Skip to main content
CVE-2026-42656 MEDIUM This Month

Cross-site scripting in the Contest Gallery WordPress plugin (versions <= 28.1.6) can be triggered by a subscriber-level authenticated user, injecting malicious scripts that execute in the browsers of higher-privileged users such as administrators. The CVSS Scope:Changed metric confirms the payload escapes the subscriber's privilege boundary and impacts other user sessions. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low attack complexity and broad WordPress ecosystem deployment surface make this a meaningful risk for any site accepting subscriber registrations.

XSS Contest Gallery
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-42640 MEDIUM This Month

Broken Access Control in the Classified Listing WordPress plugin (versions ≤ 5.3.8) allows unauthenticated remote attackers to bypass authorization checks, enabling limited read and write access to plugin-managed listing data without any credentials. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) confirms the flaw is network-exploitable against any internet-exposed WordPress installation running the affected plugin with no authentication or user interaction required. No public exploit code or CISA KEV listing has been identified at time of analysis.

Authentication Bypass Classified Listing
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-40795 MEDIUM This Month

Broken access control in the Amelia booking plugin for WordPress (versions up to and including 2.2) allows low-privileged subscriber-level users to perform unauthorized high-integrity actions within the booking system. The flaw stems from missing authorization checks (CWE-862), permitting registered users - typically clients or end-users of the booking portal - to interact with data or functionality restricted to higher roles such as managers or administrators. No public exploit has been identified at time of analysis, and KEV listing is absent, but the low attack complexity and network accessibility make this a straightforward target once a subscriber account is obtained.

Authentication Bypass Amelia
NVD VulDB
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-40794 MEDIUM This Month

Broken access control in the myCred WordPress plugin (all versions through 3.0.3) allows authenticated users with only subscriber-level privileges to bypass authorization checks and perform actions reserved for higher-privileged roles, yielding high integrity impact on affected installations. The root cause is missing authorization enforcement (CWE-862) on one or more plugin endpoints, meaning the plugin executes sensitive operations - such as manipulating loyalty points or reward data - without verifying the requesting user's actual capabilities. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, but the low complexity and no-user-interaction requirement make exploitation straightforward for any attacker holding a valid account.

Authentication Bypass Mycred
NVD VulDB
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-40793 MEDIUM PATCH This Month

Broken access control in the Groundhogg WordPress CRM/marketing automation plugin (all versions below 4.4.1) allows low-privileged subscriber-level users to perform unauthorized privileged operations due to missing authorization checks (CWE-862), resulting in high integrity impact. The vulnerability is network-exploitable with low complexity, requiring only a subscriber-level WordPress account - a role freely obtainable via self-registration on many WordPress sites. No public exploit has been identified at time of analysis, and the issue is not listed in the CISA KEV catalog; a vendor-released patch (version 4.4.1) is confirmed available.

Authentication Bypass Groundhogg
NVD VulDB
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-40790 MEDIUM This Month

Sensitive SMS subscriber data exposure in the VeronaLabs WP SMS WordPress plugin (versions <= 7.2.1) permits authenticated subscriber-role users to access protected data through an authorization bypass path. The flaw, classified as CWE-288 (Authentication Bypass Using an Alternate Path or Channel), enables the lowest-privilege WordPress account tier to retrieve sensitive information - likely including phone numbers, message history, or subscriber records - that should be restricted to privileged roles. No public exploit code has been identified at time of analysis, and this CVE does not appear in CISA KEV, though the low attack complexity combined with open WordPress registration on many sites meaningfully lowers the real-world exploitation barrier.

Information Disclosure Wp Sms
NVD VulDB
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-40782 MEDIUM This Month

Broken access control in WPAdverts WordPress plugin versions up to and including 2.3.0 permits unauthenticated remote attackers to bypass authorization gates and perform restricted plugin actions, resulting in limited integrity and availability impact. The flaw is rooted in CWE-862 (Missing Authorization), a well-understood WordPress plugin vulnerability class where endpoints lack capability or permission checks before executing privileged operations. No active exploitation has been confirmed in CISA KEV, and no public exploit code has been identified at time of analysis; however, the fully unauthenticated, low-complexity network attack vector meaningfully lowers the exploitation barrier for any internet-exposed WordPress site running the affected plugin.

Authentication Bypass Wpadverts
NVD VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2025-15659 MEDIUM This Month

Stored Cross-Site Scripting in the Elizaibots WordPress chatbot plugin (versions <= 1.0.2) allows authenticated Contributor-level users to inject malicious scripts that execute in the browser context of higher-privileged users - including site administrators - when they visit affected pages. The CVSS scope-change indicator (S:C) confirms the payload escapes the contributor's privilege boundary and can compromise admin sessions, enabling privilege escalation or site takeover. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

XSS Elizaibots
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-64215 MEDIUM PATCH This Month

Missing Authorization in StylemixThemes MasterStudy LMS Pro (WordPress plugin) exposes restricted LMS functionality to unauthenticated remote attackers, enabling unauthorized modification of course content or platform data and limited disruption of availability. All versions before 4.7.16 are affected, with the flaw rooted in the plugin's failure to enforce access control checks on certain endpoints - effectively allowing callers to bypass intended privilege gates entirely. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, though the low-complexity, unauthenticated attack surface warrants prompt patching on any publicly reachable WordPress installation.

Authentication Bypass Masterstudy Lms Pro
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-48969 MEDIUM This Month

Broken access control in the Really Simple SSL WordPress plugin versions 9.5.9 and earlier permits any authenticated subscriber - the lowest default WordPress user role - to perform privileged actions that should be restricted to administrators. The CVSS vector (PR:L/I:H) confirms that low-privilege authenticated users can achieve high-integrity impact, likely by manipulating SSL redirect rules or plugin security settings without authorization. No public exploit has been identified at time of analysis, but the network-accessible, low-complexity nature of the flaw makes it trivially exploitable by any user who can obtain a subscriber account on an affected installation.

Authentication Bypass Really Simple Ssl
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-39594 MEDIUM This Month

Broken access control in Ultra Addons for WPForms (WordPress plugin by Themefic) through version 1.0.11 allows authenticated subscriber-level users to perform privileged actions beyond their intended role. The vulnerability stems from missing authorization checks (CWE-862), enabling a low-privilege attacker with only a subscriber account to manipulate plugin functionality in ways restricted to higher-privilege roles such as administrators or editors. With a CVSS 3.1 score of 6.4 Medium and a scope-changed vector, the impact extends beyond the plugin itself to affect WordPress site integrity and availability. No public exploit code and no confirmed active exploitation have been identified at time of analysis.

Authentication Bypass Ultra Addons For Wpforms
NVD
CVSS 3.1
6.4
EPSS
0.3%
CVE-2026-12219 LOW POC Monitor

Command injection in Yealink SIP-T46U firmware 108.86.0.118 enables remote authenticated attackers to execute arbitrary OS commands via the unsanitized `Time` argument passed to the `mod_diagnose.CommandShellByType` function at the `/api/diagnosis/start` diagnostic endpoint. The exploit leverages the Web FastCGI Service's failure to neutralize shell metacharacters before invoking underlying system commands, consistent with CWE-77. A public proof-of-concept exploit archive is confirmed available, no CISA KEV listing exists at time of analysis, and the vendor did not respond to disclosure - leaving the vulnerability unpatched.

Command Injection Sip T46U
NVD VulDB
CVSS 4.0
2.1
EPSS
1.5%
CVE-2026-49978 MEDIUM PATCH GHSA This Month

DOMPurify's HTML sanitizer silently skips shadow DOM contents nested inside <template> elements, allowing stored or reflected XSS payloads to survive sanitization untouched in versions up to and including 3.4.6. When a consuming application clones and inserts the sanitized template into the live DOM - the standard and intended usage pattern for HTML templates - any attacker-controlled payload within the shadow root executes with full script privileges in the victim's browser context. A publicly available proof-of-concept (poc.html) has been released alongside the advisory; no confirmed active exploitation (CISA KEV) has been recorded at time of analysis, but the low attack complexity and broad deployment of DOMPurify across web applications make this a high-priority patching target.

XSS
NVD GitHub
CVSS 4.0
6.3
EPSS
0.4%
CVE-2026-54276 MEDIUM PATCH GHSA This Month

DigestAuthMiddleware in aiohttp leaks HTTP Digest authentication credentials to attacker-controlled cross-origin redirect targets. Applications using DigestAuthMiddleware with the default follow_redirects behavior are affected in versions up to and including 3.14.0. When a server responds with a cross-origin redirect, the middleware incorrectly computes and sends a digest authentication response to the redirect destination, exposing the auth digest to the third-party domain. No public exploit has been identified at time of analysis, but exploitation is plausible wherever an open redirect exists on the origin server.

Information Disclosure Open Redirect
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.3%
CVE-2026-39451 MEDIUM This Month

Unauthenticated cross-site scripting in the WP Google Review Slider WordPress plugin (versions up to and including 18.0) allows a remote, unauthenticated attacker to inject arbitrary JavaScript that executes in the browser of any user who interacts with the affected page. Reported by Patchstack and tracked as EUVD-2026-36930, the vulnerability stems from improper input sanitization in a publicly accessible plugin component. No public exploit code or CISA KEV listing has been identified at the time of analysis, placing this in the medium-priority tier despite the unauthenticated attack vector.

Google XSS Wp Google Review Slider
NVD
CVSS 3.1
6.3
EPSS
0.2%
CVE-2025-68049 MEDIUM This Month

Broken Access Control in the bunny.net WordPress plugin (versions ≤ 2.3.6) enables subscriber-level authenticated users to invoke functionality restricted to higher-privileged roles, such as administrators. The root cause is CWE-862 (Missing Authorization) - the plugin fails to verify whether the authenticated requestor holds sufficient privileges before executing sensitive operations. Reported by Patchstack, this is a medium-severity finding (CVSS 6.3); no public exploit code and no CISA KEV listing have been identified at time of analysis, though the low barrier of a standard subscriber account on any affected WordPress site makes it noteworthy for multi-tenant or membership-based deployments.

Authentication Bypass Bunny Net
NVD
CVSS 3.1
6.3
EPSS
0.2%
CVE-2025-70102 MEDIUM This Month

NULL pointer dereference in dhcpcd 10.3.0 allows an unauthenticated attacker on the same network segment to crash the DHCP client daemon by sending a crafted packet with unexpected or invalid option tokens. The fault occurs in parse_option() at src/if-options.c:1886, where a NULL return from option lookup is immediately dereferenced as a 'struct dhcp_opt' member without a null check, causing a runtime abort. No public exploit or CISA KEV listing exists, and EPSS sits at the 4th percentile, indicating low but real crash-level risk for any host running this specific dhcpcd version on a shared or adversarially accessible network segment.

Denial Of Service Null Pointer Dereference N A Red Hat Suse
NVD VulDB
CVSS 3.1
6.3
EPSS
0.1%
CVE-2026-12223 LOW POC Monitor

Command injection in the Yealink SIP-T46U IP phone firmware 108.86.0.118 enables authenticated, adjacent-network attackers to execute arbitrary operating system commands by manipulating the `ip` or `port` arguments submitted to the `/api/inner/tftpuploadiperf` Web FastCGI endpoint. Publicly available exploit code exists, and Yealink did not respond to responsible disclosure, meaning no vendor-released patch has been identified at time of analysis. No KEV listing confirms active exploitation, but the combination of a public proof-of-concept, an absent vendor response, and a default-enabled attack surface on widely deployed enterprise VoIP phones elevates practical risk beyond the moderate CVSS 4.0 score of 5.1.

Command Injection Sip T46U
NVD VulDB
CVSS 4.0
2.0
EPSS
1.5%
CVE-2026-42651 MEDIUM This Month

Broken access control in the Classified Listing WordPress plugin (versions ≤ 5.3.9) allows subscriber-level authenticated users to perform actions that should be restricted to higher-privileged roles, yielding partial confidentiality, integrity, and availability impact. Reported by Patchstack and tracked under ENISA EUVD-2026-36819, the flaw stems from missing authorization checks (CWE-862) within plugin functionality accessible to the lowest default WordPress user role. No public exploit identified at time of analysis, and this vulnerability has not been added to the CISA KEV catalog.

Authentication Bypass Classified Listing
NVD VulDB
CVSS 3.1
6.3
EPSS
0.2%
CVE-2026-40792 MEDIUM This Month

Insecure Direct Object References (IDOR) in the KiviCare WordPress clinic management plugin through version 4.2.1 allows any authenticated subscriber to bypass object-level authorization and access or modify records belonging to other users. Because WordPress subscriber is the default role for self-registered users, this effectively exposes sensitive healthcare data - including patient records, appointments, and prescriptions - to any registered site user who can enumerate or guess object identifiers. No public exploit has been identified at time of analysis, and this vulnerability has not been listed in the CISA KEV catalog.

Authentication Bypass Kivicare
NVD
CVSS 3.1
6.3
EPSS
0.2%
CVE-2026-48747 MEDIUM PATCH GHSA This Month

Algorithm-confusion in Symfony's Mailomat webhook parser allows an attacker to downgrade the HMAC primitive used for signature verification, bypassing webhook authentication. Symfony packages symfony/mailomat-mailer and symfony/symfony versions 7.2.0 through 7.4.12 and 8.0.0 through 8.0.12 accept an attacker-controlled algorithm field from the inbound X-MOM-Webhook-Signature request header and pass it directly to PHP's hash_hmac(), enabling an adversary who can exploit cryptographic weaknesses in weaker HMAC primitives (e.g., HMAC-MD4 existential forgery) to inject fraudulent webhook payloads. No public exploit has been identified at time of analysis, and this CVE is not listed in CISA KEV.

Canonical Jwt Attack PHP Information Disclosure
NVD GitHub
CVSS 4.0
6.3
EPSS
0.2%
CVE-2026-49458 MEDIUM PATCH GHSA This Month

{ IN_PLACE: true })` - a pattern common in email-preview panes, WYSIWYG editors, and declarative shadow DOM consumers. Three working proof-of-concept exploits are publicly available, confirmed against DOMPurify 3.4.5 and HEAD commit `89da34e` on Chromium 148; no CISA KEV listing exists at time of analysis.

Google XSS
NVD GitHub
CVSS 3.1
6.1
EPSS
0.3%
CVE-2026-48157 MEDIUM PATCH GHSA This Month

Reflected XSS in Slim PHP framework (versions 4.4.0 through 4.15.1) allows attackers to inject arbitrary HTML and JavaScript into HTML error pages when application code passes request-derived data into HttpException::setTitle() or setDescription(). The payload executes in a victim's browser upon rendering the crafted error page, and critically this occurs even when displayErrorDetails is set to false, since the unescaped values are rendered on a separate code path. No public exploit code or CISA KEV listing has been identified; exploitation is scoped to applications that explicitly feed untrusted input into these specific exception setter methods.

PHP XSS Slim
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.3%
CVE-2026-49459 MEDIUM PATCH GHSA This Month

Cross-site scripting in DOMPurify ≤ 3.4.5 allows attacker-controlled event handlers, javascript: URIs, and template syntax to survive sanitization when the IN_PLACE: true API is used with an HTMLFormElement root. Two interacting bugs create the bypass: _forceRemove silently no-ops on detached (parent-less) nodes per WebIDL spec, and _sanitizeAttributes unconditionally early-returns on clobbered nodes under the now-broken assumption that _sanitizeElements already removed them. A publicly available working PoC has been verified against Chromium 148.0.7778.96 and DOMPurify 3.4.5 including the HEAD commit 89da34e, which addressed a related shadow-root traversal issue but left this main-pipeline path unpatched. No KEV listing is present at time of analysis.

Google Mozilla Apple XSS
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.3%
CVE-2026-12210 LOW POC Monitor

Server-side request forgery in python-utcp 1.1.0's utcp-gql and utcp-websocket components allows remote low-privileged attackers to coerce the server into issuing arbitrary outbound HTTP requests, potentially reaching internal infrastructure not exposed to the public internet. The affected library implements the universal-tool-calling-protocol and the vulnerable code paths reside in its GraphQL and WebSocket transport handlers. A public exploit has been disclosed via GitHub, and the vendor did not respond to coordinated disclosure, leaving no official patch available at time of analysis.

Python SSRF Python Utcp
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-12207 LOW POC Monitor

Patient record exposure in medkey EHR (up to commit fc09b7ba9441ff590b72d428d5380834216b09ed) allows authenticated remote users to retrieve arbitrary patient records by manipulating the `id` parameter of the `actionGetPatientById` REST API endpoint - a textbook Insecure Direct Object Reference (BOLA/IDOR) flaw classified under CWE-99. A publicly available proof-of-concept exploit is hosted on GitHub (onyxglitch/Medkey-EHR-IDOR-PoC), materially lowering the exploitation barrier. The vendor did not respond to coordinated disclosure, leaving no confirmed patch and no official advisory for this rolling-release EHR system.

PHP Information Disclosure Medkey
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-12206 LOW POC Monitor

SQL injection in Grit42 Grit through version 0.11.0 allows remote low-privileged attackers to manipulate database queries via the DataTableEntity function in the assays module backend. The CVSS 4.0 vector (AV:N/PR:L/E:P) indicates network-exploitable, low-complexity exploitation by authenticated users with a publicly available proof-of-concept. The vendor was notified but did not respond, leaving no official patch available at time of analysis.

SQLi Grit
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-49294 MEDIUM This Month

Reflected XSS in Valhalla's JSONP endpoint allows unauthenticated remote attackers to inject and execute arbitrary JavaScript in a victim's browser by crafting a malicious URL containing payload in the callback parameter. All versions through 3.6.3 are affected, and the CVSS scope change (S:C) reflects that execution occurs in the serving origin's context rather than a sandboxed one, enabling session theft and unauthorized actions on authenticated victims. No patch was available at time of publication, and no public exploit code has been identified at time of analysis.

XSS Valhalla
NVD GitHub
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-36521 MEDIUM This Month

PublicCMS V5.202506.d has a Cross Site Scripting (XSS) vulnerability in the site configuration management module.

XSS N A
NVD GitHub
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-37216 MEDIUM This Month

Ruoyi 4.8.2 is vulnerable to Cross Site Scripting (XSS) at the interface /system/notice/add.

XSS N A
NVD GitHub
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-12211 LOW POC PATCH Monitor

Path traversal in the Intelbras iNVU 7016 FT NVR web interface allows authenticated high-privilege remote users to read arbitrary files outside the intended syslog directory via the /RPC2_Loadfile/syslog/ endpoint. Affected firmware is version 3.004.00IB000.0.T Build 2025-09-26; the vendor has since released a patched firmware build (2026-05-29). No public exploit identified at time of analysis as KEV-confirmed active exploitation, but a public proof-of-concept writeup exists, elevating practical risk above baseline.

Path Traversal Invu 7016 Ft
NVD VulDB
CVSS 4.0
2.0
EPSS
0.4%
CVE-2026-12202 LOW POC Monitor

Cross-site scripting in Intelliants Subrion CMS up to version 4.0.3 allows an authenticated high-privilege attacker to inject malicious JavaScript via the CSS class name argument in the Blocks Endpoint, executing in a victim user's browser upon viewing the manipulated block. Publicly available exploit code exists (disclosed on HackMD), and the vendor did not respond to responsible disclosure, leaving no patch available at time of analysis. Exploitation is constrained by a high-privilege authentication requirement and mandatory user interaction, limiting opportunistic mass exploitation but posing meaningful insider-threat and compromised-credential risk.

XSS Subrion Cms
NVD VulDB
CVSS 4.0
1.9
EPSS
0.2%
CVE-2026-12201 LOW POC Monitor

Permission misconfiguration in IObit Malware Fighter's DLL Handler component (versions up to 13.2.0) allows a local low-privileged attacker to exploit insecure resource permissions, resulting in low-severity confidentiality, integrity, and availability impacts. The vulnerability stems from CWE-275 (Improper Permission Assignment for a Resource), and a public proof-of-concept exploit is available via GitHub and a researcher blog post. The vendor was notified prior to disclosure but did not respond, meaning no official patch or mitigation guidance has been issued.

Information Disclosure Malware Fighter
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.1%
CVE-2026-42655 MEDIUM This Month

Payment bypass in Best Payments Plugin for WP (versions ≤ 4.6.19) allows unauthenticated remote attackers to circumvent payment verification by manipulating HTTP parameters the plugin incorrectly treats as immutable, enabling completion of purchases without actual payment. Rooted in CWE-472 (External Control of Assumed-Immutable Web Parameter), the flaw directly threatens the financial integrity of any WordPress e-commerce site relying on this plugin for order processing. No public exploit is identified and CVSS AC:H indicates exploitation requires deliberate parameter manipulation during an active payment flow, limiting mass-exploitation risk despite the unauthenticated attack vector.

Authentication Bypass Best Payments Plugin For Wp
NVD
CVSS 3.1
5.9
EPSS
0.2%
CVE-2025-15658 MEDIUM This Month

Stored Cross-Site Scripting in the WP Emmet WordPress plugin (by rewish) versions 0.3.4 and earlier allows an administrator-level user to inject persistent malicious scripts through the plugin interface, which then execute in the browsers of other users who visit affected pages. The CVSS scope-change metric (S:C) confirms the injected payload crosses trust boundaries beyond the attacker's own session, enabling session hijacking, credential theft, or unauthorized actions against victims. No public exploit has been identified at time of analysis, and the vulnerability has not appeared in CISA KEV.

XSS Wp Emmet
NVD
CVSS 3.1
5.9
EPSS
0.1%
CVE-2026-50169 MEDIUM PATCH GHSA This Month

Redirect-policy stripping in @angular/service-worker allows the Angular Service Worker to silently follow HTTP 3xx redirects that client code explicitly prohibited via `redirect: 'error'`, turning the SW into an unintended Confused Deputy proxy. When a public asset route matched by an `assetGroups` pattern issues a same-origin redirect to a session-restricted private endpoint, the SW reconstructs the intercepted Request object without preserving the caller's redirect policy, causing the browser to transparently fetch and return credentialed private data that should have triggered a network error. No public exploit has been identified at time of analysis, but the vulnerability class (same-origin credential leakage via service-worker policy bypass) carries meaningful real-world risk for Angular SPAs with mixed public/private routing.

Information Disclosure
NVD GitHub HeroDevs VulDB
CVSS 4.0
5.7
EPSS
0.1%
CVE-2026-50184 MEDIUM PATCH GHSA This Month

Request credential and cache policy stripping in @angular/service-worker (versions 19.x through 22.x pre-release) causes the service worker's internal request reconstruction logic to silently discard explicit developer-defined safety parameters, replacing `credentials: 'omit'` with the browser default `credentials: 'same-origin'` and overriding `cache: 'no-store'` with default cache behavior. This results in two distinct failure modes: session cookies and Authorization headers are transmitted to same-origin endpoints that were explicitly designed to receive anonymous requests, and private or sensitive HTTP responses are stored in the browser's Cache Storage under `ngsw:` prefixed keys where they persist after user logout. No public exploit identified at time of analysis and no CISA KEV listing; vendor-released patches are available across all active major branches.

Information Disclosure
NVD GitHub HeroDevs VulDB
CVSS 4.0
5.7
EPSS
0.1%
CVE-2026-53632 MEDIUM PATCH GHSA This Month

NTLMv2 hash disclosure in the `launch-editor` NPM package (v2.14.0 and earlier) exposes developer credentials on Windows systems when an attacker-controlled UNC path is passed to the package's file-opening HTTP middleware. The attack is achievable by tricking a developer running a local development server such as Vite into visiting an attacker-controlled webpage that issues a cross-origin request to the local `__open-in-editor` endpoint with a crafted `\\attacker-host\share` UNC path, whereupon Windows automatically initiates NTLM authentication without any user prompt, transmitting the victim's NTLMv2 hash to the attacker's SMB server. Publicly available exploit code confirmed via the advisory PoC using Impacket smbserver.py and Responder lowers the barrier significantly; no active exploitation has been confirmed via CISA KEV at time of analysis.

RCE Microsoft Node.js
NVD GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2025-55652 MEDIUM This Month

Heap buffer overflow in GPAC MP4Box v2.4 crashes the application when parsing a maliciously crafted MP4 file containing an invalid VP codec configuration. The vulnerable function, gf_isom_vp_config_new in isomedia/avc_ext.c, fails to safely handle attacker-controlled input during ISO Base Media File Format parsing, resulting in a Denial of Service condition. No active exploitation has been confirmed by CISA KEV and no public exploit code has been identified at time of analysis, placing this in a low-urgency remediation tier per SSVC signals.

Denial Of Service Heap Overflow Buffer Overflow N A
NVD
CVSS 3.1
5.5
EPSS
0.2%
CVE-2025-55645 MEDIUM This Month

Heap buffer overflow in GPAC MP4Box v2.4 crashes the application when processing a maliciously crafted MP4 file, triggering a DoS condition in the CENC DRM sample handler. The vulnerable code path resides in gf_cenc_set_pssh (isomedia/drm_sample.c), which processes Protection System Specific Header data embedded in MP4 containers. SSVC confirms no active exploitation, no public exploit exists, and the CVSS local-vector/user-interaction requirement significantly constrains real-world attack surface.

Denial Of Service Heap Overflow Buffer Overflow N A
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2025-55643 MEDIUM This Month

NULL pointer dereference in GPAC MP4Box v2.4 crashes the application when processing a specially crafted MP4 file, delivering a denial of service against any user or automated pipeline invoking the tool. The flaw is isolated to the TrackWriter handling component in filters/mux_isom.c, triggered by malformed MP4 input that causes an unvalidated pointer dereference. No public exploit code has been identified and this CVE does not appear in CISA KEV; SSVC rates exploitation status as none with no automation potential, consistent with a limited, file-delivery-dependent attack surface.

Denial Of Service Null Pointer Dereference N A
NVD
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-12162 MEDIUM This Month

Credential disclosure in Devolutions Remote Desktop Manager versions 2026.2.0 through 2026.2.8 allows a low-privileged attacker to capture stored social login credentials by creating a crafted web entry targeting a provider lookalike domain. The social login autofill feature fails to properly validate the target host against the legitimate OAuth or social identity provider domain, causing stored credentials to be submitted to an attacker-controlled site when the victim user opens the malicious entry. No public exploit code has been identified at time of analysis, and this vulnerability does not appear in the CISA KEV catalog.

Information Disclosure Remote Desktop Manager
NVD VulDB
CVSS 3.1
5.5
EPSS
0.1%
CVE-2026-50876 MEDIUM This Month

A cross-site scripting (XSS) vulnerability in Deck9 Input v2.0.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.

XSS N A
NVD GitHub
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-8357 MEDIUM PATCH This Month

Heap buffer overflow in LibreOffice Calc's formula compiler allows an attacker to trigger an out-of-bounds write by crafting a spreadsheet containing a formula with extreme nesting depth composed of many consecutive opening tokens. The vulnerability stems from an off-by-one allocation error in the nesting-depth tracking array, causing a single-element write past the buffer's end during file parsing. The CVSS 4.0 vector carries an E:P modifier indicating a proof-of-concept exists; no public exploit identified at time of analysis beyond the POC, and the vulnerability is not listed in CISA KEV.

Memory Corruption Buffer Overflow Libreoffice
NVD VulDB
CVSS 4.0
5.4
EPSS
0.1%
CVE-2026-6040 MEDIUM PATCH This Month

Heap use-after-free in LibreOffice's ODF number format parser allows memory corruption when a user opens a crafted document containing a malformed number format string. The flaw arises because a position value embedded in the document is consumed without validation against the actual length of the format-code string, causing the parser to reference stale or out-of-bounds heap memory. Publicly available exploit code exists (CVSS 4.0 E:P), and while no active exploitation is confirmed via CISA KEV, the low attack complexity and document-phishing delivery model make this a realistic targeted threat.

Use After Free Memory Corruption Information Disclosure Libreoffice
NVD VulDB
CVSS 4.0
5.4
EPSS
0.1%
CVE-2026-39527 MEDIUM PATCH This Month

Unrestricted file upload in the WpStream WordPress plugin (versions before 4.11.2) permits subscriber-level authenticated users to upload arbitrary files to the server, resulting in integrity and availability impacts. The vulnerability, tracked under CWE-434 and reported by Patchstack, targets sites where user registration is enabled, making any subscriber account a viable attack surface. No public exploit code or active exploitation has been identified at time of analysis, and a vendor-released patch is available at version 4.11.2.

File Upload Wpstream
NVD
CVSS 3.1
5.4
EPSS
0.3%
CVE-2026-8358 MEDIUM PATCH This Month

Heap buffer overflow in LibreOffice Calc's tracked-changes importer allows an attacker who delivers a maliciously crafted spreadsheet to corrupt heap memory, causing high-impact availability loss and potentially enabling arbitrary code execution at the victim's privilege level. The vulnerability is triggered when a document reuses the same change identifier for two structurally different change types, causing the importer to misidentify object size and write past the allocation boundary. A proof-of-concept exists (CVSS 4.0 E:P modifier); no confirmed active exploitation (CISA KEV) has been recorded at time of analysis.

Memory Corruption Buffer Overflow Libreoffice Red Hat Suse
NVD VulDB
CVSS 4.0
5.4
EPSS
0.1%
CVE-2026-8356 MEDIUM PATCH This Month

Stack buffer overflow in LibreOffice's legacy binary PPT importer allows a crafted presentation file to corrupt stack memory, causing application crash or potential arbitrary code execution under the victim's user context. The flaw affects all LibreOffice versions when importing PPT files containing a colour-replacement record whose combined colour counts across two parsing passes exceed the fixed-size stack-allocated colour tables. No public exploit has been confirmed actively exploited (not in CISA KEV), though the CVSS 4.0 supplemental E:P metric indicates proof-of-concept code exists, elevating this above a purely theoretical risk.

Memory Corruption Buffer Overflow Libreoffice Red Hat Suse
NVD VulDB
CVSS 4.0
5.4
EPSS
0.1%
CVE-2026-6047 MEDIUM PATCH This Month

Heap buffer overflow in LibreOffice's OOXML (DOCX) import component allows a specially crafted document to corrupt memory when processing text box elements, with high availability impact and limited confidentiality and integrity exposure. The flaw stems from a type confusion during deferred parser event replay: a handler object assumed to be a larger type is written to at that type's field layout, but the actual object may be smaller, causing the write to land past the end of the heap allocation. A proof-of-concept exploit exists (CVSS 4.0 E:P); no confirmed active exploitation is recorded in CISA KEV at time of analysis.

Memory Corruption Buffer Overflow Libreoffice Red Hat Suse
NVD VulDB
CVSS 4.0
5.4
EPSS
0.1%
CVE-2026-6045 MEDIUM PATCH This Month

Heap buffer overflow in LibreOffice's EMF+ graphics importer enables memory corruption when a user opens a specially crafted document containing a malicious gradient brush. The root cause is an integer overflow in the multiplication used to compute a heap allocation size from an attacker-controlled gradient blend point count - resulting in an undersized buffer that is subsequently written as if it were full-sized. A proof of concept exists (CVSS 4.0 E:P supplemental metric), no confirmed active exploitation is recorded, and impact spans process crash to potential arbitrary code execution within the LibreOffice session.

Memory Corruption Buffer Overflow Libreoffice Red Hat Suse
NVD VulDB
CVSS 4.0
5.4
EPSS
0.1%
Prev Page 8 of 9 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy