Skip to main content
CVE-2025-69115 HIGH This Week

Unauthenticated local file inclusion in the ThemeREX LuxMed Medicine & Healthcare Doctor WordPress theme versions 1.2.2 and earlier allows remote attackers to include and execute arbitrary local PHP files on the server. The flaw is CWE-98 (improper control of filename for include/require) and carries CVSS 8.1 (high), though attack complexity is high; no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.

PHP WordPress Information Disclosure LFI Luxmed Medicine Healthcare Doctor Wordpress Theme
NVD VulDB
CVSS 3.1
8.1
EPSS
0.3%
CVE-2025-69106 HIGH This Week

Local File Inclusion in the Imba WordPress theme versions 1.5.0 and earlier allows remote unauthenticated attackers to read arbitrary files from the underlying server. The flaw is rooted in PHP file-inclusion handling (CWE-98) and has no public exploit identified at time of analysis, but its unauthenticated network reachability makes it a notable risk for sites still running the affected ThemeREX product.

PHP Information Disclosure LFI Imba
NVD VulDB
CVSS 3.1
8.1
EPSS
0.4%
CVE-2026-40753 HIGH This Week

Unauthenticated PHP Object Injection affects the Mikado-Themes EasyMeals WordPress theme through version 1.5.1, allowing remote attackers to inject crafted serialized objects that are deserialized by vulnerable PHP code paths. Successful exploitation can lead to high-impact compromise of confidentiality, integrity, and availability on the underlying WordPress site, though no public exploit identified at time of analysis. The CVSS 8.1 score reflects high attack complexity, consistent with the typical need for a usable gadget chain in the host WordPress environment.

PHP Deserialization Easymeals
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-40735 HIGH This Week

Unauthenticated PHP object injection in the Reina WordPress theme (versions 2.1 and earlier) by Edge Themes allows remote attackers to trigger insecure deserialization, potentially leading to arbitrary code execution, data tampering, or denial of service when a suitable PHP gadget chain is present in the WordPress instance. The flaw carries a CVSS 3.1 score of 8.1 (High) with no public exploit identified at time of analysis. The reference from Patchstack confirms the issue but no KEV listing or EPSS data is provided.

PHP Deserialization Reina
NVD
CVSS 3.1
8.1
EPSS
0.4%
CVE-2026-40731 HIGH This Week

Unauthenticated local file inclusion in the Mikado-Themes ChapterOne WordPress theme (versions 1.7 and earlier) allows remote attackers to coerce the PHP application into including arbitrary local files via crafted requests. Successful exploitation can disclose sensitive files such as wp-config.php and, depending on server configuration, lead to PHP code execution by including attacker-influenced content. No public exploit identified at time of analysis, but the vulnerability is publicly cataloged by Patchstack.

PHP Information Disclosure LFI Chapterone
NVD
CVSS 3.1
8.1
EPSS
0.4%
CVE-2026-39582 HIGH PATCH This Week

Unauthenticated local file inclusion in the Xtemos Hitek WordPress theme versions prior to 1.8.3 allows remote attackers to include and execute arbitrary local files on the server via crafted requests, mapped to CWE-98 (Improper Control of Filename for Include/Require Statement in PHP). With a CVSS 3.1 score of 8.1 and high attack complexity but no authentication required, successful exploitation can lead to source code disclosure, sensitive configuration exposure, and potential remote code execution. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.

PHP Information Disclosure LFI Hitek
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-39573 HIGH This Week

Unauthenticated PHP Object Injection affects the Select Themes Mildhill WordPress theme in versions 1.5 and earlier, allowing remote attackers to inject crafted serialized PHP objects that the application deserializes without validation. Successful exploitation can yield high confidentiality, integrity, and availability impact on the underlying WordPress site, typically by chaining the injected object with a POP gadget present in the theme, WordPress core, or another installed plugin. No public exploit identified at time of analysis, and the issue is reported via Patchstack rather than the CISA KEV catalog.

PHP Deserialization Mildhill
NVD
CVSS 3.1
8.1
EPSS
0.4%
CVE-2026-39558 HIGH This Week

Unauthenticated local file inclusion in the Malmö WordPress theme versions 2.2 and earlier allows remote attackers to include arbitrary local files via crafted requests, enabling disclosure of sensitive server-side content and potentially remote code execution. The flaw is reported by Patchstack and classified as CWE-98 (improper control of filename for include/require), with no public exploit identified at time of analysis. Affected sites are WordPress installations using the elated-themes Malmö theme.

PHP Information Disclosure LFI Malm
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-39545 HIGH This Week

Unauthenticated PHP Object Injection in the Zermatt WordPress theme versions 1.6.1 and earlier allows remote attackers to deliver malicious serialized PHP objects to a vulnerable unserialize() sink without prior authentication. Successful exploitation can lead to high impact on confidentiality, integrity, and availability when a suitable POP gadget chain is reachable in the WordPress installation. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

PHP Deserialization Zermatt
NVD
CVSS 3.1
8.1
EPSS
0.4%
CVE-2026-39537 HIGH This Week

Unauthenticated local file inclusion in the Mikado Core WordPress plugin versions 1.6 and earlier allows remote attackers to include arbitrary local files via crafted HTTP requests, potentially exposing sensitive server contents and enabling code execution. CVSS 8.1 reflects high impact across confidentiality, integrity, and availability, though attack complexity is rated High. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

PHP Information Disclosure LFI Mikado Core
NVD
CVSS 3.1
8.1
EPSS
0.4%
CVE-2026-25439 HIGH This Week

Account takeover in Booknetic WordPress appointment booking plugin versions 4.8.5 and earlier allows remote unauthenticated attackers to bypass authentication controls and gain access to arbitrary user accounts. The Patchstack advisory characterizes this as a broken authentication weakness (CWE-288) with high impact across confidentiality, integrity, and availability. No public exploit is identified at time of analysis, and exploitation requires high attack complexity per the CVSS vector.

Information Disclosure Booknetic
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-22338 HIGH This Week

Unauthenticated Local File Inclusion in ThemeREX EcoBlue WordPress theme versions 1.15 and earlier enables remote attackers to include arbitrary local files on the server without credentials, potentially leading to source code disclosure and remote code execution via PHP file inclusion (CWE-98). No public exploit identified at time of analysis, but the unauthenticated network-reachable nature combined with WordPress's broad deployment surface makes this notable. EPSS data was not provided, and the issue is not listed in CISA KEV.

PHP Information Disclosure LFI Ecoblue
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-22331 HIGH This Week

Unauthenticated Local File Inclusion in the ThemeREX AutoParts WordPress theme versions 1.5.8 and earlier allows remote attackers to include and execute arbitrary local files on the server. No public exploit identified at time of analysis, but the CWE-98 classification and PR:N CVSS vector make this a meaningful pre-authentication risk for any WordPress site running the theme. Successful exploitation typically leads to sensitive file disclosure (wp-config.php) and, when combined with log poisoning or uploaded content, full remote code execution.

PHP Information Disclosure LFI Autoparts
NVD
CVSS 3.1
8.1
EPSS
0.4%
CVE-2026-22330 HIGH This Week

Unauthenticated local file inclusion in the Themeum Right Way WordPress theme versions 4.0 and earlier allows remote attackers to include arbitrary local files and likely achieve code execution through PHP file inclusion (CWE-98). The flaw is network-reachable without credentials, though CVSS records high attack complexity (AC:H), and no public exploit has been identified at time of analysis. The advisory is sourced from Patchstack's WordPress vulnerability database.

PHP Information Disclosure LFI Right Way
NVD
CVSS 3.1
8.1
EPSS
0.4%
CVE-2026-22326 HIGH This Week

Unauthenticated local file inclusion in the Reprizo WordPress theme by AxiomThemes (versions 1.0.8 and earlier) allows remote attackers to coerce the PHP include/require chain into loading arbitrary server-side files, leading to disclosure of sensitive configuration data and potential code execution if uploaded or log files can be referenced. No public exploit identified at time of analysis, but the issue is tracked by Patchstack as a high-severity flaw against a commercial WordPress theme.

PHP Information Disclosure LFI Reprizo
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-22325 HIGH This Week

Unauthenticated local file inclusion in the Promo WordPress theme through version 1.3.0 allows remote attackers to coerce the application into including arbitrary PHP files from the server, potentially leading to source code disclosure, sensitive file reads, or remote code execution where attacker-controlled files are reachable. The vulnerability is reported by Patchstack and affects axiomthemes' Promo theme; no public exploit identified at time of analysis and EPSS data was not provided. The CVSS 3.1 base score of 8.1 reflects high impact across confidentiality, integrity, and availability despite high attack complexity.

PHP Information Disclosure LFI Promo
NVD
CVSS 3.1
8.1
EPSS
0.4%
CVE-2025-69173 HIGH This Week

Unauthenticated local file inclusion in the ThemeREX Tipsy WordPress theme versions 1.1 and earlier allows remote attackers to coerce the PHP interpreter into including arbitrary files via attacker-controlled path parameters. Successful exploitation can disclose sensitive server-side files, leak configuration secrets such as wp-config.php database credentials, and - depending on environment - escalate to code execution by including log files, session files, or other writable artifacts. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.

PHP Information Disclosure LFI Tipsy
NVD
CVSS 3.1
8.1
EPSS
0.4%
CVE-2025-69172 HIGH This Week

Unauthenticated Local File Inclusion in the ThemeREX Resurs WordPress theme versions 1.3 and below allows remote attackers to include and execute arbitrary local files on the server. The flaw, tracked under CWE-98 (Improper Control of Filename for Include/Require), enables disclosure of sensitive files and potential code execution depending on server configuration. No public exploit identified at time of analysis, though Patchstack has confirmed the issue against the affected theme.

PHP Information Disclosure LFI Resurs
NVD
CVSS 3.1
8.1
EPSS
0.4%
CVE-2025-69171 HIGH This Week

Unauthenticated Local File Inclusion in the ThemeREX Orpheus WordPress theme (versions <= 1.3) allows remote attackers to read arbitrary files on the server and potentially achieve code execution via PHP file inclusion. The flaw stems from improper control of filenames in an include/require statement (CWE-98), and while no public exploit has been identified at time of analysis, the CVSS 8.1 rating reflects high impact across confidentiality, integrity, and availability. Risk is somewhat tempered by the high attack complexity metric in the CVSS vector.

PHP Information Disclosure LFI Orpheus
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2025-69161 HIGH This Week

Unauthenticated local file inclusion in the Snowy WordPress theme (ThemeREX) versions up to and including 1.13 allows remote attackers to coerce the PHP runtime into including arbitrary files from the server filesystem. The flaw is tracked as CWE-98 (Improper Control of Filename for Include/Require), reported by Patchstack, and carries a CVSS 3.1 score of 8.1 (High) reflecting high-complexity but unauthenticated network exploitation. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

PHP Information Disclosure LFI Snowy
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2025-69148 HIGH This Week

Unauthenticated local file inclusion in the ThemeREX Quirky WordPress theme versions 1.23 and earlier allows remote attackers to include and disclose arbitrary local files on the server. The flaw stems from improper control of filename for include/require statements (CWE-98), which can escalate to remote code execution if attackers can plant or reach an includable PHP payload. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

PHP Information Disclosure LFI Quirky
NVD
CVSS 3.1
8.1
EPSS
0.4%
CVE-2025-69145 HIGH This Week

Unauthenticated local file inclusion in the Gat WordPress theme (versions 1.16 and earlier) allows remote attackers to include arbitrary local files on the server, potentially leading to disclosure of sensitive configuration data, credentials, or remote code execution if combined with uploadable content. No public exploit identified at time of analysis, but the CVSS 8.1 rating reflects high confidentiality, integrity, and availability impact. The vulnerability is reported by Patchstack and affects the ThemeRex Gat theme.

PHP Information Disclosure LFI Gat
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2025-69117 HIGH This Week

Unauthenticated local file inclusion in the ThemeREX Ingenioso WordPress theme through version 1.14.0 allows remote attackers to coerce the PHP application into including arbitrary server-side files, leading to disclosure of sensitive content and potential remote code execution where uploaded or log-poisoned files can be reached. The flaw is classified under CWE-98 (improper control of filename for include/require) and was disclosed via Patchstack with no public exploit identified at time of analysis. CVSS is rated 8.1 (High) with high attack complexity, reflecting that successful exploitation depends on identifying a reachable include path.

PHP Information Disclosure LFI Ingenioso
NVD
CVSS 3.1
8.1
EPSS
0.4%
CVE-2025-69110 HIGH This Week

Unauthenticated local file inclusion in the AirSupply WordPress theme versions up to and including 2.0.0 allows remote attackers to coerce the PHP application into including arbitrary local files, exposing sensitive data and potentially leading to code execution. Reported by Patchstack and tracked under CWE-98 (improper PHP file inclusion), with no public exploit identified at time of analysis and no EPSS or KEV signal supplied in the input. The CVSS 3.1 vector (AV:N/AC:H/PR:N/UI:N) indicates network-reachable, unauthenticated exploitation that nevertheless requires meeting non-trivial conditions to succeed.

PHP Information Disclosure LFI Airsupply
NVD
CVSS 3.1
8.1
EPSS
0.4%
CVE-2025-58954 HIGH This Week

Unauthenticated local file inclusion in the ThemeRex HomeRoofer WordPress theme through version 2.11.0 allows remote attackers to include and read arbitrary local files on the server, potentially leading to source code disclosure, credential theft from wp-config.php, and in some PHP configurations remote code execution. The flaw is reachable without authentication over HTTP, and no public exploit has been identified at time of analysis though Patchstack has catalogued the issue in their WordPress vulnerability database. No CISA KEV listing or EPSS data was supplied in the source intelligence.

PHP Information Disclosure LFI Homeroofer
NVD
CVSS 3.1
8.1
EPSS
0.4%
CVE-2025-58953 HIGH This Week

Unauthenticated Local File Inclusion affects the Joly WordPress theme by ThemeREX in versions up to and including 1.22.0, allowing remote attackers without credentials to coerce the PHP application into including arbitrary local files. Successful exploitation can disclose sensitive configuration (such as wp-config.php containing database credentials and auth keys) and, depending on server configuration, escalate to remote code execution via log poisoning or session file inclusion. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

PHP Information Disclosure LFI Joly
NVD
CVSS 3.1
8.1
EPSS
0.4%
CVE-2025-58952 HIGH PATCH This Week

Unauthenticated local file inclusion in the ThemeREX Neuronet WordPress theme before version 1.14.0 allows remote attackers to coerce the PHP runtime into including arbitrary files via untrusted input reaching an include/require statement. The flaw is reachable without authentication or user interaction, but CVSS marks attack complexity as High, suggesting non-trivial preconditions for full exploitation. No public exploit identified at time of analysis, and the issue is not on the CISA KEV list.

PHP Information Disclosure LFI Neuronet
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-35069 HIGH This Week

SQL injection in Dell PowerFlex Manager allows a low-privileged attacker with adjacent-network access to inject SQL commands that the application processes against its backend database, leading to script injection and potential compromise of confidentiality, integrity, and availability. The flaw is reported by Dell with no public exploit identified at time of analysis, and EPSS exploitation probability is low (0.19%, 9th percentile).

Dell SQLi Powerflex
NVD VulDB
CVSS 3.1
8.0
EPSS
0.2%
CVE-2026-35067 HIGH This Week

Privilege escalation in Dell PowerFlex Manager allows a low-privileged attacker on an adjacent network segment to bypass access controls and gain unauthorized elevated access to the management plane. The CVSS 8.0 (High) score reflects significant confidentiality, integrity, and availability impact, though there is no public exploit identified at time of analysis and EPSS rates exploitation probability at only 0.13% (3rd percentile). CISA SSVC classifies exploitation as 'none' with non-automatable attack characteristics, indicating no observed real-world abuse despite the meaningful technical severity.

Dell Authentication Bypass Powerflex
NVD VulDB
CVSS 3.1
8.0
EPSS
0.1%
CVE-2025-48640 HIGH This Week

In multiple locations, there is a possible 3rd party passkey entry pairing approval due to a missing permission check. This could lead to remote (proximal/adjacent) escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Privilege Escalation Authentication Bypass
NVD VulDB
CVSS 3.1
8.0
EPSS
0.1%
CVE-2026-12449 HIGH PATCH This Week

Use after free in Chromoting in Google Chrome on Windows prior to 149.0.7827.155 allowed a local attacker to perform OS-level privilege escalation via a malicious file. (Chromium security severity: High)

Google Microsoft Use After Free Privilege Escalation Memory Corruption +3
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2025-48643 HIGH This Week

Local privilege escalation in Google Android 17 stems from improper input validation across multiple code paths that allows a low-privileged app or local user to bypass provisioning controls and gain elevated privileges without user interaction. No public exploit identified at time of analysis, and the EPSS score of 0.13% (3rd percentile) reflects no observed exploitation activity, though the CVSS 7.8 reflects the high impact once preconditions are met.

Privilege Escalation
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2025-48617 HIGH This Week

In overrideConfig of CarrierConfigLoader.java, there is a possible way to bypass UID check due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Privilege Escalation Authentication Bypass
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-0019 HIGH This Week

In SettingsLib, there is a possible way to disable system components due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Privilege Escalation
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-32652 HIGH This Week

Local privilege escalation in Dell AIOps Collector versions prior to 1.18.3 allows a low-privileged attacker with console access to obtain filesystem-level access by abusing default credentials shipped with fresh installations. The flaw only affects systems freshly installed at an earlier version; upgraded hosts are not impacted. No public exploit identified at time of analysis, and the issue is not on CISA KEV.

Dell Information Disclosure Aiops
NVD
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-54017 HIGH PATCH GHSA This Week

Authenticated path traversal and SSRF in Open WebUI's terminal-server reverse proxy (versions <= 0.9.5) allows non-admin users with granted terminal access to escape the intended path or policy scope using double-encoded traversal sequences (%252e%252e). The flaw bypasses the project's own _sanitize_proxy_path mitigation, which performs only a single URL-decode pass before the '..' check, letting attackers reach unintended endpoints, files, and internal services routed by the terminal server. No public exploit identified at time of analysis, though the vendor advisory includes working proof-of-concept request strings.

Path Traversal Python SSRF
NVD GitHub
CVSS 3.1
7.7
EPSS
0.4%
CVE-2026-54018 HIGH PATCH GHSA This Week

SSRF protection bypass in Open WebUI's SafePlaywrightURLLoader (versions <= 0.9.5) allows authenticated users to access internal network resources by supplying an externally-hosted URL that returns an HTTP 301/302 redirect to a private address. Because Playwright's page.goto() automatically follows redirects without re-validating the destination, attackers can reach localhost, container-network peers, or cloud metadata endpoints (169.254.169.254) even when ENABLE_RAG_LOCAL_WEB_FETCH=False. A working PoC is published in the GHSA advisory; there is no public exploit identified at time of analysis being actively used, and no CISA KEV listing.

Python SSRF Docker
NVD GitHub
CVSS 3.1
7.7
EPSS
0.3%
CVE-2026-54193 HIGH This Week

Arbitrary file deletion in the Fusion Builder WordPress plugin (versions <= 3.15.4) allows authenticated users with Contributor-level privileges to delete arbitrary files on the underlying server via a path traversal flaw. Deletion of critical files such as wp-config.php can force WordPress into setup mode, enabling site takeover; no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Path Traversal Fusion Builder
NVD VulDB
CVSS 3.1
7.7
EPSS
0.3%
CVE-2025-60223 HIGH This Week

Arbitrary file deletion in QuantumCloud WPBot Pro WordPress Chatbot plugin versions 13.6.5 and earlier allows authenticated subscriber-level users to delete arbitrary files on the WordPress host via a path traversal flaw. With no public exploit identified at time of analysis, the issue still carries elevated risk because exploitation requires only the lowest-privilege WordPress role, which is auto-grantable on sites that allow open registration. Deleting files such as wp-config.php can trigger the WordPress install routine and lead to full site takeover.

Path Traversal WordPress Wpbot Pro Wordpress Chatbot
NVD
CVSS 3.1
7.7
EPSS
0.4%
CVE-2026-55405 HIGH PATCH GHSA This Week

SQL injection in LangChain4j's langchain4j-mariadb and langchain4j-pgvector embedding stores allows authenticated attackers who can influence metadata filter keys to execute arbitrary SQL via EmbeddingSearchRequest.filter(), enabling blind data exfiltration, denial of service through sleep functions, and deletion of arbitrary rows via removeAll(Filter). The flaw stems from string-concatenated filter keys (and MariaDB string values) being placed into SQL without escaping, and is particularly relevant where filter keys originate from LLM-generated output or untrusted user input. No public exploit identified at time of analysis, though the vendor advisory documents working proof-of-concept payloads such as pg_sleep(1) injection.

PostgreSQL SQLi Denial Of Service
NVD GitHub
CVSS 3.1
7.6
EPSS
0.3%
CVE-2026-55409 HIGH PATCH GHSA This Week

Stored XSS in Filament v3 PHP admin panel framework occurs when a RichEditor form field is rendered in disabled mode, because the disabled view binds raw state via Alpine's x-html directive without HTML sanitization. Authenticated attackers who can write into the underlying field state can plant HTML or JavaScript that executes in the browser of any user later viewing the form, with no public exploit identified at time of analysis and no KEV listing.

XSS
NVD GitHub
CVSS 3.1
7.6
EPSS
0.2%
CVE-2026-54013 HIGH PATCH GHSA This Week

Stored cross-site scripting in Open WebUI versions up to and including 0.9.5 allows any authenticated user holding the default workspace.models permission to embed an SVG payload in a model's profile_image_url and hijack the session of anyone who opens that image URL as a top-level document. The flaw is an incomplete-patch bypass of GHSA-3wgj-c2hg-vm6q and GHSA-3856-3vxq-m6fc - the input validator and the MIME allowlist plus X-Content-Type-Options:nosniff added to the user and webhook endpoints were never applied to ModelMeta or the model image serving endpoint. No public exploit identified at time of analysis beyond the working PoC included in the advisory, and CVSS 7.6 reflects the cross-origin scope change leading to JWT theft and account takeover.

Python XSS
NVD GitHub
CVSS 3.1
7.6
EPSS
0.2%
CVE-2026-47774 HIGH PATCH This Week

Denial of service in Envoy versions prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1 allows unauthenticated remote clients to trigger excessive memory consumption via crafted HTTP/2 requests, potentially causing OOM termination of the Envoy process. The flaw stems from cookie header bytes bypassing request header size validation combined with HPACK limits being enforced only on encoded bytes. No public exploit identified at time of analysis, but the network-reachable, no-auth attack profile makes it a credible availability threat for edge proxies.

Denial Of Service Envoy
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.6%
CVE-2026-54804 HIGH This Week

Authentication bypass in the Melhor Envio WordPress plugin (versions 2.16.3 and earlier) allows low-privileged subscriber accounts to perform actions they should not be authorized for. With CVSS 7.6 (high) and a CWE-288 classification, the flaw lets any registered WordPress user escalate access against the plugin's restricted endpoints, with no public exploit identified at time of analysis. The Patchstack-reported issue primarily threatens shipping/quotation workflows on WordPress e-commerce sites that integrate the Brazilian Melhor Envio shipping service.

Information Disclosure Melhor Envio
NVD VulDB
CVSS 3.1
7.6
EPSS
0.3%
CVE-2026-39546 HIGH This Week

Privilege escalation in TechSpawn MultiLoca (WooCommerce Multi Locations Inventory Management) plugin versions 4.2.15 and earlier allows authenticated subscriber-level users to elevate their privileges within affected WordPress sites. The flaw, classified under CWE-266 (Incorrect Privilege Assignment), carries a CVSS 7.6 score with no public exploit identified at time of analysis. The vulnerability was disclosed via Patchstack and affects WordPress installations running the plugin for WooCommerce multi-location inventory management.

Privilege Escalation Multiloca
NVD
CVSS 3.1
7.6
EPSS
0.3%
CVE-2026-12199 HIGH This Week

Unauthenticated remote denial of service in NLTK's WordNet Browser HTTP server (nltk.app.wordnet_app) through version 3.9.3 allows any network-reachable attacker to terminate the server process by sending a single GET request to /SHUTDOWN%20THE%20SERVER. The server binds to all interfaces by default and invokes os._exit(0) on receipt, with no public exploit identified at time of analysis but exploitation is trivial given the documented endpoint.

Authentication Bypass Denial Of Service Nltk Nltk Red Hat
NVD VulDB
CVSS 3.0
7.5
EPSS
0.5%
CVE-2024-32729 HIGH This Week

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in QuantumCloud Conversational Forms for ChatBot allows Path Traversal.1.8. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Conversational Forms For Chatbot
NVD
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-55760 HIGH POC PATCH GHSA This Week

Arbitrary file read in jknack handlebars.java versions prior to 4.5.2 allows remote unauthenticated attackers to retrieve files outside the intended template directory when applications pass user-controlled input to Handlebars.compile() with a FileTemplateLoader or ClassPathTemplateLoader. The flaw stems from missing path canonicalization in the template loaders, enabling classic ../ traversal sequences to escape the configured template prefix. No public exploit identified at time of analysis, but the GitHub Security Advisory GHSA-r4gv-qr8j-p3pg documents the issue and the fix is available in 4.5.2.

Path Traversal Java
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-20190 HIGH NEWS This Week

Information disclosure in Cisco Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) allows unauthenticated remote attackers to retrieve sensitive data - including hashed credentials - by sending crafted traffic to an affected device. The root cause is missing authorization checks on a protected resource (CWE-285), making this an authentication-bypass-style information leak. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Cisco Authentication Bypass Cisco Identity Services Engine Software Cisco Ise Passive Identity Connector
NVD VulDB
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-12462 HIGH PATCH This Week

Use after free in Media in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Google Use After Free RCE Memory Corruption Denial Of Service +2
NVD VulDB
CVSS 3.1
7.5
EPSS
0.4%
Prev Page 3 of 5 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy