Skip to main content
CVE-2026-5064 HIGH PATCH This Week

Local privilege escalation and denial of service in HP One Agent software on HP PC products allow authenticated low-privileged users to gain elevated rights or disrupt the agent. HP has acknowledged the issue and is releasing software updates as mitigation. No public exploit identified at time of analysis, and the flaw is not listed on CISA KEV.

Privilege Escalation HP Denial Of Service Hp One Agent Software
NVD VulDB
CVSS 4.0
8.5
EPSS
0.1%
CVE-2026-52700 HIGH This Week

SQL injection in the WCMultiShipping WordPress plugin (Mondial Relay & Chronopost for WooCommerce) versions 3.0.2 and earlier allows authenticated users holding only the low-privilege Subscriber role to inject arbitrary SQL into backend queries. The scope-changed CVSS 8.5 reflects high confidentiality impact across security boundaries, and no public exploit identified at time of analysis. Disclosure originates from Patchstack's WordPress vulnerability database.

SQLi Wcmultishipping
NVD
CVSS 3.1
8.5
EPSS
0.3%
CVE-2026-52697 HIGH This Week

SQL injection in the Taskbuilder WordPress plugin versions 5.0.7 and earlier allows authenticated Subscriber-level users to inject malicious SQL into backend database queries, enabling exposure of sensitive data including credential hashes and limited integrity/availability impact on the underlying WordPress site. The flaw was disclosed by Patchstack and carries a CVSS 3.1 score of 8.5 driven by a scope change to the database tier; there is no public exploit identified at time of analysis and the issue is not on CISA KEV.

SQLi Taskbuilder
NVD
CVSS 3.1
8.5
EPSS
0.3%
CVE-2026-48964 HIGH This Week

SQL injection in the ELEX WordPress HelpDesk & Customer Ticketing System plugin (versions <= 3.3.6) allows authenticated users with low-privilege Subscriber accounts to inject arbitrary SQL into backend database queries. Successful exploitation results in high confidentiality impact with a scope change, enabling access to data beyond the plugin's own tables, plus limited availability impact. No public exploit identified at time of analysis, but the disclosure originates from Patchstack's WordPress plugin vulnerability program.

WordPress SQLi Elex Wordpress Helpdesk Customer Ticketing System
NVD
CVSS 3.1
8.5
EPSS
0.3%
CVE-2026-48882 HIGH This Week

SQL injection in the WP Time Slots Booking Form WordPress plugin (versions 1.2.50 and earlier) allows authenticated Subscriber-level users to inject arbitrary SQL into backend database queries. The CVSS 3.1 vector indicates a scope change with high confidentiality impact, meaning an attacker who only holds the lowest WordPress role can read data beyond the plugin's own scope. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

SQLi Wp Time Slots Booking Form
NVD
CVSS 3.1
8.5
EPSS
0.3%
CVE-2026-48874 HIGH This Week

SQL injection in the GamiPress WordPress plugin versions 7.8.7 and earlier allows authenticated users with subscriber-level privileges to inject arbitrary SQL queries against the WordPress database. The flaw was reported by Patchstack and affects standard installations of the plugin, enabling attackers with the lowest authenticated role to read sensitive database contents and cause limited integrity or availability impact via the scope-changed condition. No public exploit identified at time of analysis.

SQLi Gamipress
NVD
CVSS 3.1
8.5
EPSS
0.3%
CVE-2026-39118 HIGH This Week

Local privilege escalation in Iru, Inc Kandji Agent versions prior to 4.7.5(5374) allows a local attacker to invoke restricted agent functionality by exploiting a client-side validation gap. The flaw maps to CWE-269 (Improper Privilege Management) and carries a CVSS 8.4 rating due to high impact on confidentiality, integrity, and availability, though no public exploit identified at time of analysis and EPSS is low at 0.14%.

Privilege Escalation N A
NVD
CVSS 3.1
8.4
EPSS
0.1%
CVE-2026-54264 HIGH PATCH GHSA This Week

Sensitive header leakage in @angular/service-worker allows remote attackers to capture Authorization tokens, Proxy-Authorization credentials, and session cookies when a credentialed asset fetch is redirected cross-origin, because the worker preserved request headers instead of stripping them per the Fetch redirect algorithm. Affected versions span Angular 20.x, 21.x, and 22.x prereleases (and all 19.x and earlier), and no public exploit identified at time of analysis. The flaw was discovered by Google DeepMind's CodeMender and patched in 22.0.1, 21.2.17, and 20.3.25.

Google Information Disclosure
NVD GitHub VulDB HeroDevs
CVSS 4.0
8.3
EPSS
0.4%
CVE-2026-54268 HIGH PATCH GHSA This Week

Denial of service in @angular/common's formatDate function (and the DatePipe that wraps it) allows remote attackers to exhaust CPU and memory by supplying an excessively long, attacker-controlled date format string. On Server-Side Rendered Angular apps this triggers a JavaScript heap out-of-memory crash that takes down the application for all users; on Client-Side Rendered apps it freezes the victim's browser tab. No public exploit identified at time of analysis, but the upstream patch and regression tests are public in angular/angular#69197.

Denial Of Service
NVD GitHub VulDB HeroDevs
CVSS 4.0
8.2
EPSS
0.3%
CVE-2026-50170 HIGH PATCH GHSA This Week

Information disclosure in @angular/common HttpTransferCache allows unauthenticated attackers to obtain other users' private data when Server-Side Rendering and hydration are enabled. The flaw stems from the cache failing to inspect the withCredentials flag or Cookie header, allowing credentialed responses to be serialized into SSR HTML and inadvertently shared via downstream CDN/reverse-proxy caches. No public exploit identified at time of analysis, but a vendor patch and detailed advisory describing the conditions are available.

Information Disclosure
NVD GitHub HeroDevs VulDB
CVSS 4.0
8.2
EPSS
0.3%
CVE-2026-50171 HIGH PATCH GHSA This Week

Denial of service in Angular's @angular/common package allows attackers to exhaust CPU and memory by passing crafted digitsInfo strings (e.g., '1.200000000-200000000') to formatNumber, DecimalPipe, PercentPipe, or CurrencyPipe. On SSR deployments this crashes the Node.js process with a heap-out-of-memory error, while client-side rendering freezes the browser tab. No public exploit identified at time of analysis, though the patched code and triggering input strings are documented in PR #68840.

Node.js Google Denial Of Service
NVD GitHub HeroDevs VulDB
CVSS 4.0
8.2
EPSS
0.3%
CVE-2026-42664 HIGH This Week

Unauthenticated broken access control in the AI Product Search for WooCommerce - Motive Commerce Search WordPress plugin (versions <= 1.38.2) allows remote attackers to invoke privileged functionality without authentication, leading to data integrity tampering and significant availability impact on affected WooCommerce storefronts. Reported by Patchstack with no public exploit identified at time of analysis and no CISA KEV listing, the issue stems from missing authorization checks (CWE-862) on plugin endpoints reachable over the network with no user interaction.

Authentication Bypass WordPress Ai Product Search For Woocommerce 8211 Motive Commerce Search
NVD
CVSS 3.1
8.2
EPSS
0.3%
CVE-2026-54271 HIGH PATCH GHSA This Week

Code injection in protobufjs-cli pbjs static and static-module code generation allows attacker-influenced JSON descriptor names to be emitted as unsafe JavaScript references in generated output, leading to arbitrary code execution when the generated file is later imported and an affected API path is invoked. This affects npm protobufjs-cli versions <= 1.3.1 and 2.0.0 through 2.4.2, and is an incomplete-fix bypass of CVE-2026-44295 (GHSA-6r35-46g8-jcw9). At time of analysis, no public exploit identified and no CISA KEV listing, but vendor-released patches exist in 1.3.2 and 2.5.0.

Code Injection RCE
NVD GitHub
CVSS 3.1
8.2
EPSS
0.2%
CVE-2026-50874 HIGH This Week

Authenticated command injection in kanishka-linux Reminiscence v0.3.0 lets remote attackers execute arbitrary OS commands by submitting crafted input to the /manage/features/media endpoint. The flaw maps to CWE-78 with CVSS 8.1 (PR:L), and publicly available exploit code exists in a referenced gist; EPSS is modest at 0.66% (47th percentile) and the issue is not on CISA KEV.

Command Injection N A
NVD GitHub
CVSS 3.1
8.1
EPSS
0.7%
CVE-2026-49065 HIGH This Week

Unauthenticated broken access control in the Hippoo Mobile App for WooCommerce WordPress plugin (versions 1.9.5 and earlier) allows remote attackers to access protected functionality or data without valid credentials. The flaw is reported by Patchstack and stems from missing authorization checks (CWE-862), enabling unauthenticated retrieval or manipulation of resources that should be gated behind authentication. No public exploit identified at time of analysis, and it is not currently listed in CISA KEV.

Authentication Bypass WordPress Hippoo Mobile App For Woocommerce
NVD
CVSS 3.1
8.2
EPSS
0.2%
CVE-2026-27333 HIGH This Week

Unauthenticated PHP object injection in the Paid Videochat Turnkey Site WordPress plugin (versions 7.3.23 and earlier, also marketed as 'ppv-live-webcams') allows remote attackers to deserialize untrusted data and potentially achieve full compromise of the underlying site. The flaw was reported by Patchstack and tracked as EUVD-2026-36915; no public exploit code or CISA KEV listing is identified at time of analysis, though the CVSS 8.1 score reflects confidentiality, integrity, and availability impact gated by high attack complexity.

Deserialization Paid Videochat Turnkey Site
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-39587 HIGH This Week

Unauthenticated privilege escalation in the WP BASE Booking WordPress plugin (versions through 5.9.0) allows remote attackers to elevate privileges without credentials, with potential to fully compromise affected WordPress sites. The flaw is rated CVSS 8.1 (high) with no public exploit identified at time of analysis, but the unauthenticated nature and high impact on confidentiality, integrity, and availability make it a notable risk for sites running the plugin.

Privilege Escalation Wp Base Booking
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-50891 HIGH This Week

Incorrect access control in the /admin/api/config component of Filestash v0.4.0 allows attackers to escalate privileges via sending a crafted request.

N A Authentication Bypass
NVD GitHub
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-50888 HIGH This Week

An authenticated Server-Side Request Forgery (SSRF) in the custom scraper subsystem component of Benjamin Jonard Koillection v1.8.0 allows attackers to scan internal resources via supplying a crafted URL.

SSRF N A
NVD GitHub
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-50881 HIGH This Week

Incorrect access control in the impworks Bonsai v6.0 allows authenticated attackers with Editor privileges to escalate privileges to Administrator and execute unauthorized account, password, and configuration changes.

Authentication Bypass N A
NVD GitHub
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-50875 HIGH This Week

Incorrect access control in the /{form}/webhooks/{webhook} endpoint of Deck9 Input v2.0.1 allows authenticated attackers to arbitrarily modify or delete another tenant's webhook via a crafted request.

N A Authentication Bypass
NVD GitHub
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-48970 HIGH This Week

Authentication bypass in the Really Simple SSL WordPress plugin versions 9.5.10 and earlier allows remote attackers to circumvent identity verification controls (CWE-288), potentially gaining unauthorized access to WordPress sites that rely on the plugin's two-factor or login security features. The flaw was disclosed via Patchstack and carries a CVSS 3.1 base score of 8.1 driven by high impact on confidentiality, integrity, and availability, though high attack complexity (AC:H) suggests non-trivial preconditions. No public exploit identified at time of analysis and EPSS data was not supplied.

Information Disclosure Really Simple Ssl
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-42687 HIGH This Week

Unauthenticated PHP Object Injection in the EventPrime event calendar plugin for WordPress (versions <= 4.3.2.1) allows remote attackers to inject crafted serialized PHP objects that may trigger arbitrary deserialization-driven gadget chains, leading to potential remote code execution, file manipulation, or data tampering. The flaw is reachable without authentication but carries CVSS:3.1 AC:H, indicating non-trivial preconditions for successful exploitation. No public exploit identified at time of analysis, but Patchstack disclosure typically precedes broader exploit development against the WordPress plugin ecosystem.

PHP Deserialization Eventprime
NVD VulDB
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-42411 HIGH This Week

Authentication bypass in the CloudSecure WP Security WordPress plugin (versions ≤ 1.4.7) allows remote unauthenticated attackers to subvert the plugin's authentication controls, leading to high impact on confidentiality, integrity, and availability of affected WordPress sites. The flaw is tracked by Patchstack and ENISA EUVD as a broken authentication issue (CWE-288) with a CVSS 3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N). No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Information Disclosure Cloudsecure Wp Security
NVD
CVSS 3.1
8.1
EPSS
0.4%
CVE-2025-68713 HIGH This Week

An issue was discovered in Rakuten Send Anywhere (File Transfer) for Android (com.estmob.android.sendanywhere) 23.2.9. The vulnerability allows untrusted applications (with no permissions) to force arbitrary file downloads into the app's scoped storage. The resulting files appear in the application's trusted Received interface. These conditions establish a vector for arbitrary code execution if the payload is an APK file, or a denial-of-service condition through resource exhaustion from oversized transfers.

Denial Of Service Google RCE N A
NVD GitHub
CVSS 3.1
8.0
EPSS
0.2%
CVE-2026-48723 HIGH This Week

OS command injection in BrowserStack's browserstack-cypress-cli versions prior to 1.36.6 allows attackers who control the cypress_config_filepath value to execute arbitrary shell commands in the context of the user running the CLI. The vulnerable loadJsFile() function in readCypressConfigUtil.js interpolated the path into a shell command executed via child_process.execSync(), letting embedded quote and semicolon characters break out of the quoted argument. No public exploit identified at time of analysis, though the upstream commit and added negative tests effectively document the exact payload pattern.

Command Injection Browserstack Cypress Cli
NVD GitHub
CVSS 3.1
7.8
EPSS
0.5%
CVE-2026-36213 HIGH POC This Week

Local privilege escalation in Microvirt MEmu Android Emulator 9.2.7.0 allows a low-privileged local user to abuse the MemuService.exe component to gain elevated rights on the host Windows system. Mapped to CWE-269 (Improper Privilege Management), with no public exploit identified at time of analysis and an EPSS score of 0.21% indicating low predicted exploitation likelihood. Researcher PoC repository exists on GitHub (sec-zone/CVE-2026-36213) but active exploitation has not been reported.

Privilege Escalation Google N A
NVD GitHub Exploit-DB VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2025-56814 HIGH This Week

Arbitrary code execution in OpenCPN v5.12.0 allows local authenticated users to run shell commands by embedding shell metacharacters in input passed to the wxExecute() function. CVSS 3.1 rates it 7.8 (High) with local attack vector and low privileges required, and SSVC assesses technical impact as total but with no observed exploitation. No public exploit identified at time of analysis beyond a researcher write-up referenced in the advisory.

Command Injection RCE N A
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-12057 HIGH This Week

Arbitrary code execution in Foxit AI (versions before 2026-06-15) occurs when the application processes JavaScript embedded in a PDF inside its sandbox but fails to intercept dangerous interfaces, permitting remote script loading. A user must open a malicious PDF for exploitation to succeed, and no public exploit identified at time of analysis with EPSS at only 0.13%. SSVC reports total technical impact but no observed exploitation.

RCE Foxit Ai
NVD
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-49853 HIGH PATCH GHSA This Week

Credential leakage in Tornado's SimpleAsyncHTTPClient (versions prior to 6.5.6) allows sensitive Authorization headers and HTTP auth parameters to be forwarded to attacker-controlled origins during 3xx redirect handling. Because follow_redirects=True is the default behavior, any Tornado-based client making outbound HTTP requests with credentials may inadvertently disclose them to a redirect target on a different scheme, host, or port. No public exploit identified at time of analysis, and this issue is not listed in CISA KEV.

Information Disclosure
NVD GitHub
CVSS 3.1
7.7
EPSS
0.5%
CVE-2026-40779 HIGH This Week

Arbitrary file deletion in the Link Library WordPress plugin (versions 7.8.8 and earlier) allows authenticated contributors to delete arbitrary files on the server via a path traversal flaw. Reported by Patchstack and tracked as EUVD-2026-36986, the issue enables low-privileged authors of WordPress content to disrupt site availability by removing critical files such as wp-config.php; no public exploit identified at time of analysis.

Path Traversal Link Library
NVD
CVSS 3.1
7.7
EPSS
0.3%
CVE-2026-6517 HIGH This Week

Credential leakage in Mattermost Desktop App versions up to 6.1 and 5.5.13.0 allows authenticated server users to harvest NTLM credentials from other users by embedding images that resolve to attacker-controlled external web servers. The client fails to enforce a strict domain allow list before forwarding Windows NTLM authentication challenges, so any post in a server without the image proxy enabled becomes a credential capture vector. No public exploit identified at time of analysis and EPSS is low (0.18%), but the scope-change CVSS of 7.7 reflects cross-user impact.

Mattermost Information Disclosure
NVD VulDB
CVSS 3.1
7.7
EPSS
0.2%
CVE-2026-40727 HIGH This Week

Arbitrary file deletion in the Groundhogg WordPress plugin (versions 4.4 and earlier) allows authenticated users with the Sales Representative role to delete files outside the plugin's intended scope via a path traversal flaw. With no public exploit identified at time of analysis and a CVSS 7.7 driven by scope change and high availability impact, the issue threatens site integrity and uptime rather than data confidentiality. The vulnerability was disclosed by Patchstack and is tracked in the ENISA EUVD as EUVD-2026-36971.

Path Traversal Groundhogg
NVD
CVSS 3.1
7.7
EPSS
0.3%
CVE-2026-48599 HIGH PATCH This Week

Authorization bypass in elixir-grpc (grpc library for Elixir) versions 0.8.0 through 0.x allows authenticated attackers to override path-bound URL parameters via query string or request body values, defeating ownership and multi-tenancy checks. The flaw stems from incorrect Map.merge/2 precedence in GRPC.Server.Transcode.map_request/5, where attacker-controlled query/body values silently overwrite the router-extracted path bindings used by handlers for authorization. No public exploit identified at time of analysis, but upstream patch and detailed regression tests are publicly available.

Authentication Bypass Grpc
NVD GitHub VulDB
CVSS 4.0
7.6
EPSS
0.3%
CVE-2026-53705 HIGH This Week

Heap memory corruption in the WavPack audio decoder of GStreamer's gst-plugins-good package allows remote attackers to crash applications or potentially achieve arbitrary code execution when a victim opens a malicious WavPack (.wv) audio file. The flaw, tracked as CVE-2026-53705 and reported by Red Hat, affects Red Hat Enterprise Linux versions 7, 8, 9, and 10, and stems from an integer overflow during buffer size calculation that produces an undersized heap allocation later overrun by decoded samples. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the multimedia decoder attack surface combined with RCE potential makes it a meaningful patching priority.

Buffer Overflow Integer Overflow RCE Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 7 +2
NVD VulDB
CVSS 3.1
7.6
EPSS
0.2%
CVE-2026-49855 HIGH PATCH GHSA This Week

Denial of service in Tornado web framework versions prior to 6.5.6 allows a malicious HTTP server to exhaust client memory through a gzip decompression bomb against SimpleAsyncHTTPClient in its default configuration. The flaw stems from missing cumulative size enforcement on decompressed response bodies; HTTPServer is also vulnerable when explicitly configured with decompress_request=True. No public exploit identified at time of analysis, though the technique (gzip bomb) is well-understood and trivial to weaponize.

Information Disclosure
NVD GitHub
CVSS 3.1
7.5
EPSS
0.7%
CVE-2026-48818 HIGH PATCH GHSA This Week

Server-side request forgery in Starlette's StaticFiles on Windows allows unauthenticated remote attackers to coerce the application process into making outbound SMB connections to attacker-controlled hosts, leaking the service account's NTLMv2 hash for offline cracking or NTLM relay. The flaw affects all Starlette versions before 1.1.0 (including downstream frameworks like FastAPI) when running on Windows in the default follow_symlink=False configuration, and no public exploit identified at time of analysis though the GHSA advisory provides full technical detail sufficient to reproduce.

Python Nginx Microsoft SSRF
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.5%
CVE-2026-41708 HIGH PATCH This Week

Denial-of-service in Spring Cloud Sleuth 3.1.0 through 3.1.13 allows remote unauthenticated attackers to exhaust application availability by sending specially crafted calls processed by the spring-cloud-sleuth-instrumentation library when Spring TX (transaction) instrumentation is enabled. The flaw is network-reachable with low attack complexity and no user interaction (CVSS 7.5, AV:N/AC:L/PR:N), but there is no public exploit identified at time of analysis and no CISA KEV listing. Impact is limited to availability - no confidentiality or integrity compromise is possible.

Java Denial Of Service Spring Cloud Sleuth
NVD HeroDevs
CVSS 3.1
7.5
EPSS
0.5%
CVE-2026-40776 HIGH This Week

Unauthenticated information disclosure in the Arraytics WP Event Solution (Eventin) WordPress plugin through version 4.1.8 allows remote attackers to bypass access control checks and read data they should not be permitted to access. The flaw was disclosed by Patchstack and tracked as EUVD-2026-36985; no public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Authentication Bypass Wp Event Solution
NVD
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-39480 HIGH This Week

Unauthenticated sensitive data exposure in the Inisev Backup Migration WordPress plugin (versions through 2.1.1) allows remote attackers to retrieve confidential information without credentials or user interaction. Patchstack rates the issue at CVSS 7.5 with high confidentiality impact; no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.

Information Disclosure Backup Migration
NVD
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-11860 HIGH This Week

Unsafe PHP deserialization in Quick.CMS by OpenSolution lets an on-path attacker who can tamper with the plaintext HTTP channel inject malicious serialized objects that are deserialized when an administrator opens the admin panel, yielding arbitrary code execution on the server. The CVSS 4.0 vector (AV:A/AC:L/AT:P/PR:N/UI:P) reflects that exploitation requires adjacent-network MITM positioning plus an administrator session, and no public exploit identified at time of analysis. CERT-PL reported the issue and OpenSolution shipped a patch for version 6.8 on 14.05.2026 that mitigates the flaw by forcing HTTPS.

Deserialization RCE Quick Cms
NVD
CVSS 4.0
7.5
EPSS
0.4%
CVE-2026-48708 HIGH POC PATCH GHSA This Week

Concurrent action execution in OliveTin versions 3000.0.0 and prior triggers a race condition in a shared text/template.Template instance, enabling cross-user command contamination, runtime panics, and execution of unintended commands. Authenticated users of the OliveTin web interface can exploit this by issuing parallel ExecRequests; no public exploit is identified at time of analysis, but the bug manifests during normal multi-user operation. The vendor patched the issue in version 3000.13.0.

Race Condition Information Disclosure Olivetin
NVD GitHub
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-49112 HIGH This Week

Unauthenticated path traversal in the Shared Files WordPress plugin (versions 1.7.64 and earlier) allows remote attackers to read arbitrary files outside the plugin's intended directory scope on the underlying WordPress host. The flaw is reachable without authentication over the network and carries a CVSS 7.5 with high confidentiality impact, though no public exploit identified at time of analysis and the issue is not listed in CISA KEV. Disclosed by Patchstack, the bug primarily threatens sensitive files such as wp-config.php and other server-side secrets accessible to the web user.

Path Traversal Shared Files
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-48712 HIGH PATCH GHSA This Week

{json:true}), or JSON.stringify(), unbounded recursion exhausts the JavaScript call stack. No public exploit identified at time of analysis, but the GitHub Security Advisory GHSA-wcpc-wj8m-hjx6 provides full technical detail and patched versions are available.

Google Denial Of Service
NVD GitHub
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-39534 HIGH This Week

Unauthenticated broken access control in the WP Directory Kit WordPress plugin (versions ≤ 1.5.0) allows remote attackers to bypass authorization checks on plugin endpoints and access functionality or data that should require authentication. The flaw was disclosed via Patchstack and tracked as EUVD-2026-36963; no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Authentication Bypass Wp Directory Kit
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-48835 HIGH This Week

Broken access control in the Contact Form by WPForms plugin (versions <= 1.10.0.4) for WordPress allows remote unauthenticated attackers to perform unauthorized actions affecting data integrity. The flaw stems from missing authorization checks (CWE-862) on plugin functionality, enabling tampering without any credentials or user interaction. No public exploit identified at time of analysis, and EPSS data was not provided in the input.

Authentication Bypass Contact Form By Wpforms
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-39533 HIGH This Week

Availability-impacting broken access control in the AWP Classifieds (Another WordPress Classifieds Plugin) WordPress plugin through version 4.4.4 allows unauthenticated remote attackers to invoke privileged functionality due to a missing authorization check (CWE-862). The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/C:N/I:N/A:H) indicates the flaw exposes a sensitive action - most plausibly a destructive or resource-consuming operation - over the network with no credentials or user interaction. No public exploit identified at time of analysis.

Authentication Bypass Awp Classifieds
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-34891 HIGH This Week

Unauthenticated sensitive data exposure in the IDPay Payment Gateway for WooCommerce WordPress plugin (versions ≤ 2.2.5) allows remote attackers to retrieve confidential information without credentials or user interaction over the network. The flaw was reported by Patchstack and tracked as EUVD-2026-36918; no public exploit identified at time of analysis. With a CVSS 7.5 (high) score driven entirely by confidentiality impact, the issue is significant for any WooCommerce site processing payments through this Iranian payment gateway integration.

WordPress Information Disclosure Idpay Payment Gateway For Woocommerce
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-42384 HIGH PATCH This Week

Unauthenticated sensitive data exposure in the Simply Schedule Appointments WordPress plugin versions prior to 1.6.11.2 allows remote attackers to retrieve protected information without credentials over the network. The flaw is reported by Patchstack and carries a CVSS 7.5 (high) confidentiality-only impact, with no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.

Information Disclosure Simply Schedule Appointments
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-39513 HIGH This Week

Unauthenticated information disclosure in the Easy Appointments WordPress plugin (versions ≤ 3.12.21) allows remote attackers to access protected appointment data without authentication due to missing authorization checks. Patchstack reports the issue as a broken access control flaw with high confidentiality impact (CVSS 7.5); no public exploit identified at time of analysis, and the plugin is not currently listed in CISA KEV.

Authentication Bypass Easy Appointments
NVD
CVSS 3.1
7.5
EPSS
0.3%
Prev Page 2 of 5 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy