Skip to main content
CVE-2026-35302 HIGH This Week

Server takeover in Oracle WebLogic Server 12.2.1.4.0 and 14.1.1.0.0 (Console component) allows a remote unauthenticated attacker who can lure an authenticated user into interacting with a crafted HTTP request to fully compromise the server with a scope change to other products. CVSS 8.3 reflects high impact tempered by high attack complexity and required user interaction; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Oracle Weblogic Server Open Redirect
NVD VulDB
CVSS 3.1
8.3
EPSS
0.3%
CVE-2026-46925 HIGH This Week

Adjacent-network takeover of Oracle Siebel CRM Cloud Applications (versions 17.0 through 26.5) is possible via the Siebel Cloud Manager component, where an unauthenticated attacker on the same physical communication segment can fully compromise the application and pivot to other products through a scope change. The flaw carries a CVSS 3.1 base score of 8.3 with full confidentiality, integrity, and availability impact, but high attack complexity. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Oracle Siebel Crm Cloud Applications Authentication Bypass
NVD
CVSS 3.1
8.3
EPSS
0.2%
CVE-2025-14272 HIGH CISA This Week

Authorization bypass in Rockwell Automation FactoryTalk Analytics PavilionX allows unauthenticated remote attackers to invoke privileged API endpoints, including user and role management functions, enabling full administrative takeover of the analytics platform. The CVSS 4.0 base score of 8.3 reflects high confidentiality impact with limited integrity and availability effects, and at the time of analysis there is no public exploit identified.

Authentication Bypass Factorytalk Analytics Pavilionx
NVD
CVSS 4.0
8.3
EPSS
0.2%
CVE-2026-35274 HIGH This Week

Unauthorized data access and modification in Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 allows unauthenticated remote attackers to compromise the Deployment Package component over HTTP. The flaw yields complete read access to PeopleTools-accessible data and partial write (insert/update/delete) capability without any user interaction or credentials. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but the low attack complexity and network reachability make it a high-priority patching target.

Authentication Bypass Oracle Peoplesoft Enterprise Pt Peopletools
NVD
CVSS 3.1
8.2
EPSS
0.4%
CVE-2026-46866 HIGH This Week

Remote denial-of-service and data tampering in Oracle Enterprise Manager Base Platform 13.5 and 24.1 allows unauthenticated network attackers to crash or hang the management console and to perform unauthorized modifications to a subset of accessible data via the Agent Next Gen component over HTTPS. Oracle rates the issue CVSS 8.2 and notes the flaw is easily exploitable; no public exploit identified at time of analysis, and it is not listed on the CISA KEV catalog.

Denial Of Service Oracle Oracle Enterprise Manager Base Platform
NVD
CVSS 3.1
8.2
EPSS
0.4%
CVE-2026-48788 HIGH POC PATCH GHSA This Week

Stored/reflected XSS in Remark42 self-hosted comment engine versions 1.6.0 through 1.15.0 allows unauthenticated remote attackers to execute arbitrary JavaScript in the context of a Remark42 origin by abusing a Content-Type inconsistency in the image proxy. The proxy trusts the upstream Content-Type header during the download check but re-sniffs bytes when serving, letting an HTML/JS payload advertised as image/png be re-served as text/html from the victim instance's own origin. No public exploit identified at time of analysis; fixed in 1.16.0.

XSS Remark42
NVD GitHub
CVSS 3.0
8.2
EPSS
0.3%
CVE-2026-8442 HIGH This Week

Arbitrary file deletion in the WP Review Slider Pro WordPress plugin (versions up to and including 12.6.8) allows authenticated attackers with Subscriber-level access to delete arbitrary files on the underlying server, potentially escalating to remote code execution by removing files such as wp-config.php to trigger the WordPress setup flow. The flaw stems from missing capability checks on two AJAX handlers (wpfb_hide_review and wprp_save_review_admin) combined with a defective strpos()-based prefix check in wpfb_hidereview_ajax() that fails to neutralize path traversal sequences before calling unlink(). No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; reported by Wordfence.

Path Traversal WordPress RCE Wpreviewslider Com
NVD VulDB
CVSS 3.1
8.1
EPSS
0.8%
CVE-2026-46806 HIGH This Week

Cross-context compromise of Oracle WebCenter Content 14.1.2.0.0 (Content Server component) allows a remote unauthenticated attacker over HTTPS to gain high-impact read access and limited write access to managed content, with effects that cross trust boundaries into additional Oracle Fusion Middleware products (scope change). Exploitation requires a victim to interact with attacker-controlled input (UI:R), and at the time of analysis there is no public exploit identified and the issue is not listed in CISA KEV.

Authentication Bypass Oracle Oracle Webcenter Content Open Redirect
NVD
CVSS 3.1
8.2
EPSS
0.3%
CVE-2026-48780 HIGH This Week

Authentication bypass in Forem (prior to commit a2ab6d4) allows remote attackers to circumvent email domain allowlist/denylist controls by submitting RFC 2047 encoded-word email addresses, enabling unauthorized registration on invite-only deployments. The flaw arises because the raw email string passes domain checks while downstream mail decoding resolves it to an attacker-controlled address, with no public exploit identified at time of analysis.

Authentication Bypass Forem
NVD GitHub
CVSS 3.1
8.2
EPSS
0.2%
CVE-2026-35288 HIGH This Week

Privilege escalation and full takeover in Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 (Deployment Package component) allows a high-privileged attacker with logon access to the underlying infrastructure to fully compromise PeopleTools with a scope change that impacts additional products. Oracle rates this CVSS 8.2 and confirms it is easily exploitable once the attacker has the required local privileges. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Oracle Peoplesoft Enterprise Pt Peopletools Privilege Escalation
NVD VulDB
CVSS 3.1
8.2
EPSS
0.2%
CVE-2026-46865 HIGH This Week

Privileged local compromise in Oracle Enterprise Manager Base Platform 13.5 and 24.1 (Extensibility Framework component) allows a high-privileged attacker with logon access to the host running EM to fully take over the platform, with scope change extending impact to additional managed Oracle products. CVSS 3.1 base score is 8.2 with full confidentiality, integrity, and availability impact, and no public exploit identified at time of analysis. The scope-changing nature makes this a notable lateral-movement primitive in Oracle estates even though prerequisites are non-trivial.

Oracle Oracle Enterprise Manager Base Platform Authentication Bypass
NVD
CVSS 3.1
8.2
EPSS
0.2%
CVE-2026-28699 HIGH PATCH GHSA This Week

OAuth2 scope enforcement bypass in Gitea <= 1.26.1 allows any OAuth2 access token to perform write actions far beyond its granted scope when submitted via HTTP Basic authentication instead of as a Bearer token. A token issued with only `read:user` can modify user settings, add attacker-controlled emails, and create or delete the user's repositories, effectively nullifying the entire OAuth2 scope model for Basic-auth requests. No public exploit identified at time of analysis, but the advisory itself contains a full working PoC.

Gitea Authentication Bypass
NVD GitHub
CVSS 3.1
8.1
EPSS
0.6%
CVE-2026-35276 HIGH This Week

Remote takeover of Oracle PeopleSoft Enterprise PT PeopleTools versions 8.61 and 8.62 is possible via the Application Server component, where an unauthenticated attacker with HTTP network access can compromise confidentiality, integrity, and availability. Oracle rates the flaw CVSS 8.1 with high attack complexity, and no public exploit identified at time of analysis. The vulnerability is addressed in Oracle's June 2026 Critical Patch Update (CPU).

Oracle Peoplesoft Enterprise Pt Peopletools Authentication Bypass
NVD VulDB
CVSS 3.1
8.1
EPSS
0.4%
CVE-2026-46851 HIGH This Week

Remote takeover of Oracle PeopleSoft Enterprise CS Campus Community 9.2.38 is possible via the Security component, where an unauthenticated attacker reaching the application over HTTP can fully compromise confidentiality, integrity, and availability. Oracle scores this 8.1 with high attack complexity, indicating non-trivial preconditions rather than a trivial mass-exploit primitive. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.

Oracle Peoplesoft Enterprise Cs Campus Community RCE Code Injection
NVD VulDB
CVSS 3.1
8.1
EPSS
0.4%
CVE-2026-35289 HIGH This Week

Remote takeover of Oracle PeopleSoft Enterprise PT PeopleTools 8.61 and 8.62 is possible via the Deployment Package component, allowing an unauthenticated network attacker to fully compromise confidentiality, integrity, and availability of the application. Oracle rates this as difficult to exploit (AC:H) but assigns a CVSS 3.1 score of 8.1 due to the complete takeover impact. No public exploit identified at time of analysis, and the CVE is not currently listed in CISA KEV.

Oracle Peoplesoft Enterprise Pt Peopletools Authentication Bypass
NVD VulDB
CVSS 3.1
8.1
EPSS
0.4%
CVE-2026-46849 HIGH This Week

Unauthorized data access and modification in Oracle PeopleSoft Enterprise CS Student Financials 9.2.38 allows low-privileged attackers with HTTP network access to read, create, delete, or modify all data accessible to the Student Financials module. Oracle rates this CVSS 8.1 due to high confidentiality and integrity impact with no availability effect. No public exploit identified at time of analysis, but the 'easily exploitable' vendor characterization and minimal privilege requirement make this a priority for institutions running affected campus financial systems.

Oracle Authentication Bypass Peoplesoft Enterprise Cs Student Financials
NVD
CVSS 3.1
8.1
EPSS
0.4%
CVE-2026-35279 HIGH This Week

Remote takeover of Oracle PeopleSoft Enterprise PT PeopleTools versions 8.61 and 8.62 is possible via the Performance Monitor component, where an unauthenticated network attacker can compromise the application over HTTP. Although Oracle classifies the issue as difficult to exploit (AC:H), successful attacks yield full confidentiality, integrity, and availability impact with a CVSS 3.1 base score of 8.1. There is no public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Oracle Peoplesoft Enterprise Pt Peopletools Authentication Bypass
NVD VulDB
CVSS 3.1
8.1
EPSS
0.4%
CVE-2026-46898 HIGH This Week

High-impact confidentiality and integrity compromise in Oracle Enterprise Command Center Framework V15 and V16 (a component of Oracle E-Business Suite) allows unauthenticated remote attackers to gain full read/write access to all framework-accessible data after tricking a user into interacting with a malicious request. The flaw is reachable over HTTPS with low attack complexity but requires user interaction, and no public exploit identified at time of analysis. Oracle published a vendor advisory in the June 2026 Critical Patch Update.

Authentication Bypass Oracle Oracle Enterprise Command Center Framework
NVD
CVSS 3.1
8.1
EPSS
0.4%
CVE-2026-46927 HIGH This Week

Remote takeover of Oracle Receivables in Oracle E-Business Suite versions 12.2.3 through 12.2.15 is possible by unauthenticated attackers reaching the SOAP interface of the Internal Operations component. Oracle's CVSS 3.1 score of 8.1 reflects full confidentiality, integrity, and availability impact, though high attack complexity (AC:H) tempers the practical risk. No public exploit identified at time of analysis, and the issue is not on CISA KEV.

Oracle Oracle Receivables Authentication Bypass
NVD VulDB
CVSS 3.1
8.1
EPSS
0.4%
CVE-2026-46920 HIGH This Week

Full takeover of Oracle Siebel CRM Cloud Applications (versions 17.0-26.5) is possible by unauthenticated remote attackers reaching the Siebel Cloud Manager component over HTTP, though Oracle classifies exploitation as difficult (AC:H). Successful attacks yield high impact across confidentiality, integrity, and availability - effectively complete compromise of the CRM tenant. No public exploit identified at time of analysis, and the issue is not on the CISA KEV list.

Oracle Siebel Crm Cloud Applications Authentication Bypass
NVD
CVSS 3.1
8.1
EPSS
0.4%
CVE-2026-46939 HIGH This Week

Authenticated data tampering and disclosure in Oracle Configure to Order (Oracle E-Business Suite) versions 12.2.3 through 12.2.15 allows a low-privileged attacker with network access via HTTP to fully read, modify, create, or delete all data accessible to the Supply to Order Workbench component. Oracle rates the issue CVSS 8.1 and describes it as easily exploitable; no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

Authentication Bypass Oracle Oracle Configure To Order
NVD
CVSS 3.1
8.1
EPSS
0.4%
CVE-2026-46891 HIGH This Week

High-impact data tampering and disclosure in Oracle JD Edwards EnterpriseOne Accounts Payable 9.2 allows a low-privileged attacker with HTTP network access to read, create, modify, or delete all data accessible to the Accounts Payable component. Oracle rates the flaw as easily exploitable with CVSS 8.1, and no public exploit identified at time of analysis. The bug threatens financial data integrity, making it directly relevant to SOX, audit, and fraud-control programs.

Authentication Bypass Oracle Jd Edwards Enterpriseone Accounts Payable
NVD
CVSS 3.1
8.1
EPSS
0.4%
CVE-2026-28744 HIGH PATCH GHSA This Week

Authorization scope bypass in Gitea v1.26.1 and earlier allows authenticated users to use OAuth2/PAT Bearer tokens to perform Git Smart HTTP clone, fetch, and push operations on private repositories without holding the required read:repository or write:repository token scopes. The flaw stems from CheckRepoScopedToken() short-circuiting unless ctx.IsBasicAuth is true, while the same route accepts Bearer authentication. No public exploit identified at time of analysis beyond the reporter's PoC test in the GHSA advisory.

Gitea Authentication Bypass
NVD GitHub
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-12328 HIGH PATCH This Week

Memory corruption vulnerabilities in Mozilla Firefox 151, Firefox ESR 115.36/140.11, and Thunderbird 151/ESR 140.11 allow remote attackers to potentially execute arbitrary code by serving crafted web content that triggers internal memory safety bugs. Mozilla developers observed evidence of memory corruption in several of these bugs and assess that sufficient effort could yield arbitrary code execution in the browser process. No public exploit identified at time of analysis, and SSVC reports no observed exploitation, but the high CVSS (8.1) and total technical impact warrant prompt patching.

RCE Mozilla Buffer Overflow
NVD VulDB
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-49402 HIGH PATCH GHSA This Week

Command injection in Deno's `node:child_process` on Windows allows attackers who control any portion of an argument passed to `spawn`/`spawnSync`/`exec` with `shell: true` to execute arbitrary commands via unescaped `cmd.exe` metacharacters. The flaw affects Deno versions prior to 2.7.10 and is the Windows counterpart to the previously fixed CVE-2026-27190. Publicly available exploit code exists (the advisory itself includes a working PoC launching `calc.exe`), but there is no public exploit identified in the wild and no CISA KEV listing at time of analysis.

Command Injection Microsoft
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-12326 HIGH PATCH This Week

Memory corruption in Mozilla Firefox 151 and Thunderbird 151 may allow remote attackers to achieve arbitrary code execution when a victim renders malicious web content, per Mozilla advisory MFSA2026-60. The flaw stems from multiple memory safety bugs that Mozilla assessed as potentially exploitable, though no public exploit identified at time of analysis and EPSS exploitation probability is low (0.22%, 13th percentile). It is fixed in Firefox 152, with no special privileges required but high attack complexity per the CVSS vector.

Mozilla Buffer Overflow RCE
NVD VulDB
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-52845 HIGH PATCH GHSA This Week

Authentication header injection in Caddy versions prior to 2.11.4 allows remote attackers with low privileges to bypass forward_auth identity protections and inject or override trusted HTTP_REMOTE_* CGI variables in downstream PHP/FastCGI applications. The flaw arises because forward_auth's copy_headers directive performs exact-name deletion of client-supplied headers (e.g., Remote-Groups), while the php_fastcgi module later normalizes hyphens to underscores when exporting CGI variables, allowing an underscore alias like Remote_Groups to survive and collide with the trusted variable. Publicly available exploit code exists via the vendor GHSA advisory PoC, though no public exploit identified at time of analysis indicates active exploitation in the wild.

Authentication Bypass PHP
NVD GitHub
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-1767 HIGH PATCH This Week

Heap buffer overflow in GNOME localsearch (formerly tracker-miners) tracker-extract-mp3 component on Red Hat Enterprise Linux 8/9/10, Ubuntu, Debian, and SUSE allows remote attackers to trigger an out-of-bounds heap read by delivering a malformed MP3 file with crafted ID3 performer tags, leading to crashes (DoS) or disclosure of process memory contents. No public exploit identified at time of analysis, and the EPSS score of 0.19% (9th percentile) plus CISA SSVC 'Exploitation: none' indicate low real-world exploitation activity despite the 8.1 CVSS rating. Vendor patches are available across Red Hat (RHSA), Ubuntu USN-8019-1, Debian, and SUSE-SU-2026:0780/21854.

Denial Of Service Information Disclosure Buffer Overflow Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 8 +1
NVD VulDB
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-12290 HIGH PATCH This Week

Memory corruption in Mozilla Firefox prior to version 152 allows remote attackers to compromise confidentiality and integrity via a crafted web page that triggers a buffer-related memory safety flaw. The issue also affects Firefox ESR before 140.12 and 115.37 and requires user interaction (e.g., visiting a malicious site). No public exploit identified at time of analysis and EPSS is low (0.16%), but SSVC rates technical impact as total.

Mozilla Buffer Overflow
NVD VulDB
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-12292 HIGH PATCH This Week

Incorrect boundary conditions in the Web Audio component. This vulnerability was fixed in Firefox 152 and Firefox ESR 140.12.

Mozilla Buffer Overflow
NVD VulDB
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-40761 HIGH This Week

Unauthenticated PHP object injection in Edge-Themes Valeska WordPress theme versions 1.2.2 and earlier allows remote attackers to trigger insecure deserialization, potentially leading to code execution, file manipulation, or full site compromise when suitable PHP magic-method gadgets are present in the WordPress stack. No public exploit identified at time of analysis, but Patchstack has catalogued the flaw and the high CVSS (8.1) reflects the serious confidentiality, integrity, and availability impact possible against affected installations.

PHP Deserialization Valeska
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-40760 HIGH This Week

Unauthenticated PHP Object Injection in the Behold WordPress theme (versions ≤1.5) by edge-themes allows remote attackers to deliver crafted serialized payloads that are deserialized by the theme without validation. Successful exploitation can lead to full compromise of the affected WordPress site through gadget-chain abuse, with high confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

PHP Deserialization Behold
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-40759 HIGH This Week

Unauthenticated PHP object injection in the Mikado Themes 'Esmée' WordPress theme (versions through 1.4) allows remote attackers to inject crafted serialized objects that are processed by unsafe deserialization. Exploitation depends on the presence of usable PHP gadget chains (often from WordPress core or co-installed plugins/themes), and no public exploit identified at time of analysis, but successful attacks can lead to file write, SQL manipulation, or remote code execution on the underlying site. The CVSS 3.1 base score is 8.1 with high attack complexity, reflecting the gadget-chain dependency rather than the network-reachable, unauthenticated entry point itself.

PHP Deserialization Esm E
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-40758 HIGH This Week

Unauthenticated PHP Object Injection in the Léonie WordPress theme (versions ≤ 1.2.1) by Elated Themes allows remote attackers to deserialize attacker-controlled data, potentially leading to arbitrary code execution, file manipulation, or full site compromise when a suitable POP gadget chain exists in the WordPress stack. Reported by Patchstack and tracked as EUVD-2026-37490, with no public exploit identified at time of analysis but a high CVSS score of 8.1 reflecting the severity of unauthenticated deserialization. No KEV listing is present.

PHP Deserialization L Onie
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-40755 HIGH This Week

Unauthenticated PHP Object Injection in the Mikado-Themes TechLink WordPress theme (versions up to and including 1.3) allows remote attackers to trigger insecure deserialization of attacker-controlled data. Successful exploitation can lead to full compromise of the underlying WordPress site, including arbitrary code execution, data theft, and site defacement, though the CVSS vector flags high attack complexity (AC:H). No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

PHP Deserialization Techlink
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-40754 HIGH This Week

Unauthenticated PHP object injection in the Roisin WordPress theme (versions up to and including 1.4) by elated-themes allows remote attackers to deliver crafted serialized payloads to vulnerable deserialization sinks, potentially leading to high-impact compromise of confidentiality, integrity, and availability. The CVSS 8.1 score reflects high attack complexity offset by the lack of any authentication or user interaction. No public exploit was identified at time of analysis, and the issue is tracked by Patchstack and ENISA (EUVD-2026-37488).

PHP Deserialization Roisin
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-40751 HIGH This Week

Unauthenticated PHP Object Injection in the Mikado-Themes Ashtanga WordPress theme (versions ≤ 1.2) allows remote attackers to deliver malicious serialized PHP objects to the application. When combined with a suitable POP (property-oriented programming) gadget chain present in WordPress core, other plugins, or themes, exploitation can lead to remote code execution, arbitrary file operations, or full site compromise. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

PHP Deserialization Ashtanga
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-40739 HIGH This Week

Unauthenticated PHP object injection in the Mikado-Themes LuxeDrive WordPress theme through version 1.4 allows remote attackers to deliver crafted serialized payloads that, when combined with a suitable POP gadget chain, can lead to remote code execution, data tampering, or service disruption on the underlying WordPress site. No public exploit identified at time of analysis, and the CVSS attack complexity is High because successful exploitation typically depends on the presence of a usable gadget chain in WordPress core, other plugins, or themes installed alongside LuxeDrive. The flaw is tracked by Patchstack and EUVD as EUVD-2026-37486.

PHP Deserialization Luxedrive
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-40736 HIGH This Week

Unauthenticated PHP object injection in the Laurits WordPress theme through version 1.5.1 allows remote attackers to deserialize attacker-controlled data, potentially leading to code execution, data tampering, or denial of service when a suitable gadget chain is present in the WordPress stack. The flaw was disclosed via Patchstack and tracked as EUVD-2026-37485; no public exploit identified at time of analysis, though the high CVSS of 8.1 and CWE-502 classification mark it as a serious supply-chain risk for sites running this commercial Edge-Themes product.

PHP Deserialization Laurits
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-39580 HIGH This Week

PHP Object Injection in the Micdrop WordPress theme versions 1.3.1 and earlier allows remote unauthenticated attackers to trigger insecure deserialization, potentially leading to high impact on confidentiality, integrity, and availability of the underlying site. No public exploit identified at time of analysis, and the CVSS vector reflects high attack complexity, meaning successful exploitation likely depends on the presence of a usable PHP gadget chain in the site's installed plugins or core. The flaw is tracked as CWE-502 (Deserialization of Untrusted Data) and was reported by Patchstack.

PHP Deserialization Micdrop
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-39578 HIGH This Week

PHP Object Injection in the Valiance WordPress theme (versions up to and including 1.2) by elated-themes allows attackers to pass attacker-controlled serialized data into a PHP unserialize() sink, enabling object injection that - when paired with a suitable gadget chain from WordPress core or another installed plugin - can lead to remote code execution, file manipulation, or data tampering. The Patchstack advisory labels the issue as unauthenticated, although the published CVSS vector lists PR:H, so the precise authentication boundary should be verified against the vendor advisory. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.

PHP Deserialization Valiance
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-39577 HIGH This Week

PHP Object Injection in the Playroom WordPress theme (versions ≤ 1.4.1) by elated-themes allows remote attackers to inject crafted serialized objects that are deserialized by the application, potentially triggering POP-chain gadgets. The vulnerability is described as unauthenticated by Patchstack despite the CVSS vector listing PR:H, and no public exploit identified at time of analysis.

PHP Deserialization Playroom
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-39568 HIGH This Week

Unauthenticated local file inclusion in the Mr. SEO WordPress theme versions 2.0 and earlier allows remote attackers to include and execute arbitrary local PHP files on the server without authentication. The flaw, reported by Patchstack and tracked as CWE-98 (PHP Remote File Inclusion), enables information disclosure and potential remote code execution depending on what files are reachable on the host. No public exploit identified at time of analysis, though the theme's WordPress deployment context broadens the attack surface across affected sites.

PHP Information Disclosure LFI Mr Seo
NVD
CVSS 3.1
8.1
EPSS
0.4%
CVE-2026-39567 HIGH This Week

Unauthenticated PHP object injection in the Santé WordPress theme through version 1.5.1 allows remote attackers to deserialize attacker-controlled data and potentially achieve remote code execution, data tampering, or denial of service when a suitable POP gadget chain is present. The flaw is reported by Patchstack and tracked as EUVD-2026-37480; no public exploit identified at time of analysis, and the CVSS 8.1 score reflects high attack complexity offset by network reach and no authentication. The Santé theme is a commercial Select Themes product, so exposure is limited to sites that have installed and activated this specific theme.

PHP Deserialization Sant
NVD
CVSS 3.1
8.1
EPSS
0.4%
CVE-2026-39557 HIGH This Week

Unauthenticated PHP Object Injection in the NeoBeat WordPress theme (versions ≤1.7) allows remote attackers to inject crafted serialized objects that, when deserialized by the application, can be chained with available gadgets to compromise the site. No public exploit identified at time of analysis, but the CVSS 8.1 rating reflects high impact across confidentiality, integrity and availability if a usable gadget chain is present in the WordPress core or installed plugins.

PHP Deserialization Neobeat
NVD
CVSS 3.1
8.1
EPSS
0.4%
CVE-2026-39554 HIGH This Week

Unauthenticated PHP Object Injection in the Fidalgo WordPress theme (versions ≤1.2.2) allows remote attackers to inject crafted serialized PHP objects that are deserialized by the theme, potentially leading to arbitrary code execution, data tampering, or service disruption depending on available gadget chains. No public exploit identified at time of analysis, but the unauthenticated network vector and CWE-502 classification make this a meaningful risk for WordPress sites running this commercial theme.

PHP Deserialization Fidalgo
NVD
CVSS 3.1
8.1
EPSS
0.4%
CVE-2026-39549 HIGH This Week

Unauthenticated local file inclusion in the Aperitif WordPress theme (versions up to and including 1.5) by elated-themes allows remote attackers to coerce the PHP include/require chain into loading attacker-controlled paths without credentials or user interaction. No public exploit identified at time of analysis, but the high CIA impact and unauthenticated network reach make it a meaningful supply-chain risk for sites using this commercial theme. The CVSS:3.1 score of 8.1 reflects high attack complexity, indicating the trigger likely requires a specific request pattern rather than a single trivial payload.

PHP Information Disclosure LFI Aperitif
NVD
CVSS 3.1
8.1
EPSS
0.4%
CVE-2026-39547 HIGH PATCH This Week

Local File Inclusion in the Getaway WordPress theme (versions before 1.8) by Select-Themes allows unauthenticated remote attackers to include arbitrary local PHP files via an unsanitized include/require parameter, leading to disclosure of sensitive files and potential code execution. The CWE-98 classification indicates improper control of filename used in PHP include/require, a pattern that frequently chains into RCE when log files, session files, or uploaded media can be referenced. No public exploit identified at time of analysis, and the issue is not in CISA KEV.

PHP Information Disclosure LFI Getaway
NVD
CVSS 3.1
8.1
EPSS
0.4%
CVE-2026-39539 HIGH This Week

Unauthenticated PHP Object Injection in the Alloggio - Hotel Booking WordPress theme through version 2.1.2 allows remote attackers to inject crafted serialized objects that, when combined with a suitable gadget chain, can lead to high-impact compromise of the hosting WordPress site. The flaw was reported by Patchstack and is tracked as EUVD-2026-37474; no public exploit identified at time of analysis, and there is no evidence of active exploitation. CVSS 3.1 base score is 8.1 with high attack complexity, reflecting the need for a usable gadget chain in the WordPress environment.

PHP Deserialization Alloggio Hotel Booking
NVD
CVSS 3.1
8.1
EPSS
0.4%
CVE-2026-39522 HIGH This Week

Unauthenticated Local File Inclusion in the Solene WordPress theme versions 3.4 and earlier allows remote attackers to read arbitrary server-side files and potentially execute PHP code via improperly controlled filename inclusion (CWE-98). The flaw is reachable over the network without credentials, and while CVSS:3.1 rates it 8.1 (High) with high attack complexity, no public exploit identified at time of analysis. Wide impact is plausible because Solene is a commercial WordPress theme distributed by Elated Themes and exposed on internet-facing sites.

PHP Information Disclosure LFI Solene
NVD
CVSS 3.1
8.1
EPSS
0.4%
Prev Page 6 of 13 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy