Skip to main content
CVE-2026-4070 MEDIUM This Month

Cross-Site Request Forgery in the Alfie - Feed Plugin for WordPress (all versions ≤ 1.2.1) allows unauthenticated remote attackers to delete arbitrary plugin feed data by tricking a logged-in site administrator into clicking a crafted link. The missing nonce validation on the alfie_manage() function means any forged GET request containing the 'delete' parameter will be processed without verifying its origin, permanently removing records from the plugin's four database tables. No public exploit code has been identified and the vulnerability is not listed in CISA KEV, but the low attack complexity and purely social-engineering prerequisite make it a credible threat against active WordPress sites using this plugin.

WordPress CSRF
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-2518 MEDIUM This Month

Missing authorization controls in the FastX WordPress theme allow authenticated Subscriber-level users to install and activate the PostX plugin without administrative approval. The vulnerability exists in two AJAX callback functions - 'ultp_install_callback' and 'ultp_activate_callback' - which fail to verify whether the requesting user holds sufficient capabilities before executing privileged plugin management operations. All versions up to and including 1.0.2 are affected per WPXPO's theme codebase on themes.trac.wordpress.org. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

WordPress Authentication Bypass
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-7249 MEDIUM This Month

Unauthorized modification of weather display settings in the Location Weather WordPress plugin (versions ≤3.0.2) is achievable by any authenticated user with Contributor-level access or above, due to missing capability checks on the administrative functions `splw_update_block_options()` and `lwp_clean_weather_transients()`. Affected sites expose the protective nonce to all authenticated sessions via `wp_localize_script()` on the `init` hook, neutralizing what would otherwise be a secondary CSRF defense and making exploitation straightforward for any logged-in user. No public exploit has been identified and the vulnerability is not listed in the CISA KEV catalog; real-world impact is limited to disruption of weather widget display and cache integrity rather than data theft or code execution.

WordPress Authentication Bypass
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-32745 MEDIUM PATCH This Month

Improper certificate validation in Dell PowerFlex Manager version 4.6.2 and earlier allows an unauthenticated attacker on an adjacent network to intercept and tamper with protected communications. The flaw (CWE-295) means the product fails to adequately verify peer certificates during TLS/SSL exchanges, enabling a man-in-the-middle position to read or modify in-transit management data. No active exploitation is confirmed (not listed in CISA KEV), and no public exploit code has been identified at time of analysis.

Dell Information Disclosure Powerflex Manager Appliance Powerflex Manager Rack Powerflex Manager
NVD
CVSS 3.1
4.2
EPSS
0.0%
CVE-2026-47165 MEDIUM PATCH GHSA This Month

Information disclosure in Magick.NET's distributed pixel cache server exposes sensitive pixel data due to the absence of a challenge-response authentication model on the cache service. All Magick.NET NuGet packages (Q16, Q16-HDRI, and OpenMP variants across AnyCPU, x64, x86, arm64 architectures) prior to version 14.12.0 are affected. A highly privileged local attacker meeting the high-complexity conditions of this vulnerability could read pixel cache contents belonging to other processes, leaking potentially sensitive image data. No public exploit code and no CISA KEV listing have been identified at time of analysis.

Information Disclosure Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
4.1
EPSS
0.0%
CVE-2026-46692 MEDIUM PATCH GHSA This Month

Heap buffer over-write in ImageMagick's distributed pixel cache server (`magick -distribute-cache`) allows an attacker who can connect to the service to corrupt the server process's heap memory, resulting in a high-severity denial-of-service condition. All Magick.NET NuGet package variants (Q16, HDRI, OpenMP, across arm64/x64/x86/AnyCPU architectures) prior to version 14.12.0 are confirmed affected. No public exploit has been identified at time of analysis and the vulnerability does not appear in CISA KEV; however, a notable discrepancy exists between the CVSS attack vector (AV:L, local) and the description's implication of service-level connectivity, which warrants independent verification before fully trusting the low CVSS score.

Buffer Overflow Heap Overflow Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
4.1
EPSS
0.0%
CVE-2026-46693 MEDIUM PATCH GHSA This Month

File descriptor hijacking in ImageMagick's distributed pixel cache server (magick -distribute-cache) exposes sensitive data via a race condition exploitable by a privileged local attacker. Affected are all Magick.NET NuGet packages across Q16, Q16-HDRI, OpenMP, and ARM64 variants prior to version 14.12.0. Successful exploitation yields high-confidentiality impact - an attacker can read file descriptors belonging to the server process - though no public exploit code exists and this is not currently listed in the CISA KEV catalog.

Information Disclosure Race Condition Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
4.1
EPSS
0.0%
CVE-2025-32746 MEDIUM PATCH This Month

Insecure storage of sensitive information in Dell PowerFlex Manager versions up to and including 4.6.2 exposes credentials, keys, or configuration secrets to any attacker with local OS-level access to the appliance - no PowerFlex Manager authentication required. The CVSS vector (AV:L/AC:L/PR:N/UI:N) confirms the attacker needs only local system access, not application credentials, to retrieve the improperly protected data. No public exploit identified at time of analysis and no CISA KEV listing; however, the 'Authentication Bypass' tag in the intelligence data suggests the exposed sensitive material may itself enable downstream privilege escalation or authentication bypass against PowerFlex or its managed infrastructure.

Dell Authentication Bypass Powerflex Manager Appliance Powerflex Manager Rack Powerflex Manager
NVD
CVSS 3.1
4.0
EPSS
0.0%
CVE-2026-46715 MEDIUM PATCH GHSA This Month

Session freshness bypass in Flask-Security-Too 5.8.0 allows an attacker who controls a stale authenticated victim session to satisfy the victim session's reauthentication requirement using their own OAuth identity, not the victim's. The flaw in `oauth_glue.py` causes `oauth_verify_response()` to update `session["fs_paa"]` (the freshness timestamp) without verifying that the OAuth-resolved user matches the currently authenticated session user. Exploitation was confirmed via a detailed proof-of-concept that successfully changed a victim user's username through the built-in `/change-username` route after bypassing the freshness gate. Publicly available exploit code exists; no CISA KEV listing at time of analysis.

Python CSRF Authentication Bypass Suse
NVD GitHub
EPSS
0.0%
CVE-2026-8997 MEDIUM PATCH This Week

vifm is vulnerable to a heap buffer overflow during the history merge process when saving the state file (vifminfo.json). This flaw occurs because the application lacks a runtime check on the length of history entries in release builds, potentially allowing a crafted long path or command in the history to cause memory corruption or application crashes. Releases from 0.12.1 to 0.14.3 (including) are considered vulnerable. This issue was fixed in commit 23063c7

Buffer Overflow Heap Overflow Vifm Suse
NVD GitHub VulDB
CVSS 4.0
4.8
EPSS
0.0%
Prev Page 2 of 2

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy