Skip to main content
CVE-2026-7659 MEDIUM This Month

Stored cross-site scripting in the Advanced Social Media Icons WordPress plugin through version 1.2 allows authenticated contributors and above to inject arbitrary JavaScript via insufficiently sanitized shortcode attributes, with execution occurring whenever any user views an affected page. The vulnerability affects all installations of the plugin up to and including version 1.2 and requires only Contributor-level WordPress access to exploit, making it a significant risk for multi-author sites.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-5340 MEDIUM This Month

Stored Cross-Site Scripting in Fancy Image Show plugin for WordPress up to version 9.1 allows authenticated contributors and above to inject arbitrary JavaScript via the `fancy-img-show` shortcode due to insufficient input sanitization and output escaping. The injected scripts execute in the context of any user viewing the affected page, affecting site integrity and potentially compromising administrative accounts. No public exploit code or active exploitation has been confirmed at time of analysis.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-6247 MEDIUM This Month

Stored Cross-Site Scripting in Scratchblocks for WP plugin for WordPress allows authenticated contributors and above to inject arbitrary JavaScript through the 'element' attribute of the 'scratchblocks' shortcode due to insufficient input sanitization and output escaping. The vulnerability affects all versions up to 1.0.1 and enables malicious scripts to execute in the browsers of all users viewing affected pages, with cross-site scope impact.

XSS WordPress
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-6256 MEDIUM This Month

Stored Cross-Site Scripting in Credits Shortcode WordPress plugin up to version 1.2 allows authenticated contributors and above to inject arbitrary JavaScript via the 'link' attribute of the credits shortcode, which executes when other users view affected pages. The vulnerability stems from insufficient input sanitization and output escaping on user-supplied shortcode attributes. CVSS 6.4 reflects moderate risk with network vector and limited scope impact, though real-world risk depends on site contributor population and user awareness.

XSS WordPress
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-5715 MEDIUM This Month

Stored Cross-Site Scripting in Voyage Plus WordPress plugin versions up to 1.0.6 allows authenticated contributors and above to inject malicious scripts via the 'class' attribute of the 'post-content' shortcode due to insufficient input sanitization and output escaping. Injected scripts execute in the browsers of all users viewing affected pages, enabling credential theft, session hijacking, or malware distribution. No public exploit code or active KEV listing identified at time of analysis, but the vulnerability requires only contributor-level access and no user interaction, making it practical for insider threats or compromised contributor accounts.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-4920 MEDIUM This Month

Stored Cross-Site Scripting in Next Date WordPress plugin (all versions up to 1.0) allows authenticated contributors and above to inject arbitrary JavaScript into pages via the 'default' shortcode attribute due to insufficient input sanitization and output escaping. Injected scripts execute in the context of any user viewing the affected page, potentially compromising site visitors and administrators. No public exploit code or active exploitation has been identified at time of analysis.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-4859 MEDIUM This Month

SP Blog Designer plugin for WordPress versions up to 1.0.0 allows authenticated attackers with Contributor-level access to inject arbitrary web scripts via the 'design' attribute of the wpsbd_post_carousel shortcode, resulting in stored cross-site scripting (XSS) that executes for all users viewing affected pages. The vulnerability stems from insufficient input sanitization and output escaping in shortcode handling. No public exploit code or active exploitation has been confirmed at time of analysis.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-6237 MEDIUM This Month

Stored cross-site scripting in Quick Table plugin for WordPress allows authenticated contributors and above to inject malicious scripts via the 'style' attribute of the 'qtbl' shortcode, which execute when any user views the affected page. The vulnerability affects all versions up to 1.0.0 due to insufficient input sanitization and output escaping. No public exploit code or active exploitation has been identified at time of analysis.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-7661 MEDIUM This Month

Stored cross-site scripting in the Bootstrap Shortcode plugin for WordPress allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript into pages via the `box` shortcode, executing malicious scripts whenever users view affected pages. The vulnerability exists in all versions up to 1.0 due to insufficient input sanitization and output escaping. No public exploit code or active exploitation has been identified at this time.

XSS WordPress Bootstrap
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-34664 MEDIUM This Month

Substance3D - Designer versions 15.1.0 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files and directories outside the intended access scope. Exploitation of this issue requires user interaction in that a victim must open a malicious file. Scope is changed.

Path Traversal Substance3D Designer
NVD
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-40133 MEDIUM This Month

Missing authorization checks in SAP S/4HANA Condition Maintenance allow authenticated attackers to view and modify condition table records they should not have access to, compromising data confidentiality and integrity while potentially denying legitimate users access to those same records. The vulnerability requires valid user credentials but affects all versions of the affected module, with CVSS 6.3 reflecting its multi-faceted impact across three security dimensions.

Authentication Bypass SAP
NVD
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-40380 MEDIUM PATCH Exploit Unlikely This Month

Heap-based buffer overflow in Volume Manager Extension Driver allows an authorized attacker to execute code with a physical attack.

Heap Overflow Buffer Overflow
NVD VulDB
CVSS 3.1
6.2
EPSS
0.1%
CVE-2026-41614 MEDIUM PATCH Exploit Unlikely This Month

Improper access control in M365 Copilot for Desktop allows an unauthorized attacker to perform spoofing locally.

Authentication Bypass M365 Copilot For Desktop
NVD VulDB
CVSS 3.1
6.2
EPSS
0.0%
CVE-2026-34669 MEDIUM This Month

CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Improper Input Validation vulnerability that could result in an application denial-of-service. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service condition. Exploitation of this issue does not require user interaction.

Denial Of Service Cai Content Credentials
NVD VulDB
CVSS 3.1
6.2
EPSS
0.0%
CVE-2026-34688 MEDIUM This Month

CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Improper Input Validation vulnerability that could result in an application denial-of-service. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service condition. Exploitation of this issue does not require user interaction.

Denial Of Service Cai Content Credentials
NVD VulDB
CVSS 3.1
6.2
EPSS
0.0%
CVE-2026-34668 MEDIUM This Month

CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Improper Input Validation vulnerability that could result in an application denial-of-service. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service condition. Exploitation of this issue does not require user interaction.

Denial Of Service Cai Content Credentials
NVD VulDB
CVSS 3.1
6.2
EPSS
0.0%
CVE-2026-34670 MEDIUM This Month

CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Improper Input Validation vulnerability that could result in an application denial-of-service. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service condition. Exploitation of this issue does not require user interaction.

Denial Of Service Cai Content Credentials
NVD VulDB
CVSS 3.1
6.2
EPSS
0.0%
CVE-2026-34679 MEDIUM This Month

CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Improper Input Validation vulnerability that could result in an application denial-of-service. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service condition. Exploitation of this issue does not require user interaction.

Denial Of Service Cai Content Credentials
NVD VulDB
CVSS 3.1
6.2
EPSS
0.0%
CVE-2026-34666 MEDIUM This Month

CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Improper Input Validation vulnerability that could result in an application denial-of-service. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service condition. Exploitation of this issue does not require user interaction.

Denial Of Service Cai Content Credentials
NVD VulDB
CVSS 3.1
6.2
EPSS
0.0%
CVE-2026-34672 MEDIUM This Month

CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in an application denial-of-service. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service condition. Exploitation of this issue does not require user interaction.

Integer Overflow Denial Of Service Cai Content Credentials
NVD VulDB
CVSS 3.1
6.2
EPSS
0.0%
CVE-2026-34671 MEDIUM This Month

CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Integer Overflow or Wraparound vulnerability that could result in an application denial-of-service. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service condition. Exploitation of this issue does not require user interaction.

Integer Overflow Denial Of Service Cai Content Credentials
NVD VulDB
CVSS 3.1
6.2
EPSS
0.0%
CVE-2026-34678 MEDIUM This Month

CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Uncontrolled Resource Consumption vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability to exhaust system resources, resulting in an application denial-of-service condition. Exploitation of this issue does not require user interaction.

Denial Of Service Cai Content Credentials
NVD VulDB
CVSS 3.1
6.2
EPSS
0.0%
CVE-2026-34680 MEDIUM This Month

CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Integer Overflow or Wraparound vulnerability that could result in an application denial-of-service. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service condition. Exploitation of this issue does not require user interaction.

Integer Overflow Denial Of Service Cai Content Credentials
NVD VulDB
CVSS 3.1
6.2
EPSS
0.0%
CVE-2026-34673 MEDIUM This Month

CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Uncontrolled Resource Consumption vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability to exhaust system resources, resulting in an application denial-of-service condition. Exploitation of this issue does not require user interaction.

Denial Of Service Cai Content Credentials
NVD VulDB
CVSS 3.1
6.2
EPSS
0.0%
CVE-2026-34667 MEDIUM This Month

CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in an application denial-of-service. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service condition. Exploitation of this issue does not require user interaction.

Integer Overflow Denial Of Service Cai Content Credentials
NVD VulDB
CVSS 3.1
6.2
EPSS
0.0%
CVE-2026-34677 MEDIUM This Month

CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Uncontrolled Resource Consumption vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability to exhaust system resources, resulting in an application denial-of-service condition. Exploitation of this issue does not require user interaction.

Denial Of Service Cai Content Credentials
NVD VulDB
CVSS 3.1
6.2
EPSS
0.0%
CVE-2026-7464 MEDIUM This Month

Reflected Cross-Site Scripting (XSS) in WP Google Maps Integration plugin for WordPress versions up to 1.2 allows unauthenticated attackers to inject arbitrary web scripts via the `page` parameter due to insufficient input sanitization and output escaping. Exploitation requires tricking an administrator into clicking a malicious link, but successful attacks can hijack admin sessions, modify site content, or steal credentials with medium attack complexity and limited immediate confidentiality and integrity impact.

XSS WordPress Google
NVD VulDB
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-7437 MEDIUM This Month

Reflected Cross-Site Scripting in AzonPost WordPress plugin versions up to 1.3 allows unauthenticated attackers to inject arbitrary JavaScript via the `editpos_hidden` parameter, executing in the browsers of administrators who click malicious links. The vulnerability stems from insufficient input sanitization and output escaping, requiring user interaction but affecting all versions of the plugin without requiring authentication or special configuration.

XSS WordPress
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-6808 MEDIUM This Month

Reflected Cross-Site Scripting in Pricing Tables for WP plugin allows unauthenticated attackers to inject arbitrary JavaScript via the 'page' parameter. The vulnerability affects all versions up to 1.1.0 due to insufficient input sanitization and output escaping. Exploitation requires social engineering (e.g., tricking an administrator into clicking a malicious link), but no public exploit code or active exploitation has been identified at time of analysis.

XSS WordPress
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-40137 MEDIUM This Month

SAP Business Server Pages TAF_APPLAUNCHER contains a cross-site scripting vulnerability that allows unauthenticated attackers to craft malicious links redirecting users to attacker-controlled sites, potentially exposing or altering sensitive information. The vulnerability requires user interaction (clicking the link) and affects confidentiality and integrity with a CVSS score of 6.1. No active exploitation has been publicly confirmed at time of analysis.

XSS SAP
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-7561 MEDIUM This Month

Cross-Site Request Forgery (CSRF) in Tm - WordPress Redirection plugin for WordPress versions up to 1.2 allows unauthenticated attackers to update plugin settings and inject malicious web scripts by tricking a site administrator into clicking a malicious link. The vulnerability stems from missing or incorrect nonce validation on sensitive functions, enabling attackers to forge requests that execute administrative actions without the admin's explicit consent. CVSS score is 6.1 with network attack vector and low complexity, though exploitation requires user interaction (tricking administrator). No public exploit code or active exploitation has been identified at the time of analysis.

CSRF WordPress
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-1681 MEDIUM This Month

Stack overflow in Zephyr RTOS network stack allows local attackers to trigger a denial of service by issuing an ICMP ping to the device's own IPv4 address via the `net ping` shell command, causing recursive re-entry of the input path on the same work-queue stack and exhausting stack memory. The vulnerability requires local access and user interaction to execute the shell command, affecting systems with Zephyr network functionality enabled.

Buffer Overflow Zephyr
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-0802 MEDIUM PATCH This Month

Command injection in Axis OS ACAP configuration file processing allows privilege escalation when unsigned ACAP applications are enabled and a user installs a malicious application. The vulnerability requires high-privileged user interaction and local access but bypasses normal code signing protections to achieve code execution with elevated privileges.

Privilege Escalation Command Injection Axis Os
NVD VulDB
CVSS 3.1
6.0
EPSS
0.0%
CVE-2026-40300 MEDIUM PATCH This Month

Zulip is an open-source team collaboration tool. Prior to 12.0, With message_edit_history_visibility_policy set to "moves", /api/v1/messages/{id}/history still returns historical content values, allowing low-privilege users to recover text that was edited away from other users' messages. This vulnerability is fixed in 12.0.

Authentication Bypass Zulip
NVD GitHub
CVSS 4.0
6.0
EPSS
0.0%
CVE-2026-8052 MEDIUM PATCH This Month

HashiCorp Nomad’s exec2 task driver prior to 0.1.2 is vulnerable to arbitrary file read and write on the client host as the Nomad process user through a symlink attack. This vulnerability (CVE-2026-8052) is fixed in version 0.1.2 of the exec2 task driver.

Information Disclosure Hashicorp
NVD
CVSS 3.1
6.0
EPSS
0.0%
CVE-2026-6959 MEDIUM PATCH This Month

HashiCorp Nomad and Nomad Enterprise prior to 2.0.1 are vulnerable to arbitrary file read and write on the client host as the Nomad process user through a symlink attack. This vulnerability (CVE-2026-6959) is fixed in Nomad 2.0.1, 1.11.5 and 1.10.11.

Information Disclosure Hashicorp
NVD
CVSS 3.1
6.0
EPSS
0.0%
CVE-2026-41125 MEDIUM CISA This Month

SQL injection in KACO Meteor server affecting all versions of blueplanet inverter product line allows authorized attackers on the local network to elevate privileges and modify system data. The vulnerability requires high-privilege credentials and abnormal configuration access (AC:H), limiting exploitation to insider threats or attackers who have already compromised administrative access. CVSS 6.0 with integrity and availability impact reflects significant risk within trusted network environments.

SQLi Blueplanet 100 Nx3 M8 Blueplanet 100 Tl3 Gen2 Blueplanet 105 Tl3 Blueplanet 105 Tl3 Gen2 +25
NVD VulDB
CVSS 4.0
5.9
EPSS
0.0%
CVE-2026-44347 MEDIUM This Month

Warpgate is an open source SSH, HTTPS and MySQL bastion host for Linux. Prior to 0.23.3, the SSO flow does not validate the state parameter, which makes it possible for an attacker to trick a user into logging into the attacker's account, possibly convincing them to perform sensitive actions on the attacker's account (such as writing sensitive data to the attacker's SSH target, or logging into an HTTP target that the attacker set up). This vulnerability is fixed in 0.23.3.

Information Disclosure CSRF Warpgate
NVD GitHub
CVSS 3.1
5.8
EPSS
0.0%
CVE-2025-35991 MEDIUM This Month

Improper initialization in the UEFI firmware for some Intel platforms within Ring 0: Bare Metal OS may allow an information disclosure. System software adversary with a privileged user combined with a high complexity attack may enable data exposure. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (high), integrity (none) and availability (none) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts.

Intel Information Disclosure
NVD
CVSS 4.0
5.6
EPSS
0.0%
CVE-2026-34339 MEDIUM PATCH Exploit Unlikely This Month

Null pointer dereference in Windows LDAP - Lightweight Directory Access Protocol allows an authorized attacker to deny service locally.

Denial Of Service Microsoft Null Pointer Dereference
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-35419 MEDIUM PATCH Exploit Unlikely This Month

Out-of-bounds read in Windows DWM Core Library allows an authorized attacker to disclose information locally.

Microsoft Information Disclosure Buffer Overflow
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-34662 MEDIUM This Month

Illustrator versions 29.8.6, 30.3 and earlier are affected by a NULL Pointer Dereference vulnerability that could result in an application denial-of-service. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service condition. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Denial Of Service Null Pointer Dereference Illustrator
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-44279 MEDIUM This Month

Improper export of Android application components in Fortinet FortiToken Android 5.2, 6.1, and 6.2 allows local authenticated attackers to gain unauthorized access to sensitive information via exposed application components that lack proper access control. The vulnerability has a CVSS score of 5.0 with local attack vector and requires low privileges, enabling information disclosure without user interaction. No public exploit code has been identified, and the vulnerability is not listed in active exploitation databases at the time of analysis.

Fortinet Information Disclosure Google Fortitokenandroid
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-34663 MEDIUM This Month

Illustrator versions 29.8.6, 30.3 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to disclose sensitive information. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Information Disclosure Buffer Overflow Illustrator
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-1185 MEDIUM PATCH This Month

Improper input validation in an Axis OS configuration file allows authenticated SSH users to execute code and potentially escalate privileges. The vulnerability requires valid SSH credentials but affects all Axis OS versions, making it a significant risk for organizations running Axis network devices with SSH access exposed or shared credentials.

Privilege Escalation RCE Axis Os
NVD VulDB
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-35423 MEDIUM PATCH This Month

Out-of-bounds read in Telnet Client allows an unauthorized attacker to disclose information over a network.

Information Disclosure Buffer Overflow
NVD VulDB
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-42838 MEDIUM PATCH Exploit Unlikely This Month

Improper neutralization of special elements in output used by a downstream component ('injection') in Microsoft Edge (Chromium-based) allows an unauthorized attacker to elevate privileges over a network.

Authentication Bypass Microsoft Google
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-45210 MEDIUM This Month

Missing authorization in Broadstreet Ads WordPress plugin through version 1.52.2 allows authenticated users to bypass access controls and modify data, resulting in integrity and availability impact. The vulnerability stems from incorrectly configured access control security levels that fail to properly validate user permissions before executing sensitive operations. Exploitation requires valid user authentication but no special configuration or interaction.

Authentication Bypass Broadstreet Ads
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-44873 MEDIUM This Month

A session management vulnerability in AOS-8 allows previously authenticated users to retain network access after their accounts are administratively disabled. Existing sessions are not invalidated when credentials are revoked, enabling continued access until session expiration. An attacker with compromised credentials could exploit this behavior to maintain unauthorized access even after the account has been disabled.

Authentication Bypass Hpe Aruba Networking Wireless Operating System Aos
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-70842 MEDIUM This Month

Stored cross-site scripting (XSS) in FluentCMS 1.2.3 File Management module allows authenticated administrators to upload SVG files with embedded malicious JavaScript that executes when any user-including unauthenticated visitors-accesses the image URL directly. The vulnerability has public proof-of-concept code available via GitHub pull request, and CISA SSVC framework confirms exploitability is feasible but requires user interaction and is not automatable. CVSS 5.4 reflects the attack complexity introduced by authentication requirement and user interaction, but the cross-origin scope and ability to affect multiple users elevates real-world risk.

XSS
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
Prev Page 2 of 4 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy