interaction, affecting the integrity of real-time collaboration in virtual classroom deployments. Version 3.0.24 restricts caption submission permissions to authorized roles only.

Authentication Bypass
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-32885 MEDIUM PATCH GHSA This Month

Path traversal in DDEV versions prior to 1.25.2 allows remote attackers to write files outside intended extraction directories when downloading and extracting archives from remote sources. The vulnerability affects the Untar() and Unzip() functions in pkg/archive/archive.go, which lack path validation during extraction. Exploitation requires user interaction (UI:R) to trigger archive extraction but can achieve high integrity impact through arbitrary file write. A proof-of-concept exists, and CISA SSVC framework rates this as exploitable with partial technical impact.

Node.js PHP Path Traversal
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-33611 MEDIUM PATCH This Month

PowerDNS Authoritative server allows authenticated REST API operators to inject malformed HTTPS or SVCB record data, corrupting the LMDB backend database and causing service degradation or denial of availability. The vulnerability requires high-privilege REST API access and affects deployments using LMDB as the backend storage engine, with confirmed impact on data integrity and availability.

Information Disclosure Integer Overflow Authoritative
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-33602 MEDIUM PATCH This Month

DNSdist is vulnerable to denial of service via out-of-bounds write when processing crafted UDP responses from a rogue backend server. An attacker controlling a backend DNS server can send a specially crafted UDP response with a query ID set off-by-one from the maximum configured value, triggering memory corruption that crashes the DNS forwarder. The CVSS score of 6.5 reflects network attack vector with high complexity and absence of confidentiality impact, though availability and integrity are affected.

Denial Of Service Buffer Overflow Heap Overflow Suse
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-1395 MEDIUM This Month

Stored Cross-Site Scripting in the Gutentools WordPress plugin (versions up to 1.1.3) allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript into pages via the Post Slider block's block_id attribute. The vulnerability exploits insufficient input sanitization combined with a custom unescaping routine that reintroduces dangerous characters, enabling persistent payload execution whenever users access injected pages. This affects all installations using the plugin at or below version 1.1.3 and requires only low-privileged WordPress authentication.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1913 MEDIUM This Month

Stored Cross-Site Scripting (XSS) in the Gallagher Website Design WordPress plugin through version 2.6.4 allows authenticated attackers with Contributor-level access or higher to inject arbitrary JavaScript into pages via the 'prefix' attribute of the login_link shortcode, bypassing input sanitization and output escaping controls. The injected scripts execute in the context of any user viewing the affected page, potentially enabling session hijacking, credential theft, or malicious redirection. Wordfence has documented the vulnerability with proof-of-concept references to the vulnerable code in the WordPress plugin repository.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-41591 MEDIUM PATCH GHSA This Month

Cross-site scripting in Marko template engine allows authenticated attackers to break out of script and style tags using mixed-case closing tags (e.g., </SCRIPT>, </Style>) and inject arbitrary HTML/JavaScript. The vulnerability affects any Marko template that interpolates untrusted user data inside <script> or <style> blocks, enabling stored XSS attacks against victim browsers with CVSS 6.4 (network-accessible, low complexity, requires low privileges). Vendor-released patch available.

XSS
NVD GitHub
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-4088 MEDIUM This Month

Stored Cross-Site Scripting in Switch CTA Box WordPress plugin up to version 1.1 allows authenticated contributors and above to inject arbitrary JavaScript through unsanitized post meta fields including button link, button ID, button text, and description. The vulnerability arises from direct output of user-supplied data into HTML without escaping functions, enabling attackers to execute malicious scripts whenever pages containing injected shortcodes are accessed by any visitor.

XSS WordPress
NVD GitHub
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-4074 MEDIUM This Month

Stored Cross-Site Scripting in the Quran Live Multilanguage WordPress plugin versions up to 1.0.3 allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript via unsanitized shortcode attributes ('cheikh' and 'lang'). The vulnerability exploits insufficient input validation in the quran_live_render() function and direct output of user-supplied values into inline <script> blocks without escaping, enabling injection of arbitrary web scripts that execute whenever a user accesses the compromised page.

XSS WordPress PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-4076 MEDIUM This Month

Stored cross-site scripting in Slider Bootstrap Carousel WordPress plugin up to version 1.0.7 allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript via unsanitized 'category' and 'template' shortcode attributes, executing malicious scripts in pages viewed by any user. The vulnerability stems from improper use of extract() on shortcode attributes combined with missing output escaping (esc_attr()) on multiple HTML attributes, enabling persistent XSS injection that affects site security and user data.

XSS WordPress Bootstrap
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-4085 MEDIUM This Month

Stored cross-site scripting (XSS) in Easy Social Photos Gallery - MIF plugin for WordPress (versions up to 3.1.2) allows authenticated attackers with contributor-level access to inject arbitrary HTML and JavaScript via the 'wrapper_class' shortcode attribute of the 'my-instagram-feed' shortcode. The vulnerability exists because the plugin uses sanitize_text_field() instead of esc_attr() when outputting the attribute inside HTML class tags, allowing attackers to break out of the attribute context and inject event handlers that execute in users' browsers when they visit affected pages.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-4125 MEDIUM This Month

Stored Cross-Site Scripting in WPMK Block plugin for WordPress up to version 1.0.1 allows authenticated attackers with Contributor-level access to inject arbitrary web scripts via the 'class' shortcode attribute, which is directly concatenated into HTML without proper escaping. The vulnerability affects all versions through 1.0.1 due to insufficient input sanitization in the wpmk_block_shortcode() function, enabling persistent XSS attacks that execute whenever users access compromised pages.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-4089 MEDIUM This Month

Stored cross-site scripting in Twittee Text Tweet WordPress plugin versions up to 1.0.8 allows authenticated users with Contributor-level access to inject arbitrary JavaScript via unsanitized shortcode attributes. The ttt_twittee_tweeter() function uses extract() to process shortcode parameters and concatenates them directly into HTML and inline JavaScript contexts without escaping, enabling attackers to break out of attribute contexts and inject event handlers that execute against site visitors. The vulnerability affects the 'id', 'tweet', 'content', 'balloon', and 'theme' parameters.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-4082 MEDIUM This Month

Stored cross-site scripting in the ER Swiffy Insert WordPress plugin through version 1.0.0 allows authenticated users with Contributor access or higher to inject arbitrary JavaScript via unsanitized shortcode attributes that are directly interpolated into page output. The vulnerability affects all versions of the plugin and requires only contributor-level privileges to exploit, making it a persistence and privilege-escalation vector on WordPress sites with multiple user accounts.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-4279 MEDIUM This Month

Stored cross-site scripting in Bread & Butter plugin for WordPress up to version 8.2.0.25 allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript via the 'event' attribute of the 'breadbutter-customevent-button' shortcode. The vulnerability arises from missing output escaping in the customEventShortCodeButton() function, which directly interpolates unsanitized user input into an onclick HTML attribute. Scripts execute in the context of any user viewing the affected page, enabling session hijacking, credential theft, or malicious content injection.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-4353 MEDIUM This Month

Stored cross-site scripting in CI HUB Connector plugin for WordPress up to version 1.2.106 allows authenticated attackers with Contributor-level access or above to inject arbitrary JavaScript through the 'id' attribute of the cihub_metadata shortcode, which executes in the context of any user visiting the injected page. The vulnerability stems from insufficient input sanitization and output escaping in the shortcode handler, enabling persistent XSS attacks that can compromise site visitors and administrative accounts.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-6236 MEDIUM This Month

Stored Cross-Site Scripting in Posts Map plugin for WordPress up to version 0.1.3 allows authenticated contributors to inject arbitrary JavaScript via the 'name' shortcode attribute. When any user accesses a page containing the malicious shortcode, the injected script executes in their browser with the privileges of their WordPress session, potentially enabling account compromise, admin impersonation, or malware distribution. The vulnerability requires contributor-level or higher access and affects all versions through 0.1.3.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-5748 MEDIUM This Month

Stored cross-site scripting (XSS) in the Text Snippets plugin for WordPress up to version 0.0.1 allows authenticated attackers with contributor-level access to inject arbitrary JavaScript into pages via unsanitized shortcode attributes, which executes whenever any user visits the affected page. The vulnerability stems from insufficient input sanitization and output escaping on the `ts` shortcode, enabling persistent payload injection. No public exploit code or active exploitation has been identified at time of analysis.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-6246 MEDIUM This Month

Simple Random Posts Shortcode plugin for WordPress versions up to 0.3 contains stored cross-site scripting (XSS) via insufficient sanitization of the 'container_right_width' shortcode attribute, allowing authenticated contributors and above to inject arbitrary JavaScript that executes in browsers of all users accessing affected pages. No active exploitation has been confirmed, but the vulnerability requires only contributor-level access and carries network-based attack vector with low complexity.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
Page 1 of 4 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy