SQL injection in the Tyche Softwares 'Order Delivery Date for WooCommerce' WordPress plugin (versions up to and including 4.5.1) allows unauthenticated remote attackers to inject arbitrary SQL into backend queries. Per the CVSS:3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L) the flaw is network-reachable, requires no privileges or interaction, and results in a scope change with high confidentiality impact and partial availability impact. No public exploit identified at time of analysis, but Patchstack tracking and the CWE-89 classification put this in a well-understood, easily weaponizable bug class for WordPress sites.
SQL injection in the Funnel Builder by FunnelKit WordPress plugin (versions up to and including 3.15.0.1) allows unauthenticated remote attackers to inject arbitrary SQL into backend database queries. The flaw, tracked by Patchstack and rated CVSS 9.3, requires no authentication or user interaction, enabling data exfiltration and limited integrity/availability impact across affected WordPress sites. There is no public exploit identified at time of analysis, but the trivial attack complexity and pre-auth nature make this a high-priority patching target.
Unauthenticated SQL injection in the wpForo Forum WordPress plugin (versions 3.0.4 and earlier) allows remote attackers to inject arbitrary SQL into backend database queries without any credentials or user interaction. With a CVSS 3.1 score of 9.3 and a scope-changing vector, exploitation can expose data beyond the plugin's own context, though no public exploit identified at time of analysis and the vulnerability is not currently listed in CISA KEV.
Unauthenticated SQL injection in the GeoDirectory WordPress plugin (versions up to and including 2.8.152) allows remote attackers to inject arbitrary SQL into backend database queries without any credentials or user interaction. The flaw was disclosed via Patchstack and tracked as EUVD-2026-36951; no public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV. Given the WordPress plugin ecosystem's history of rapid weaponization for SQLi flaws, this should be treated as a priority despite the absence of confirmed in-the-wild activity.
Unauthenticated SQL injection in the Form Maker by 10Web WordPress plugin (versions ≤ 1.15.38) allows remote attackers to inject arbitrary SQL into backend queries without credentials, leading to database content disclosure and partial integrity/availability impact across a changed security scope. No public exploit identified at time of analysis, but the CVSS 9.3 and trivial network-reachable attack profile make this a high-priority issue for any WordPress site running the plugin. The Patchstack-coordinated disclosure indicates a vendor-tracked flaw, though no fixed version is confirmed in the supplied data.
Remote code execution in the WordPress 'Responsive Slider by MetaSlider' plugin (versions ≤3.106.0) allows authenticated users with Editor-level privileges to inject and execute arbitrary code on the underlying server. The flaw is tracked as CWE-94 (Improper Control of Generation of Code) and carries a CVSS 3.1 score of 9.1 because exploitation crosses a scope boundary, but no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Account takeover in team-alembic AshAuthentication (0.1.0 to <4.14.0 and 5.0.0-rc.0 to <5.0.0-rc.10) lets an unauthenticated attacker hijack any local user account by completing an OAuth2 or OIDC sign-in with the victim's email address. The library matched federated logins to local users by email rather than by the OpenID Connect iss/sub pair, so any accepted provider that allows an attacker to register or reuse the victim's email - including providers that return email_verified: false - resolves to the victim's existing account. No public exploit identified at time of analysis, but the underlying technique (OIDC email-claim takeover) is well-documented and trivially reproducible.
Remote prototype pollution in i18next-http-middleware before 3.9.7 allows unauthenticated attackers to write to Object.prototype by submitting dotted request-body keys such as '__proto__.polluted' to the missingKeyHandler. The 3.9.3 denylist blocked only literal unsafe keys; downstream backends (notably i18next-fs-backend ≤ 2.6.5) that split missing-key strings on the configured keySeparator then walked these segments into an unguarded setPath(). No public exploit identified at time of analysis, but PoC payloads are embedded in the upstream security test suite.
Prototype pollution in i18next-fs-backend versions prior to 2.6.6 allows remote attackers to write arbitrary properties onto Object.prototype by submitting crafted missing-translation keys such as '__proto__.polluted' to applications that expose i18next-http-middleware's missingKeyHandler to untrusted input. Backend.writeFile() split keys on the configured keySeparator (default '.') and the getLastOfPath walker in lib/utils.js did not filter unsafe segments before traversing the target object. No public exploit identified at time of analysis, but a coordinated-disclosure advisory (GHSA-2933-q333-qg83) and a fixing commit are public, and downstream impact can include denial of service, configuration poisoning, and bypass of property-based security checks.
Unauthenticated broken access control in the TrueBooker WordPress appointment-booking plugin (versions ≤ 1.1.9 by ThemeTechMount) allows remote attackers without credentials to invoke privileged plugin functionality that should be restricted, exposing booking data and permitting unauthorized state changes. The flaw is tracked by Patchstack and rated CVSS 9.1 with network attack vector and no privileges or user interaction required; no public exploit identified at time of analysis and the issue is not currently listed in CISA KEV.
WordPress appointment-booking-calendar 1.1.24 contains multiple privilege escalation vulnerabilities that allow unauthenticated attackers to modify calendar settings and inject persistent cross-site. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Booking Calendar Contact Form 1.0.23 contains privilege escalation and stored cross-site scripting vulnerabilities that allow authenticated users to modify plugin options and inject. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
WordPress CP Polls 1.0.8 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts through unsanitized file upload functionality. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Dancer2::Plugin::Auth::OAuth versions before 0.22 for Perl default to a predictable nonce. The default nonce was generated using an MD5 hash of the epoch time, which is predictable.
Socket versions before 2.041 for Perl have an out-of-bounds heap read. In Socket.xs, pack_ip_mreq_source() checks the length of its source argument before the argument is read, so the check tests the byte length carried over from the preceding multiaddr argument instead. Both addresses occupy a 4-byte field, so a valid multiaddr lets a source of any length pass the check, and the source is then copied into the 4-byte imr_sourceaddr field with a fixed-size copy. A source shorter than 4 bytes is not rejected, and the copy reads up to 3 bytes past the end of its buffer. Calling pack_ip_mreq_source() with a source value shorter than 4 bytes copies adjacent heap memory into the returned packed structure.
Private-key recovery is possible in Crypt::DSA for Perl (all versions before 1.21) because the module caches the per-signature DSA nonce (k) inside the Key object and never clears it, causing every call to sign() after the first to reuse the identical nonce and produce signatures with matching r values. Any attacker who can observe two or more DSA signatures produced by the same Key object can apply well-known algebraic techniques to recover the private key entirely, after which they can forge arbitrary signatures. No public exploit code has been identified at time of analysis and CISA KEV listing is absent, but the cryptographic impact is catastrophic: all keys used to sign more than once under an affected version must be treated as fully compromised.
Arbitrary file write in remotion-dev Remotion v4.0.409 allows remote attackers to write attacker-controlled content to arbitrary filesystem locations without authentication, per the CVSS:3.1 vector (AV:N/AC:L/PR:N/UI:N) and CWE-123 (Write-what-where) classification. Remotion is a React-based programmatic video rendering framework, and the flaw can lead to integrity and availability compromise of the host running the rendering engine. No public exploit identified at time of analysis, and the EPSS score of 0.15% (4th percentile) indicates low predicted exploitation likelihood despite the high CVSS score.
Server-Side Request Forgery in Project Firefly III v6.5.9 allows remote attackers to scan internal network resources by abusing improper access controls in the webhook management component via crafted POST requests. SSVC indicates a proof-of-concept exists and exploitation is automatable with total technical impact, though EPSS remains low (0.15%) and no public exploit identified at time of analysis beyond a referenced gist. The flaw is unauthenticated per the CVSS vector (PR:N) and provides a pivot point into otherwise unreachable internal services.
In OCaml-tar before 3.4.0, a crafted archive with ../ path segments in its name allows escaping the current working directory. This is not desired behavior, and tar(1) rejects such extractions, but ocaml-tar decompresses it anyway. The impact is that it allows arbitrary file writes outside of the desired extraction directory (to an attacker that can reach a tar decompression endpoint).
Server-side request forgery in Shlink v5.0.1's automatic short URL title resolution allows remote unauthenticated attackers to probe internal network resources by submitting a crafted longUrl value. The flaw carries a CVSS 9.1 rating reflecting high confidentiality and integrity impact, though EPSS exploitation probability remains low at 0.15% and there is no public exploit identified at time of analysis beyond a referenced gist. Shlink is a self-hosted URL shortener, making this a meaningful pivot point for attackers targeting internal infrastructure behind the shortener host.
Server impersonation in OCaml-TLS before 2.1.0 allows a malicious TLS server to present a certificate not intended for server authentication and still be accepted by client code, enabling man-in-the-middle and impersonation attacks against any application linking the library as a TLS client. The client fails to validate KeyUsage and ExtendedKeyUsage extensions properly, breaking a core PKIX trust assumption. No public exploit identified at time of analysis and EPSS sits at 0.15% (4th percentile), but the CVSS 9.1 reflects the broad confidentiality and integrity impact on encrypted sessions.
Authentication bypass in OCaml-TLS server implementations before version 2.1.0 allows remote attackers to impersonate legitimate clients during mutual TLS authentication by presenting certificates whose KeyUsage and ExtendedKeyUsage extensions do not authorize client authentication. The server fails to enforce these X.509 certificate purpose constraints, so any valid certificate chain trusted by the server may be accepted regardless of intended use. EPSS probability is low (0.12%, 2nd percentile) and no public exploit identified at time of analysis, but the CVSS 9.1 reflects the high impact on confidentiality and integrity of mTLS-protected services.
OS command injection in Fortra BoKS Manager (Core Privileged Access Manager) lets a malicious or already-compromised legacy tar-installed client execute arbitrary commands on the central BoKS Master when that client is selected for upgrade or patching. The flaw sits in the client version-handling logic of the legacy tar-based upgrade/patch tooling, turning a single rogue managed endpoint into a foothold on the security control plane. It is not in CISA KEV and no public exploit is identified at time of analysis; EPSS is low at 0.57% (43rd percentile), and CISA SSVC records exploitation as 'none' though technical impact as 'total'.
Heap buffer overflow in GStreamer's librfb (RFB/VNC client) allows a malicious VNC server to corrupt heap memory on a connecting client, potentially leading to remote code execution or denial of service. The flaw stems from validating rectangle area instead of individual dimensions, letting attacker-controlled rectangles extend beyond the framebuffer. No public exploit identified at time of analysis, though the issue affects GStreamer as shipped across Red Hat Enterprise Linux 6 through 10.
PHP Object Injection in the Post Duplicator WordPress plugin versions <= 3.0.10 allows authenticated users with Contributor-level privileges to trigger insecure deserialization, potentially leading to remote code execution, data tampering, or full site compromise. The flaw is rated CVSS 8.8 (High) and was disclosed by Patchstack. No public exploit identified at time of analysis and the vulnerability is not currently listed in CISA KEV.
Authenticated path traversal in the WP Customer Area WordPress plugin through version 8.3.4 allows users with low-privilege custom roles to escape intended directory boundaries and access or manipulate files outside the plugin's permitted scope. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N) indicates network-reachable exploitation by authenticated users with high impact across confidentiality, integrity, and availability. No public exploit identified at time of analysis and the issue is not currently listed in CISA KEV.
PHP Object Injection in the Events Calendar for GeoDirectory WordPress plugin (versions <= 2.3.25) allows authenticated users with Contributor-level privileges to trigger unsafe deserialization, potentially leading to remote code execution, data tampering, or denial of service on the host WordPress site. The flaw is tracked as CWE-502 and was disclosed via Patchstack with a CVSS 3.1 score of 8.8, but no public exploit identified at time of analysis. Patchstack reports the issue and no vendor-released patch identified at time of analysis based on the supplied data.
Server-side request forgery in @angular/platform-server allows remote unauthenticated attackers to bypass the allowedHosts allowlist by sending a malformed Host header or absolute-form request URI (e.g., 'evil.com:80:80'), causing the SSR runtime to redirect outbound HttpClient requests to attacker-controlled origins. The flaw stems from a parser differential between Node's strict WHATWG URL parser (used for allowlist validation) and Domino's lenient parser (used for DOM origin resolution). No public exploit identified at time of analysis, but proof-of-concept patterns are documented in the GitHub Security Advisory GHSA-xrxm-cp7j-8xf6.
Authenticated SQL injection in OpenSIPS Control Panel (opensips-cp) versions prior to 9.3.3 allows attackers with valid panel credentials to execute arbitrary SQL via the 'table' GET parameter in alias_management.php using time-based blind techniques. The flaw resides in the alias_management module and yields full database confidentiality, integrity, and availability impact per CVSS 8.8. No public exploit identified at time of analysis, and EPSS is low (0.28%, 19th percentile), but a third-party advisory documents the issue on GitHub.
OS command injection in the SSH Elevate Shell feature of Devolutions Remote Desktop Manager up to 2026.2.7 lets an authenticated user who can create or modify a shared SSH entry execute arbitrary commands on remote SSH hosts by smuggling shell metacharacters through a crafted alternate username, abusing stored elevation credentials they would not otherwise possess. No public exploit identified at time of analysis and EPSS is low (0.16%, 5th percentile), but the privilege-escalation angle - turning shared-entry write access into code execution under another user's sudo/elevation context - makes this attractive for insider or post-compromise abuse.
Incorrect access control in statping-ng v0.93.0 allows attackers to escalate privileges to Administrator and access sensitive components.
Cache key collision in Angular's @angular/common HttpTransferCache allows remote attackers to poison Server-Side Rendering (SSR) cache entries and replace responses for sensitive endpoints with attacker-controlled content. The weak 32-bit DJB2-like polynomial rolling hash used for TransferState cache keys is trivially brute-forceable, enabling state poisoning, DOM-based XSS, and information leakage when a victim follows a crafted link. No public exploit identified at time of analysis, but the vulnerability was discovered and reported by Google DeepMind's CodeMender and is patched in Angular 22.0.1, 21.2.17, and 20.3.25.
Privilege escalation in Dokan WordPress plugin versions 5.0.2 and earlier allows authenticated low-privileged customer accounts to elevate their permissions within the multivendor marketplace, potentially gaining vendor or administrative capabilities. The flaw was disclosed via Patchstack and carries a CVSS 3.1 score of 8.8 with high impact across confidentiality, integrity, and availability; no public exploit identified at time of analysis and the vulnerability is not currently listed in CISA KEV.
Privilege escalation in the Amelia booking plugin for WordPress (versions 2.3 and earlier) allows an authenticated low-privileged user (Subscriber role) to gain higher WordPress privileges. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N) indicates a network-reachable flaw exploitable with only minimal account access, yielding high impact to confidentiality, integrity, and availability. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Privilege escalation in the B Blocks WordPress plugin through version 2.0.31 allows authenticated users with Contributor-level access to elevate their privileges on the affected site. Reported by Patchstack and tracked as EUVD-2026-36965, the issue carries a CVSS 3.1 score of 8.8 reflecting full confidentiality, integrity, and availability impact once a low-privileged WordPress account is obtained. No public exploit identified at time of analysis, but the low attack complexity and lack of required user interaction make weaponization straightforward once an exploitation primitive is published.
Authenticated PHP object injection in the WordPress 'Anti-Malware Security and Brute-Force Firewall' (GOTMLS) plugin through version 4.23.87 allows contributor-level users to inject crafted serialized PHP objects that are deserialized by the plugin. Successful exploitation can pivot through existing PHP gadget chains in WordPress or other installed plugins to achieve high-impact compromise of the site. No public exploit identified at time of analysis, and the issue is not on the CISA KEV list.
Privilege escalation in the ThemeGrill Masteriyo LMS WordPress plugin (versions up to and including 2.2.0) allows authenticated low-privileged users to elevate their permissions to higher roles, including administrator. The flaw stems from incorrect privilege assignment (CWE-266) and carries a CVSS 8.8 with high confidentiality, integrity, and availability impact across the WordPress instance. No public exploit identified at time of analysis, and the Patchstack disclosure is the sole reference currently available.
Authentication bypass in WP Engine's Faust.js (faustwp) plugin through version 1.8.7 enables password recovery exploitation, allowing an attacker with low privileges to abuse an alternate authentication path and take over accounts. The flaw maps to CWE-288 and carries a CVSS 3.1 score of 8.8 (high) with full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, but the low attack complexity and network vector make this a high-priority concern for WordPress headless deployments.
CSV formula injection in MIA Technology's Pizzy Library (versions 1.0.0.26250 through 1.3.9.26250) allows authenticated attackers to inject malicious formula elements into generated CSV files, leading to code execution when the file is opened in a spreadsheet application. The flaw is rated CVSS 8.8 and was reported by TR-CERT, though no public exploit identified at time of analysis. Impact spans confidentiality, integrity, and availability on the system of any victim who opens the crafted CSV.
Authorization bypass in Symfony's Security component (symfony/security-http) lets unauthenticated attackers reach access_control-protected GET routes by abusing the DefaultAuthenticationFailureHandler. When a firewall uses form-login (or any authenticator on that handler) with failure_forward: true, an attacker-supplied _failure_path parameter is dispatched as a trusted internal SUB_REQUEST that skips the Firewall/AccessListener perimeter, exposing protected read endpoints such as data exports and internal APIs. No public exploit identified at time of analysis, and the flaw is not in CISA KEV; CVSS 4.0 base is 8.7 (High) reflecting high confidentiality impact with no auth required, though it depends on the non-default failure_forward configuration.
Denial of service in the elixir-grpc library (versions 0.4.0 through 0.x) allows unauthenticated remote attackers to crash BEAM nodes via a gzip decompression bomb. The GRPC.Compressor.Gzip module calls :zlib.gunzip/1 directly on attacker-controlled bytes without size limits, ratio checks, or incremental decoding, so a single small frame carrying the grpc-encoding: gzip header expands to multi-gigabyte allocations and triggers OOM kills. No public exploit identified at time of analysis, but a vendor patch is available in version 1.0.0.
Unauthenticated denial of service in the elixir-grpc library (versions 0.3.1 up to but not including 1.0.0) allows a single remote attacker to crash an Erlang/BEAM node by streaming an oversized or slow-trickle unary gRPC request body. The Cowboy handler's read_full_body/3 accumulates every chunk into one unbounded binary, and when no grpc-timeout header is sent the per-chunk read timeout collapses to :infinity, so memory grows without bound until the VM dies. No public exploit identified at time of analysis, but the fix is upstream in commit 49e18c3 and the issue is trivial to trigger.
Authentication bypass in @nestjs/platform-fastify versions 11.1.23 and earlier allows remote attackers to skip route-scoped middleware (including authentication and authorization checks) by simply appending a trailing slash to the request URL. The flaw affects default Fastify adapter configurations with standard CRUD routes registered via MiddlewareConsumer.forRoutes(), and no public exploit identified at time of analysis despite the trivially low exploitation effort.
NoSQL/query injection in Spring AI Vector Stores (1.0.0-1.0.8 and 1.1.0-1.1.7) allows remote unauthenticated attackers to inject special characters into vector-store inputs and force execution of arbitrary queries against Elasticsearch, OpenSearch, and GemFire VectorDB backends. The flaw resides in the spring-ai-elasticsearch-store, spring-ai-opensearch-store, and spring-ai-gemfire-store components, enabling information disclosure and limited integrity/availability impact against any application embedding Spring AI's vector-store abstraction. No public exploit identified at time of analysis, but the CVSS 8.6 (scope unchanged here, network vector, no privileges) makes this a high-priority patch for any Spring AI deployment ingesting untrusted text.
Unauthenticated arbitrary file deletion in the WordPress plugin Contact Form Extender for Divi (versions <= 1.0.6) allows remote attackers to delete arbitrary files on the host filesystem via a path traversal flaw. Deletion of critical files such as wp-config.php can force WordPress into setup mode, enabling site takeover. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Cross-site scripting in @angular/platform-server allows attackers to inject executing script into SSR-rendered pages that bind user-controlled text inside a `<noscript>` element. The bundled `domino` DOM emulator omitted `<noscript>` from raw-text closing-tag escaping, so a `</noscript>` substring in dynamic content broke out of the element and ran an attacker-controlled `<script>` sibling in the victim's origin. No public exploit identified at time of analysis, but a fix-validating test in the upstream patch effectively demonstrates the technique.
Same-origin Cross-Site Scripting in @angular/platform-server (SSR) allows attackers who control bound dynamic text inside raw-text elements (script, style, iframe, noscript) to break out of the raw-text context and execute arbitrary JavaScript in the victim's browser. The root cause is a Unicode index-alignment bug in the bundled domino DOM library: astral characters (e.g. emojis) before a closing tag shift the replacement offset, leaving the closing tag unescaped. Publicly available exploit code exists in the upstream PR's regression tests, but there is no public exploit identified in the wild and the CVE is not on CISA KEV.
DOM Clobbering and HTTP Transfer Cache poisoning in Angular's Client Hydration (provideClientHydration) allows remote attackers to inject arbitrary JSON into the TransferState by hijacking the predictable 'ng-state' element ID. Affected versions are @angular/core 20.x through 22.x prior to the fixes, and the flaw can be leveraged for DOM-based XSS, privilege escalation, or UI hijacking when applications bind untrusted input to element id attributes. No public exploit identified at time of analysis, but a vendor patch and detailed advisory (GHSA-rgjc-h3x7-9mwg) are available.
Origin validation failure in Spring Cloud Gateway (WebMVC and WebFlux Server variants) allows remote attackers to spoof client identity by injecting X-Forwarded-For and Forwarded headers that the gateway then forwards from untrusted proxies in certain configuration scenarios. The flaw, tracked as CVE-2026-47825 with a CVSS 3.1 base score of 8.6 (Scope:Changed, Integrity:High), affects Spring Cloud Gateway 3.1.x, 4.1.x, 4.2.x, 4.3.x, and 5.0.x. No public exploit identified at time of analysis, but the trust-boundary nature of the issue makes it an attractive target for downstream authentication and access-control bypass.
Authorization bypass in Wertheim SafeController Software (AssemblyVersion 6.15.8328.28014) enables low-privileged authenticated users to reach hidden web endpoints and perform restricted operations including branch switching, arbitrary file upload/download, and viewing details of arbitrary branches. The flaw stems from missing access control on endpoints that exist server-side but are not surfaced in the UI, breaking the product's tenancy/segregation between branches. No public exploit identified at time of analysis; CVSS 4.0 base score is 8.6 (high).