74 CVEs tracked today. 2 Critical, 24 High, 30 Medium, 17 Low.
-
CVE-2026-7458
CRITICAL
CVSS 9.8
Authentication bypass in User Verification by PickPlugins for WordPress allows remote unauthenticated attackers to log in as any user with a verified email, including administrators, by submitting the value 'true' as the OTP code. The flaw is a loose PHP comparison (==) in the OTP validation logic: once the submitted value is interpreted as boolean true, PHP coerces the stored OTP to boolean as well, so any non-empty, non-zero OTP compares equal and the check passes. With CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) and EPSS data unavailable, this represents complete site compromise risk for WordPress sites running vulnerable versions (≤2.0.46). Fixed in version 2.0.47 per Wordfence advisory and WordPress plugin repository changeset 3519113.
PHP
WordPress
Authentication Bypass
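The loose-comparison failure described above, as an added example (not code from the User Verification plugin). It assumes the OTP arrives in a JSON body decoded with json_decode(), which is what turns the literal true into a PHP boolean; the page only states that the string 'true' is submitted, so that decoding path is an assumption. The stored OTP value is constructed.

```php
<?php
// Added example, not the plugin's code. Models an OTP check that uses
// PHP's loose == beside a strict, constant-time check, and feeds both the
// one JSON value that defeats the loose one.
declare(strict_types=1);   // has no effect on ==, which is the point

// Stored OTP as a verification plugin would keep it in user meta
// (constructed sample value).
const STORED_OTP = '482913';

/** Vulnerable: if $submitted is bool(true), PHP casts the stored string to bool too. */
function otp_matches_loose(string $stored, mixed $submitted): bool
{
    return $submitted == $stored;
}

/** Hardened: insist on a digit string and compare in constant time. */
function otp_matches_strict(string $stored, mixed $submitted): bool
{
    if (!is_string($submitted) || !ctype_digit($submitted)) {
        return false;
    }
    return hash_equals($stored, $submitted);
}

// Request bodies as a legitimate user, an attacker and a guesser would
// send them (constructed). json_decode() gives bool(true) for the second.
$bodies = [
    'legit'  => '{"email":"a@example.test","otp":"482913"}',
    'bypass' => '{"email":"a@example.test","otp":true}',
    'wrong'  => '{"email":"a@example.test","otp":"000000"}',
];

foreach ($bodies as $label => $json) {
    $req = json_decode($json, true);
    printf("%-7s loose=%s strict=%s\n",
        $label,
        var_export(otp_matches_loose(STORED_OTP, $req['otp']), true),
        var_export(otp_matches_strict(STORED_OTP, $req['otp']), true));
}
```

The 'bypass' body passes the loose check for every stored OTP except an empty string or "0", and fails the strict one. hash_equals() also removes the timing side channel that a plain === would keep; the type check in front of it is what closes the boolean coercion.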
-
CVE-2026-4882
CRITICAL
CVSS 9.8
Unrestricted file upload in User Registration Advanced Fields plugin for WordPress (≤1.6.20) allows remote unauthenticated attackers to upload executable files and achieve code execution on the web server when Profile Picture fields are enabled in registration forms. Wordfence has documented this critical vulnerability affecting all versions through 1.6.20, with exploitation possible against any site using the Profile Picture form field feature without authentication or user interaction required.
WordPress
RCE
File Upload
-
CVE-2026-43824
HIGH
CVSS 7.7
Authenticated users with low privileges can read cleartext Kubernetes Secret data through Argo CD's ServerSideDiff feature in versions 3.2.0-3.2.10 and 3.3.0-3.3.8. This scope-changing vulnerability (CVSS:3.1 S:C) allows attackers to access sensitive credential data managed by Kubernetes, including database passwords, API tokens, and certificates, by exploiting the server-side diff functionality. With a 7.7 CVSS score and low attack complexity (AC:L), this represents a significant confidentiality breach requiring only network access and a low-privileged Argo CD account. No public exploit was identified at time of analysis, but the technical barrier to exploitation is minimal.
Information Disclosure
Kubernetes
Red Hat
-
CVE-2026-7649
HIGH
CVSS 7.5
Time-based blind SQL injection in ARMember WordPress plugin versions up to 4.0.60 allows unauthenticated remote attackers to extract sensitive database information via the 'orderby' parameter. The vulnerability stems from insufficient input sanitization in the members directory and shortcode handling classes, enabling attackers to append malicious SQL queries without authentication (CVSS 7.5, AV:N/AC:L/PR:N/UI:N). EPSS data and active exploitation status not available at time of analysis, but the lack of authentication requirements and low attack complexity make this a high-priority remediation target for WordPress sites using ARMember for membership management or content restriction.
WordPress
SQLi
-
CVE-2026-7647
HIGH
CVSS 8.1
Unauthenticated PHP object injection in Profile Builder Pro for WordPress allows remote attackers to execute arbitrary code by deserializing malicious objects through an unprotected AJAX endpoint. The vulnerability affects all versions through 3.14.5 and stems from unsafe deserialization of attacker-controlled POST data in the wppb_request_users_pins_action_callback() handler, which was registered for both authenticated and unauthenticated users without nonce verification. With CVSS 8.1 and AC:H complexity, exploitation requires chaining with a POP gadget chain, though EPSS data and KEV status are not available to confirm active exploitation.
PHP
WordPress
Deserialization
-
CVE-2026-7641
HIGH
CVSS 8.8
Authenticated privilege escalation in 'Import and export users and customers' WordPress plugin versions up to 2.0.8 allows Subscriber-level users to elevate privileges to Administrator on any subsite within a WordPress Multisite network. The vulnerability stems from an incomplete blocklist in save_extra_user_profile_fields() that restricts the primary site capability meta keys (wp_capabilities) but fails to block multisite-prefixed equivalents (wp_2_capabilities, wp_3_capabilities, etc.). Exploitation requires that an administrator has previously imported a CSV with multisite-prefixed capability headers and enabled the 'Show fields in profile?' option. Patch released in changeset 3515646 per WordPress plugin repository. No EPSS or KEV data was available at time of analysis.
PHP
WordPress
Privilege Escalation
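The incomplete-blocklist problem described above, as an added example (not the plugin's code). It models the profile-save step with a literal blocklist beside a pattern check that covers every per-site capability key WordPress Multisite generates; the table prefix wp_, the field names and the submitted values are constructed.

```php
<?php
// Added example, not the plugin's code. Shows why a blocklist naming only
// wp_capabilities and wp_user_level lets wp_<blogid>_capabilities through,
// and a pattern check that catches the whole family. Assumes the default
// table prefix 'wp_'.
declare(strict_types=1);

const BASE_PREFIX = 'wp_';

/** Incomplete: only the primary site's keys are named. */
function is_protected_meta_blocklist(string $key): bool
{
    $blocked = [BASE_PREFIX . 'capabilities', BASE_PREFIX . 'user_level'];
    return in_array($key, $blocked, true);
}

/** Complete: wp_capabilities, wp_user_level and any wp_<digits>_ variant of them. */
function is_protected_meta_pattern(string $key): bool
{
    $prefix = preg_quote(BASE_PREFIX, '/');
    return (bool) preg_match('/^' . $prefix . '(\d+_)?(capabilities|user_level)$/', $key);
}

/**
 * Models the profile-save step: drop every submitted field whose key is
 * protected, then whatever remains would be written as user meta.
 * $fields is attacker-controlled profile input.
 */
function filter_profile_fields(array $fields, callable $is_protected): array
{
    return array_filter($fields, fn(string $k) => !$is_protected($k), ARRAY_FILTER_USE_KEY);
}

// Constructed Subscriber-submitted profile form. The values are the
// serialized form WordPress stores for an administrator; the two
// wp_2_* keys would grant Administrator on subsite 2 if written.
$submitted = [
    'wp_capabilities'   => 'a:1:{s:13:"administrator";b:1;}',
    'wp_2_capabilities' => 'a:1:{s:13:"administrator";b:1;}',
    'wp_2_user_level'   => '10',
    'phone'             => '+1-555-0100',
];

print_r(filter_profile_fields($submitted, 'is_protected_meta_blocklist'));
print_r(filter_profile_fields($submitted, 'is_protected_meta_pattern'));
```

The blocklist version keeps wp_2_capabilities and wp_2_user_level; the pattern version keeps only phone. The stronger design is to never derive meta keys from request input at all and write only an allowlist of expected profile fields, which is what the filter above approximates from the other direction.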
-
CVE-2026-7607
HIGH
CVSS 8.7
Remote authenticated attackers can execute arbitrary code on TRENDnet TEW-821DAP v1.xR hardware running firmware 1.12B01 by exploiting a buffer overflow in the auto_update_firmware function during firmware update operations. The vulnerable product was end-of-lifed 8 years ago and is no longer supported by TRENDnet, making patching practically impossible for remaining deployed devices. With CVSS 8.7 (AV:N/AC:L/PR:L), this represents a critical risk for legacy installations, though real-world impact is limited by the obsolete product lifecycle and requirement for authenticated access to the firmware update interface.
Buffer Overflow
-
CVE-2026-7491
HIGH
CVSS 8.6
Insecure Direct Object Reference in Zyosoft School App allows authenticated remote attackers to escalate privileges horizontally by manipulating object identifiers in API requests, enabling unauthorized read and write access to other users' personal data including student records, grades, and account information. The vulnerability requires only low-level authentication (PR:L) with no user interaction and poses high confidentiality and integrity risk to multi-tenant educational data. EPSS and KEV data not available; exploitation complexity is low (AC:L) making this accessible to moderately skilled attackers once credentials are obtained.
Authentication Bypass
-
CVE-2026-7490
HIGH
CVSS 8.6
Arbitrary file upload in Sunnet CTMS and CPAS allows authenticated remote attackers with high privileges to upload and execute web shell backdoors, achieving full server compromise. The vulnerability enables complete control over affected systems via malicious file execution, with critical impact to confidentiality, integrity, and availability. Despite requiring high-privilege access (PR:H), the network-accessible attack vector and low complexity (AV:N/AC:L) make this exploitable by any authenticated administrator or privileged user, representing significant risk in environments where such credentials are compromised or where insider threats exist.
RCE
File Upload
-
CVE-2026-7489
HIGH
CVSS 8.7
SQL injection in Sunnet CTMS allows authenticated remote attackers with low privileges to execute arbitrary SQL commands over the network. The vulnerability enables complete compromise of database integrity - reading sensitive data, modifying records, and deleting information. Taiwan CERT (TWCERT) published advisories documenting this vulnerability, indicating coordinated disclosure. EPSS and KEV data not available; exploitation status unknown beyond vendor notification.
SQLi
-
CVE-2026-7049
HIGH
CVSS 7.2
Server-Side Request Forgery in PixelYourSite Pro WordPress plugin allows unauthenticated remote attackers to force the web application to make arbitrary HTTP requests to internal or external resources through the vulnerable scan_video function. The vulnerability affects all versions up to 12.5.0.1 and features a Changed scope (CVSS S:C), enabling attackers to probe internal network infrastructure, access cloud metadata services, and potentially modify data in internal systems that trust requests from the WordPress server. The blind SSRF nature means attackers receive no direct response but can infer results through timing attacks or side-channel observation. EPSS data not available; no public exploit code identified at time of analysis.
WordPress
SSRF
-
CVE-2026-6963
HIGH
CVSS 8.8
Missing capability check in WP Mail Gateway plugin for WordPress (versions ≤1.8) allows authenticated attackers with Subscriber-level privileges to modify SMTP settings via the wmg_save_provider_config AJAX action, enabling mail redirection. Attackers exploit this by pointing outbound mail at an attacker-controlled SMTP server, intercepting password reset emails, and using the reset links to take over an Administrator account. CVSS 8.8 (High) reflects the severe impact despite requiring initial low-level authentication. No active exploitation confirmed via CISA KEV; the issue was disclosed through Wordfence.
WordPress
Authentication Bypass
Privilege Escalation
-
CVE-2026-6320
HIGH
CVSS 7.5
Arbitrary file read in Salon Booking System plugin for WordPress (versions ≤10.30.25) allows unauthenticated remote attackers to exfiltrate sensitive local files by injecting malicious file paths into booking form fields, which are then attached to confirmation emails sent by the system. Wordfence identified this path traversal vulnerability (CWE-22) with a CVSS score of 7.5, exploitable without authentication or user interaction. The vulnerability is confirmed patched in version 10.30.26 via changeset 3512110, though no CISA KEV listing or public exploit code has been identified at time of analysis.
WordPress
Path Traversal
-
CVE-2026-6229
HIGH
CVSS 7.2
Server-Side Request Forgery (SSRF) in Royal Elementor Addons plugin for WordPress allows attackers to bypass URL validation by including 'docs.google.com/spreadsheets' in query parameters, enabling requests to arbitrary internal URLs and retrieval of sensitive data from private network services. Affects versions up to 1.7.1057. The description states a Contributor-level requirement, but the CVSS vector indicates no authentication required (PR:N); affected site operators should verify the actual privilege requirement against the vendor advisory. No active exploitation confirmed (not in CISA KEV), but detailed source code references enable rapid POC development.
WordPress
Google
SSRF
-
CVE-2026-5324
HIGH
CVSS 7.2
Unauthenticated attackers can inject stored cross-site scripting payloads into Brizy Page Builder for WordPress (versions ≤2.8.11) via form submission FileUpload fields, which execute when administrators view the form Leads page. The vulnerability chains three implementation flaws: missing nonce verification for anonymous form submissions, inadequate sanitization of FileUpload field values when no file is attached, and reversal of HTML entity encoding via html_entity_decode() before unescaped output in admin views. Publicly available exploit code exists. EPSS data not provided, but the CVSS 7.2 (High) with scope change reflects the privilege escalation from unauthenticated user to admin-context execution. Patch released in version 2.8.12 per WordPress plugin repository changeset 3502206.
PHP
WordPress
XSS
-
CVE-2026-5113
HIGH
CVSS 7.2
Stored Cross-Site Scripting in Gravity Forms plugin for WordPress allows unauthenticated remote attackers to inject malicious JavaScript into form entries that executes when administrators view the Entries List page. The vulnerability exploits a flawed dual-hash state validation mechanism that fails to prevent sanitized-then-restored XSS payloads in Consent field hidden inputs. Gravity Forms versions up to 2.10.0 are affected. EPSS data not available; no CISA KEV listing or public POC identified at time of analysis, but Wordfence threat intelligence disclosure indicates vendor awareness and patching activity.
WordPress
XSS
-
CVE-2026-5112
HIGH
CVSS 7.2
Stored Cross-Site Scripting in Gravity Forms for WordPress up to 2.10.0 enables unauthenticated attackers to inject malicious scripts through form submissions containing crafted Calculation Product field names within Repeater fields. When administrators view entry details in wp-admin, the unescaped product names execute arbitrary JavaScript in the admin context. CVSS 7.2 (AV:N/AC:L/PR:N/UI:N/S:C) indicates network-accessible exploitation without authentication, though actual impact requires admin interaction. EPSS and KEV data not provided; no public exploit code confirmed at time of analysis. Wordfence reported this vulnerability affecting the Calculation Product field validation and rendering chain.
WordPress
XSS
-
CVE-2026-5111
HIGH
CVSS 7.2
Stored Cross-Site Scripting in Gravity Forms plugin for WordPress through version 2.10.0 allows unauthenticated remote attackers to inject malicious scripts via Hidden Product fields nested in Repeater fields. The vulnerability executes when WordPress administrators view submitted form entries. Attack succeeds because repeater subfields bypass validation, and the Hidden Product field's validate() method checks only quantity while ignoring the product name field, which renders unescaped in entry details. CVSS 7.2 with changed scope indicates potential cross-user impact. EPSS and KEV data not provided; exploitation requires no authentication or user interaction (AV:N/PR:N/UI:N), making this exploitable against any public-facing Gravity Forms installation accepting submissions.
WordPress
XSS
-
CVE-2026-5110
HIGH
CVSS 7.2
Stored cross-site scripting (XSS) in Gravity Forms WordPress plugin versions ≤2.10.0 allows remote unauthenticated attackers to inject malicious JavaScript that executes when administrators view form entries. The vulnerability exploits a validation bypass in nested SingleProduct fields within Repeater fields, where product name tampering is not validated. When admins access compromised entries via wp-admin, the unsanitized payload executes in their browser session. CVSS 7.2 (AV:N/AC:L/PR:N/UI:N) indicates network-accessible exploitation without authentication or user interaction during payload delivery, though the attack requires subsequent admin interaction (viewing the entry) for payload execution. No active exploitation confirmed in CISA KEV at time of analysis.
PHP
WordPress
XSS
-
CVE-2026-5109
HIGH
CVSS 7.2
Stored XSS in Gravity Forms for WordPress ≤2.10.0 allows unauthenticated remote attackers to inject malicious JavaScript through Product Option field values that execute when administrators view entry details. The flaw exploits a sanitization bypass: the plugin's state validation accepts values matching wp_kses()-cleaned legitimate options but stores the raw unsanitized input, which is then rendered without escaping in the Order Summary view (view-order-summary.php:32). EPSS data not available; no public exploit identified at time of analysis. Vendor patch status requires verification via changelog.
PHP
WordPress
XSS
-
CVE-2026-4100
HIGH
CVSS 7.1
Authenticated attackers with Subscriber-level access can disrupt all Stripe payment processing in Paid Memberships Pro for WordPress versions up to 3.6.5 by deleting, creating, or rebuilding webhook configurations. Missing capability checks on three AJAX handlers (pmpro_stripe_create_webhook, pmpro_stripe_delete_webhook, pmpro_stripe_rebuild_webhook) allow low-privilege users to break subscription renewals, cancellation handling, and failed payment management for the entire site. Patch available in PR #3615 implementing proper authorization checks requiring the manage_options or pmpro_paymentsettings capability plus nonce validation. EPSS data not provided; no CISA KEV listing at time of analysis.
WordPress
Authentication Bypass
-
CVE-2026-4062
HIGH
CVSS 7.5
Time-based SQL injection in Geo Mashup WordPress plugin versions ≤1.13.18 allows unauthenticated remote attackers to extract sensitive database information. The vulnerability stems from ineffective sanitization of the 'object_ids' and 'exclude_object_ids' parameters: esc_sql() is applied, but it only escapes quotes and provides no protection in unquoted IN() contexts, where attackers can inject parentheses and SQL keywords without ever needing a quote. The numeric sanitizer exists but only applies to AJAX paths, leaving render-map.php and template tag paths vulnerable. EPSS data not available; no CISA KEV listing or public POC identified at time of analysis, but the Wordfence Threat Intelligence disclosure increases the likelihood of weaponization.
PHP
WordPress
SQLi
-
CVE-2026-4061
HIGH
CVSS 7.5
Time-based blind SQL injection in Geo Mashup WordPress plugin allows unauthenticated remote attackers to extract database contents when Geo Search is enabled. The vulnerability stems from explicit removal of WordPress's built-in magic quotes protection via stripslashes_deep($_POST), combined with failure to sanitize the map_post_type parameter before SQL concatenation in an IN() clause. EPSS data not provided. No CISA KEV listing indicates this is not yet confirmed as actively exploited. Public exploit code status unknown, though detailed code references in Wordfence advisory provide clear exploitation path. Patch released in changeset 3503627.
WordPress
SQLi
-
CVE-2026-4060
HIGH
CVSS 7.5
Time-based SQL injection in WordPress Geo Mashup plugin ≤1.13.18 allows unauthenticated remote attackers to extract sensitive database information. The 'sort' parameter in multiple code paths (render-map.php, template tags) lacks proper sanitization despite esc_sql() application, which is ineffective in ORDER BY contexts without quote encapsulation. Version 1.13.18 added allowlist-based sanitization but only protected the AJAX endpoint, leaving other attack vectors exploitable. EPSS and KEV data not available; vulnerability disclosed by Wordfence with public source code references confirming the flaw.
PHP
WordPress
SQLi
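The esc_sql()-in-unquoted-context problem shared by the three Geo Mashup entries above (the IN() list in CVE-2026-4062 and the ORDER BY column in CVE-2026-4060), as an added example that is not the plugin's code. esc_sql() is stood in for by addslashes(), which is enough to show that quote escaping is the only thing such escaping does; the table name, column allowlist and attacker inputs are constructed.

```php
<?php
// Added example, not Geo Mashup's code. Builds the same query two ways:
// with quote escaping spliced into unquoted SQL (no protection), and with
// integer casting for the IN() list plus an allowlist for the sort column.
declare(strict_types=1);

/** Stand-in for WordPress esc_sql(): escapes ' " \ and NUL, nothing else. */
function esc_sql_stand_in(string $v): string
{
    return addslashes($v);
}

/** Vulnerable: escaping does not constrain fragments that need no quotes. */
function build_query_escaped(string $objectIds, string $sort): string
{
    return 'SELECT object_id FROM wp_geo_mashup_locations'
        . ' WHERE object_id IN (' . esc_sql_stand_in($objectIds) . ')'
        . ' ORDER BY ' . esc_sql_stand_in($sort);
}

const SORT_ALLOWLIST = ['object_id', 'post_date', 'post_title'];

/** Hardened: ints only in the list, allowlisted column, fixed direction keyword. */
function build_query_safe(string $objectIds, string $sort): string
{
    $ids = array_map('intval', explode(',', $objectIds));
    $ids = array_filter($ids, fn(int $i) => $i > 0);
    if ($ids === []) {
        $ids = [0];   // keeps IN () syntactically valid and matches nothing
    }
    [$col, $dir] = array_pad(explode(' ', trim($sort), 2), 2, 'ASC');
    if (!in_array($col, SORT_ALLOWLIST, true)) {
        $col = 'object_id';
    }
    $dir = strtoupper($dir) === 'DESC' ? 'DESC' : 'ASC';
    return 'SELECT object_id FROM wp_geo_mashup_locations'
        . ' WHERE object_id IN (' . implode(',', $ids) . ')'
        . " ORDER BY {$col} {$dir}";
}

// Constructed attacker input: no quote characters anywhere, so the
// escaper returns both strings unchanged.
$objectIds = '1) OR SLEEP(5)-- ';
$sort      = 'object_id, (SELECT SLEEP(5))';

echo build_query_escaped($objectIds, $sort), "\n";
echo build_query_safe($objectIds, $sort), "\n";
```

The first query carries both SLEEP() payloads intact; the second reduces to IN (1) ORDER BY object_id ASC. Inside WordPress the list half is normally written with $wpdb->prepare() and %d placeholders, which performs the same integer cast; no placeholder exists for identifiers, so the column allowlist is the only correct fix for ORDER BY.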
-
CVE-2026-2554
HIGH
CVSS 8.1
Authenticated vendors with low-level privileges can delete arbitrary WordPress users, including site administrators, via Insecure Direct Object Reference in WCFM - Frontend Manager for WooCommerce plugin versions up to 6.7.25. The vulnerability resides in the 'wcfm_delete_wcfm_customer' function which fails to validate user-controlled 'customerid' parameters, allowing privilege escalation through unauthorized user deletion. Patch available in version 6.7.26 per Trac changeset 3483695. No public exploit code or active exploitation confirmed at time of analysis, though CVSS 8.1 (High) reflects significant real-world impact if exploited by malicious vendors on WooCommerce marketplaces.
WordPress
Authentication Bypass
-
CVE-2026-2052
HIGH
CVSS 8.8
Remote code execution in Widget Options plugin for WordPress (all versions ≤4.2.2) allows authenticated Contributor-level users to execute arbitrary PHP code on the server by bypassing input validation in the Display Logic feature. The plugin's unsafe use of eval() on user-controlled expressions, combined with insufficient authorization checks on the extended_widget_opts_block attribute, enables attackers to chain array_map with string concatenation to bypass the blocklist. Version 4.2.0 shipped only a partial fix, so 4.2.0 through 4.2.2 remain exploitable. No CISA KEV listing or public POC identified at time of analysis; EPSS data not provided for risk calibration.
WordPress
RCE
Code Injection
-
CVE-2026-7670
MEDIUM
CVSS 5.5
SQL injection in Jinher OA 1.0 allows remote unauthenticated attackers to execute arbitrary SQL commands via the DeptIDList parameter in UserSel.aspx. The vulnerability permits unauthorized database access with potential for data exfiltration, modification, and limited system compromise. Public exploit code exists on GitHub (zzlln/cvecve), significantly lowering the barrier to exploitation. Vendor did not respond to disclosure, leaving patch status unknown.
SQLi
-
CVE-2026-7669
MEDIUM
CVSS 6.3
Unsafe deserialization in SGLang's HuggingFace Transformer Handler allows remote attackers to trigger deserialization attacks via the get_tokenizer function in versions up to 0.5.9, potentially leading to code execution or information disclosure. The vulnerability requires high attack complexity and has not been patched despite early vendor notification.
Python
Deserialization
-
CVE-2026-7668
MEDIUM
CVSS 5.5
Out-of-bounds read in the MikroTik RouterOS 6.49.8 SCEP endpoint allows remote unauthenticated attackers to trigger memory disclosure and potential service disruption via malformed transactionID or messageType parameters. Public exploit code exists on GitHub. The original write-up scores this 7.3 (versus the 5.5 shown above); either way the vector reflects a network-accessible attack surface with low complexity, with impact rated limited across confidentiality, integrity, and availability. Vendor non-responsive to coordinated disclosure attempts.
Buffer Overflow
Information Disclosure
Mikrotik
-
CVE-2026-7645
MEDIUM
CVSS 5.5
Path traversal in the MCP Interface export_state function of ruvnet sublinear-time-solver 1.5.0 allows remote unauthenticated attackers to manipulate file paths, resulting in information disclosure and integrity compromise. Proof-of-concept exploit code is public (the original write-up scores this 6.5, versus the 5.5 shown above), and the vendor has not yet responded to early notification.
Path Traversal
-
CVE-2026-7644
MEDIUM
CVSS 5.5
Improper authorization in ChatGPTNextWeb NextChat up to version 2.16.1 allows remote unauthenticated attackers to bypass access controls in the addMcpServer function (app/mcp/actions.ts), potentially disclosing sensitive information. The vulnerability has a CVSS score of 5.5 (moderate severity) with public exploit code available, though the vendor has not yet responded to the disclosed issue.
Information Disclosure
-
CVE-2026-7638
MEDIUM
CVSS 5.3
Authenticated attackers with Subscriber-level access can modify the profile avatar of any WordPress user, including administrators, via an Insecure Direct Object Reference in the App Builder - Create Native Android & iOS Apps On The Flight plugin versions up to 5.6.0. The `/wp-json/app-builder/v1/upload-avatar` endpoint fails to validate that the authenticated user owns the target account before processing avatar uploads, allowing privilege escalation and account compromise through arbitrary user_id parameter submission in POST requests. No public exploit code or active exploitation has been identified at time of analysis.
WordPress
Authentication Bypass
Google
Apple
-
CVE-2026-7633
MEDIUM
CVSS 5.5
External control of the FileName parameter in Totolink N300RH firmware 6.1c.1353_B20190305 allows remote unauthenticated attackers to reach the setUploadSetting function via /cgi-bin/cstecgi.cgi, enabling arbitrary file writes and denial of service. Public exploit code exists; the original write-up scores this 6.5 (versus the 5.5 shown above), reflecting a network-accessible attack vector with low complexity.
Information Disclosure
-
CVE-2026-7632
MEDIUM
CVSS 5.5
SQL injection in code-projects Online Hospital Management System 1.0 allows remote unauthenticated attackers to manipulate the delid parameter in /viewappointment.php, enabling database queries with limited confidentiality and integrity impact. The vulnerability is publicly disclosed with available exploit code and poses a network-accessible risk to unpatched deployments.
PHP
SQLi
-
CVE-2026-7630
MEDIUM
CVSS 5.5
InnoShop e-commerce platform versions up to 0.7.8 allow unauthenticated remote attackers to bypass authentication controls in the installation endpoint via improper authentication handling in InstallServiceProvider::boot. The vulnerability permits unauthorized access to installation functionality even after initial setup is complete, enabling attackers to achieve partial confidentiality, integrity, and availability impact. Publicly available exploit code exists (GitHub issue #314), and vendor has released patch commit 45758e4ec22451ab944ae2ae826b1e70f6450dc9.
PHP
Authentication Bypass
-
CVE-2026-7611
MEDIUM
CVSS 6.3
Insufficient verification of firmware authenticity in TRENDnet TEW-821DAP up to version 1.12B01 allows remote attackers to manipulate firmware updates through the cameo_dev.sh update handler, potentially leading to information disclosure. The vulnerability requires high attack complexity and difficult exploitation conditions. The affected hardware (v1.xR) reached end-of-life eight years ago and is no longer supported by the vendor, significantly limiting real-world exposure.
Information Disclosure
-
CVE-2026-7606
MEDIUM
CVSS 6.3
Insufficient verification of data authenticity in the firmware update handler of TRENDnet TEW-821DAP 1.12B01 allows remote attackers to manipulate the dest argument during firmware updates, leading to integrity violations. The vulnerability requires high attack complexity and affects only end-of-life hardware (version 1.xR) discontinued 8 years ago. The original write-up scores this 3.7 (Low), versus the 6.3 shown above, with integrity impact but no confidentiality or availability impact; no public exploit confirmed.
Information Disclosure
-
CVE-2026-7601
MEDIUM
CVSS 5.3
Denial of service in Open5GS AMF (Access and Mobility Function) up to version 2.7.6 allows authenticated remote attackers to cause service unavailability by sending crafted registration requests with manipulated reg_type arguments. The vulnerability exists in the GMM (Mobility Management) handler due to insufficient validation of registration type values, potentially triggering null pointer dereferences or assertion failures. Vendor-released patch version 2.7.7 is available.
Denial Of Service
-
CVE-2026-7209
MEDIUM
CVSS 6.4
Stored Cross-Site Scripting in Simple Link Directory plugin for WordPress up to version 8.9.2 allows authenticated contributors and above to inject arbitrary JavaScript through insufficiently sanitized shortcode attributes like `title_font_size`, which executes in the browsers of all users accessing affected pages. The vulnerability affects the `qcopd-directory` shortcode and requires contributor-level WordPress access to exploit, making it a moderate-to-high risk for multi-author WordPress sites without strict role management.
WordPress
XSS
-
CVE-2026-6916
MEDIUM
CVSS 6.4
Stored cross-site scripting in Jeg Kit for Elementor WordPress plugin versions up to 3.1.0 allows authenticated contributors and above to inject arbitrary JavaScript via the 'sg_content_number_prefix' parameter, which executes when any user accesses the affected page. The vulnerability stems from insufficient input sanitization and output escaping in the Fun Fact widget element, affecting any WordPress site using this popular page builder addon. CVSS score of 6.4 reflects the network attack vector and broad scope, though exploitation requires valid contributor-level credentials.
WordPress
XSS
-
CVE-2026-6817
MEDIUM
CVSS 5.8
Stored Cross-Site Scripting (XSS) in Quiz Maker by AYS WordPress plugin versions up to 6.7.1.29 allows unauthenticated attackers to inject arbitrary JavaScript through the 'rate_reason' parameter due to insufficient input sanitization and output escaping. Injected scripts execute in the browsers of all users who view affected pages, enabling credential theft, malware distribution, or defacement without requiring authentication or user interaction.
WordPress
XSS
-
CVE-2026-6812
MEDIUM
CVSS 4.4
Server-Side Request Forgery in the Ona WordPress theme versions up to 1.26 via the ona_activate_child_theme function allows authenticated administrators to make arbitrary web requests originating from the affected server, enabling query and modification of internal services. The vulnerability requires administrator-level privileges and high attack complexity, limiting real-world exploitation to compromised or malicious admin accounts. No public exploit code or active exploitation has been identified.
WordPress
SSRF
-
CVE-2026-6525
MEDIUM
CVSS 5.5
Wireshark 4.6.0 through 4.6.4 crashes when processing malformed IEEE 802.11 frames due to a null pointer dereference in the protocol dissector. An attacker can trigger denial of service by crafting or replaying a specially malformed wireless packet that causes the dissector to crash when analyzed, rendering packet analysis impossible until the application restarts. CVSS score 5.5 reflects local attack vector with user interaction required; no public exploit code has been identified at time of analysis.
Denial Of Service
Null Pointer Dereference
Red Hat
Suse
-
CVE-2026-6457
MEDIUM
CVSS 6.5
Time-based blind SQL injection in Geo Mashup WordPress plugin versions up to 1.13.19 allows authenticated attackers with subscriber-level access to extract sensitive database information via the 'geo_mashup_null_fields' parameter due to insufficient escaping and lack of prepared statement usage. The vulnerability requires valid WordPress authentication but grants high-confidence data confidentiality compromise without requiring user interaction, affecting all installations of this geolocation plugin with vulnerable versions active.
WordPress
SQLi
-
CVE-2026-6449
MEDIUM
CVSS 5.3
Unauthenticated attackers can approve any WordPress booking in 'waiting' status via the admin-ajax endpoint in Amelia plugin versions up to 2.1.2, due to a logical short-circuit flaw that skips token validation when the booking status matches a specific condition. An attacker can craft a direct request to the publicly-accessible endpoint to approve arbitrary bookings without authentication. This impacts all installations with pending bookings and exposes the booking workflow integrity across WordPress sites using this plugin.
WordPress
Authentication Bypass
-
CVE-2026-6447
MEDIUM
CVSS 4.4
Stored Cross-Site Scripting in Call for Price for WooCommerce plugin versions up to 4.2.0 allows authenticated administrators to inject arbitrary JavaScript via plugin settings that executes for all users visiting affected pages. The vulnerability requires administrator-level access and only matters on WordPress multisite installations or single-site installations with the unfiltered_html capability disabled (administrators otherwise hold that capability legitimately), which reduces real-world exposure below what the CVSS score of 4.4 suggests.
WordPress
XSS
-
CVE-2026-6446
MEDIUM
CVSS 5.4
My Social Feeds - Social Feeds Embedder WordPress plugin up to version 1.0.4 exposes TikTok OAuth credentials via an AJAX endpoint that performs no authorization or nonce checks. Authenticated attackers with Subscriber-level access can retrieve the stored access_token and refresh_token values belonging to the administrator-connected TikTok account, enabling them to impersonate the site owner in TikTok API interactions. No public exploit code or active exploitation has been reported at the time of analysis, though the vulnerability is trivial to exploit once a Subscriber-level account is obtained.
WordPress
Information Disclosure
-
CVE-2026-6378
MEDIUM
CVSS 6.4
Stored cross-site scripting in Maxi Blocks plugin for WordPress versions up to 2.1.9 allows authenticated attackers with Author-level access and above to inject arbitrary JavaScript via the `/wp-json/maxi-blocks/v1.0/style-card` REST API endpoint through insufficient sanitization of the `sc_styles` parameter. Injected scripts execute on every page where style card styles are loaded, including the WordPress admin panel, affecting all website visitors and administrators. The vendor released patched version 2.1.10 on 27 April 2026 with input sanitization fixes (wp_strip_all_tags applied to sc_styles parameter) and privilege escalation mitigation in the image crop functionality.
WordPress
XSS
-
CVE-2026-5077
MEDIUM
CVSS 5.4
Stored Cross-Site Scripting in Total WordPress theme versions up to 2.2.1 allows authenticated contributors and above to inject arbitrary JavaScript via post titles in the home blog section. The vulnerability stems from insufficient output escaping when rendering post titles in HTML attribute context. Exploitation requires the malicious post to be published and displayed with a featured image on the home page, where the injected script will execute in the browsers of all users viewing the page. No public exploit code has been identified, and active exploitation has not been confirmed.
WordPress
XSS
-
CVE-2026-4790
MEDIUM
CVSS 5.4
Stored Cross-Site Scripting in Premium Addons for Elementor plugin for WordPress up to version 4.11.70 allows authenticated attackers with contributor-level or higher privileges to inject arbitrary JavaScript via the 'custom_svg' parameter, which executes in the browsers of users viewing the affected pages. The vulnerability stems from insufficient input sanitization and output escaping on a user-controllable SVG parameter. No public exploit code or active exploitation has been identified at the time of analysis.
WordPress
XSS
-
CVE-2026-4658
MEDIUM
CVSS 6.4
Stored Cross-Site Scripting in Essential Blocks WordPress plugin versions up to 6.0.4 allows authenticated Contributor-level users to inject arbitrary JavaScript into the Add to Cart block via unescaped className, classHook, and blockId attributes, executing malicious scripts in pages viewed by any site visitor. The vulnerability stems from use of raw sprintf() and implode() functions without WordPress escaping functions (esc_attr) in the render_callback() function, despite the outer wrapper using proper escaping. CVSS 6.4 (medium) reflects the requirement for authenticated access; however, the stored nature and cross-site scope elevate real-world risk on multi-author WordPress sites.
WordPress
XSS
-
CVE-2026-4650
MEDIUM
CVSS 5.3
Unauthenticated attackers can bypass authorization controls in FundPress WordPress Donation Plugin versions up to 2.0.8 to arbitrarily modify donation statuses via the donate_action_status() AJAX handler, which lacks nonce verification and capability checks despite being exposed to unauthenticated users. By enumerating sequential donation IDs and sending crafted POST requests, attackers can mark donations as completed, pending, or cancelled, potentially triggering email notifications and corrupting donation records without any user interaction or authentication.
WordPress
Authentication Bypass
-
CVE-2026-4024
MEDIUM
CVSS 5.3
Unauthenticated attackers can modify form action metadata on WordPress posts through the Royal Addons for Elementor plugin (versions up to 1.7.1056) due to a missing capability check on the wpr_update_form_action_meta AJAX endpoint. The endpoint registers on both wp_ajax and wp_ajax_nopriv hooks, is accessible without authentication, and relies on a nonce that is publicly exposed in frontend JavaScript, allowing attackers to bypass the nonce protection and alter email, Mailchimp, and webhook settings on any post. This enables attackers to hijack form submissions, exfiltrate data via modified webhook URLs, or redirect emails to attacker-controlled addresses without any user interaction or special configuration required.
WordPress
Authentication Bypass
-
CVE-2026-3504
MEDIUM
CVSS 5.3
Unauthenticated remote attackers can extract sensitive user information including email addresses, usernames, and user IDs through the '/dokan/v1/stores/{id}/reviews' REST API endpoint in Dokan plugin versions up to 4.3.1. The vulnerability affects only installations with the Pro version activated and store reviews enabled, allowing information disclosure of all customers who left vendor reviews. No public exploit code has been identified, but the attack requires no authentication or user interaction and can be automated at scale.
WordPress
Information Disclosure
-
CVE-2026-0703
MEDIUM
CVSS 6.4
Stored cross-site scripting in NextMove Lite - Thank You Page for WooCommerce plugin allows authenticated attackers with contributor-level access to inject arbitrary JavaScript via the 'xlwcty_current_date' shortcode due to insufficient input sanitization and output escaping. Injected scripts execute in the browser of any user viewing affected pages, potentially compromising WordPress site integrity and user sessions. No public exploit code or active exploitation has been confirmed at the time of analysis.
WordPress
XSS
-
CVE-2025-14726
MEDIUM
CVSS 6.5
Unauthenticated attackers can access and modify plugin settings in the Widgets for Social Photo Feed WordPress plugin through missing capability checks on two REST API endpoints, allowing unauthorized data access and configuration changes in all versions up to and including 1.8. The vulnerability requires only network access with no user interaction, making it trivially exploitable by remote attackers without authentication credentials.
WordPress
Authentication Bypass
Information Disclosure
-
CVE-2026-43058
None
In the Linux kernel, the following vulnerability has been resolved:
media: vidtv: fix pass-by-value structs causing MSAN warnings
vidtv_ts_null_write_into() and vidtv_ts_pcr_write_into() take their
argument structs by value, causing MSAN to report uninit-value warnings.
While only vidtv_ts_null_wr...
Information Disclosure
Linux
-
CVE-2026-7671
LOW
CVSS 2.9
Improper restriction of excessive authentication attempts in CodeWise Tornet Scooter Mobile App 4.75 on iOS and Android allows remote attackers to bypass rate-limiting controls on the /TwoFactor endpoint, potentially enabling brute-force attacks against two-factor authentication mechanisms. Publicly available exploit code exists. The vendor did not respond to early disclosure notification.
Information Disclosure
Google
Apple
-
CVE-2026-7653
LOW
CVSS 2.1
Remote authenticated command injection in r-huijts mcp-server-rijksmuseum up to version 1.0.4 allows attackers with login credentials to execute arbitrary OS commands via manipulation of the imageUrl argument in the open_image_in_browser function. The vulnerability has publicly available exploit code and the vendor has not yet responded to early disclosure.
Command Injection
-
CVE-2026-7643
LOW
CVSS 2.1
Permissive cross-domain policy in ChatGPTNextWeb NextChat up to version 2.16.1 allows remote attackers with user interaction to manipulate the Next.js API endpoint and enable untrusted domains to access application resources, leading to information disclosure. Public exploit code exists for this vulnerability, though the vendor has not yet responded to early disclosure notification.
Information Disclosure
-
CVE-2026-7642
LOW
CVSS 2.1
OS command injection in pskill9 website-downloader through 0.1.0 allows authenticated remote attackers to execute arbitrary system commands by manipulating the outputPath argument in the download_website function of the MCP Interface. Publicly available exploit code exists, though the low CVSS score (2.1) reflects required authentication and limited scope of impact; the vulnerability remains relevant for deployments where the MCP Interface is exposed to untrusted authenticated users.
Command Injection
-
CVE-2026-7631
LOW
CVSS 2.1
Improper authorization in code-projects Online Hospital Management System 1.0 allows authenticated remote attackers to manipulate the Username parameter in the Registration Handler, bypassing access controls and modifying user authorization. The vulnerability requires valid authentication credentials but results in integrity impact to user accounts. Publicly available exploit code exists for this vulnerability.
Authentication Bypass
-
CVE-2026-7629
LOW
CVSS 2.1
Command injection in awesome-cursor-mpc-server up to version 2.0.1 allows authenticated remote attackers to execute arbitrary system commands via the Code-Review Tool's runCodeReviewTool function in src/tools/codeReview.ts. The vulnerability stems from unsafe use of execSync with user-controlled input in git command construction. Publicly available exploit code exists, and a patch via PR #14 is available from the vendor, though formal release status is not confirmed.
Command Injection
-
CVE-2026-7628
LOW
CVSS 2.1
Remote command injection in crazyrabbitLTC mcp-code-review-server up to version 0.1.0 allows authenticated attackers to execute arbitrary system commands via manipulation of the executeRepomix function in the RepoMix Command Handler. The vulnerability stems from unsafe use of the exec() function with unsanitized user-supplied options. Public exploit code is available, and while a fix has been proposed via pull request, the maintainer has not yet merged or released a patched version.
Command Injection
-
CVE-2026-7627
LOW
CVSS 2.1
Path traversal in 8nite metatrader-4-mcp 1.0.0 allows authenticated remote attackers to access arbitrary files via manipulation of the ea_name argument in the CallToolRequestSchema function of src/index.ts. The vulnerability affects the sync_ea_from_file component, has publicly available exploit code, and impacts confidentiality with a CVSS score of 2.1. The vendor has not responded to early disclosure notification.
Path Traversal
-
CVE-2026-7612
LOW
CVSS 2.0
SQL injection in itsourcecode Courier Management System 1.0 allows high-privilege remote attackers to manipulate the ID parameter in /edit_user.php, leading to unauthorized database queries with limited confidentiality and integrity impact. Exploit code has been publicly disclosed, though the CVSS 4.0 score of 2.0 and requirement for high-privilege authentication significantly constrain real-world risk.
PHP
SQLi
-
CVE-2026-7610
LOW
CVSS 2.9
TRENDnet TEW-821DAP firmware version 1.12B01 transmits sensitive information in cleartext via the /www/cgi/ssi endpoint during firmware updates, allowing remote unauthenticated attackers to intercept credentials or configuration data. The vulnerability affects end-of-life hardware (version v1.xR) discontinued 8 years ago and no longer supported by the vendor. Public exploit code is available, though the attack requires high complexity conditions to execute successfully.
Information Disclosure
-
CVE-2026-7609
LOW
CVSS 2.1
OS command injection in TRENDnet TEW-821DAP firmware up to version 1.12B01 allows authenticated remote attackers to execute arbitrary commands via the tools_diagnostic function in the firmware update component. The vulnerability affects only end-of-life hardware (version v1.xR) discontinued 8 years ago, significantly limiting practical exposure despite publicly available exploit code.
Command Injection
-
CVE-2026-7608
LOW
CVSS 2.0
OS command injection in TRENDnet TEW-821DAP up to firmware version 1.12B01 allows authenticated local attackers to execute arbitrary commands via the tools_diagnostic function. The vulnerability affects only end-of-life hardware (v1.xR) discontinued 8 years ago and no longer receiving vendor support. Exploit code is publicly available, but real-world risk is severely constrained by the authentication requirement (PR:L), local network access (AV:A), and the product's obsolete status with no active install base.
Command Injection
-
CVE-2026-7605
LOW
CVSS 2.1
Server-side request forgery in JeecgBoot up to 3.9.1 allows authenticated remote attackers to manipulate the CommonController.uploadImgByHttp endpoint and trigger arbitrary HTTP requests from the server, with publicly available exploit code and vendor confirmation of the issue. The vulnerability affects the image upload functionality through HttpFileToMultipartFileUtil.httpFileToMultipartFile and downloadImageData methods, enabling attackers with valid credentials to abuse the application as a proxy for outbound requests.
Java
SSRF
-
CVE-2026-7604
LOW
CVSS 2.1
Server-side request forgery in JeecgBoot up to version 3.9.1 allows authenticated remote attackers to manipulate the originUrl parameter in the OpenApiController.add and OpenApiController.call methods, enabling arbitrary HTTP requests from the affected server. The vulnerability requires low-level authentication privileges and carries minimal direct impact (CVSS 2.1), but public exploit code exists and the vendor confirmed the issue with a fix planned for an upcoming release.
Java
SSRF
-
CVE-2026-7603
LOW
CVSS 2.1
Server-side request forgery in JeecgBoot up to version 3.9.1 affects the checkPathTraversalBatch function in FileDownloadUtils.java within the LoadFile endpoint. Authenticated remote attackers can manipulate the files argument to trigger SSRF, allowing them to make unauthorized requests to internal or external resources. Publicly disclosed exploit code exists, and the vendor has confirmed the issue with a fix promised in an upcoming release.
SSRF
-
CVE-2026-7602
LOW
CVSS 2.1
Improper authorization in JeecgBoot up to version 3.9.1 allows authenticated remote attackers to manipulate the ruleClass parameter in the /sys/fillRule/edit endpoint, leading to unauthorized access and information disclosure. The vulnerability affects the FillRuleUtil component and has publicly available exploit code; the vendor confirmed the issue and committed to patching in an upcoming release.
Information Disclosure
-
CVE-2026-7600
LOW
CVSS 2.1
Remote OS command injection in ArtMin96 yii2-mcp-server 1.0.2 allows authenticated remote attackers to execute arbitrary operating system commands via manipulation of the yii_command_help or yii_execute_command functions in the MCP Interface component. Exploit code is publicly available, and the vendor has not yet responded to early disclosure through issue reporting.
Command Injection