Server takeover in Oracle WebLogic Server 12.2.1.4.0 and 14.1.1.0.0 (Console component) allows a remote unauthenticated attacker who can lure an authenticated user into interacting with a crafted HTTP request to fully compromise the server with a scope change to other products. CVSS 8.3 reflects high impact tempered by high attack complexity and required user interaction; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Adjacent-network takeover of Oracle Siebel CRM Cloud Applications (versions 17.0 through 26.5) is possible via the Siebel Cloud Manager component, where an unauthenticated attacker on the same physical communication segment can fully compromise the application and pivot to other products through a scope change. The flaw carries a CVSS 3.1 base score of 8.3 with full confidentiality, integrity, and availability impact, but high attack complexity. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Authorization bypass in Rockwell Automation FactoryTalk Analytics PavilionX allows unauthenticated remote attackers to invoke privileged API endpoints, including user and role management functions, enabling full administrative takeover of the analytics platform. The CVSS 4.0 base score of 8.3 reflects high confidentiality impact with limited integrity and availability effects, and at the time of analysis there is no public exploit identified.
Unauthorized data access and modification in Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 allows unauthenticated remote attackers to compromise the Deployment Package component over HTTP. The flaw yields complete read access to PeopleTools-accessible data and partial write (insert/update/delete) capability without any user interaction or credentials. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but the low attack complexity and network reachability make it a high-priority patching target.
Remote denial-of-service and data tampering in Oracle Enterprise Manager Base Platform 13.5 and 24.1 allows unauthenticated network attackers to crash or hang the management console and to perform unauthorized modifications to a subset of accessible data via the Agent Next Gen component over HTTPS. Oracle rates the issue CVSS 8.2 and notes the flaw is easily exploitable; no public exploit identified at time of analysis, and it is not listed on the CISA KEV catalog.
Stored/reflected XSS in Remark42 self-hosted comment engine versions 1.6.0 through 1.15.0 allows unauthenticated remote attackers to execute arbitrary JavaScript in the context of a Remark42 origin by abusing a Content-Type inconsistency in the image proxy. The proxy trusts the upstream Content-Type header during the download check but re-sniffs bytes when serving, letting an HTML/JS payload advertised as image/png be re-served as text/html from the victim instance's own origin. No public exploit identified at time of analysis; fixed in 1.16.0.
Arbitrary file deletion in the WP Review Slider Pro WordPress plugin (versions up to and including 12.6.8) allows authenticated attackers with Subscriber-level access to delete arbitrary files on the underlying server, potentially escalating to remote code execution by removing files such as wp-config.php to trigger the WordPress setup flow. The flaw stems from missing capability checks on two AJAX handlers (wpfb_hide_review and wprp_save_review_admin) combined with a defective strpos()-based prefix check in wpfb_hidereview_ajax() that fails to neutralize path traversal sequences before calling unlink(). No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; reported by Wordfence.
Cross-context compromise of Oracle WebCenter Content 14.1.2.0.0 (Content Server component) allows a remote unauthenticated attacker over HTTPS to gain high-impact read access and limited write access to managed content, with effects that cross trust boundaries into additional Oracle Fusion Middleware products (scope change). Exploitation requires a victim to interact with attacker-controlled input (UI:R), and at the time of analysis there is no public exploit identified and the issue is not listed in CISA KEV.
Authentication bypass in Forem (prior to commit a2ab6d4) allows remote attackers to circumvent email domain allowlist/denylist controls by submitting RFC 2047 encoded-word email addresses, enabling unauthorized registration on invite-only deployments. The flaw arises because the raw email string passes domain checks while downstream mail decoding resolves it to an attacker-controlled address, with no public exploit identified at time of analysis.
Privilege escalation and full takeover in Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 (Deployment Package component) allows a high-privileged attacker with logon access to the underlying infrastructure to fully compromise PeopleTools with a scope change that impacts additional products. Oracle rates this CVSS 8.2 and confirms it is easily exploitable once the attacker has the required local privileges. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Privileged local compromise in Oracle Enterprise Manager Base Platform 13.5 and 24.1 (Extensibility Framework component) allows a high-privileged attacker with logon access to the host running EM to fully take over the platform, with scope change extending impact to additional managed Oracle products. CVSS 3.1 base score is 8.2 with full confidentiality, integrity, and availability impact, and no public exploit identified at time of analysis. The scope-changing nature makes this a notable lateral-movement primitive in Oracle estates even though prerequisites are non-trivial.
OAuth2 scope enforcement bypass in Gitea <= 1.26.1 allows any OAuth2 access token to perform write actions far beyond its granted scope when submitted via HTTP Basic authentication instead of as a Bearer token. A token issued with only `read:user` can modify user settings, add attacker-controlled emails, and create or delete the user's repositories, effectively nullifying the entire OAuth2 scope model for Basic-auth requests. No public exploit identified at time of analysis, but the advisory itself contains a full working PoC.
Remote takeover of Oracle PeopleSoft Enterprise PT PeopleTools versions 8.61 and 8.62 is possible via the Application Server component, where an unauthenticated attacker with HTTP network access can compromise confidentiality, integrity, and availability. Oracle rates the flaw CVSS 8.1 with high attack complexity, and no public exploit identified at time of analysis. The vulnerability is addressed in Oracle's June 2026 Critical Patch Update (CPU).
Remote takeover of Oracle PeopleSoft Enterprise CS Campus Community 9.2.38 is possible via the Security component, where an unauthenticated attacker reaching the application over HTTP can fully compromise confidentiality, integrity, and availability. Oracle scores this 8.1 with high attack complexity, indicating non-trivial preconditions rather than a trivial mass-exploit primitive. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Remote takeover of Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 is possible via the Deployment Package component, allowing an unauthenticated network attacker to fully compromise confidentiality, integrity, and availability of the application. Oracle rates this as difficult to exploit (AC:H) but assigns a CVSS 3.1 score of 8.1 due to the complete takeover impact. No public exploit identified at time of analysis, and the CVE is not currently listed in CISA KEV.
Unauthorized data access and modification in Oracle PeopleSoft Enterprise CS Student Financials 9.2.38 allows low-privileged attackers with HTTP network access to read, create, delete, or modify all data accessible to the Student Financials module. Oracle rates this CVSS 8.1 due to high confidentiality and integrity impact with no availability effect. No public exploit identified at time of analysis, but the 'easily exploitable' vendor characterization and minimal privilege requirement make this a priority for institutions running affected campus financial systems.
Remote takeover of Oracle PeopleSoft Enterprise PT PeopleTools versions 8.61 and 8.62 is possible via the Performance Monitor component, where an unauthenticated network attacker can compromise the application over HTTP. Although Oracle classifies the issue as difficult to exploit (AC:H), successful attacks yield full confidentiality, integrity, and availability impact with a CVSS 3.1 base score of 8.1. There is no public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
High-impact confidentiality and integrity compromise in Oracle Enterprise Command Center Framework V15 and V16 (a component of Oracle E-Business Suite) allows unauthenticated remote attackers to gain full read/write access to all framework-accessible data after tricking a user into interacting with a malicious request. The flaw is reachable over HTTPS with low attack complexity but requires user interaction, and no public exploit identified at time of analysis. Oracle published a vendor advisory in the June 2026 Critical Patch Update.
Remote takeover of Oracle Receivables in Oracle E-Business Suite versions 12.2.3 through 12.2.15 is possible by unauthenticated attackers reaching the SOAP interface of the Internal Operations component. Oracle's CVSS 3.1 score of 8.1 reflects full confidentiality, integrity, and availability impact, though high attack complexity (AC:H) tempers the practical risk. No public exploit identified at time of analysis, and the issue is not on CISA KEV.
Full takeover of Oracle Siebel CRM Cloud Applications (versions 17.0-26.5) is possible by unauthenticated remote attackers reaching the Siebel Cloud Manager component over HTTP, though Oracle classifies exploitation as difficult (AC:H). Successful attacks yield high impact across confidentiality, integrity, and availability - effectively complete compromise of the CRM tenant. No public exploit identified at time of analysis, and the issue is not on the CISA KEV list.
Authenticated data tampering and disclosure in Oracle Configure to Order (Oracle E-Business Suite) versions 12.2.3 through 12.2.15 allows a low-privileged attacker with network access via HTTP to fully read, modify, create, or delete all data accessible to the Supply to Order Workbench component. Oracle rates the issue CVSS 8.1 and describes it as easily exploitable; no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
High-impact data tampering and disclosure in Oracle JD Edwards EnterpriseOne Accounts Payable 9.2 allows a low-privileged attacker with HTTP network access to read, create, modify, or delete all data accessible to the Accounts Payable component. Oracle rates the flaw as easily exploitable with CVSS 8.1, and no public exploit identified at time of analysis. The bug threatens financial data integrity, making it directly relevant to SOX, audit, and fraud-control programs.
Authorization scope bypass in Gitea v1.26.1 and earlier allows authenticated users to use OAuth2/PAT Bearer tokens to perform Git Smart HTTP clone, fetch, and push operations on private repositories without holding the required read:repository or write:repository token scopes. The flaw stems from CheckRepoScopedToken() short-circuiting unless ctx.IsBasicAuth is true, while the same route accepts Bearer authentication. No public exploit identified at time of analysis beyond the reporter's PoC test in the GHSA advisory.
Memory corruption vulnerabilities in Mozilla Firefox 151, Firefox ESR 115.36/140.11, and Thunderbird 151/ESR 140.11 allow remote attackers to potentially execute arbitrary code by serving crafted web content that triggers internal memory safety bugs. Mozilla developers observed evidence of memory corruption in several of these bugs and assess that sufficient effort could yield arbitrary code execution in the browser process. No public exploit identified at time of analysis, and SSVC reports no observed exploitation, but the high CVSS (8.1) and total technical impact warrant prompt patching.
Command injection in Deno's `node:child_process` on Windows allows attackers who control any portion of an argument passed to `spawn`/`spawnSync`/`exec` with `shell: true` to execute arbitrary commands via unescaped `cmd.exe` metacharacters. The flaw affects Deno versions prior to 2.7.10 and is the Windows counterpart to the previously fixed CVE-2026-27190. Publicly available exploit code exists (the advisory itself includes a working PoC launching `calc.exe`), but there is no public exploit identified in the wild and no CISA KEV listing at time of analysis.
Memory corruption in Mozilla Firefox 151 and Thunderbird 151 may allow remote attackers to achieve arbitrary code execution when a victim renders malicious web content, per Mozilla advisory MFSA2026-60. The flaw stems from multiple memory safety bugs that Mozilla assessed as potentially exploitable, though no public exploit identified at time of analysis and EPSS exploitation probability is low (0.22%, 13th percentile). It is fixed in Firefox 152, with no special privileges required but high attack complexity per the CVSS vector.
Authentication header injection in Caddy versions prior to 2.11.4 allows remote attackers with low privileges to bypass forward_auth identity protections and inject or override trusted HTTP_REMOTE_* CGI variables in downstream PHP/FastCGI applications. The flaw arises because forward_auth's copy_headers directive performs exact-name deletion of client-supplied headers (e.g., Remote-Groups), while the php_fastcgi module later normalizes hyphens to underscores when exporting CGI variables, allowing an underscore alias like Remote_Groups to survive and collide with the trusted variable. Publicly available exploit code exists via the vendor GHSA advisory PoC, though no public exploit identified at time of analysis indicates active exploitation in the wild.
Heap buffer overflow in GNOME localsearch (formerly tracker-miners) tracker-extract-mp3 component on Red Hat Enterprise Linux 8/9/10, Ubuntu, Debian, and SUSE allows remote attackers to trigger an out-of-bounds heap read by delivering a malformed MP3 file with crafted ID3 performer tags, leading to crashes (DoS) or disclosure of process memory contents. No public exploit identified at time of analysis, and the EPSS score of 0.19% (9th percentile) plus CISA SSVC 'Exploitation: none' indicate low real-world exploitation activity despite the 8.1 CVSS rating. Vendor patches are available across Red Hat (RHSA), Ubuntu USN-8019-1, Debian, and SUSE-SU-2026:0780/21854.
Memory corruption in Mozilla Firefox prior to version 152 allows remote attackers to compromise confidentiality and integrity via a crafted web page that triggers a buffer-related memory safety flaw. The issue also affects Firefox ESR before 140.12 and 115.37 and requires user interaction (e.g., visiting a malicious site). No public exploit identified at time of analysis and EPSS is low (0.16%), but SSVC rates technical impact as total.
Incorrect boundary conditions in the Web Audio component. This vulnerability was fixed in Firefox 152 and Firefox ESR 140.12.
Unauthenticated PHP object injection in Edge-Themes Valeska WordPress theme versions 1.2.2 and earlier allows remote attackers to trigger insecure deserialization, potentially leading to code execution, file manipulation, or full site compromise when suitable PHP magic-method gadgets are present in the WordPress stack. No public exploit identified at time of analysis, but Patchstack has catalogued the flaw and the high CVSS (8.1) reflects the serious confidentiality, integrity, and availability impact possible against affected installations.
Unauthenticated PHP Object Injection in the Behold WordPress theme (versions ≤1.5) by edge-themes allows remote attackers to deliver crafted serialized payloads that are deserialized by the theme without validation. Successful exploitation can lead to full compromise of the affected WordPress site through gadget-chain abuse, with high confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Unauthenticated PHP object injection in the Mikado Themes 'Esmée' WordPress theme (versions through 1.4) allows remote attackers to inject crafted serialized objects that are processed by unsafe deserialization. Exploitation depends on the presence of usable PHP gadget chains (often from WordPress core or co-installed plugins/themes), and no public exploit identified at time of analysis, but successful attacks can lead to file write, SQL manipulation, or remote code execution on the underlying site. The CVSS 3.1 base score is 8.1 with high attack complexity, reflecting the gadget-chain dependency rather than the network-reachable, unauthenticated entry point itself.
Unauthenticated PHP Object Injection in the Léonie WordPress theme (versions ≤ 1.2.1) by Elated Themes allows remote attackers to deserialize attacker-controlled data, potentially leading to arbitrary code execution, file manipulation, or full site compromise when a suitable POP gadget chain exists in the WordPress stack. Reported by Patchstack and tracked as EUVD-2026-37490, with no public exploit identified at time of analysis but a high CVSS score of 8.1 reflecting the severity of unauthenticated deserialization. No KEV listing is present.
Unauthenticated PHP Object Injection in the Mikado-Themes TechLink WordPress theme (versions up to and including 1.3) allows remote attackers to trigger insecure deserialization of attacker-controlled data. Successful exploitation can lead to full compromise of the underlying WordPress site, including arbitrary code execution, data theft, and site defacement, though the CVSS vector flags high attack complexity (AC:H). No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Unauthenticated PHP object injection in the Roisin WordPress theme (versions up to and including 1.4) by elated-themes allows remote attackers to deliver crafted serialized payloads to vulnerable deserialization sinks, potentially leading to high-impact compromise of confidentiality, integrity, and availability. The CVSS 8.1 score reflects high attack complexity offset by the lack of any authentication or user interaction. No public exploit was identified at time of analysis, and the issue is tracked by Patchstack and ENISA (EUVD-2026-37488).
Unauthenticated PHP Object Injection in the Mikado-Themes Ashtanga WordPress theme (versions ≤ 1.2) allows remote attackers to deliver malicious serialized PHP objects to the application. When combined with a suitable POP (property-oriented programming) gadget chain present in WordPress core, other plugins, or themes, exploitation can lead to remote code execution, arbitrary file operations, or full site compromise. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Unauthenticated PHP object injection in the Mikado-Themes LuxeDrive WordPress theme through version 1.4 allows remote attackers to deliver crafted serialized payloads that, when combined with a suitable POP gadget chain, can lead to remote code execution, data tampering, or service disruption on the underlying WordPress site. No public exploit identified at time of analysis, and the CVSS attack complexity is High because successful exploitation typically depends on the presence of a usable gadget chain in WordPress core, other plugins, or themes installed alongside LuxeDrive. The flaw is tracked by Patchstack and EUVD as EUVD-2026-37486.
Unauthenticated PHP object injection in the Laurits WordPress theme through version 1.5.1 allows remote attackers to deserialize attacker-controlled data, potentially leading to code execution, data tampering, or denial of service when a suitable gadget chain is present in the WordPress stack. The flaw was disclosed via Patchstack and tracked as EUVD-2026-37485; no public exploit identified at time of analysis, though the high CVSS of 8.1 and CWE-502 classification mark it as a serious supply-chain risk for sites running this commercial Edge-Themes product.
PHP Object Injection in the Micdrop WordPress theme versions 1.3.1 and earlier allows remote unauthenticated attackers to trigger insecure deserialization, potentially leading to high impact on confidentiality, integrity, and availability of the underlying site. No public exploit identified at time of analysis, and the CVSS vector reflects high attack complexity, meaning successful exploitation likely depends on the presence of a usable PHP gadget chain in the site's installed plugins or core. The flaw is tracked as CWE-502 (Deserialization of Untrusted Data) and was reported by Patchstack.
PHP Object Injection in the Valiance WordPress theme (versions up to and including 1.2) by elated-themes allows attackers to pass attacker-controlled serialized data into a PHP unserialize() sink, enabling object injection that - when paired with a suitable gadget chain from WordPress core or another installed plugin - can lead to remote code execution, file manipulation, or data tampering. The Patchstack advisory labels the issue as unauthenticated, although the published CVSS vector lists PR:H, so the precise authentication boundary should be verified against the vendor advisory. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.
PHP Object Injection in the Playroom WordPress theme (versions ≤ 1.4.1) by elated-themes allows remote attackers to inject crafted serialized objects that are deserialized by the application, potentially triggering POP-chain gadgets. The vulnerability is described as unauthenticated by Patchstack despite the CVSS vector listing PR:H, and no public exploit identified at time of analysis.
Unauthenticated local file inclusion in the Mr. SEO WordPress theme versions 2.0 and earlier allows remote attackers to include and execute arbitrary local PHP files on the server without authentication. The flaw, reported by Patchstack and tracked as CWE-98 (PHP Remote File Inclusion), enables information disclosure and potential remote code execution depending on what files are reachable on the host. No public exploit identified at time of analysis, though the theme's WordPress deployment context broadens the attack surface across affected sites.
Unauthenticated PHP object injection in the Santé WordPress theme through version 1.5.1 allows remote attackers to deserialize attacker-controlled data and potentially achieve remote code execution, data tampering, or denial of service when a suitable POP gadget chain is present. The flaw is reported by Patchstack and tracked as EUVD-2026-37480; no public exploit identified at time of analysis, and the CVSS 8.1 score reflects high attack complexity offset by network reach and no authentication. The Santé theme is a commercial Select Themes product, so exposure is limited to sites that have installed and activated this specific theme.
Unauthenticated PHP Object Injection in the NeoBeat WordPress theme (versions ≤1.7) allows remote attackers to inject crafted serialized objects that, when deserialized by the application, can be chained with available gadgets to compromise the site. No public exploit identified at time of analysis, but the CVSS 8.1 rating reflects high impact across confidentiality, integrity and availability if a usable gadget chain is present in the WordPress core or installed plugins.
Unauthenticated PHP Object Injection in the Fidalgo WordPress theme (versions ≤1.2.2) allows remote attackers to inject crafted serialized PHP objects that are deserialized by the theme, potentially leading to arbitrary code execution, data tampering, or service disruption depending on available gadget chains. No public exploit identified at time of analysis, but the unauthenticated network vector and CWE-502 classification make this a meaningful risk for WordPress sites running this commercial theme.
Unauthenticated local file inclusion in the Aperitif WordPress theme (versions up to and including 1.5) by elated-themes allows remote attackers to coerce the PHP include/require chain into loading attacker-controlled paths without credentials or user interaction. No public exploit identified at time of analysis, but the high CIA impact and unauthenticated network reach make it a meaningful supply-chain risk for sites using this commercial theme. The CVSS:3.1 score of 8.1 reflects high attack complexity, indicating the trigger likely requires a specific request pattern rather than a single trivial payload.
Local File Inclusion in the Getaway WordPress theme (versions before 1.8) by Select-Themes allows unauthenticated remote attackers to include arbitrary local PHP files via an unsanitized include/require parameter, leading to disclosure of sensitive files and potential code execution. The CWE-98 classification indicates improper control of filename used in PHP include/require, a pattern that frequently chains into RCE when log files, session files, or uploaded media can be referenced. No public exploit identified at time of analysis, and the issue is not in CISA KEV.
Unauthenticated PHP Object Injection in the Alloggio - Hotel Booking WordPress theme through version 2.1.2 allows remote attackers to inject crafted serialized objects that, when combined with a suitable gadget chain, can lead to high-impact compromise of the hosting WordPress site. The flaw was reported by Patchstack and is tracked as EUVD-2026-37474; no public exploit identified at time of analysis, and there is no evidence of active exploitation. CVSS 3.1 base score is 8.1 with high attack complexity, reflecting the need for a usable gadget chain in the WordPress environment.
Unauthenticated Local File Inclusion in the Solene WordPress theme versions 3.4 and earlier allows remote attackers to read arbitrary server-side files and potentially execute PHP code via improperly controlled filename inclusion (CWE-98). The flaw is reachable over the network without credentials, and while CVSS:3.1 rates it 8.1 (High) with high attack complexity, no public exploit identified at time of analysis. Wide impact is plausible because Solene is a commercial WordPress theme distributed by Elated Themes and exposed on internet-facing sites.