Unauthenticated SQL injection in the SpeakOut! Email Petitions WordPress plugin (versions ≤ 4.6.5) allows remote attackers to inject arbitrary SQL into backend database queries without credentials or user interaction. Reported by Patchstack and tracked as EUVD-2026-36960, the flaw carries a CVSS 3.1 score of 9.3 driven by a changed scope and network-reachable attack surface. No public exploit identified at time of analysis, but the trivial exploitability and WordPress plugin ecosystem make opportunistic mass-scanning likely.
Unauthenticated SQL injection in the WP Photo Album Plus WordPress plugin (versions ≤ 9.1.08.001) allows remote attackers to inject arbitrary SQL into backend database queries without any credentials or user interaction. With a CVSS 3.1 score of 9.3 (scope-changed) and no public exploit identified at time of analysis, the flaw exposes WordPress sites running the plugin to database content disclosure and limited integrity/availability impact. Patchstack reported the issue and it carries CWE-89 (SQL Injection).
Unauthenticated SQL injection in Realtyna Organic IDX WordPress plugin (versions 5.1.0 and earlier) allows remote attackers to inject arbitrary SQL into backend queries without credentials. The flaw carries a CVSS 3.1 score of 9.3 with a scope change, indicating impact beyond the plugin's own data boundary, though no public exploit identified at time of analysis. The vulnerability was disclosed via Patchstack and affects WordPress sites running this real-estate listing plugin.
Unauthenticated SQL injection in the Contest Gallery WordPress plugin (versions ≤28.1.6) allows remote attackers to inject arbitrary SQL into backend database queries without credentials or user interaction. The flaw was disclosed by Patchstack and tracked as EUVD-2026-36980; no public exploit identified at time of analysis, but the CVSS 9.3 score and PR:N attack vector make it a high-priority issue for any WordPress site running the plugin.
Unauthenticated SQL injection in the GeekyBot WordPress plugin versions 1.2.0 and earlier allows remote attackers to inject arbitrary SQL queries against the WordPress database without any authentication or user interaction. The flaw was disclosed via Patchstack and carries a high CVSS 3.1 score of 9.3 with scope change, indicating impact beyond the plugin's own security context. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Unauthenticated SQL injection in the Feed KuantoKusta for WooCommerce Free WordPress plugin (versions n/a through 5.3) allows remote attackers to inject crafted SQL statements without prior authentication. Disclosed via Patchstack and tracked as EUVD-2026-36926, the flaw carries a CVSS 3.1 score of 9.3 with a changed scope, indicating data exposure beyond the plugin's own context. No public exploit identified at time of analysis, and no EPSS or KEV signal was provided in the input.
Heap buffer under/overflow in Electron's Node.js Buffer API (versions 42.3.1 through 42.3.2) causes most apps to crash and may lead to incorrect buffer allocations resulting in unexpected truncation or memory corruption. No public exploit identified at time of analysis, but the CVSS 4.0 base score of 9.3 reflects network-reachable, unauthenticated memory corruption with high impact to confidentiality, integrity, and availability. Affects any Electron-based desktop application shipping the vulnerable runtime.
Unsafe Erlang term deserialization in the elixir-grpc library (versions 0.4.0 through 1.0.0) allows unauthenticated remote attackers to crash the BEAM VM via atom-table exhaustion or achieve remote code execution by sending crafted gRPC payloads with Content-Type application/grpc+erlpack. The flaw lives in GRPC.Codec.Erlpack.decode/2, which calls :erlang.binary_to_term/1 without the :safe option, size bounds, or type guards. No public exploit is identified at time of analysis, but the upstream fix is published at commit 272a97a and a patched 1.0.0 release is available.
Unauthenticated SQL injection in the implecode eCommerce Product Catalog WordPress plugin (versions 3.5.5 and earlier) allows remote attackers to inject arbitrary SQL into backend database queries without credentials or user interaction. The CVSS 9.3 score reflects a scope change with high confidentiality impact, meaning data outside the plugin's database context can be reached. No public exploit identified at time of analysis, though the Patchstack advisory confirms the vendor-tracked vulnerability class.
Unauthenticated SQL injection in the GPTranslate - Multilingual AI Translation for WordPress plugin (versions 2.32.6 and earlier) by jExtensions Store allows remote attackers to inject arbitrary SQL into backend database queries without credentials or user interaction. The CVSS 9.3 score reflects a scope change with high confidentiality impact and low availability impact, indicating data exposure beyond the plugin's own context. No public exploit identified at time of analysis, but the unauthenticated nature and WordPress plugin attack surface make this a high-priority patch.
SQL injection in the Advanced 301 and 302 Redirect WordPress plugin (versions <= 1.6.9) allows remote unauthenticated attackers to inject arbitrary SQL queries into the underlying WordPress database. The flaw was reported by Patchstack and carries a CVSS 3.1 score of 9.3 with a scope change, indicating attacker-controlled input crosses a trust boundary. No public exploit identified at time of analysis, and EPSS data was not provided in the input.
SQL injection in the JS Help Desk WordPress plugin versions 3.0.9 and earlier allows remote unauthenticated attackers to inject arbitrary SQL into backend database queries. The flaw was disclosed via Patchstack and carries a CVSS 9.3 with scope change, meaning successful exploitation can read database contents beyond the plugin's own data. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Unauthenticated SQL injection in the WP Data Access WordPress plugin (versions <= 5.5.70) allows remote attackers to inject arbitrary SQL through the plugin's interfaces without authentication. The high CVSS 9.3 score reflects a scope change (S:C) that lets the injection reach beyond the vulnerable component, exposing the entire WordPress database to confidentiality compromise. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Unauthenticated SQL injection in the GD Rating System WordPress plugin (versions <= 3.6.2) allows remote attackers to inject arbitrary SQL queries against the WordPress database without any authentication or user interaction. The flaw carries a CVSS 3.1 score of 9.3 with scope change, indicating database tampering can affect resources beyond the plugin itself. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
SQL injection in the Tyche Softwares 'Order Delivery Date for WooCommerce' WordPress plugin (versions up to and including 4.5.1) allows unauthenticated remote attackers to inject arbitrary SQL into backend queries. Per the CVSS:3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L) the flaw is network-reachable, requires no privileges or interaction, and results in a scope change with high confidentiality impact and partial availability impact. No public exploit identified at time of analysis, but Patchstack tracking and the CWE-89 classification put this in a well-understood, easily weaponizable bug class for WordPress sites.
SQL injection in the Funnel Builder by FunnelKit WordPress plugin (versions up to and including 3.15.0.1) allows unauthenticated remote attackers to inject arbitrary SQL into backend database queries. The flaw, tracked by Patchstack and rated CVSS 9.3, requires no authentication or user interaction, enabling data exfiltration and limited integrity/availability impact across affected WordPress sites. There is no public exploit identified at time of analysis, but the trivial attack complexity and pre-auth nature make this a high-priority patching target.
Unauthenticated SQL injection in the wpForo Forum WordPress plugin (versions 3.0.4 and earlier) allows remote attackers to inject arbitrary SQL into backend database queries without any credentials or user interaction. With a CVSS 3.1 score of 9.3 and a scope-changing vector, exploitation can expose data beyond the plugin's own context, though no public exploit identified at time of analysis and the vulnerability is not currently listed in CISA KEV.
Unauthenticated SQL injection in the GeoDirectory WordPress plugin (versions up to and including 2.8.152) allows remote attackers to inject arbitrary SQL into backend database queries without any credentials or user interaction. The flaw was disclosed via Patchstack and tracked as EUVD-2026-36951; no public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV. Given the WordPress plugin ecosystem's history of rapid weaponization for SQLi flaws, this should be treated as a priority despite the absence of confirmed in-the-wild activity.
Unauthenticated SQL injection in the Form Maker by 10Web WordPress plugin (versions ≤ 1.15.38) allows remote attackers to inject arbitrary SQL into backend queries without credentials, leading to database content disclosure and partial integrity/availability impact across a changed security scope. No public exploit identified at time of analysis, but the CVSS 9.3 and trivial network-reachable attack profile make this a high-priority issue for any WordPress site running the plugin. The Patchstack-coordinated disclosure indicates a vendor-tracked flaw, though no fixed version is confirmed in the supplied data.
Remote code execution in the WordPress 'Responsive Slider by MetaSlider' plugin (versions ≤3.106.0) allows authenticated users with Editor-level privileges to inject and execute arbitrary code on the underlying server. The flaw is tracked as CWE-94 (Improper Control of Generation of Code) and carries a CVSS 3.1 score of 9.1 because exploitation crosses a scope boundary, but no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Account takeover in team-alembic AshAuthentication (0.1.0 to <4.14.0 and 5.0.0-rc.0 to <5.0.0-rc.10) lets an unauthenticated attacker hijack any local user account by completing an OAuth2 or OIDC sign-in with the victim's email address. The library matched federated logins to local users by email rather than by the OpenID Connect iss/sub pair, so any accepted provider that allows an attacker to register or reuse the victim's email - including providers that return email_verified: false - resolves to the victim's existing account. No public exploit identified at time of analysis, but the underlying technique (OIDC email-claim takeover) is well-documented and trivially reproducible.
Remote prototype pollution in i18next-http-middleware before 3.9.7 allows unauthenticated attackers to write to Object.prototype by submitting dotted request-body keys such as '__proto__.polluted' to the missingKeyHandler. The 3.9.3 denylist blocked only literal unsafe keys; downstream backends (notably i18next-fs-backend ≤ 2.6.5) that split missing-key strings on the configured keySeparator then walked these segments into an unguarded setPath(). No public exploit identified at time of analysis, but PoC payloads are embedded in the upstream security test suite.
Prototype pollution in i18next-fs-backend versions prior to 2.6.6 allows remote attackers to write arbitrary properties onto Object.prototype by submitting crafted missing-translation keys such as '__proto__.polluted' to applications that expose i18next-http-middleware's missingKeyHandler to untrusted input. Backend.writeFile() split keys on the configured keySeparator (default '.') and the getLastOfPath walker in lib/utils.js did not filter unsafe segments before traversing the target object. No public exploit identified at time of analysis, but a coordinated-disclosure advisory (GHSA-2933-q333-qg83) and a fixing commit are public, and downstream impact can include denial of service, configuration poisoning, and bypass of property-based security checks.
Unauthenticated broken access control in the TrueBooker WordPress appointment-booking plugin (versions ≤ 1.1.9 by ThemeTechMount) allows remote attackers without credentials to invoke privileged plugin functionality that should be restricted, exposing booking data and permitting unauthorized state changes. The flaw is tracked by Patchstack and rated CVSS 9.1 with network attack vector and no privileges or user interaction required; no public exploit identified at time of analysis and the issue is not currently listed in CISA KEV.
Dancer2::Plugin::Auth::OAuth versions before 0.22 for Perl default to a predictable nonce. The default nonce was generated using an MD5 hash of the epoch time, which is predictable.
Socket versions before 2.041 for Perl have an out-of-bounds heap read. In Socket.xs, pack_ip_mreq_source() checks the length of its source argument before the argument is read, so the check tests the byte length carried over from the preceding multiaddr argument instead. Both addresses occupy a 4-byte field, so a valid multiaddr lets a source of any length pass the check, and the source is then copied into the 4-byte imr_sourceaddr field with a fixed-size copy. A source shorter than 4 bytes is not rejected, and the copy reads up to 3 bytes past the end of its buffer. Calling pack_ip_mreq_source() with a source value shorter than 4 bytes copies adjacent heap memory into the returned packed structure.
Private-key recovery is possible in Crypt::DSA for Perl (all versions before 1.21) because the module caches the per-signature DSA nonce (k) inside the Key object and never clears it, causing every call to sign() after the first to reuse the identical nonce and produce signatures with matching r values. Any attacker who can observe two or more DSA signatures produced by the same Key object can apply well-known algebraic techniques to recover the private key entirely, after which they can forge arbitrary signatures. No public exploit code has been identified at time of analysis and CISA KEV listing is absent, but the cryptographic impact is catastrophic: all keys used to sign more than once under an affected version must be treated as fully compromised.
In OCaml-tar before 3.4.0, a crafted archive with ../ path segments in its name allows escaping the current working directory. This is not desired behavior, and tar(1) rejects such extractions, but ocaml-tar decompresses it anyway. The impact is that it allows arbitrary file writes outside of the desired extraction directory (to an attacker that can reach a tar decompression endpoint).
Arbitrary file write in remotion-dev Remotion v4.0.409 allows remote attackers to write attacker-controlled content to arbitrary filesystem locations without authentication, per the CVSS:3.1 vector (AV:N/AC:L/PR:N/UI:N) and CWE-123 (Write-what-where) classification. Remotion is a React-based programmatic video rendering framework, and the flaw can lead to integrity and availability compromise of the host running the rendering engine. No public exploit identified at time of analysis, and the EPSS score of 0.15% (4th percentile) indicates low predicted exploitation likelihood despite the high CVSS score.
Server-side request forgery in Shlink v5.0.1's automatic short URL title resolution allows remote unauthenticated attackers to probe internal network resources by submitting a crafted longUrl value. The flaw carries a CVSS 9.1 rating reflecting high confidentiality and integrity impact, though EPSS exploitation probability remains low at 0.15% and there is no public exploit identified at time of analysis beyond a referenced gist. Shlink is a self-hosted URL shortener, making this a meaningful pivot point for attackers targeting internal infrastructure behind the shortener host.
Server-Side Request Forgery in Project Firefly III v6.5.9 allows remote attackers to scan internal network resources by abusing improper access controls in the webhook management component via crafted POST requests. SSVC indicates a proof-of-concept exists and exploitation is automatable with total technical impact, though EPSS remains low (0.15%) and no public exploit identified at time of analysis beyond a referenced gist. The flaw is unauthenticated per the CVSS vector (PR:N) and provides a pivot point into otherwise unreachable internal services.
Server impersonation in OCaml-TLS before 2.1.0 allows a malicious TLS server to present a certificate not intended for server authentication and still be accepted by client code, enabling man-in-the-middle and impersonation attacks against any application linking the library as a TLS client. The client fails to validate KeyUsage and ExtendedKeyUsage extensions properly, breaking a core PKIX trust assumption. No public exploit identified at time of analysis and EPSS sits at 0.15% (4th percentile), but the CVSS 9.1 reflects the broad confidentiality and integrity impact on encrypted sessions.
Authentication bypass in OCaml-TLS server implementations before version 2.1.0 allows remote attackers to impersonate legitimate clients during mutual TLS authentication by presenting certificates whose KeyUsage and ExtendedKeyUsage extensions do not authorize client authentication. The server fails to enforce these X.509 certificate purpose constraints, so any valid certificate chain trusted by the server may be accepted regardless of intended use. EPSS probability is low (0.12%, 2nd percentile) and no public exploit identified at time of analysis, but the CVSS 9.1 reflects the high impact on confidentiality and integrity of mTLS-protected services.