Skip to main content
CVE-2026-7312 CRITICAL PATCH Act Now

Credential disclosure in Progress Sitefinity 14.0.7700-15.4.8630 allows remote unauthenticated attackers to retrieve plaintext credentials used to connect to the Sitefinity Insight analytics service. The CVSS 10.0 score reflects network-reachable, no-auth, no-interaction exploitation with cross-scope impact, though exploitation is gated on the site having active Sitefinity Insight integration and a non-default configuration. No public exploit identified at time of analysis and the vendor (Progress) is the sole reporting source via a May 2026 advisory.

Information Disclosure Sitefinity
NVD VulDB
CVSS 3.1
10.0
EPSS
0.0%
CVE-2026-7198 CRITICAL PATCH Act Now

Unauthenticated access control bypass in Progress Sitefinity 15.4.8623 (fixed in 15.4.8630) enables remote attackers to reach restricted content via the product's web services, leading to full compromise of confidentiality, integrity, and availability. The CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) rating reflects trivial network-reachable exploitation, and Progress has issued a coordinated advisory covering this and four sibling CVEs; no public exploit identified at time of analysis.

Authentication Bypass Sitefinity
NVD VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-49448 CRITICAL PATCH Act Now

Authentication bypass in authentik identity provider (versions prior to 2025.12.6, 2026.2.4, and 2026.5.1) allows remote unauthenticated attackers to circumvent the Source stage by submitting an empty POST request. With a CVSS score of 9.8 and CWE-287 (Improper Authentication), this flaw effectively defeats a core identity verification control; no public exploit identified at time of analysis, though the trivial trigger condition makes weaponization straightforward once details are widely studied.

Authentication Bypass Authentik
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-38967 CRITICAL Act Now

HTTP response header injection in CrowCpp Crow through v1.3.1 allows remote attackers to inject arbitrary CR/LF sequences into response headers when application code passes unvalidated input to header-setting APIs. The flaw stems from the framework not stripping \r\n characters in header keys or values, enabling CRLF injection that can lead to response splitting, cache poisoning, or XSS depending on how the embedding application uses user input. No public exploit identified at time of analysis and EPSS is very low (0.02%), but the upstream fix in PR #1167 confirms the issue and provides a sanitization routine.

Code Injection
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-5076 CRITICAL Act Now

Account takeover in the ARMember Premium WordPress plugin through version 7.3.1 stems from the plugin storing a plaintext password reset key in the `arm_reset_password_key` user meta field alongside WordPress core's properly hashed token. When chained with the companion SQL injection issues CVE-2026-5073/5074, an unauthenticated attacker can extract the plaintext key and invoke the plugin's `armrp` reset action to set a new password for any user, including administrators. No public exploit identified at time of analysis, though the chain is described in detail by Wordfence and the CVSS 9.8 rating reflects unauthenticated remote compromise.

SQLi WordPress Authentication Bypass
NVD
CVSS 3.1
9.8
EPSS
0.0%
CVE-2025-53209 CRITICAL Act Now

Privilege escalation in Themeisle Masteriyo LMS PRO (WordPress plugin) up to and including version 2.20.0 allows remote unauthenticated attackers to gain elevated privileges through incorrect privilege assignment (CWE-266). The CVSS 9.8 score reflects network-reachable, no-authentication exploitation with high impact to confidentiality, integrity, and availability; no public exploit identified at time of analysis, but the Patchstack advisory confirms the flaw class and affected version range.

Privilege Escalation Masteriyo Lms Pro
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-8206 CRITICAL Act Now

Account takeover in the Kirki Freeform Page Builder WordPress plugin (versions 6.0.0 through 6.0.6) allows unauthenticated remote attackers to hijack any registered account, including administrators, by redirecting password reset links to attacker-controlled email addresses. The flaw stems from the plugin honoring an arbitrary email value supplied alongside a valid username in password reset requests, breaking the trust binding between account and recovery destination. No public exploit identified at time of analysis, but the trivial nature of the bug and Wordfence's published advisory make weaponization straightforward.

Privilege Escalation WordPress
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-32625 CRITICAL Act Now

{VAR} placeholders against the host process environment, so attacker-controlled MCP URLs cause the LibreChat backend to transmit CREDS_KEY, CREDS_IV, JWT_SECRET, and MONGO_URI to an attacker-controlled host. No public exploit identified at time of analysis, and the issue is fixed in 0.8.4-rc1.

Information Disclosure Librechat
NVD GitHub VulDB
CVSS 3.1
9.6
EPSS
0.0%
CVE-2026-34906 CRITICAL Act Now

Remote code execution in Wirtualna Uczelnia (versions up to wu#2016.437.295#0#20260327_105545) allows unauthenticated network attackers to execute arbitrary commands via Server-Side Template Injection in the redirectToUrl endpoint's redirectUrlParameter. The CVSS 4.0 base score of 9.3 reflects no authentication, no user interaction, and high impact across confidentiality, integrity, and availability; no public exploit identified at time of analysis, and the issue is not listed in CISA KEV. Disclosure originated from CERT-PL, indicating a vetted advisory channel for this Polish academic management product.

Ssti RCE
NVD
CVSS 4.0
9.3
EPSS
0.3%
CVE-2026-47117 CRITICAL PATCH GHSA Act Now

Remote code execution in OpenMed before 1.5.2 allows unauthenticated attackers to execute arbitrary Python code on the OpenMed service by abusing broad substring matching in the PII privacy-filter model dispatcher to load attacker-controlled Hugging Face repositories with trust_remote_code=True. The flaw, reported by VulnCheck and tracked as CWE-94 (Code Injection), carries a CVSS 4.0 score of 9.3 and a vendor-released patch is available; no public exploit identified at time of analysis.

RCE Code Injection Openmed
NVD GitHub
CVSS 4.0
9.3
EPSS
0.2%
CVE-2026-42849 CRITICAL PATCH Act Now

Cross-site scripting in authentik identity provider versions prior to 2025.12.5 and 2026.2.3 allows remote attackers to execute arbitrary JavaScript in a victim's browser by abusing the AutosubmitStage within the Simple Flow Executor (SFE). With a CVSS of 9.3 reflecting scope change and high impact to confidentiality/integrity, exploitation enables session hijacking against an identity provider, but no public exploit identified at time of analysis.

XSS Authentik
NVD GitHub
CVSS 3.1
9.3
EPSS
0.0%
CVE-2026-42684 CRITICAL Act Now

Blind SQL injection in the WP Job Portal WordPress plugin (versions up to and including 2.5.1) allows remote unauthenticated attackers to manipulate backend database queries by sending crafted input to vulnerable parameters. The flaw carries a CVSS 9.3 rating due to network-reachable, no-privileges, no-user-interaction exploitation with scope change, and no public exploit code has been identified at time of analysis. The vulnerability was reported through Patchstack's WordPress security program, with no CISA KEV listing.

SQLi Wp Job Portal
NVD VulDB
CVSS 3.1
9.3
EPSS
0.0%
CVE-2026-0611 CRITICAL PATCH Act Now

Unauthenticated remote code execution in Spacelabs Healthcare Sentinel (versions 10.5.x and 11.x prior to 11.6.0) allows network attackers to drop ASPX webshells into the IIS wwwroot via a legacy .NET Remoting HTTP channel on TCP/8989. The flaw stems from missing authentication (CWE-306) on a deprecated Microsoft remoting endpoint, and while a vendor patch is available, no public exploit identified at time of analysis. Exploitation requires that port 8989 has been deliberately exposed to the network, since it is not reachable in default Sentinel deployments.

RCE Authentication Bypass Sentinel
NVD
CVSS 4.0
9.2
EPSS
0.2%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy