Skip to main content
CVE-2026-6405 MEDIUM This Month

Stored Cross-Site Scripting via CSRF in the Anomify AI WordPress plugin (versions ≤ 0.3.6) allows unauthenticated remote attackers to inject persistent JavaScript into the WordPress admin panel by tricking a logged-in administrator into visiting an attacker-controlled page. The attack chains two flaws: a missing nonce check on the settings handler (no check_admin_referer()) that permits any cross-origin POST to modify plugin settings, and a double-quote escape bypass where the API key value is stored after sanitize_text_field() sanitization but rendered into an HTML attribute via bare echo without esc_attr(), allowing the payload to survive both sanitization and storage. No public exploit has been identified at time of analysis, and the CVE is not listed in the CISA KEV catalog.

WordPress PHP CSRF XSS
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-8419 MEDIUM This Month

Cross-Site Request Forgery in the Amazon Scraper WordPress plugin (submone, all versions through 1.1) allows unauthenticated remote attackers to modify plugin settings and inject persistent malicious scripts by tricking an authenticated site administrator into clicking a crafted link. The root cause is missing or incorrect nonce validation across multiple functions in amazon-admin.php (identified at lines 13, 26, 45, and 49). No public exploit has been identified at time of analysis, and the plugin has not been added to the CISA KEV catalog, but the Wordfence-reported disclosure includes direct source code references making exploitation straightforward for a motivated attacker.

WordPress CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-8423 MEDIUM This Month

Cross-Site Request Forgery in the JaviBola Custom Theme Test WordPress plugin (all versions through 2.0.5) enables unauthenticated remote attackers to silently replace the site's active theme by forging a request that modifies the `jbct_theme` option. Exploitation requires social-engineering a logged-in site administrator into clicking a crafted link - the CVSS UI:R requirement reflects this dependency. No public exploit code has been identified at time of analysis, and this CVE does not appear in the CISA KEV catalog.

WordPress CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-8418 MEDIUM This Month

Cross-Site Request Forgery in the Games Catalog WordPress plugin (versions ≤ 1.2.0) enables unauthenticated attackers to delete arbitrary game catalog entries and their associated WordPress posts by tricking a logged-in site administrator into clicking a crafted link. The vulnerable gc_crud() function in admin-crud.php processes the action=delete parameter via a GET request with no wp_verify_nonce() or check_admin_referer() call, bypassing WordPress's standard CSRF defenses entirely. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the attack surface is fully visible in the public WordPress plugin Trac repository, making it trivially constructible.

WordPress CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-8424 MEDIUM This Month

Settings-reset CSRF in the Remove Yellow BGBOX WordPress plugin (all versions up to and including 1.0) allows unauthenticated remote attackers to overwrite the plugin's stored configuration by tricking a logged-in site administrator into loading a forged request. The vulnerability stems from absent nonce validation on the rybb_api_settings page, confirmed by Wordfence with direct source code references to admin/rybb_api_settings.php and includes/functions.php. No public exploit code or CISA KEV listing has been identified at time of analysis, and the limited integrity impact keeps real-world priority low.

WordPress CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-6452 MEDIUM This Month

Cross-Site Request Forgery in the Bigfishgames Syndicate WordPress plugin (all versions through 1.2) enables unauthenticated remote attackers to reset and overwrite plugin settings by forging admin-panel requests. The vulnerability resides in the bigfishgames_syndicate_submenu() function, which lacks proper WordPress nonce validation, meaning any crafted HTTP request bearing a valid admin session will be accepted as legitimate. Exploitation requires tricking an authenticated site administrator into triggering the forged request; no public exploit has been identified at time of analysis and this CVE is not listed in the CISA KEV catalog.

WordPress CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-46431 MEDIUM PATCH GHSA This Month

Cross-origin read access to Algernon's SSE auto-refresh event server (versions ≤ 1.17.6) allows any web page visited by a developer to silently subscribe to the live file-change stream via a browser-native EventSource. The root cause is a hardcoded wildcard `Access-Control-Allow-Origin: *` response header in the dedicated SSE port activated by the `-a` flag, with no origin inspection or allow-list logic present in the vendored recwatch handler. No public exploit identified at time of analysis per KEV absence, though a complete working proof-of-concept - including exploit HTML and curl verification transcript - is published in GHSA-hw27-4v2q-5qff.

Information Disclosure Cors Misconfiguration Microsoft Apple Canonical
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-46430 MEDIUM PATCH GHSA This Month

Algernon's auto-refresh SSE event server unintentionally exposes developer file-change streams to unauthenticated LAN peers on Linux and macOS due to a platform-dependent bind address default that was never intended to reach adjacent hosts. On non-Windows platforms, the SSE listener resolves to 0.0.0.0:5553 (all interfaces), while Windows correctly binds to 127.0.0.1:5553 - a silent asymmetry introduced in engine/flags.go that leaves developers on the most common Algernon platforms exposed whenever they work on shared networks. A publicly available proof-of-concept demonstrates that any host on the same subnet can enumerate project filenames and edit timing with a single unauthenticated curl command, with no developer interaction required; no public exploit identified at time of analysis rises to confirmed active exploitation (not in CISA KEV).

Microsoft Information Disclosure Apple
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-27424 MEDIUM This Month

Missing Authorization in the Image Photo Gallery Final Tiles Grid WordPress plugin (by WP Chill) allows low-privileged authenticated attackers to exploit incorrectly configured access control, resulting in unauthorized read access to restricted data. All plugin versions through 3.6.11 are affected per NVD and Patchstack. No public exploit identified at time of analysis, and the limited confidentiality impact (C:L) and authentication requirement (PR:L) constrain real-world blast radius, though the vulnerability remains a valid risk for multi-tenant or shared-access WordPress deployments.

Authentication Bypass Image Photo Gallery Final Tiles Grid
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-9110 MEDIUM PATCH This Month

UI spoofing in Google Chrome on Windows (prior to 148.0.7778.179) enables a remote attacker who has already achieved renderer process compromise to deceive end users through a crafted HTML page, exploiting CWE-451 (UI Misrepresentation of Critical Information). Affected users on Windows running any Chrome version below 148.0.7778.179 are exposed to potential phishing or credential-harvesting scenarios dressed up as legitimate browser UI. No public exploit code or CISA KEV listing exists at time of analysis, but the Chromium team assigned a Critical internal severity - a meaningful contrast with the NVD CVSS score of 4.2 - suggesting the spoofing potential carries downstream risk beyond what the base score reflects.

Microsoft Information Disclosure Google Suse Red Hat +1
NVD VulDB
CVSS 3.1
4.2
EPSS
0.1%
CVE-2023-7346 MEDIUM This Month

Ledger Bitcoin app versions 2.1.0 and 2.1.1 contain an address derivation vulnerability that allows attackers to cause incorrect Bitcoin addresses to be displayed by exploiting improper handling of. Rated medium severity (CVSS 4.1), this vulnerability is no authentication required. No vendor patch available.

Information Disclosure Ledger Bitcoin App
NVD
CVSS 4.0
4.1
EPSS
0.0%
CVE-2025-31973 MEDIUM This Month

HCL BigFix Service Management (SM) ships container deployments built on outdated or insecure base images, inheriting known vulnerabilities from those upstream layers rather than introducing a discrete code-level flaw. The CVSS vector (AV:L/PR:H/UI:R) constrains real-world risk significantly: exploitation requires local access, high privileges, and user interaction, making opportunistic remote attack unlikely. The actual exploitability and impact depend entirely on which specific vulnerabilities are present in the underlying base image versions in use. No public exploit code and no CISA KEV listing exist at the time of analysis.

Information Disclosure Bigfix Service Management
NVD VulDB
CVSS 3.1
4.0
EPSS
0.0%
Prev Page 3 of 3

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy