Skip to main content
CVE-2026-12530 HIGH PATCH GHSA This Week

Command injection in the AWS Bedrock AgentCore Python SDK (versions >= 1.1.3, < 1.6.1) allows remote authenticated users to execute arbitrary commands within the Code Interpreter sandbox by supplying crafted package name arguments to the install_packages() method. The flaw stems from improper neutralization of argument delimiters (CWE-88), letting attacker-controlled strings break out of the intended pip-install argument context. No public exploit identified at time of analysis, but a vendor patch and advisory are available from AWS.

Python RCE Bedrock Agentcore
NVD GitHub VulDB
CVSS 4.0
8.4
EPSS
0.3%
CVE-2026-11858 HIGH This Week

Local privilege escalation in Quanos SCHEMA ST4 on-premises allows low-privileged authenticated Windows users to obtain SYSTEM-level code execution by abusing the Client Update Service. The service exposes a .NET Remoting endpoint over a named pipe with missing authorization checks (CWE-862), letting any local user invoke privileged Update() methods that perform arbitrary file write/delete as NT AUTHORITY\SYSTEM. No public exploit identified at time of analysis, but technical details were disclosed by SEC Consult (SEC-VLab).

Privilege Escalation Authentication Bypass Schema St4
NVD
CVSS 4.0
8.4
EPSS
0.1%
CVE-2026-11857 HIGH This Week

Local privilege escalation in Quanos SCHEMA ST4 on-premises allows an authenticated local user to gain NT AUTHORITY\SYSTEM by abusing insecure .NET Remoting deserialization in the Client Update Service. The endpoint, reachable through a local named pipe with TypeFilterLevel.Full, accepts attacker-controlled serialized objects and yields arbitrary code execution in the update process context. No public exploit identified at time of analysis, though a SEC-Consult/SEC-VLab advisory documents the issue.

Privilege Escalation Deserialization RCE Schema St4
NVD
CVSS 4.0
8.4
EPSS
0.3%
CVE-2026-12437 HIGH PATCH This Week

Use after free in WebShare in Google Chrome on Windows prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)

Google Use After Free Microsoft Memory Corruption Denial Of Service +2
NVD VulDB
CVSS 3.1
8.3
EPSS
0.3%
CVE-2026-12465 HIGH PATCH This Week

Object lifecycle issue in Metrics in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Google Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
8.3
EPSS
0.3%
CVE-2024-32949 HIGH This Week

Missing Authorization vulnerability in Prince Integrate Google Drive allows Exploiting Incorrectly Configured Access Control Security Levels.3.8. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google Authentication Bypass Integrate Google Drive
NVD
CVSS 3.1
8.3
EPSS
0.3%
CVE-2026-12438 HIGH PATCH This Week

Inappropriate implementation in WebView in Google Chrome on Android prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)

Google Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
8.3
EPSS
0.3%
CVE-2026-12467 HIGH PATCH This Week

Use after free in Extensions in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Google Use After Free Denial Of Service Memory Corruption Red Hat +1
NVD VulDB
CVSS 3.1
8.3
EPSS
0.3%
CVE-2026-12451 HIGH PATCH This Week

Use after free in DigitalCredentials in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Google Use After Free Denial Of Service Memory Corruption Red Hat +1
NVD VulDB
CVSS 3.1
8.3
EPSS
0.3%
CVE-2026-12468 HIGH PATCH This Week

Race in Updater in Google Chrome on Mac prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Google Race Condition Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
8.3
EPSS
0.3%
CVE-2026-12464 HIGH PATCH This Week

Use after free in Browser in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Google Use After Free Denial Of Service Memory Corruption Red Hat +1
NVD VulDB
CVSS 3.1
8.3
EPSS
0.3%
CVE-2026-12454 HIGH PATCH This Week

Race in Safe Browsing in Google Chrome on Mac prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Google Race Condition Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
8.3
EPSS
0.2%
CVE-2026-54010 HIGH PATCH GHSA This Week

Cross-user file read and deletion in Open WebUI <=0.9.5 allows authenticated users to access or destroy other users' files by attaching arbitrary file_id values to their own chat messages and sharing the chat. The flaw stems from missing ownership checks in Chats.insert_chat_files() combined with a shared-chat authorization branch that ignores access_type, so a read grant also satisfies write/delete checks. No public exploit identified at time of analysis, though a detailed PoC is included in the GitHub Security Advisory.

Authentication Bypass Python
NVD GitHub VulDB
CVSS 3.1
8.3
EPSS
0.2%
CVE-2026-55199 HIGH PATCH This Week

Pre-authentication denial of service in libssh2 through 1.11.1 allows a malicious SSH server to pin a connecting client's CPU at 100% for over 60 seconds by advertising an attacker-controlled SSH_MSG_EXT_INFO extension count of 0xFFFFFFFF during key exchange. The flaw is reachable before authentication completes, so any client that initiates an SSH session to a hostile or compromised server endpoint is exposed, and no public exploit identified at time of analysis though VulnCheck has published an advisory and the upstream PR diff is public.

Microsoft Denial Of Service Libssh2
NVD GitHub VulDB
CVSS 4.0
8.2
EPSS
0.4%
CVE-2026-48764 HIGH This Week

Server-side request forgery in Typebot chatbot builder before version 3.17.2 allows remote unauthenticated attackers to bypass SSRF protections via DNS rebinding, reaching internal services and cloud metadata endpoints. The validator resolves a hostname once for allowlist checks, but the subsequent HTTP request performs a fresh DNS resolution without IP pinning, creating a time-of-check to time-of-use (TOCTOU) gap. No public exploit identified at time of analysis, though the fix commit and detailed advisory are publicly available on GitHub.

SSRF Typebot Io
NVD GitHub
CVSS 3.1
8.2
EPSS
0.3%
CVE-2026-50194 HIGH PATCH GHSA This Week

Improper authentication in Steeltoe management endpoints versions 3.2.2 through 3.3.0 and 4.1.0 allows remote unauthenticated attackers to reach actuator endpoints intended to be isolated on a separate management port by spoofing the HTTP Host header. The middleware trusted the client-supplied Host header port instead of the actual TCP socket port, defeating port-based access restrictions and enabling information disclosure from sensitive actuator endpoints. No public exploit identified at time of analysis, though the fix commit and a regression test demonstrating Host-header spoofing are publicly available on GitHub.

Information Disclosure Steeltoe Management Endpoint Steeltoe Management Endpointcore
NVD GitHub VulDB
CVSS 3.1
8.2
EPSS
0.2%
CVE-2026-54184 HIGH This Week

Insecure direct object reference in the Clean Login WordPress plugin versions 1.15 and earlier allows remote unauthenticated attackers to manipulate object identifiers to modify data they should not control and to disrupt plugin-managed functionality. The flaw is reported by Patchstack and tagged as an authentication bypass affecting Alberto Hornero's Clean Login plugin, with no public exploit identified at time of analysis. CVSS 3.1 rates it 8.2 due to the network-reachable, no-privileges, no-interaction vector with limited integrity impact and high availability impact.

Authentication Bypass Clean Login
NVD VulDB
CVSS 3.1
8.2
EPSS
0.3%
CVE-2026-49081 HIGH This Week

Broken access control in the WordPress plugin User Registration Stripe (versions <= 1.3.12) allows unauthenticated remote attackers to invoke protected functionality without proper authorization checks. The flaw stems from missing capability validation (CWE-862) and carries a CVSS 3.1 score of 8.2 with high integrity impact. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

Authentication Bypass User Registration Stripe
NVD
CVSS 3.1
8.2
EPSS
0.3%
CVE-2026-40726 HIGH This Week

Broken access control in the User Registration Stripe WordPress plugin (versions 1.3.14 and earlier) allows remote unauthenticated attackers to access functionality that should require authorization, leading to high confidentiality exposure and limited integrity tampering. The flaw is reported by Patchstack and tagged as an authentication bypass, but no public exploit code has been identified at time of analysis. EPSS data was not provided, and the issue is not listed in CISA KEV.

Authentication Bypass User Registration Stripe
NVD
CVSS 3.1
8.2
EPSS
0.2%
CVE-2026-22555 HIGH PATCH GHSA This Week

Authorization bypass in Gitea versions prior to 1.26.0 lets a read-only organization member create repositories in the organization namespace via the API fork endpoint, despite a team configuration that denies repository creation (can_create_org_repo=false). Because the fork creator receives admin rights on the resulting repo, the attacker can enable Actions and push a workflow that exfiltrates all organization-level CI/CD secrets (deploy keys, cloud credentials, API tokens). Publicly available exploit code exists in the GHSA advisory with a full step-by-step PoC; no public exploit identified at time of analysis beyond the reporter's reproduction.

Docker RCE Authentication Bypass Ubuntu Gitea
NVD GitHub
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-32804 HIGH This Week

Authentication bypass in Dell PowerFlex Manager allows an unauthenticated attacker with adjacent-network access to gain unauthorized access to the management plane, with high impact to integrity and availability of the software-defined storage fabric. Dell's DSA-2026-066 advisory addresses this and other PowerFlex flaws; no public exploit identified at time of analysis and the issue is not listed in CISA KEV. Affected version range is not enumerated in the public record, which constrains accurate exposure scoping.

Dell Authentication Bypass Powerflex
NVD VulDB
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-49502 HIGH This Week

Improper authentication in Dell PowerFlex Manager allows unauthenticated attackers with adjacent network access to bypass authentication controls, resulting in information disclosure, data tampering, and unauthorized access to managed storage infrastructure. The vulnerability carries a CVSS 8.1 rating reflecting high confidentiality and integrity impact, though no public exploit identified at time of analysis and EPSS scores it at 0.19% probability. SSVC scoring from CISA indicates no observed exploitation and partial technical impact.

Dell Authentication Bypass Information Disclosure Powerflex
NVD VulDB
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-24791 HIGH PATCH GHSA This Week

Authorization bypass in Gitea versions 1.22.3 through 1.26.1 allows holders of `public-only` access tokens or OAuth grants to read and modify private account resources via `/api/v1/user/...` self routes, despite the public-only flag being designed to restrict tokens to public data. The flaw is a systemic scope-boundary failure across many self routes (SSH keys, emails, OAuth apps, Actions secrets/variables/runners, private repos, webhooks), publicly available exploit code exists in the form of reproducible Go PoCs in the advisory, and the issue represents an incomplete fix of CVE-2025-68941 in a different route family.

Gitea Canonical Authentication Bypass
NVD GitHub
CVSS 3.1
8.1
CVE-2026-54415 HIGH PATCH This Week

{id} endpoints, the attacker can mint AzLink server tokens and rewrite victims' credentials. No public exploit has been identified at the time of analysis.

Authentication Bypass PHP Azuriom Cms
NVD GitHub
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-54814 HIGH This Week

Local file inclusion in StylemixThemes Motors WordPress plugin versions up to and including 1.4.109 allows remote attackers to include arbitrary PHP files from the server filesystem. The flaw is classified as CWE-98 (PHP Remote File Inclusion) but is exploitable only as LFI per the vendor description, enabling source code disclosure, sensitive file read, and potential code execution if a writable PHP file can be reached. No public exploit identified at time of analysis and the vulnerability is not present in CISA KEV.

PHP Information Disclosure LFI Motors
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-52707 HIGH This Week

Unauthenticated local file inclusion in the Mikado-Themes Kastell WordPress theme (versions ≤ 2.0) allows remote attackers to traverse directories and read or include arbitrary server-side files, potentially leading to disclosure of sensitive configuration data such as wp-config.php and, depending on PHP configuration, code execution. The flaw is reported via Patchstack with CVSS 8.1 (high) and no public exploit identified at time of analysis. The CWE-35 classification (Path Traversal: '.../...//') points to relative-path manipulation as the root cause.

Information Disclosure Kastell
NVD
CVSS 3.1
8.1
EPSS
0.4%
CVE-2026-40757 HIGH This Week

Unauthenticated PHP Object Injection in the Mikado-Themes 'Château' WordPress theme (versions ≤ 1.2.1) allows remote attackers to deserialize attacker-controlled data, potentially leading to arbitrary code execution, file manipulation, or full site compromise when a suitable POP gadget chain is present in the WordPress stack. The flaw was disclosed via Patchstack with CVSS 8.1 (high) due to network-reachable, unauthenticated impact across confidentiality, integrity, and availability, though high attack complexity (AC:H) reflects the dependency on a usable gadget chain. No public exploit identified at time of analysis.

PHP Deserialization Ch Teau
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-40756 HIGH This Week

Unauthenticated PHP Object Injection in the Mikado-Themes Zoya WordPress theme versions 1.4 and earlier allows remote attackers to inject crafted serialized objects that are deserialized by the application. Successful exploitation can lead to arbitrary code execution, data tampering, or denial of service depending on the gadget chains present in WordPress core, plugins, or other themes loaded on the site. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

PHP Deserialization Zoya
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-40752 HIGH This Week

Unauthenticated PHP object injection in the Manufaktur Solutions WordPress theme (versions 1.1.1 and earlier) allows remote attackers to deserialize attacker-controlled data, potentially leading to arbitrary code execution, data tampering, or denial of service when a suitable PHP gadget chain is present. The CVSS 3.1 score of 8.1 reflects high impact across confidentiality, integrity, and availability, tempered by AC:H due to dependency on exploitable gadget chains in the WordPress runtime. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

PHP Deserialization Manufaktur Solutions
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-40738 HIGH This Week

Unauthenticated PHP Object Injection in the Eldon WordPress theme (versions <= 1.4.1) by Edge-Themes allows remote attackers to inject arbitrary PHP objects through unsafe deserialization, potentially leading to remote code execution, data theft, or site compromise when a suitable POP gadget chain is present in the WordPress environment. No public exploit identified at time of analysis, and Patchstack rates this CVSS 8.1 (High) with high attack complexity reflecting the need for a usable gadget chain.

PHP Deserialization Eldon
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-40733 HIGH This Week

Unauthenticated PHP object injection in the Mikado Themes ShiftUp WordPress theme (versions ≤ 1.3) allows remote attackers to pass attacker-controlled serialized data into a PHP unserialize() sink, potentially triggering gadget chains that can lead to remote code execution, data tampering, or site takeover. CVSS is rated 8.1 with high attack complexity but no privileges or user interaction required, and no public exploit identified at time of analysis. The issue was disclosed via Patchstack.

PHP Deserialization Shiftup
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-39590 HIGH This Week

Local file inclusion in the Atomlab WordPress theme versions 2.4.5 and earlier allows remote unauthenticated attackers to include arbitrary PHP files on the server, potentially leading to sensitive information disclosure and remote code execution. The flaw is tracked under CWE-98 (improper control of filename for include/require) and carries a CVSS 3.1 base score of 8.1 (high). No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.

PHP Information Disclosure LFI Atomlab
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-39576 HIGH This Week

Unauthenticated PHP Object Injection in the SingleMalt WordPress theme (versions up to and including 1.5) allows remote attackers to deserialize attacker-controlled data, which can lead to compromise of confidentiality, integrity, and availability of affected WordPress sites. The flaw is exploitable without authentication or user interaction but has high attack complexity per its CVSS vector, and no public exploit identified at time of analysis.

PHP Deserialization Singlemalt
NVD
CVSS 3.1
8.1
EPSS
0.4%
CVE-2026-39560 HIGH This Week

Unauthenticated PHP object injection in the Select Themes 'Hiroshi' WordPress theme through version 1.5.1 allows remote attackers to supply crafted serialized payloads that are deserialized by the theme, potentially leading to code execution, file manipulation, or data compromise when a suitable PHP magic-method gadget chain is present in the WordPress stack. The flaw is reachable without authentication per the CVSS vector, and no public exploit has been identified at time of analysis.

PHP Deserialization Hiroshi
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-39559 HIGH This Week

Local File Inclusion in the CodeSupply Co. 'Uppercase' WordPress theme versions prior to 1.2.2 allows remote unauthenticated attackers to include and disclose arbitrary local files from the web server, potentially leading to source code disclosure, credential theft, or remote code execution where log/upload poisoning is feasible. The flaw is tagged as LFI/PHP/Information Disclosure by Patchstack and carries a CVSS 8.1 (High) rating; no public exploit identified at time of analysis.

PHP Information Disclosure LFI Uppercase
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-39556 HIGH This Week

Unauthenticated PHP Object Injection affects the Konsept WordPress theme (by elated-themes) in versions 1.9 and earlier, allowing remote attackers to inject crafted serialized PHP objects without authentication. Successful exploitation can lead to a full compromise of the WordPress site - high impact on confidentiality, integrity, and availability - though CVSS rates attack complexity as high, indicating non-trivial conditions are required. No public exploit identified at time of analysis.

PHP Deserialization Konsept
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-39523 HIGH This Week

Unauthenticated Local File Inclusion in the Solene Core WordPress plugin (versions <= 2.3.2) by elated-themes allows remote attackers to include and execute arbitrary local PHP files on the server without authentication. The CVSS 8.1 rating reflects full confidentiality, integrity, and availability impact, though high attack complexity suggests non-trivial exploitation prerequisites. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

PHP Information Disclosure LFI Solene Core
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-39445 HIGH This Week

Unauthenticated PHP Object Injection in the Alukas WordPress theme (versions prior to 3.0.0) allows remote attackers to inject crafted serialized PHP objects into the application, potentially leading to remote code execution, file manipulation, or full site compromise when a usable POP gadget chain is present. No public exploit identified at time of analysis, and the issue is tracked by Patchstack as a deserialization flaw affecting the presslayouts:alukas product line. Real-world impact depends on the gadget chains available in WordPress core or co-installed plugins.

PHP Deserialization Alukas
NVD
CVSS 3.1
8.1
EPSS
0.4%
CVE-2026-39442 HIGH This Week

Unauthenticated PHP Object Injection in the PressMart WordPress theme versions 1.2.26 and earlier allows remote attackers to deliver malicious serialized payloads that are deserialized by the theme, potentially leading to property-oriented gadget chain abuse and full site compromise. The flaw was disclosed via Patchstack and carries a CVSS 8.1 (AV:N/AC:H/PR:N/UI:N) - no public exploit identified at time of analysis, and the high attack complexity reflects the need for a usable gadget chain to escalate from deserialization to concrete impact.

PHP Deserialization Pressmart
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2025-69175 HIGH This Week

Unauthenticated local file inclusion in the Line Agency WordPress theme versions 1.3.1 and earlier allows remote attackers to include and disclose arbitrary local files on the underlying server, potentially leading to sensitive data exposure and, depending on PHP configuration, remote code execution. The flaw is reported by Patchstack and is mapped to CWE-98 (PHP Remote File Inclusion), with no public exploit identified at time of analysis and no listing in the CISA KEV catalog.

PHP Information Disclosure LFI Line Agency
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2025-69174 HIGH This Week

Unauthenticated local file inclusion in the ThemeREX Etude WordPress theme versions 1.6 and earlier allows remote attackers to coerce the application into including arbitrary PHP files, potentially leading to source disclosure, sensitive data exposure, and possible remote code execution depending on writable locations on the host. The high CVSS score of 8.1 reflects significant confidentiality, integrity, and availability impact, though the high attack complexity (AC:H) suggests non-trivial preconditions; no public exploit identified at time of analysis.

PHP Information Disclosure LFI Etude
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2025-69170 HIGH This Week

Local File Inclusion in the ThemeRex Eventicity WordPress theme versions 1.5 and earlier allows remote unauthenticated attackers to include and execute arbitrary local files on the server. The flaw is reported by Patchstack and tagged as PHP information disclosure; no public exploit identified at time of analysis, though the unauthenticated network vector makes this a meaningful priority for affected WordPress sites. Successful exploitation can expose sensitive files such as wp-config.php and may enable code execution depending on what files can be reached.

PHP Information Disclosure LFI Eventicity
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2025-69166 HIGH This Week

Unauthenticated local file inclusion in the ThemeRex Gunslinger WordPress theme through version 1.7 allows remote attackers to coerce PHP into including arbitrary files from the server filesystem, leading to disclosure of sensitive files and potential remote code execution where attacker-influenced content can be staged. No public exploit identified at time of analysis, but the flaw is reachable without authentication and affects all installations running version 1.7 or earlier of the theme.

PHP Information Disclosure LFI Gunslinger
NVD
CVSS 3.1
8.1
EPSS
0.4%
CVE-2025-69164 HIGH This Week

Unauthenticated local file inclusion in ThemeRex Skyward WordPress theme versions 1.10 and earlier allows remote attackers to include and execute arbitrary local PHP files on the server, enabling sensitive file disclosure and potential remote code execution. The flaw is reachable without authentication over the network and no public exploit has been identified at time of analysis, though Patchstack has catalogued the issue in their vulnerability database. CVSS rates the impact as 8.1 (High) reflecting full confidentiality, integrity, and availability compromise despite high attack complexity.

PHP Information Disclosure LFI Skyward
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2025-69158 HIGH This Week

Unauthenticated Local File Inclusion in the ThemeREX Granola WordPress theme through version 1.13 allows remote attackers to coerce the PHP runtime into including arbitrary files via attacker-controlled path input. The flaw is reachable over the network without credentials or user interaction and can expose sensitive site files such as wp-config.php, potentially escalating to code execution if log-poisoning or session-file techniques are viable. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

PHP Information Disclosure LFI Granola
NVD VulDB
CVSS 3.1
8.1
EPSS
0.3%
CVE-2025-69157 HIGH This Week

Local file inclusion in the ThemeRex Gamic WordPress theme versions 1.15 and earlier allows unauthenticated remote attackers to coerce the PHP application into including arbitrary files via crafted parameters. Successful exploitation can expose sensitive configuration data (including wp-config.php) and, depending on server configuration, may escalate to remote code execution through log poisoning or session-file inclusion. No public exploit identified at time of analysis, and the issue has not been listed in CISA KEV.

PHP Information Disclosure LFI Gamic
NVD VulDB
CVSS 3.1
8.1
EPSS
0.4%
CVE-2025-69144 HIGH This Week

Unauthenticated local file inclusion in the ThemeREX Preservation WordPress theme versions 1.10 and earlier allows remote attackers to read arbitrary files from the underlying web server, with high complexity (AC:H) but no authentication required (PR:N). The flaw, reported by Patchstack and classified as CWE-98 (improper filename control for PHP include/require statements), can lead to disclosure of sensitive files such as wp-config.php and, depending on the inclusion path, potentially full code execution. No public exploit identified at time of analysis and no KEV listing.

PHP Information Disclosure LFI Preservation
NVD VulDB
CVSS 3.1
8.1
EPSS
0.3%
CVE-2025-69126 HIGH This Week

Unauthenticated local file inclusion in the ThemeRex Fortius WordPress theme (versions 2.3.0 and earlier) allows remote attackers to include and disclose arbitrary local files on the server via a vulnerable PHP file/path parameter. The flaw maps to CWE-98 (improper control of filename for include/require) and can lead to source code disclosure, leakage of WordPress secrets in wp-config.php, and in some PHP setups remote code execution. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

PHP Information Disclosure LFI Fortius
NVD VulDB
CVSS 3.1
8.1
EPSS
0.3%
CVE-2025-69123 HIGH This Week

Unauthenticated local file inclusion in the ThemeRex Snow Club WordPress theme versions 1.1 and earlier allows remote attackers to include and execute arbitrary local files on the host, leading to sensitive file disclosure and potential remote code execution. The flaw is reported by Patchstack and maps to CWE-98 (PHP file inclusion); no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

PHP Information Disclosure LFI Snow Club
NVD VulDB
CVSS 3.1
8.1
EPSS
0.3%
CVE-2025-69120 HIGH This Week

Unauthenticated Local File Inclusion affects the Dazzle WordPress theme (by ThemeRex) in versions up to and including 1.0.0, allowing remote attackers to read or potentially include arbitrary local files on the server. The flaw stems from improper control of filename parameters used in PHP include/require statements (CWE-98), and no public exploit has been identified at time of analysis. With a CVSS 8.1 reflecting high attack complexity but no authentication, the vulnerability is reachable by anonymous attackers but requires specific conditions to weaponize fully.

PHP Information Disclosure LFI Dazzle
NVD VulDB
CVSS 3.1
8.1
EPSS
0.4%
Prev Page 2 of 5 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy