Skip to main content
CVE-2016-20068 HIGH POC This Week

WordPress Booking Calendar Contact Form version 1.0.23 contains an unauthenticated blind SQL injection vulnerability that allows remote attackers to execute arbitrary SQL queries by injecting. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP WordPress SQLi Booking Calendar Contact Form
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.3%
CVE-2016-20071 HIGH POC Monitor

The 404 Redirection Manager plugin version 1.0 for WordPress contains an unauthenticated SQL injection vulnerability that allows remote attackers to execute arbitrary SQL queries by injecting. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress SQLi 404 Redirection Manager
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.3%
CVE-2016-20073 HIGH POC Monitor

Answer My Question 1.3 plugin for WordPress contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id'. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP WordPress SQLi Answer My Question
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.3%
CVE-2016-20072 HIGH POC Monitor

BBS e-Franchise 1.1.1 plugin for WordPress contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the uid. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress SQLi Information Disclosure Bbs E Franchise
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.3%
CVE-2016-20069 HIGH POC This Week

WordPress Booking Calendar Contact Form 1.0.23 contains an unauthenticated blind SQL injection vulnerability in the shortcode function that fails to sanitize the calendar parameter before using it in. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress SQLi Booking Calendar Contact Form
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.2%
CVE-2016-20081 HIGH POC Monitor

WordPress Plugin HB Audio Gallery Lite 1.0.0 contains a path traversal vulnerability that allows unauthenticated attackers to download arbitrary files by manipulating the file_path parameter. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP WordPress Path Traversal Hb Audio Gallery Lite
NVD Exploit-DB
CVSS 4.0
8.7
EPSS
0.6%
CVE-2016-20076 HIGH POC This Week

WordPress Simple-Backup 2.7.11 contains multiple vulnerabilities that allow unauthenticated attackers to delete arbitrary files and download sensitive files by manipulating the delete_backup_file and. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP WordPress Path Traversal Simple Backup
NVD Exploit-DB
CVSS 4.0
8.7
EPSS
0.6%
CVE-2016-20075 HIGH POC This Week

WordPress Ultimate Product Catalog 3.8.6 contains an arbitrary file upload vulnerability that allows authenticated users with contributor, editor, author, or administrator roles to upload malicious. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP File Upload Authentication Bypass RCE WordPress +1
NVD Exploit-DB VulDB
CVSS 4.0
8.7
EPSS
0.3%
CVE-2018-25437 HIGH POC Monitor

WordPress CherryFramework Themes 3.1.4 contains an information disclosure vulnerability that allows unauthenticated attackers to download sensitive backup files by accessing the download_backup.php. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Information Disclosure WordPress PHP Cherry Framework Themes
NVD Exploit-DB
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-49954 HIGH POC This Week

Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a path traversal flaw in the plugin import routine with file upload functionality to run arbitrary PHP as the web server user. Publicly available exploit code exists (published by Karma Insecurity / VulnCheck) demonstrating a race-condition-assisted bypass of sanitization, but the issue is not listed in CISA KEV and no public EPSS signal was provided. The high PR:H requirement limits attackers to those already holding administrator credentials or able to obtain them.

File Upload RCE LFI Path Traversal PHP +1
NVD
CVSS 4.0
8.6
EPSS
0.5%
CVE-2026-53571 HIGH POC PATCH GHSA This Week

Arbitrary file disclosure in Vite's development server on Windows allows remote unauthenticated attackers to read sensitive files (such as `.env`, `*.pem`, `*.crt`) that are nominally protected by the `server.fs.deny` allowlist. The flaw stems from Windows-specific path-form quirks (NTFS Alternate Data Stream syntax `::$DATA` and 8.3 short filename aliases) that bypass deny-list normalization, and publicly available exploit code exists in the GHSA advisory. Only dev servers explicitly exposed to the network via `--host`/`server.host` are reachable.

Path Traversal Microsoft Node.js
NVD GitHub VulDB
CVSS 4.0
8.2
EPSS
0.4%
CVE-2026-48779 HIGH POC PATCH GHSA This Week

Memory exhaustion denial of service in the npm 'ws' WebSocket library allows a remote unauthenticated peer to crash a Node.js process by streaming many tiny WebSocket fragments that force the receiver to allocate structural wrappers far exceeding the documented maxPayload limit, ultimately triggering an out-of-memory termination. The flaw affects ws versions prior to 5.2.5, 6.2.4, 7.5.11, and 8.21.0, and publicly available exploit code exists in the GitHub Security Advisory GHSA-96hv-2xvq-fx4p.

Denial Of Service
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.6%
CVE-2026-12222 HIGH POC This Week

Stack-based buffer overflow in the Yealink SIP-T46U IP phone (firmware 108.86.0.118) allows authenticated adjacent-network attackers to corrupt memory via the BlueToothTest handler exposed by the Web FastCGI service. Supplying crafted btMac, pin, or reserved parameters to /api/inner/bttest triggers the overflow inside mod_webd.BlueToothTest, with publicly available exploit code exists demonstrating an off-by-one write. The flaw is reachable from the LAN rather than the public internet, but the vendor has not responded to disclosure and no patched firmware has been published.

Stack Overflow Buffer Overflow Sip T46U
NVD VulDB
CVSS 4.0
7.3
EPSS
0.4%
CVE-2026-12221 HIGH POC This Week

Stack-based buffer overflow in the Yealink SIP-T46U IP phone (firmware 108.86.0.118) allows adjacent-network attackers with low privileges to corrupt memory via crafted uid or start_offset parameters sent to the /api/upgrade/upgrade firmware chunk upload endpoint. Publicly available exploit code exists, and the vendor did not respond to coordinated disclosure, leaving deployed devices without an official patch. CVSS 4.0 rates this 8.6 (High) with proof-of-concept maturity (E:P).

Stack Overflow Buffer Overflow Sip T46U
NVD VulDB
CVSS 4.0
7.3
EPSS
0.4%
CVE-2026-12220 HIGH POC This Week

Stack-based buffer overflow in the Yealink SIP-T46U IP phone (firmware 108.86.0.118) allows adjacent-network attackers with low-privilege credentials to corrupt memory via the uid parameter of the /api/upgrade/accupgradebychunk firmware chunk upload endpoint. Publicly available exploit code exists and the vendor did not respond to coordinated disclosure, raising the practical risk despite the adjacent-only attack vector. No public exploit identified as actively exploited in the wild (not on CISA KEV).

Stack Overflow Buffer Overflow Sip T46U
NVD VulDB
CVSS 4.0
7.3
EPSS
0.4%
CVE-2026-12218 HIGH POC This Week

Stack-based buffer overflow in the Yealink SIP-T46U IP phone (firmware 108.87.50.1) allows adjacent-network attackers with low-privileged access to corrupt memory via the port argument processed by the StartReportInformation function in the /api/inner/beforewifitest endpoint of the Web FastCGI Service. Publicly available exploit code exists, and the vendor was notified without response, leaving deployed devices unmitigated. No public exploit identified as active in-the-wild campaigns, but exploitation is feasible given the released PoC.

Stack Overflow Buffer Overflow Sip T46U
NVD VulDB
CVSS 4.0
7.3
EPSS
0.4%
CVE-2019-25746 HIGH POC This Week

WordPress Sliced Invoices 3.8.2 contains an authenticated SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'post'. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP WordPress SQLi Sliced Invoices
NVD Exploit-DB
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-9863 HIGH This Week

OS command injection in Fortra BoKS Manager (Core Privileged Access Manager) lets a malicious or already-compromised legacy tar-installed client execute arbitrary commands on the central BoKS Master when that client is selected for upgrade or patching. The flaw sits in the client version-handling logic of the legacy tar-based upgrade/patch tooling, turning a single rogue managed endpoint into a foothold on the security control plane. It is not in CISA KEV and no public exploit is identified at time of analysis; EPSS is low at 0.57% (43rd percentile), and CISA SSVC records exploitation as 'none' though technical impact as 'total'.

Command Injection Core Privileged Access Manager Boks
NVD VulDB
CVSS 3.1
8.8
EPSS
0.6%
CVE-2026-52720 HIGH PATCH This Week

Heap buffer overflow in GStreamer's librfb (RFB/VNC client) allows a malicious VNC server to corrupt heap memory on a connecting client, potentially leading to remote code execution or denial of service. The flaw stems from validating rectangle area instead of individual dimensions, letting attacker-controlled rectangles extend beyond the framebuffer. No public exploit identified at time of analysis, though the issue affects GStreamer as shipped across Red Hat Enterprise Linux 6 through 10.

RCE Heap Overflow Buffer Overflow Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 +3
NVD VulDB
CVSS 3.1
8.8
EPSS
0.5%
CVE-2026-39474 HIGH This Week

PHP Object Injection in the Post Duplicator WordPress plugin versions <= 3.0.10 allows authenticated users with Contributor-level privileges to trigger insecure deserialization, potentially leading to remote code execution, data tampering, or full site compromise. The flaw is rated CVSS 8.8 (High) and was disclosed by Patchstack. No public exploit identified at time of analysis and the vulnerability is not currently listed in CISA KEV.

PHP Deserialization Post Duplicator
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-42661 HIGH This Week

Authenticated path traversal in the WP Customer Area WordPress plugin through version 8.3.4 allows users with low-privilege custom roles to escape intended directory boundaries and access or manipulate files outside the plugin's permitted scope. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N) indicates network-reachable exploitation by authenticated users with high impact across confidentiality, integrity, and availability. No public exploit identified at time of analysis and the issue is not currently listed in CISA KEV.

Path Traversal Wp Customer Area
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-39532 HIGH This Week

PHP Object Injection in the Events Calendar for GeoDirectory WordPress plugin (versions <= 2.3.25) allows authenticated users with Contributor-level privileges to trigger unsafe deserialization, potentially leading to remote code execution, data tampering, or denial of service on the host WordPress site. The flaw is tracked as CWE-502 and was disclosed via Patchstack with a CVSS 3.1 score of 8.8, but no public exploit identified at time of analysis. Patchstack reports the issue and no vendor-released patch identified at time of analysis based on the supplied data.

PHP Deserialization Events Calendar For Geodirectory
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-50168 HIGH PATCH GHSA This Week

Server-side request forgery in @angular/platform-server allows remote unauthenticated attackers to bypass the allowedHosts allowlist by sending a malformed Host header or absolute-form request URI (e.g., 'evil.com:80:80'), causing the SSR runtime to redirect outbound HttpClient requests to attacker-controlled origins. The flaw stems from a parser differential between Node's strict WHATWG URL parser (used for allowlist validation) and Domino's lenient parser (used for DOM origin resolution). No public exploit identified at time of analysis, but proof-of-concept patterns are documented in the GitHub Security Advisory GHSA-xrxm-cp7j-8xf6.

SSRF
NVD GitHub HeroDevs VulDB
CVSS 4.0
8.8
EPSS
0.3%
CVE-2026-36670 HIGH This Week

Authenticated SQL injection in OpenSIPS Control Panel (opensips-cp) versions prior to 9.3.3 allows attackers with valid panel credentials to execute arbitrary SQL via the 'table' GET parameter in alias_management.php using time-based blind techniques. The flaw resides in the alias_management module and yields full database confidentiality, integrity, and availability impact per CVSS 8.8. No public exploit identified at time of analysis, and EPSS is low (0.28%, 19th percentile), but a third-party advisory documents the issue on GitHub.

PHP SQLi N A
NVD GitHub
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-12161 HIGH This Week

OS command injection in the SSH Elevate Shell feature of Devolutions Remote Desktop Manager up to 2026.2.7 lets an authenticated user who can create or modify a shared SSH entry execute arbitrary commands on remote SSH hosts by smuggling shell metacharacters through a crafted alternate username, abusing stored elevation credentials they would not otherwise possess. No public exploit identified at time of analysis and EPSS is low (0.16%, 5th percentile), but the privilege-escalation angle - turning shared-entry write access into code execution under another user's sudo/elevation context - makes this attractive for insider or post-compromise abuse.

Command Injection Remote Desktop Manager
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-50884 HIGH This Week

Incorrect access control in statping-ng v0.93.0 allows attackers to escalate privileges to Administrator and access sensitive components.

N A Authentication Bypass
NVD GitHub
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-54266 HIGH PATCH GHSA This Week

Cache key collision in Angular's @angular/common HttpTransferCache allows remote attackers to poison Server-Side Rendering (SSR) cache entries and replace responses for sensitive endpoints with attacker-controlled content. The weak 32-bit DJB2-like polynomial rolling hash used for TransferState cache keys is trivially brute-forceable, enabling state poisoning, DOM-based XSS, and information leakage when a victim follows a crafted link. No public exploit identified at time of analysis, but the vulnerability was discovered and reported by Google DeepMind's CodeMender and is patched in Angular 22.0.1, 21.2.17, and 20.3.25.

Google XSS Information Disclosure
NVD GitHub VulDB HeroDevs
CVSS 4.0
8.8
EPSS
0.1%
CVE-2026-49780 HIGH This Week

Privilege escalation in Dokan WordPress plugin versions 5.0.2 and earlier allows authenticated low-privileged customer accounts to elevate their permissions within the multivendor marketplace, potentially gaining vendor or administrative capabilities. The flaw was disclosed via Patchstack and carries a CVSS 3.1 score of 8.8 with high impact across confidentiality, integrity, and availability; no public exploit identified at time of analysis and the vulnerability is not currently listed in CISA KEV.

Privilege Escalation Dokan
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-48889 HIGH This Week

Privilege escalation in the Amelia booking plugin for WordPress (versions 2.3 and earlier) allows an authenticated low-privileged user (Subscriber role) to gain higher WordPress privileges. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N) indicates a network-reachable flaw exploitable with only minimal account access, yielding high impact to confidentiality, integrity, and availability. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Privilege Escalation Amelia
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-39579 HIGH This Week

Privilege escalation in the B Blocks WordPress plugin through version 2.0.31 allows authenticated users with Contributor-level access to elevate their privileges on the affected site. Reported by Patchstack and tracked as EUVD-2026-36965, the issue carries a CVSS 3.1 score of 8.8 reflecting full confidentiality, integrity, and availability impact once a low-privileged WordPress account is obtained. No public exploit identified at time of analysis, but the low attack complexity and lack of required user interaction make weaponization straightforward once an exploitation primitive is published.

Privilege Escalation B Blocks
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-39478 HIGH This Week

Authenticated PHP object injection in the WordPress 'Anti-Malware Security and Brute-Force Firewall' (GOTMLS) plugin through version 4.23.87 allows contributor-level users to inject crafted serialized PHP objects that are deserialized by the plugin. Successful exploitation can pivot through existing PHP gadget chains in WordPress or other installed plugins to achieve high-impact compromise of the site. No public exploit identified at time of analysis, and the issue is not on the CISA KEV list.

PHP Deserialization Anti Malware Security And Brute Force Firewall
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-49111 HIGH This Week

Privilege escalation in the ThemeGrill Masteriyo LMS WordPress plugin (versions up to and including 2.2.0) allows authenticated low-privileged users to elevate their permissions to higher roles, including administrator. The flaw stems from incorrect privilege assignment (CWE-266) and carries a CVSS 8.8 with high confidentiality, integrity, and availability impact across the WordPress instance. No public exploit identified at time of analysis, and the Patchstack disclosure is the sole reference currently available.

Privilege Escalation Masteriyo Lms
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-49062 HIGH This Week

Authentication bypass in WP Engine's Faust.js (faustwp) plugin through version 1.8.7 enables password recovery exploitation, allowing an attacker with low privileges to abuse an alternate authentication path and take over accounts. The flaw maps to CWE-288 and carries a CVSS 3.1 score of 8.8 (high) with full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, but the low attack complexity and network vector make this a high-priority concern for WordPress headless deployments.

Authentication Bypass Faust Js
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-5242 HIGH PATCH This Week

CSV formula injection in MIA Technology's Pizzy Library (versions 1.0.0.26250 through 1.3.9.26250) allows authenticated attackers to inject malicious formula elements into generated CSV files, leading to code execution when the file is opened in a spreadsheet application. The flaw is rated CVSS 8.8 and was reported by TR-CERT, though no public exploit identified at time of analysis. Impact spans confidentiality, integrity, and availability on the system of any victim who opens the crafted CSV.

Code Injection Pizzy Library
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-48489 HIGH PATCH GHSA This Week

Authorization bypass in Symfony's Security component (symfony/security-http) lets unauthenticated attackers reach access_control-protected GET routes by abusing the DefaultAuthenticationFailureHandler. When a firewall uses form-login (or any authenticator on that handler) with failure_forward: true, an attacker-supplied _failure_path parameter is dispatched as a trusted internal SUB_REQUEST that skips the Firewall/AccessListener perimeter, exposing protected read endpoints such as data exports and internal APIs. No public exploit identified at time of analysis, and the flaw is not in CISA KEV; CVSS 4.0 base is 8.7 (High) reflecting high confidentiality impact with no auth required, though it depends on the non-default failure_forward configuration.

Authentication Bypass
NVD GitHub
CVSS 4.0
8.7
EPSS
0.5%
CVE-2026-53430 HIGH PATCH This Week

Denial of service in the elixir-grpc library (versions 0.4.0 through 0.x) allows unauthenticated remote attackers to crash BEAM nodes via a gzip decompression bomb. The GRPC.Compressor.Gzip module calls :zlib.gunzip/1 directly on attacker-controlled bytes without size limits, ratio checks, or incremental decoding, so a single small frame carrying the grpc-encoding: gzip header expands to multi-gigabyte allocations and triggers OOM kills. No public exploit identified at time of analysis, but a vendor patch is available in version 1.0.0.

Denial Of Service Grpc
NVD GitHub
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-48854 HIGH PATCH This Week

Unauthenticated denial of service in the elixir-grpc library (versions 0.3.1 up to but not including 1.0.0) allows a single remote attacker to crash an Erlang/BEAM node by streaming an oversized or slow-trickle unary gRPC request body. The Cowboy handler's read_full_body/3 accumulates every chunk into one unbounded binary, and when no grpc-timeout header is sent the per-chunk read timeout collapses to :infinity, so memory grows without bound until the VM dies. No public exploit identified at time of analysis, but the fix is upstream in commit 49e18c3 and the issue is trivial to trigger.

Denial Of Service Grpc
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-54281 HIGH PATCH GHSA This Week

Authentication bypass in @nestjs/platform-fastify versions 11.1.23 and earlier allows remote attackers to skip route-scoped middleware (including authentication and authorization checks) by simply appending a trailing slash to the request URL. The flaw affects default Fastify adapter configurations with standard CRUD routes registered via MiddlewareConsumer.forRoutes(), and no public exploit identified at time of analysis despite the trivially low exploitation effort.

Authentication Bypass
NVD GitHub
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-47835 HIGH PATCH This Week

NoSQL/query injection in Spring AI Vector Stores (1.0.0-1.0.8 and 1.1.0-1.1.7) allows remote unauthenticated attackers to inject special characters into vector-store inputs and force execution of arbitrary queries against Elasticsearch, OpenSearch, and GemFire VectorDB backends. The flaw resides in the spring-ai-elasticsearch-store, spring-ai-opensearch-store, and spring-ai-gemfire-store components, enabling information disclosure and limited integrity/availability impact against any application embedding Spring AI's vector-store abstraction. No public exploit identified at time of analysis, but the CVSS 8.6 (scope unchanged here, network vector, no privileges) makes this a high-priority patch for any Spring AI deployment ingesting untrusted text.

Nosql Injection Java Elastic Information Disclosure Spring Ai
NVD
CVSS 3.1
8.6
EPSS
0.5%
CVE-2026-40769 HIGH This Week

Unauthenticated arbitrary file deletion in the WordPress plugin Contact Form Extender for Divi (versions <= 1.0.6) allows remote attackers to delete arbitrary files on the host filesystem via a path traversal flaw. Deletion of critical files such as wp-config.php can force WordPress into setup mode, enabling site takeover. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Path Traversal File Upload Contact Form Extender For Divi 8211 Save Entries File Upload Amp Country Code Field
NVD
CVSS 3.1
8.6
EPSS
0.4%
CVE-2026-50556 HIGH PATCH GHSA This Week

Cross-site scripting in @angular/platform-server allows attackers to inject executing script into SSR-rendered pages that bind user-controlled text inside a `<noscript>` element. The bundled `domino` DOM emulator omitted `<noscript>` from raw-text closing-tag escaping, so a `</noscript>` substring in dynamic content broke out of the element and ran an attacker-controlled `<script>` sibling in the victim's origin. No public exploit identified at time of analysis, but a fix-validating test in the upstream patch effectively demonstrates the technique.

XSS
NVD GitHub HeroDevs VulDB
CVSS 4.0
8.6
EPSS
0.3%
CVE-2026-50555 HIGH PATCH GHSA This Week

Same-origin Cross-Site Scripting in @angular/platform-server (SSR) allows attackers who control bound dynamic text inside raw-text elements (script, style, iframe, noscript) to break out of the raw-text context and execute arbitrary JavaScript in the victim's browser. The root cause is a Unicode index-alignment bug in the bundled domino DOM library: astral characters (e.g. emojis) before a closing tag shift the replacement offset, leaving the closing tag unescaped. Publicly available exploit code exists in the upstream PR's regression tests, but there is no public exploit identified in the wild and the CVE is not on CISA KEV.

XSS
NVD GitHub HeroDevs VulDB
CVSS 4.0
8.6
EPSS
0.3%
CVE-2026-54267 HIGH PATCH GHSA This Week

DOM Clobbering and HTTP Transfer Cache poisoning in Angular's Client Hydration (provideClientHydration) allows remote attackers to inject arbitrary JSON into the TransferState by hijacking the predictable 'ng-state' element ID. Affected versions are @angular/core 20.x through 22.x prior to the fixes, and the flaw can be leveraged for DOM-based XSS, privilege escalation, or UI hijacking when applications bind untrusted input to element id attributes. No public exploit identified at time of analysis, but a vendor patch and detailed advisory (GHSA-rgjc-h3x7-9mwg) are available.

Privilege Escalation XSS
NVD GitHub VulDB HeroDevs
CVSS 4.0
8.6
EPSS
0.3%
CVE-2026-47825 HIGH PATCH This Week

Origin validation failure in Spring Cloud Gateway (WebMVC and WebFlux Server variants) allows remote attackers to spoof client identity by injecting X-Forwarded-For and Forwarded headers that the gateway then forwards from untrusted proxies in certain configuration scenarios. The flaw, tracked as CVE-2026-47825 with a CVSS 3.1 base score of 8.6 (Scope:Changed, Integrity:High), affects Spring Cloud Gateway 3.1.x, 4.1.x, 4.2.x, 4.3.x, and 5.0.x. No public exploit identified at time of analysis, but the trust-boundary nature of the issue makes it an attractive target for downstream authentication and access-control bypass.

Java Information Disclosure Spring Cloud Gateway
NVD HeroDevs
CVSS 3.1
8.6
EPSS
0.2%
CVE-2026-34024 HIGH This Week

Authorization bypass in Wertheim SafeController Software (AssemblyVersion 6.15.8328.28014) enables low-privileged authenticated users to reach hidden web endpoints and perform restricted operations including branch switching, arbitrary file upload/download, and viewing details of arbitrary branches. The flaw stems from missing access control on endpoints that exist server-side but are not surfaced in the UI, breaking the product's tenancy/segregation between branches. No public exploit identified at time of analysis; CVSS 4.0 base score is 8.6 (high).

Authentication Bypass Wertheim Safecontroller Software For Vault Rooms Safe Deposit Locker System
NVD
CVSS 4.0
8.6
EPSS
0.3%
CVE-2026-34021 HIGH This Week

Authentication bypass via replay attack affects Wertheim SafeController 5400 and Controller 5400 (AssemblyVersion 6.11.8130.22320) vault room safe deposit locker systems, where RS-485 traffic between the server and microcontroller flows without cryptographic protection. An adjacent attacker with physical access to the RS-485 bus can capture legitimate commands and replay them - for instance, repeatedly injecting a 'quit alarm' message to silently disable the safe's alarm. No public exploit identified at time of analysis, and there is no published CISA KEV listing or EPSS data for this physical-bus weakness.

Information Disclosure Wertheim Safecontroller 5400 Hardware For Vault Rooms Safe Deposit Locker System Microcontroller
NVD
CVSS 4.0
8.6
EPSS
0.2%
CVE-2026-40766 HIGH This Week

SQL injection in the MasterStudy LMS WordPress plugin (versions 3.7.25 and earlier) allows authenticated users at the Subscriber privilege level to inject crafted SQL into backend database queries, leading to high-impact disclosure of confidential database contents and limited availability degradation. The flaw was reported by Patchstack and carries a scope-changed CVSS 3.1 score of 8.5; no public exploit identified at time of analysis.

SQLi Masterstudy Lms
NVD
CVSS 3.1
8.5
EPSS
0.3%
CVE-2026-24637 HIGH This Week

SQL injection in the Blubrry PowerPress Podcasting WordPress plugin through version 11.15.10 allows authenticated users with Contributor-level privileges to inject arbitrary SQL into backend queries. The flaw, reported by Patchstack and tracked as EUVD-2026-36910, scores CVSS 8.5 due to scope change reaching the underlying database, but no public exploit identified at time of analysis. Confidentiality impact is high while integrity is unaffected, suggesting data exfiltration rather than tampering is the primary risk.

SQLi Powerpress Podcasting
NVD
CVSS 3.1
8.5
EPSS
0.3%
CVE-2026-50100 HIGH This Week

Local privilege escalation in multiple Ricoh and Konica Minolta printer drivers on Windows hosts allows an authenticated low-privileged user to gain higher privileges by supplying a specially crafted driver component. The flaw is rooted in CWE-427 (Uncontrolled Search Path Element), and at time of analysis no public exploit identified at time of analysis. CVSS 4.0 of 8.5 reflects high confidentiality, integrity, and availability impact despite requiring local access.

Privilege Escalation Multiple Printer Drivers
NVD
CVSS 4.0
8.5
EPSS
0.2%
CVE-2026-48124 HIGH PATCH This Week

Unauthorized hook command execution in Cursor Desktop versions prior to 3.0.0 allows a malicious workspace to silently run local commands by registering Claude hooks in .claude/settings.local.json without prompting the user for approval. The flaw, tracked under CWE-829 (Inclusion of Functionality from Untrusted Control Sphere), enables sandbox escape, persistence, and follow-on compromise the moment an agent turn completes. No public exploit identified at time of analysis, but the vendor advisory GHSA-pc9j-3qc2-95wv confirms the issue and the CVSS 4.0 base score of 8.5 (High) reflects full CIA impact on the victim's workstation.

Information Disclosure Cursor
NVD GitHub
CVSS 4.0
8.5
EPSS
0.1%
Page 1 of 5 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy