Skip to main content
CVE-2026-49143 HIGH POC GHSA Monitor

Remote code execution in BrowserStack Runner through version 0.9.5 allows network-adjacent unauthenticated attackers to execute arbitrary code on the host system by sending crafted JSON to the /_log HTTP handler. The flaw stems from unsafe use of vm.runInNewContext() combined with eval(), and a known sandbox-escape technique via util.format and this.constructor.constructor enables full host compromise. No public exploit identified at time of analysis, but the technique is well-documented and the CVSS 8.8 score reflects high impact across confidentiality, integrity, and availability.

RCE Code Injection Node.js Browserstack Runner
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.2%
CVE-2026-42211 HIGH POC PATCH GHSA This Week

Remote code execution in React Router 7.0.0 through 7.14.1 affects applications running in Framework Mode by chaining an application-level prototype pollution flaw with router internals to achieve unauthenticated RCE on the server. Applications using Declarative Mode (BrowserRouter) or Data Mode (createBrowserRouter/RouterProvider) are unaffected. No public exploit identified at time of analysis; CVSS 8.1 reflects high impact tempered by high attack complexity due to the prerequisite prototype pollution gadget.

RCE Deserialization React Router
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-8293 HIGH POC PATCH This Week

Two-factor authentication bypass in the Really Simple Security WordPress plugin before 9.5.10.1 allows attackers who already possess a valid username and password to hijack a fully authenticated WordPress session without completing the email OTP challenge. Two REST endpoints in the plugin's 2FA flow fail to enforce the second-factor challenge, effectively neutralizing the MFA protection the plugin is marketed to provide. Publicly available exploit code exists (WPScan), and a vendor patch has been released.

WordPress Authentication Bypass
NVD WPScan
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-5073 HIGH POC This Week

Unauthenticated SQL injection in the ARMember Premium WordPress plugin (versions up to and including 7.3.1) allows remote attackers to extract sensitive database contents by injecting crafted values into the 'order' and 'orderby' parameters of the arm_directory_paging_action AJAX endpoint. With CVSS 7.5 reflecting confidentiality-only impact and no public exploit identified at time of analysis, the bug is reachable without credentials but EPSS data was not provided to estimate exploitation likelihood.

SQLi WordPress
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-42342 HIGH POC PATCH GHSA This Week

Denial of service in React Router 7.0.0-7.14.x and @remix-run/server-runtime 2.10.0-2.17.4 allows remote unauthenticated attackers to exhaust server resources by sending crafted requests to the __manifest endpoint, which triggers unbounded path expansion. Only applications running in React Router Framework Mode or Remix are affected; Declarative Mode (<BrowserRouter>) and Data Mode (createBrowserRouter) deployments are not. No public exploit identified at time of analysis, and the issue is patched in react-router 7.15.0 and @remix-run/server-runtime 2.17.5.

Denial Of Service React Router Remix Run Server Runtime Red Hat
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-34077 HIGH POC PATCH GHSA This Week

Client-side Cross-Site Scripting in React Router 7.7.0 through 7.13.1 affects applications using the unstable React Server Components (RSC) APIs, where redirect handling fails to sanitize destinations originating from untrusted sources. An attacker who can influence redirect targets consumed by RSC handlers may inject script payloads that execute in the victim's browser, with no public exploit identified at time of analysis. The advisory is published as GHSA-rxv8-25v2-qmq8 and the issue is fixed in 7.13.2.

XSS Denial Of Service React Router Turbo Stream Red Hat
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-49144 HIGH POC GHSA Monitor

Arbitrary file disclosure in BrowserStack Runner versions through 0.9.5 allows unauthenticated network-adjacent attackers to read sensitive files outside the project root by abusing a path traversal flaw in the default HTTP handler of lib/server.js. Because the embedded test server binds on all interfaces by default, any attacker on the same network segment (Wi-Fi, VLAN, or shared LAN) can retrieve source code, credentials, or environment files. No public exploit identified at time of analysis, but a GitHub Security Advisory (GHSA-8rpw-6cqh-2v9h) has been published.

Path Traversal Browserstack Runner
NVD GitHub
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-1829 HIGH This Week

Remote code execution in the Content Visibility for Divi Builder WordPress plugin (versions ≤ 4.02) allows authenticated attackers with Contributor-level access or higher to execute arbitrary PHP on the server by abusing the 'cvdb_content_visibility_check' parameter of the 'et_pb_text' shortcode. The flaw is a CWE-94 code injection issue disclosed by Wordfence and carries a CVSS 3.1 score of 8.8. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.

RCE WordPress Code Injection
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-30650 HIGH This Week

Remote code execution in Vivotek FD8136 IP cameras running firmware FD8136-VVTK-0300a allows authenticated attackers to gain root-level command execution by triggering a buffer overflow in the /cgi-bin/admin/eventtask.cgi admin endpoint. Publicly available exploit code exists in a GitHub research repository, though EPSS scoring (0.09%, 25th percentile) suggests low observed exploitation activity and the CVE is not listed in CISA KEV.

Buffer Overflow RCE N A
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-7195 HIGH PATCH This Week

Account compromise in Progress Sitefinity CMS (14.1.x-15.4.x prior to the May 2026 fix train) allows a remote unauthenticated attacker to violate the integrity and confidentiality of user accounts when an administrator runs a non-default site configuration and a victim is induced to interact with attacker-controlled content. The flaw is rooted in improper input validation (CWE-20) in Sitefinity's web services and carries a high CVSS of 8.8, but no public exploit has been identified at time of analysis and it is not listed in CISA KEV.

Information Disclosure Sitefinity
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-30652 HIGH This Week

Authenticated remote code execution in Vivotek FD8136 IP cameras running firmware FD8136-VVTK-0300a allows attackers with valid admin-interface credentials to overflow a buffer in the /cgi-bin/dido/setdo.cgi endpoint and execute arbitrary code as root. No public exploit identified at time of analysis, though a vulnerability research repository on GitHub describes the issue, and EPSS estimates exploitation probability at 0.05% (17th percentile), suggesting low broad-scale exploitation interest despite the high CVSS 8.8 score.

Buffer Overflow RCE N A
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2022-4992 HIGH This Week

Dräger Infinity Acute Care System and Standalone Infinity M540 patient monitors versions VG4.1.1, VG4.0.3, and lower (with VG4.2 partially affected) contain a network message handling vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection Infinity Acute Care System Standalone Infinity M540 Patient Monitor
NVD
CVSS 4.0
8.8
EPSS
0.0%
CVE-2026-7201 HIGH PATCH This Week

Authenticated account takeover in Progress Sitefinity 15.2.x, 15.3.x, and 15.4.x allows a low-privileged remote user to modify account properties belonging to other users - including potentially higher-privileged accounts - by manipulating user-controlled identifiers in web service requests. The flaw is an IDOR-style authorization bypass (CWE-639) and, while no public exploit has been identified at time of analysis, the 8.8 CVSS rating reflects realistic escalation to account compromise once a foothold exists. No vendor-released patch data, KEV listing, or EPSS score was supplied with this advisory.

Authentication Bypass Sitefinity
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-49443 HIGH PATCH This Week

Authentication bypass in authentik identity provider versions prior to 2025.12.6, 2026.2.4, and 2026.5.1 allows a low-privileged attacker who can modify a source connection and holds an account in one of the configured external sources to log into any account on the system. The flaw (CWE-287) carries a CVSS 8.8 rating with high impact across confidentiality, integrity, and availability. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Authentication Bypass Authentik
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2019-25719 HIGH This Week

Dräger Infinity Acute Care System and Standalone Infinity M540 patient monitors running software versions VG4.1.1, VG4.0.3, and lower contain network message handling vulnerabilities that allow. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure
NVD
CVSS 4.0
8.8
EPSS
0.0%
CVE-2026-1784 HIGH This Week

HAProxy configuration injection in Red Hat OpenShift Container Platform 4 allows a low-privileged tenant with permission to create or modify Route resources to inject controlled directives into the cluster ingress configuration via the spec.path field. No public exploit identified at time of analysis, but the CVSS 8.8 score with scope change (S:C) reflects the ability to break out of the tenant boundary and impact the shared HAProxy router serving the entire cluster.

Code Injection Red Hat Openshift Container Platform 4
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-9844 HIGH This Week

Default credential exposure in Roche Diagnostics navify Digital Pathology (versions 2.0.0 through 2.4.0) lets remote unauthenticated attackers log into the embedded RabbitMQ Management interface using factory-shipped usernames and passwords. CVSS 4.0 rates the issue 8.8 with network attack vector and no privileges required, and no public exploit identified at time of analysis. Successful access exposes message-broker administration, enabling data interception, queue manipulation, and downstream tampering with pathology workflows.

Information Disclosure
NVD VulDB
CVSS 4.0
8.8
EPSS
0.0%
CVE-2025-53345 HIGH This Week

Privilege-bound arbitrary code execution in ThimPress Thim Core (WordPress plugin) versions through 2.3.3 allows authenticated low-privilege users to bypass authorization checks and execute arbitrary code on affected sites, per Patchstack's advisory tagging this as an authentication bypass leading to RCE. The CVSS 8.8 score reflects high impact across confidentiality, integrity, and availability with low attack complexity over the network. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Authentication Bypass Thim Core
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2024-14036 HIGH PATCH This Week

Dräger Core 1.0.5 and Dräger M540 Converter Service 1.0.9 contain a denial of service vulnerability that allows network-adjacent attackers to trigger high CPU load by sending specially crafted,. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Denial Of Service Core M540 Converter Service
NVD
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-7313 HIGH PATCH This Week

Credential exposure in Progress Sitefinity versions 8.0.5700 through 13.3.7652 allows authenticated back-end users to retrieve plain-text credentials used by the CMS to connect to the Sitefinity Insight analytics service. The CVSS 3.1 score of 8.7 with scope change (S:C) reflects that stolen Insight credentials can pivot into an adjacent system beyond the CMS itself. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV; EPSS data was not provided in the input.

Information Disclosure Sitefinity
NVD VulDB
CVSS 3.1
8.7
EPSS
0.0%
CVE-2026-10591 HIGH PATCH This Week

Arbitrary command execution in Amazon Kiro IDE versions prior to 0.11 allows remote attackers to plant malicious task definitions (e.g., .vscode/tasks.json) via the IDE's file write tool, which then auto-execute when a developer opens the affected workspace folder. The CVSS 4.0 score of 8.6 reflects network-reachable abuse with high confidentiality, integrity, and availability impact contingent on a single user action (folder open). No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

RCE Kiro Ide
NVD VulDB
CVSS 4.0
8.6
EPSS
0.1%
CVE-2026-10047 HIGH This Week

Out-of-bounds write in the Bitdefender Napoca bare-metal hypervisor allows a low-privileged guest to corrupt hypervisor heap memory via crafted SS:SP register values processed by the real-mode hook handler. The flaw, tracked as EUVD-2026-33944 and reported by Bitdefender itself, affects an end-of-life product with no public exploit identified at time of analysis. Successful exploitation breaks the guest-to-hypervisor boundary, yielding total compromise of confidentiality, integrity, and availability of the host hypervisor.

Memory Corruption Buffer Overflow Napoca Bare Metal Hypervisor
NVD VulDB
CVSS 4.0
8.5
EPSS
0.0%
CVE-2026-10046 HIGH This Week

Out-of-bounds heap write in the Bitdefender Napoca bare-metal hypervisor lets a malicious guest VM operating in real mode corrupt hypervisor memory through a crafted INT 0x15/E820 BIOS call, potentially enabling guest-to-host escape. The flaw resides in napoca/guests/bios_handlers.c, which computes a write offset from attacker-controlled ES:EDI register values without bounds checking against the 1MB RealModeMemory buffer. No public exploit identified at time of analysis, and CISA SSVC classifies exploitation status as 'none' - but the product is end-of-life and unsupported, raising the long-term risk profile.

Memory Corruption Buffer Overflow Napoca Bare Metal Hypervisor
NVD VulDB
CVSS 4.0
8.5
EPSS
0.0%
CVE-2026-5385 HIGH PATCH This Week

Stored cross-site scripting in GLPI before 11.0.7 allows an attacker with write access to the knowledge base to embed a persistent XSS payload that executes in the browsers of users who later view the affected knowledge base item. The flaw was reported by Fluid Attacks and is rated High severity (CVSS 8.4) by the vendor, who shipped a fix in the 11.0.7 security release; no public exploit identified at time of analysis and the issue is not on the CISA KEV list.

XSS Glpi
NVD GitHub VulDB
CVSS 4.0
8.4
EPSS
0.1%
CVE-2026-8036 HIGH This Week

Local privilege escalation in National Instruments NI-PAL versions 26.3.0 and earlier on Windows and Linux allows authenticated low-privileged users to read arbitrary system memory through improper input validation, potentially leading to full privilege escalation. CVSS 4.0 base score is 8.4 (High) reflecting the local attack vector but high confidentiality and integrity impact. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.

Privilege Escalation Microsoft
NVD VulDB
CVSS 4.0
8.4
EPSS
0.0%
CVE-2021-4481 HIGH PATCH This Week

Dräger Protector Software prior to version 6.4.2 contains a local privilege escalation vulnerability due to insecure file system permissions that allows local attackers to execute arbitrary code with. Rated high severity (CVSS 8.3), this vulnerability is no authentication required, low attack complexity. This Incorrect Permission Assignment vulnerability could allow attackers to access resources due to misconfigured permissions.

RCE Privilege Escalation Protector Software
NVD VulDB
CVSS 4.0
8.3
EPSS
0.0%
CVE-2021-4480 HIGH PATCH This Week

Dräger Protector Software prior to version 6.4.2 contains a local privilege escalation vulnerability due to insecure file system permissions that allows local attackers to execute arbitrary code with. Rated high severity (CVSS 8.3), this vulnerability is no authentication required, low attack complexity. This Incorrect Permission Assignment vulnerability could allow attackers to access resources due to misconfigured permissions.

RCE Privilege Escalation Protector Software
NVD
CVSS 4.0
8.3
EPSS
0.0%
CVE-2021-4478 HIGH PATCH This Week

Dräger CC-Vision Basic before 7.5.3 and Dräger CC-Vision E-Cal before 7.2.5.0 contain an out-of-bounds write vulnerability when loading .gdt files. Rated high severity (CVSS 8.3), this vulnerability is no authentication required, low attack complexity.

Memory Corruption Buffer Overflow Cc Vision Basic Cc Vision E Cal
NVD
CVSS 4.0
8.3
EPSS
0.0%
CVE-2026-10611 HIGH This Week

OTP authentication bypass in MISP affects deployments where LdapAuth.mixedAuth=true is combined with Security.require_otp=true, allowing attackers with valid LDAP (or other plugin) credentials to skip the mandatory second factor. Because the plugin-driven login establishes the session during the AppController beforeFilter phase, an attacker can authenticate, ignore the /users/otp challenge page, and browse directly to any authorized application URL as the victim. No public exploit identified at time of analysis, though the upstream commit clearly documents the bypass technique.

Authentication Bypass Misp
NVD GitHub VulDB
CVSS 4.0
8.2
EPSS
0.1%
CVE-2026-28299 HIGH This Week

Denial-of-service in SolarWinds Web Help Desk allows remote unauthenticated attackers to crash the server by exhausting available memory. The flaw is network-reachable with low attack complexity and requires no privileges or user interaction (CVSS 8.2), and no public exploit identified at time of analysis. The issue was reported by SolarWinds and addressed in the Web Help Desk 2026.2 release.

Denial Of Service Web Help Desk
NVD VulDB
CVSS 3.1
8.2
EPSS
0.1%
CVE-2026-10622 HIGH PATCH This Week

Authentication bypass in Collibra Platform's REST API allows remote unauthenticated attackers to reach privileged functionality through exposed '/rest/*' endpoints across multiple SaaS and on-premises release trains. The flaw carries a CVSS 8.2 (high) score reflecting network-reachable, no-privilege exploitation with high confidentiality impact, and no public exploit identified at time of analysis. A vendor patch has been issued across all affected branches, and reporting via CERT/CC (VU#873170) indicates coordinated disclosure rather than active exploitation.

Authentication Bypass
NVD
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-48594 HIGH POC PATCH GHSA This Week

Denial-of-service in elixir-tesla Tesla versions 0.6.0 through 1.18.2 allows remote servers to crash or freeze calling Elixir/BEAM processes by returning a tiny gzip- or deflate-encoded response body that decompresses into gigabytes. The flaw lives in Tesla.Middleware.DecompressResponse / Tesla.Middleware.Compression, which eagerly inflated response bodies with no size cap and recursed once per token in the content-encoding header, so a header of 'gzip, gzip, gzip, gzip' produced exponential amplification. No public exploit identified at time of analysis, but the vendor has shipped a patch in 1.18.3 and the CVSS 4.0 score of 8.2 (VA:H) reflects high availability impact.

Denial Of Service Tesla
NVD GitHub
CVSS 4.0
8.2
EPSS
0.0%
CVE-2026-48595 HIGH POC PATCH GHSA This Week

Credential leakage in elixir-tesla (Tesla HTTP client for Elixir) versions 1.4.0 through 1.18.2 allows Authorization and Host headers to be forwarded to attacker-controlled origins during cross-origin HTTP redirects. The Tesla.Middleware.FollowRedirects component compares header names case-sensitively against a lowercase filter list, so headers using the RFC 7235 canonical casing (e.g., 'Authorization') bypass stripping and reach the redirect target. No public exploit identified at time of analysis, but the upstream fix is committed and a patched release (1.18.3) is available.

Information Disclosure Canonical
NVD GitHub
CVSS 4.0
8.2
EPSS
0.0%
CVE-2026-48597 HIGH POC PATCH GHSA This Week

Denial of service in the Elixir Tesla HTTP client (versions 1.3.0 through 1.18.2) when using the Tesla.Adapter.Mint adapter allows remote attackers to crash the entire BEAM VM by exhausting the atom table. Each request whose URL scheme is attacker-controlled mints a fresh, never-garbage-collected atom via String.to_atom/1, and after roughly 1,048,576 such requests the VM terminates. No public exploit identified at time of analysis, but the upstream fix and a regression test that asserts no atoms are minted for unknown schemes are both publicly visible on GitHub.

Denial Of Service Tesla
NVD GitHub
CVSS 4.0
8.2
EPSS
0.0%
CVE-2026-25861 HIGH PATCH This Week

Weak password hashing in QloApps through 1.7.0 enables credential compromise because Tools::encrypt() in classes/Tools.php hashes passwords with unsalted MD5 concatenated with a static cookie key, allowing offline brute-force recovery of customer and employee credentials. The risk is amplified by an 8-character auto-generated password used during guest-to-customer conversion in classes/Customer.php, making cracked hashes practically trivial. No public exploit identified at time of analysis, but the upstream fix in commit 64e9722 replaces MD5 with the PasswordHashing class for credential storage.

Information Disclosure PHP Qloapps
NVD GitHub VulDB
CVSS 4.0
8.2
EPSS
0.0%
CVE-2026-8936 HIGH PATCH This Week

Denial of service in Docker Desktop versions 4.33.0 through 4.75.x allows a local low-privileged user inside a container to crash the underlying Linux VM by triggering unbounded recursion in the grpcfuse kernel module. The flaw is exercised by creating deeply nested directories on a bind-mounted host folder and forcing a dentry invalidation event, which panics the virtualization layer that backs the entire Docker engine. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Docker Information Disclosure
NVD VulDB
CVSS 4.0
8.2
EPSS
0.0%
CVE-2026-10584 HIGH PATCH This Week

Information disclosure in AWS Graph Explorer before v3.0.1 occurs because the bundled proxy server silently falls back to plaintext HTTP when its TLS certificate files cannot be loaded, causing requests intended for HTTPS to traverse the network unencrypted. Network-positioned attackers can intercept these requests and harvest sensitive graph queries, headers, or credentials. No public exploit identified at time of analysis, and the issue is not on the CISA KEV list.

Information Disclosure Graph Explorer
NVD GitHub
CVSS 4.0
8.2
EPSS
0.0%
CVE-2026-49754 HIGH POC PATCH GHSA This Week

Memory exhaustion in the Elixir Mint HTTP/2 client (versions 0.1.0 through 1.8.x) allows a malicious or compromised HTTP/2 server to crash the client's BEAM process via a CONTINUATION frame flood. The client's receive path buffers HEADERS and CONTINUATION fragments into an unbounded accumulator because SETTINGS_MAX_HEADER_LIST_SIZE defaulted to :infinity and was only enforced on outbound requests, so a single attacker-controlled endpoint can force unlimited iolist growth until the process dies. No public exploit identified at time of analysis, but a verified upstream patch and detailed advisory exist.

Denial Of Service Mint
NVD GitHub VulDB
CVSS 4.0
8.2
EPSS
0.0%
CVE-2026-48862 HIGH POC PATCH GHSA This Week

Memory exhaustion in elixir-mint Mint HTTP/2 client (versions 0.2.0 through 1.8.x) allows a malicious HTTP/2 server to crash the client process by flooding PUSH_PROMISE frames without follow-up HEADERS, since reserved stream entries bypass the max_concurrent_streams cap. CVSS 4.0 score is 8.2 with attack vector network and high availability impact, but no public exploit is identified at time of analysis and the bug requires the client to connect to a hostile server. Server push is accepted by default (enable_push=true), so any Mint-based HTTP client reaching an attacker-controlled origin is exposed.

Denial Of Service Mint
NVD GitHub VulDB
CVSS 4.0
8.2
EPSS
0.0%
CVE-2026-5422 HIGH PATCH This Week

Path traversal in Jupyter Server 2.17.0 allows authenticated users to read and write files in sibling directories outside the configured root, via a flawed startswith() boundary check in _get_os_path() combined with to_os_path() failing to strip '..' sequences. With CVSS 8.1 (high confidentiality and integrity impact) and a publicly available proof-of-concept disclosed through huntr, the issue is particularly dangerous in shared/multi-tenant hosting where multiple Jupyter instances share a parent directory. EPSS is currently low (0.05%), and there is no public exploit identified at time of analysis beyond the huntr POC reference.

Information Disclosure Path Traversal Red Hat Suse
NVD VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-39555 HIGH This Week

PHP object injection in the Elated-Themes Askka WordPress theme through version 1.3.1 allows remote attackers to deserialize untrusted data, potentially leading to arbitrary code execution, file manipulation, or full site compromise depending on available gadget chains. The CVSS score of 8.1 reflects high impact across confidentiality, integrity, and availability, though high attack complexity (AC:H) tempers immediate exploitability. No public exploit identified at time of analysis.

Deserialization
NVD
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-39553 HIGH This Week

Local File Inclusion in Select-Themes WaveRide WordPress theme versions up to and including 1.4 allows remote attackers to coerce the application into including arbitrary local PHP files via improper validation of a filename used in an include/require statement. The flaw is rated CVSS 8.1 (high) with network attack vector and no authentication required, though high attack complexity tempers exploitability; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

LFI Information Disclosure PHP
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-39552 HIGH PATCH This Week

Local File Inclusion in Code Supply Co. Blueprint WordPress theme versions prior to 1.1.5 allows remote unauthenticated attackers to include arbitrary local PHP files through improper filename validation in include/require statements. CVSS rates the issue 8.1 (High) with high attack complexity, and no public exploit has been identified at time of analysis. Despite the CWE-98 classification suggesting Remote File Inclusion, the vendor advisory explicitly scopes the impact to Local File Inclusion.

LFI Information Disclosure PHP
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-69369 HIGH This Week

Local File Inclusion in Axiomthemes Racquet WordPress theme (versions through 1.12.0) allows remote unauthenticated attackers to include arbitrary local PHP files via improperly validated filename input, leading to information disclosure and potential code execution. The flaw is classified as CWE-98 (PHP Remote File Inclusion) with a CVSS 8.1 (High) rating, though high attack complexity (AC:H) tempers its real-world exploitability. No public exploit identified at time of analysis, and the issue was reported through the Patchstack research program.

LFI Information Disclosure PHP
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-68886 HIGH This Week

Local File Inclusion in androThemes Cookiteer WordPress theme versions up to and including 1.4.8 allows remote unauthenticated attackers to include and execute arbitrary local PHP files on the underlying server. The flaw is classified as PHP Remote File Inclusion (CWE-98) but the practical impact described is LFI, which can lead to sensitive information disclosure and potential code execution through log poisoning or session file abuse. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

LFI Information Disclosure PHP
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-58897 HIGH This Week

Local File Inclusion in Axiomthemes Fermentio WordPress theme through version 1.5.0 allows remote unauthenticated attackers to include arbitrary local files via improperly controlled filename parameters in PHP include/require statements. The flaw is tracked under CWE-98 (PHP Remote File Inclusion) but per the description is exploitable as LFI, with no public exploit identified at time of analysis and high attack complexity reflected in the CVSS vector.

LFI Information Disclosure PHP
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-58707 HIGH This Week

Local File Inclusion in the Axiomthemes Spin WordPress theme (versions up to and including 1.8) allows remote attackers to coerce the PHP runtime into including arbitrary local files via an unsanitized filename parameter passed to an include/require statement. Successful exploitation can disclose sensitive configuration data (such as wp-config.php) and, depending on server configuration, escalate into remote code execution by including attacker-controlled content. No public exploit identified at time of analysis and the vulnerability is not currently listed in CISA KEV.

LFI Information Disclosure PHP
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-39551 HIGH This Week

PHP object injection in the Elated-Themes Töbel WordPress theme (versions up to and including 1.8.1) allows remote attackers to trigger unsafe deserialization of attacker-controlled data, potentially leading to arbitrary code execution, file manipulation, or data tampering depending on available POP gadgets. Rated CVSS 8.1 (High) with no public exploit identified at time of analysis and no CISA KEV listing, though the network attack vector and lack of authentication requirement make it a meaningful risk to any WordPress site running the theme.

Deserialization T Bel
NVD VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-39550 HIGH This Week

Object injection in the Elated-Themes Aperitif WordPress theme through version 1.6 allows remote attackers to trigger PHP deserialization of attacker-controlled data, potentially leading to code execution, file manipulation, or full site compromise when a suitable gadget chain is present. CVSS 8.1 reflects high impact across confidentiality, integrity, and availability, though attack complexity is rated High. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Deserialization Aperitif
NVD VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2025-58705 HIGH This Week

Local file inclusion in the Axiomthemes Crafti WordPress theme (versions up to and including 1.12) allows remote unauthenticated attackers to coerce the PHP runtime into including arbitrary local files through improperly validated include/require parameters. Successful exploitation can lead to disclosure of sensitive server-side files, configuration data, and under certain conditions code execution via included content. No public exploit identified at time of analysis, but the issue is catalogued by Patchstack in their WordPress vulnerability database.

LFI Information Disclosure PHP
NVD
CVSS 3.1
8.1
EPSS
0.1%
Page 1 of 2 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy