Stored Cross-Site Scripting in the WP Nano AD WordPress plugin (all versions through 1.31) allows authenticated administrators to inject persistent malicious scripts via the 'blogrole_link' parameter in add_links.php, with execution occurring in any victim's browser upon visiting the compromised page. Exploitation is restricted to WordPress multi-site networks or single-site installations where the unfiltered_html capability has been explicitly disabled - notably a configuration common in security-hardened deployments. No public exploit identified at time of analysis, though a public security writeup by BFS-Lab has been published on GitHub, increasing the likelihood of weaponized attempts against qualifying environments.
Cross-site scripting in React Router's Framework Mode (versions 7.5.1-7.13.1) allows an authenticated attacker with influence over redirect destinations to inject malicious content into statically pre-rendered HTML files via an unsanitized HTTP Location header. Exploitation requires both low-privilege authentication (confirmed by CVSS PR:L) and victim user interaction (UI:R), limiting mass exploitation. No public exploit has been identified at time of analysis, and CISA KEV status is not confirmed. A vendor-released patch exists in version 7.13.2.
OAuth login CSRF in NamelessMC 2.2.4 and prior enables session swapping by exploiting the absence of server-side state parameter validation during OAuth callback handling. An unauthenticated attacker (PR:N) who controls their own OAuth-linked account can capture a valid callback URL and socially engineer a victim (UI:R) into navigating to it, causing the victim's browser session to become authenticated as the attacker's account - effectively hijacking the victim's logged-in state. No public exploit has been identified and this is not listed in the CISA KEV catalog, but the patch to version 2.2.5 is confirmed via GitHub Security Advisory GHSA-pmpw-2xvh-5xj6.
Missing authorization controls in the Elementor Website Builder WordPress plugin through version 4.1.0 allow low-privilege authenticated users to exploit incorrectly configured access control levels, resulting in limited unauthorized read and write access to restricted plugin functionality. The flaw (CWE-862) means the plugin fails to validate whether the authenticated requestor holds sufficient WordPress capabilities before granting access to protected operations. No public exploit code has been identified and no CISA KEV listing exists at time of analysis, though the low attack complexity makes this straightforward to exploit once a valid account is obtained.
Broken access control in the Crew HRM WordPress plugin (versions through 1.2.2) permits authenticated low-privileged users to invoke plugin functionality beyond their intended authorization level, resulting in limited unauthorized data modification and availability impact. The flaw, rooted in CWE-862 Missing Authorization, means the plugin fails to validate whether the requesting user holds the required WordPress capability before executing sensitive operations. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
Improper access control in Devolutions Server 2026.1.19 and earlier allows an authenticated low-privilege user to delete PAM network discovery scan configurations that should be restricted to administrators. The CVSS vector (AV:N/AC:L/PR:L/UI:N) confirms exploitation requires only a valid low-privilege account over the network with no user interaction. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog at time of analysis.
Stored cross-site scripting in the Tiled Gallery Carousel Without JetPack WordPress plugin (versions up to and including 3.1) allows authenticated attackers with contributor-level access to inject persistent malicious JavaScript via the 'data-image-title' parameter. The injected script executes in victims' browsers each time an affected gallery page is visited, enabling session theft, credential harvesting, or malicious redirects against site visitors and administrators. No public exploit or CISA KEV listing has been identified at time of analysis, though the low privilege barrier (contributor access) broadens the potential attacker pool on sites with open registration.
LDAP filter injection in Yandex Database (all versions prior to 25.3.1.25) enables a network-accessible attacker holding valid LDAP credentials to manipulate the group membership validation queries sent to the directory service, bypassing access controls and gaining unauthorized database access beyond their permitted scope. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N) and the Automatable:Yes (AU:Y) attribute confirm this is a low-complexity, scriptable attack requiring no user interaction, increasing risk in environments with large LDAP user populations. No public exploit code has been identified and the vulnerability is not listed in CISA KEV at time of analysis; a vendor-released patch is available at version 25.3.1.25.
Stored cross-site scripting in OpenCTI's email-message observable rendering allows an unauthenticated attacker to inject malicious script payloads via STIX data sharing or platform ingesters, which then execute in the browsers of authenticated users who view the affected observable. Versions prior to 7.260227.0 are affected; the body field of email-message observables is passed to the renderer without sanitization. Successful exploitation can chain into CSRF attacks and large-scale session token theft across the user base. No public exploit or CISA KEV listing exists at time of analysis; vendor-released patch is available.
Missing authorization in NamelessMC 2.2.4 allows authenticated low-privileged users to add reactions to wall posts on private profiles or profiles that have blocked them, bypassing expected privacy and blocking controls. The flaw exists in `core/classes/Misc/ProfilePostReactionContext.php`, which validates only that the target post exists but performs no check against the profile's visibility settings or block relationships. No public exploit identified at time of analysis, and the vendor has released a patch in version 2.2.5.
Error message injection in Go's net/textproto standard library package allows unauthenticated remote attackers to embed attacker-controlled content into error strings that applications subsequently print or log. Affected Go releases span all net/textproto versions prior to 1.25.11 and 1.26.4, covering a broad surface area of Go-based HTTP, MIME, and mail-handling applications. No public exploit code exists and exploitation probability is extremely low (EPSS 0.02%, 5th percentile), but the integrity risk is real in deployments where net/textproto errors are surfaced to logs, monitoring systems, or user-facing output without sanitization.
Authentication bypass in CloudburstMC Protocol, the Minecraft Bedrock Edition protocol library, allows remote unauthenticated attackers to partially bypass token validation by exploiting incomplete checks in EncryptionUtils for FULL type authentication tokens. All versions prior to 3.0.0.Beta12-20260420.182526-15 are affected, impacting any publicly accessible software - such as Bedrock-compatible game servers - that depends on this library's auth payload validation logic. The CVSS vector (AV:N/AC:L/PR:N/UI:N/I:L) confirms low-complexity remote exploitation with limited integrity impact; no public exploit code or CISA KEV listing has been identified at time of analysis.
Transmission BitTorrent client through version 4.1.1 fails to emit anti-clickjacking HTTP response headers on its browser-facing WebUI and RPC endpoint, enabling an attacker to embed the interface in a cross-origin iframe and redirect authenticated user interactions to unintended RPC actions. The fix confirmed in upstream PR #8747 adds both X-Frame-Options: SAMEORIGIN and Content-Security-Policy: frame-ancestors 'self' to all relevant responses. No public exploit has been identified at time of analysis, and the EPSS score of 0.02% (4th percentile) indicates low current exploitation interest.
Dräger Infinity Delta, Delta XL, and Kappa patient monitors contain an information disclosure vulnerability that allows unauthenticated network attackers to access log files over a network. Rated medium severity (CVSS 5.3), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Authorization bypass in NamelessMC 2.2.4's profile wall system allows low-privileged authenticated users to post to private or blocking profiles, and to inject replies into wall posts belonging to arbitrary profiles they would otherwise be restricted from accessing. The profile.php module processes wall post submissions before performing the visibility and block-list authorization checks, meaning the write completes before any rejection occurs. A second independent flaw in the reply branch skips verification that the target wall post belongs to the profile being accessed, enabling cross-profile reply injection via a restricted profile URL. No public exploit code has been identified and this is not listed in CISA KEV, but a patch is available in version 2.2.5.
NamelessMC 2.2.4's forum module exposes a broken object-level authorization flaw that allows authenticated users to read and modify reactions on topics they are explicitly forbidden from viewing. The vulnerability exists in `modules/Forum/classes/ForumPostReactionContext.php`, which enforces only forum-level access (`can view the forum`) but omits the topic-level `view_other_topics` permission check - meaning the access control boundary is incomplete by design. Attackers with a low-privilege forum account in a restricted forum can bypass the `view_other_topics` restriction to interact with other users' topic reactions. No public exploit code exists and this CVE is not listed in the CISA KEV catalog at time of analysis.
Improper access control in Devolutions Server 2026.1.19 and earlier allows an authenticated user holding entry edit privileges to modify asset information beyond their authorized scope, bypassing the permission validation layer. The flaw resides in the permission validation component and enables privilege overreach within the platform's access control model - an authenticated low-privilege user can alter data they should have no write access to. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Unauthenticated broken access control in the Constructor WordPress theme (versions through 1.6.5) exposes restricted functionality to any remote visitor without authentication. The missing authorization check (CWE-862) allows network-accessible exploitation with no user interaction required, resulting in unauthorized read access to data or functionality that should be ACL-protected. No public exploit code or CISA KEV listing has been identified at time of analysis, but the CVSS vector confirms trivially low exploitation complexity.
Reflected XSS in Wirtualna Uczelnia (Simple SA) allows unauthenticated remote attackers to execute arbitrary JavaScript in victims' browsers by embedding payloads in the locale parameter across multiple application endpoints. All versions up to wu#2016.437.295#0#20260327_105545 are affected; the flaw was disclosed by CERT-PL and catalogued under ENISA EUVD-2026-33903. No public exploit or CISA KEV listing is confirmed at time of analysis, but the zero-privilege, low-complexity attack vector makes social-engineering-driven exploitation straightforward for any attacker who can induce a victim to click a crafted URL.
Symlink following in Gleam's Hex package export pipeline silently embeds arbitrary local files into published package artifacts, enabling credential exfiltration via supply chain. Affected versions span 0.10.0-rc1 through the 1.16.x line, with the fix landing in 1.17.0. An authenticated attacker with write access to a Gleam repository can plant a symlink in a tracked publishable directory (src/, priv/), causing a maintainer's sensitive local files - SSH keys, API tokens, CI secrets - to be bundled into the publicly distributed Hex tarball without any warning. No public exploit identified and no CISA KEV listing at time of analysis, but the attack is trivially repeatable using standard shell tooling.
Arbitrary file read via path traversal in alf.io's extension sandbox allows a high-privileged user to silently exfiltrate any file accessible to the JVM process to an attacker-controlled server. All versions prior to 2.0-M5-2606 automatically inject an unrestricted `simpleHttpClient` into every extension script scope, where `postFileAndSaveResponse()` constructs a raw `FileInputStream` from a caller-supplied path with no validation, directory restriction, or allowlist. No public exploit identified at time of analysis; the PR:H CVSS prerequisite (extension management rights) meaningfully constrains the attack surface but does not eliminate risk, particularly in multi-tenant or insider-threat scenarios.
Out-of-bounds write in Seagate's openSeaChest v26.03.0 allows a high-privileged local user to write 16 bytes beyond the allocated memory buffer during a Trim/Unmap (SCSI UNMAP / ATA DSM) storage operation. The flaw is confined to the LBA range descriptor construction logic and produces limited observable impact - low confidentiality exposure to the local system and a secondary system, with no integrity or availability consequences per the CVSS 4.0 vector. No public exploit identified at time of analysis, and CISA KEV does not list this vulnerability; Seagate self-disclosed the issue, suggesting responsible internal discovery.
Path traversal in Gleam's documentation build tooling allows arbitrary file read and write on a developer's workstation when gleam docs build is run against a malicious project. The documentation.pages[].source and documentation.pages[].path fields in gleam.toml accept unsanitized filesystem paths, enabling an attacker who controls gleam.toml content to exfiltrate local files (embedded into generated docs artifacts) or write generated files to arbitrary locations outside build/dev/docs/. Affected versions span only Gleam 1.16.x; no public exploit identified at time of analysis and no KEV listing, but the attack surface is any developer who clones and builds documentation for an untrusted Gleam project.
Stored Cross-Site Scripting in the Word Replacer WordPress plugin (versions up to and including 0.4) allows authenticated attackers with Administrator-level access to persist arbitrary JavaScript payloads via the 'replacement' parameter, which subsequently execute in the browsers of any user visiting an affected page. Reported by Wordfence, the root cause is insufficient input sanitization and output escaping in word-replacer.php at multiple code locations (lines 191, 230, 339, 343). No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Stored Cross-Site Scripting in the Simple Custom Login Page WordPress plugin (versions ≤ 1.0.3) allows authenticated administrators to inject arbitrary CSS rules into wp-login.php, which is then rendered for every unauthenticated visitor to the login page. The changed scope (S:C in CVSS) is the critical risk amplifier: a single administrator-level compromise or malicious admin can silently overlay phishing UI elements on the WordPress login page, harvesting credentials from any user who subsequently visits. No public exploit code has been identified at time of analysis and this vulnerability is not listed in the CISA KEV catalog.
JIT miscompilation in Firefox's JavaScript engine exposes users to a denial-of-service condition when visiting attacker-controlled web content. The vulnerability stems from a type confusion flaw (CWE-843) in the JIT compiler component, where incorrect type assumptions during optimization can corrupt memory state and crash the browser. No active exploitation has been confirmed (no CISA KEV listing), EPSS stands at 0.02% (5th percentile), and vendor-released patch Firefox 151.0.3 is available per Mozilla advisory mfsa2026-54.
Improper authorization in Apache Kafka 4.0.0-4.3.0 arises from a discrepancy between the documented ACL requirement and the actual runtime behavior of the CONSUMER_GROUP_DESCRIBE (API key 69) endpoint. The API checks for DESCRIBE permission on the GROUP resource at runtime, while official Kafka documentation and KIP-848 specify READ as the required operation - causing administrators who followed the documentation to configure ACLs that either over-grant READ access to users who should only observe group metadata, or under-restrict DESCRIBE-only users who can nonetheless access sensitive consumer group state. No public exploit has been identified at time of analysis, and EPSS exploitation probability is 0.02% (4th percentile), indicating negligible opportunistic exploitation risk.
Reflected XSS in NamelessMC 2.2.4 allows unauthenticated remote attackers to inject and execute arbitrary JavaScript in a victim's browser via the unsanitized `id` parameter at the `/index.php?route=/queries/user/` endpoint. Exploitation requires victim interaction (UI:R per CVSS), making this a social-engineering-dependent attack suited to targeted phishing against Minecraft server administrators or users. No public exploit code has been identified and the vulnerability is not listed in CISA KEV; version 2.2.5 fully resolves the issue.
Missing authorization in the ThimPress Thim Core WordPress plugin (all versions through 2.3.3) allows authenticated low-privileged users to perform actions exceeding their intended permission level due to improperly enforced access control checks. The flaw, classified as CWE-862 (Missing Authorization), results in unauthorized integrity-impacting operations without requiring administrative credentials, as confirmed by the CVSS vector (PR:L/I:L). No public exploit code exists and no active exploitation has been confirmed at time of analysis.
Cross-Site Request Forgery in the Laiser Tag WordPress plugin (versions up to and including 1.2.5) allows unauthenticated remote attackers to overwrite critical plugin settings - including API keys, tag blacklists, relevance thresholds, batch sizes, and tagging toggles - by tricking a logged-in site administrator into clicking a crafted link. The root cause is missing or incorrect nonce validation on the addOptionsPageFields function, as identified by Wordfence and corroborated by source references pointing to Tagging.php and adminOptionPage.php in the plugin's trunk. No public exploit code or CISA KEV listing has been identified at time of analysis, keeping real-world exploitation opportunity relatively constrained by the required administrator interaction.
Cross-Site Request Forgery in the Remove Meta Boxes Per User Role WordPress plugin (all versions ≤1.01) enables unauthenticated remote attackers to modify or reset per-role admin dashboard meta box visibility settings by tricking an authenticated site administrator into clicking a crafted link. The vulnerability stems from absent or incorrect nonce validation on the plugin's settings page, which is the standard WordPress anti-CSRF mechanism. No public exploit has been identified and the issue is not listed in CISA KEV; real-world impact is limited to low-integrity administrative configuration tampering.
Cross-Site Request Forgery in the Remove NoFollow Commenter URL WordPress plugin (all versions ≤ 1.0) allows unauthenticated remote attackers to modify the plugin's comment-display settings by tricking a logged-in site administrator into clicking a crafted link. The vulnerability stems from absent or incorrect nonce validation in the `gmz_comment_settings_save` function, meaning the plugin accepts state-changing POST requests without verifying they originated from a legitimate admin session. No public exploit code or CISA KEV listing has been identified at time of analysis, and the CVSS score of 4.3 (Medium) reflects the required user interaction as a meaningful limiting factor.
Cross-Site Request Forgery in the Tectite Forms WordPress plugin (all versions through 1.3) allows unauthenticated remote attackers to modify plugin settings by inducing an authenticated administrator to click a crafted link. The vulnerable surface is the admin_init function, which lacks proper nonce validation (CWE-352), permitting forged requests to alter options such as tectite_forms_button. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
Cross-site request forgery in the Google Plus One Bottom WordPress plugin (all versions ≤ 0.0.2) enables unauthenticated remote attackers to overwrite plugin settings stored in the WordPress database by tricking an authenticated administrator into clicking a crafted link. The root cause is missing nonce validation in the googlePlusOneAdmin function, exposing the plusone-lang, plusone-callback, and plusone-url options to unauthorized modification. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, though the social-engineering dependency is the primary limiting factor rather than any technical barrier.
Cross-Site Request Forgery in the BirdSeed WordPress plugin (all versions up to and including 2.2.0) enables unauthenticated remote attackers to overwrite the plugin's API token by tricking an authenticated site administrator into clicking a crafted link. The vulnerability stems from birdseed_plugin_settings_page() accepting the birdseed_token GET parameter and persisting it via update_option() with no nonce verification, bypassing WordPress's standard CSRF protection entirely. No public exploit has been identified at time of analysis; CVSS rates this Medium (4.3) reflecting narrow integrity impact limited to token replacement.
Missing authorization controls in the JTL-Connector for WooCommerce WordPress plugin (all versions through 2.4.1) allow authenticated attackers holding only Subscriber-level access to invoke three unprotected server-side actions: modifying arbitrary plugin settings, downloading a ZIP archive of developer log files, and deleting those logs. The root cause is the complete absence of WordPress capability checks and nonce verification on the admin_post_settings_save_woo-jtl-connector handler and the wp_ajax_downloadJTLLogs and wp_ajax_clearJTLLogs AJAX handlers. No public exploit has been identified at time of analysis, and no patched version is confirmed in the available data.
Slider Revolution, a widely deployed WordPress visual slider plugin, exposes an unauthorized plugin-deactivation capability to any authenticated user holding a Contributor-level role or above, across two major release branches. The root cause is a missing authorization check (CWE-862) that fails to verify whether the requesting user holds the WordPress capability required to manage installed plugins. Although the CVSS score of 4.3 reflects the authentication prerequisite, real-world impact in multi-user or open-registration WordPress environments can significantly exceed the score: a malicious contributor could selectively deactivate security plugins - firewalls, login hardeners, or audit loggers - clearing the path for follow-on attacks. No active exploitation has been confirmed (no CISA KEV listing) and no public POC has been identified at time of analysis.
Slider Revolution WordPress plugin versions 7.0.0 through 7.0.14 exposes raw social media API credentials - including Instagram OAuth tokens, Flickr API keys, YouTube Data API keys, and Facebook App IDs - to any authenticated user holding Contributor-level access or higher. The flaw stems from insufficient authorization controls on the 'slider.get.full' AJAX action, which returns full slider configuration data without verifying whether the requesting user should have access to sensitive credential fields. No public exploit has been identified at time of analysis and this CVE is not listed in the CISA KEV catalog, but the real-world impact of credential theft for active social media integrations exceeds what the medium CVSS score alone suggests.