Skip to main content
CVE-2026-48979 HIGH PATCH GHSA This Week

HTTP/2 request smuggling in PHP Standard Library (PSL) versions 6.1.0, 6.1.1, and 6.2.0 lets remote unauthenticated clients desynchronize stream boundaries in Psl\H2\ServerConnection by sending DATA frame totals that disagree with the declared content-length header. Only applications that consume the low-level H2 server connection directly to accept untrusted traffic are exposed; high-level PSL APIs are unaffected. No public exploit identified at time of analysis, and the maintainers state the issue was found during internal review prior to public exploitation.

PHP Request Smuggling Information Disclosure Php Standard Library Php Standard Library H2
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-22283 HIGH This Week

Information disclosure in Dell PowerFlex Manager versions prior to 4.8 stems from inclusion of functionality from an untrusted control sphere (CWE-829), allowing remote attackers to obtain sensitive data when a user is enticed into interacting with attacker-controlled content. Dell rates the issue at CVSS 7.5 with high attack complexity and required user interaction, and no public exploit identified at time of analysis.

Dell Information Disclosure Powerflex
NVD VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-32966 CRITICAL PATCH GHSA Act Now

Missing authorization check in the Apache DolphinScheduler DataSource API exposes arbitrary data source metadata to users who lack permission to view it, affecting all versions before 3.4.2. Authenticated users with low-privilege access can query the DataSource API and retrieve connection metadata - such as hostnames, ports, database names, and usernames - belonging to data sources they are not authorized to access. No public exploit or active exploitation has been identified at time of analysis, and the Apache Software Foundation has rated this moderate severity, consistent with a confidentiality-only impact against an internal platform.

Apache Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-12445 HIGH PATCH This Week

Use after free in Extensions in Google Chrome prior to 149.0.7827.155 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted Chrome Extension. (Chromium security severity: High)

Google Use After Free Memory Corruption Denial Of Service Red Hat +1
NVD VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-50200 HIGH PATCH GHSA This Week

Sensitive credential disclosure in Steeltoe.Management.Endpoint before 4.2.0 and Steeltoe.Management.EndpointCore before 3.4.0 allows remote attackers to retrieve plaintext database connection strings, embedded passwords, and URI userinfo segments via the `/actuator/env` endpoint. The Sanitizer's default key-suffix list omits the standard .NET `ConnectionStrings:<name>` pattern and the Steeltoe Connectors' `Steeltoe:Client:<type>:Default:ConnectionString` pattern, and performs no value-based scrubbing. No public exploit identified at time of analysis, but the fix and test cases are committed in public GitHub history, making the vulnerable behavior easy to reproduce.

Information Disclosure Steeltoe Management Endpoint Steeltoe Management Endpointcore
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-8050 HIGH PATCH This Week

Local denial-of-service in the SignalRGB kernel driver (versions prior to 1.3.7.0) allows any process able to open a handle to the driver to crash the Windows kernel by sending an IOCTL with an empty input buffer. Seven of thirteen IOCTL handlers dereference the SystemBuffer pointer without a NULL check, producing a bugcheck (BSOD). No public exploit identified at time of analysis, EPSS is 0.14%, and a vendor patch is available.

Denial Of Service Signalrgb Kernel Driver
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-54810 HIGH This Week

Missing authorization in the Nexi XPay WordPress plugin (versions up to and including 8.3.1) allows remote unauthenticated attackers to exploit incorrectly configured access control security levels, resulting in high impact to availability. Reported by Patchstack with no public exploit identified at time of analysis, the issue stems from broken access control on plugin endpoints used by Italian e-commerce sites integrating Nexi/CartaSi payment processing.

Authentication Bypass Nexi Xpay
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-54816 HIGH This Week

Remote code execution in the Monetizemore Advanced Ads WordPress plugin through version 2.0.21 allows authenticated attackers with low privileges to inject and execute arbitrary code via a code injection flaw (CWE-94). The issue was disclosed by Patchstack and carries a CVSS 3.1 base score of 7.5 (high) with high attack complexity. No public exploit identified at time of analysis.

Code Injection RCE Advanced Ads
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-54417 HIGH This Week

Denial of service in rxi microtar 0.1.0 allows remote attackers to hang any consumer of the library at 100% CPU by supplying a crafted tar archive whose header size field triggers a 32-bit integer overflow in mtar_next(). The flaw affects every application that parses untrusted tar streams with this lightweight C library, and no public exploit is identified at time of analysis, though the trigger is trivial to construct from the description alone.

Integer Overflow Denial Of Service Microtar
NVD GitHub
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-54802 HIGH This Week

Authentication bypass in the WordPress plugin SMS Alert Order Notifications (versions <= 3.9.3) allows remote unauthenticated attackers to access functionality or data that should be restricted to authenticated users. The flaw, reported by Patchstack and tracked under CWE-862 (Missing Authorization), carries a CVSS 7.5 with high confidentiality impact only. There is no public exploit identified at time of analysis and the issue is not currently listed in CISA KEV.

Authentication Bypass Sms Alert Order Notifications
NVD VulDB
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-52696 HIGH This Week

Sensitive data exposure in the JetBlog WordPress plugin (versions 2.4.8 and earlier) allows remote unauthenticated attackers to retrieve confidential information from affected sites over the network with no user interaction. The flaw is reported by Patchstack with a CVSS 3.1 base score of 7.5 (high confidentiality impact only). No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; EPSS data was not provided in the input.

Information Disclosure Jetblog
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-40721 HIGH This Week

Local file inclusion in the Element Pack Pro WordPress plugin (versions 9.0.6 and earlier) allows authenticated contributors to read or include arbitrary server-side files via insufficient validation of a file path parameter, mapped to CWE-98 (improper control of filename for include/require). The flaw was reported through Patchstack and affects bdthemes' Element Pack Pro, a widely deployed Elementor add-on; no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

PHP Information Disclosure LFI Element Pack Pro
NVD
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-34888 HIGH This Week

Unauthenticated sensitive data exposure in the Bricksforge WordPress plugin versions 3.1.8.4 and earlier allows remote attackers to retrieve confidential information without any credentials. The flaw, tracked under CWE-201 (Insertion of Sensitive Information Into Sent Data), carries a CVSS 3.1 score of 7.5 driven entirely by confidentiality impact, and no public exploit has been identified at time of analysis.

Information Disclosure Bricksforge
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-22334 HIGH This Week

Arbitrary file download in the WooCommerce Book Price WordPress plugin (versions 1.3 and earlier) allows remote attackers to retrieve arbitrary files from the underlying server filesystem via path traversal. The CVSS vector indicates network-reachable exploitation without authentication or user interaction, yielding high confidentiality impact with no integrity or availability effects. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Path Traversal WordPress Woocommerce Book Price
NVD
CVSS 3.1
7.5
EPSS
0.5%
CVE-2026-9690 HIGH This Week

Unauthenticated arbitrary file download in JoomUnited's WP Media Folder Addon WordPress plugin versions 4.0.1 and below allows remote attackers to retrieve arbitrary files from the underlying server via a path traversal weakness (CWE-22). The flaw is exploitable over the network without authentication or user interaction, exposing sensitive WordPress and server files such as wp-config.php. No public exploit identified at time of analysis, and the issue is not currently tracked in CISA KEV.

Path Traversal Wp Media Folder Addon
NVD VulDB
CVSS 3.1
7.5
EPSS
0.5%
CVE-2025-49403 HIGH This Week

Unauthenticated arbitrary file download in the Premium Age Verification / Restriction for WordPress plugin (versions ≤ 3.0.2) allows remote attackers to retrieve arbitrary files from the underlying server without any credentials or user interaction. The CVSS 3.1 score of 7.5 reflects high confidentiality impact with no integrity or availability impact, consistent with file disclosure rather than code execution. There is no public exploit identified at time of analysis and the issue is not present in CISA KEV, but Patchstack has confirmed the flaw against a default plugin installation.

PHP WordPress Information Disclosure LFI Premium Age Verification Restriction For Wordpress
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-12360 HIGH This Week

Unauthenticated SQL injection in the JetEngine WordPress plugin versions up to 3.8.10.1 allows remote attackers to extract database contents via the listing_load_more AJAX handler. The filtered_query parameter is deliberately excluded from the HMAC signature check to enable front-end filter integration, but meta_query row values are merged into SQL without sanitization, enabling time-based or boolean blind injection. No public exploit identified at time of analysis, though the bug was reported by Wordfence and source code locations are publicly referenced.

WordPress SQLi Jetengine
NVD
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-55201 HIGH PATCH This Week

Path traversal in Evil-WinRM through 3.9 lets a malicious or compromised remote Windows server overwrite arbitrary files on the operator's client machine when the user invokes the download_dir() function. Because Evil-WinRM is the offensive operator's tool, this inverts the trust model - the 'target' Windows host becomes the attacker and the red teamer or admin running Evil-WinRM becomes the victim, with realistic outcomes including persistent SSH access via overwritten authorized_keys. No public exploit identified at time of analysis, but a public upstream patch (commit 6ecd570) discloses the exact unsanitized File.join() sink.

Path Traversal Privilege Escalation Microsoft Evil Winrm
NVD GitHub VulDB
CVSS 4.0
7.4
EPSS
0.3%
CVE-2026-9697 HIGH PATCH GHSA This Week

TLS pinning bypass in undici 7.23.0 through 7.27.x and 8.x prior to 8.5.0 allows network-positioned attackers to perform man-in-the-middle attacks on HTTPS traffic routed through SOCKS5 proxies. The ProxyAgent silently drops the requestTls option (including ca, cert, key, rejectUnauthorized, and servername) when the proxy URI uses socks5:// or socks://, causing connections to fall back to Node.js's default Mozilla CA bundle instead of the application-configured trust anchor. No public exploit identified at time of analysis, but the CWE-295 improper certificate validation flaw directly defeats corporate CA pinning controls.

Microsoft Mozilla Authentication Bypass Undici
NVD GitHub VulDB
CVSS 3.1
7.4
EPSS
0.2%
CVE-2026-52698 HIGH This Week

Sensitive data exposure in the PushEngage WordPress plugin (versions <= 4.2.3) allows authenticated low-privileged users to access subscriber information that should remain protected. The flaw, reported by Patchstack and tracked as CWE-201 (Insertion of Sensitive Information Into Sent Data), affects WordPress sites running the Web Push Notifications, eCommerce Automation & Chat Widget plugin and carries a CVSS 3.1 score of 7.4 with a scope change. No public exploit identified at time of analysis.

Information Disclosure Pushengage Web Push Notifications Ecommerce Automation Amp Chat Widget
NVD
CVSS 3.1
7.4
EPSS
0.2%
CVE-2026-54328 HIGH PATCH GHSA This Week

Local privilege escalation in the Pi coding agent (npm packages @earendil-works/pi-coding-agent 0.74.0-0.78.0 and @mariozechner/pi-coding-agent 0.50.0-0.73.1) allows a co-resident attacker on a shared Linux host to pre-stage attacker-controlled extension code in a predictable `os.tmpdir()/pi-extensions` path that pi later loads as the victim user. No public exploit identified at time of analysis, but the issue was reported by CrowdStrike researchers and patched in 0.78.1 of the renamed package. Affects shared dev boxes, CI runners, and HPC login nodes; Windows/macOS default per-user temp directories typically avoid exposure.

Microsoft Apple Crowdstrike Privilege Escalation RCE +2
NVD GitHub
CVSS 3.1
7.3
EPSS
0.1%
CVE-2025-69189 HIGH This Week

Broken access control in EMV's JobBank WordPress plugin (versions up to and including 1.2.3) allows remote unauthenticated attackers to invoke functionality that should be restricted by authorization checks. The flaw stems from incorrectly configured access control levels on plugin endpoints, enabling attackers to interact with protected operations without proper privileges. No public exploit identified at time of analysis, but the network-reachable, low-complexity nature makes opportunistic scanning likely against WordPress sites running this plugin.

Authentication Bypass Jobbank
NVD
CVSS 3.1
7.3
EPSS
0.2%
CVE-2026-40768 HIGH This Week

Unauthenticated Insecure Direct Object Reference in the Salon Booking System WordPress plugin (versions <= 10.30.24) allows remote attackers to access or manipulate booking objects belonging to other users by tampering with object identifiers in requests. The flaw was reported by Patchstack and affects the dimitri_grassi salon_booking_system plugin per the provided CPE, with no public exploit identified at time of analysis.

Authentication Bypass Salon Booking System
NVD
CVSS 3.1
7.3
EPSS
0.3%
CVE-2026-48997 HIGH This Week

Command injection in e107 CMS versions 2.3.5 and earlier allows authenticated low-privilege users to execute arbitrary shell commands as the web server user via the news submission upload flow. The flaw lives in resize_image() where the ImageMagick convert destination path embeds a 6-character slice of the user-controlled news title without shell escaping, letting tab characters and $(...) / backtick expansions reach /bin/sh -c. No public exploit identified at time of analysis, and exploitation requires a specific non-default configuration combination.

Command Injection E107
NVD GitHub
CVSS 3.1
7.1
EPSS
0.7%
CVE-2026-5667 HIGH This Week

Unauthenticated adjacent-network access to a wide range of Mitsubishi Electric Wi-Fi-enabled appliances - including room air conditioners (for Japan and abroad), wireless LAN adapters for room/packaged air conditioners, refrigerators, heat-pump water heaters, bathroom dryer/heater/ventilation units, Lossnay ventilation systems, IH cooking heaters, and rice cookers - is possible via a hard-coded SSID and password embedded in the products' Wi-Fi access-point mode. An attacker within Wi-Fi radio range can read device telemetry (operation status, set/room temperature), alter air-conditioner or Wi-Fi settings, or push the Wi-Fi interface into a denial-of-service state. No public exploit is identified at time of analysis (EPSS 0.15%, percentile 5%; CISA SSVC Exploitation: none) and the issue is not in CISA KEV, but the credentials are static across the product line, making opportunistic abuse trivial once they are leaked or recovered from firmware.

Room Air Conditioners For Japan Msz Bkr2223 W Room Air Conditioners For Japan Msz Bkr2224 W Room Air Conditioners For Japan Msz Bkr2523 W Room Air Conditioners For Japan Msz Bkr2524 W Room Air Conditioners For Japan Msz Bkr2823 W +2476
NVD VulDB
CVSS 4.0
7.2
EPSS
0.2%
CVE-2026-49133 HIGH PATCH This Week

Arbitrary file read in Typemill before 2.24.0 allows authenticated Author-level users to traverse outside the content directory by injecting traversal sequences in the path query parameter when the folder argument is empty, defeating sanitization in Storage::getFolderPath(). Reported by VulnCheck with a vendor patch shipped in 2.24.0/2.24.2; no public exploit identified at time of analysis, and the CVSS 4.0 base score of 7.1 reflects high confidentiality impact with low-privilege network access.

Path Traversal Typemill
NVD GitHub
CVSS 4.0
7.1
EPSS
0.3%
CVE-2026-32682 HIGH This Week

Denial-of-service in F5 NGINX Gateway Fabric allows an authenticated Kubernetes user with rights to create or modify GRPCRoute resources to crash the control plane by submitting GRPCRoute objects containing malformed backendRef filters. The flaw, tracked under CWE-129 (Improper Validation of Array Index), carries a CVSS 4.0 score of 7.1 with pure availability impact and no public exploit identified at time of analysis.

Nginx Information Disclosure Nginx Gateway Fabric
NVD VulDB
CVSS 4.0
7.1
EPSS
0.3%
CVE-2024-49269 HIGH This Week

Unauthenticated Cross Site Scripting (XSS) in my flatonica <= 0.0.8 versions. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS My Flatonica
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-48759 HIGH This Week

Cross-workspace tampering in Typebot 3.15.2 and earlier allows any authenticated workspace member to modify or delete theme templates belonging to other workspaces by supplying a foreign themeTemplateId to the handleSaveThemeTemplate and handleDeleteThemeTemplate handlers. The handlers verify only that the caller is a non-guest member of the workspaceId argument but execute Prisma queries that omit workspaceId from the WHERE clause, producing an Insecure Direct Object Reference (CWE-639). No public exploit identified at time of analysis, and the issue was remediated in Typebot 3.16.0.

Authentication Bypass Typebot Io
NVD GitHub
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-54012 HIGH PATCH GHSA This Week

{id} content and delete endpoints. The flaw is a missing ownership check on model metadata that is later trusted as an authorization source by has_access_to_file(). A working proof-of-concept exercising the real insert sink and view_file branch is published in the GitHub Security Advisory, but no public exploit identified at time of analysis in CISA KEV.

Python Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-54007 HIGH PATCH GHSA This Week

Cross-origin postMessage abuse in Open WebUI versions <= 0.9.5 allows an attacker-controlled web page to inject and auto-submit prompts into an authenticated victim's chat session without the normal 'Confirm Prompt from Embed' dialog. By chaining the `input:prompt` and `action:submit` window message types, a remote site triggers backend calls to `/api/v1/chats/new` and `/api/chat/completions` under the victim's credentials. Publicly available exploit code exists in the GitHub Security Advisory, though it is not listed in CISA KEV.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-35066 HIGH This Week

Improper access control in Dell PowerFlex Manager allows a low-privileged remote attacker to trigger a denial-of-service condition and tamper with integrity-sensitive operations against the software-defined storage management plane. Dell disclosed the issue in advisory DSA-2026-066, and at the time of analysis no public exploit has been identified and the CVE is not on the CISA KEV list.

Dell Authentication Bypass Denial Of Service Powerflex
NVD VulDB
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-10641 HIGH PATCH This Week

Out-of-bounds write in Zephyr RTOS Bluetooth Classic Hands-Free Profile (HFP) parser allows an adjacent Bluetooth peer acting as an Audio Gateway to corrupt heap/static memory on devices with CONFIG_BT_HFP_HF enabled. A single malformed +CIND response sent during Service Level Connection setup can crash the Bluetooth host or corrupt adjacent connection state with no user interaction. No public exploit identified at time of analysis, and the upstream fix is available via commit cf7693a in the zephyrproject-rtos repository.

Denial Of Service Memory Corruption Buffer Overflow Zephyr
NVD GitHub
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-12566 LOW POC PATCH GHSA Monitor

Authentication token leakage in Black Lantern Security's bbot docker_pull module exposes Docker credentials to MITM attackers who can substitute the realm parameter in a forged WWW-Authenticate Bearer challenge. When bbot contacts a Docker registry and receives a 401 response, the vulnerable module blindly trusts the attacker-supplied realm URL and forwards authentication material to an arbitrary endpoint outside the legitimate registry domain. No public exploit code has been identified and the vulnerability is not listed in CISA KEV, but an upstream patch commit is available on GitHub.

SSRF Docker Bbot
NVD GitHub
CVSS 3.1
3.1
EPSS
0.2%
CVE-2026-55198 HIGH PATCH This Week

Cross-profile session data exfiltration in Hermes WebUI before 0.51.443 lets any authenticated user retrieve session transcripts belonging to other profiles by calling the session export endpoint with a guessed or known session ID. The flaw is a classic IDOR (CWE-639) in the _handle_session_export handler, which omits active-profile ownership checks before serializing the requested session. No public exploit identified at time of analysis, but VulnCheck published a coordinated advisory and the upstream fix is shipped in v0.51.443.

Authentication Bypass Hermes Webui
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.3%
CVE-2026-55197 HIGH PATCH This Week

Cross-profile session disclosure in Hermes WebUI before 0.51.443 lets any authenticated user retrieve conversation transcripts and metadata belonging to other profiles by passing a foreign session_id to the /api/session endpoint. The flaw is a classic IDOR (CWE-639) where profile boundary checks are missing on by-id reads. No public exploit identified at time of analysis, but the trigger is a single trivial GET request and the upstream patch openly describes the fix as 'scope session by-id reads + exports to active profile,' which discloses the bypass.

Authentication Bypass Hermes Webui
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.3%
CVE-2026-53875 HIGH PATCH This Week

Scanner evasion in picklescan versions prior to 1.0.3 lets an attacker smuggle malicious PyTorch pickle payloads past the scan_pytorch detection routine and gain arbitrary code execution when the model is later loaded with torch.load(). The bypass exploits a parser-differential between picklescan's pickletools.genops()-based magic-number extraction and PyTorch's pickle_module.load(), allowing a __reduce__(eval, ('MAGIC_NUMBER',)) trick to produce files that scan as clean but still deserialize correctly. A detailed proof-of-concept is published in the GHSA advisory and the VulnCheck writeup; no CISA KEV listing or EPSS score was supplied in the input.

Code Injection RCE Picklescan
NVD GitHub
CVSS 4.0
7.1
EPSS
0.4%
CVE-2026-40720 HIGH This Week

Unauthenticated reflected/stored cross-site scripting in Royal Elementor Addons Pro WordPress plugin versions prior to 1.7.1041 allows remote attackers to inject arbitrary JavaScript that executes in a victim's browser when they interact with a crafted link or page. No public exploit identified at time of analysis, but the unauthenticated nature combined with the popularity of Elementor-ecosystem plugins makes this a credible threat to WordPress sites running the Pro variant. Patchstack disclosure indicates a fixed version is available.

XSS Royal Elementor Addons Pro Elementor
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2025-69140 HIGH This Week

Reflected cross-site scripting in the SweetDate Core WordPress plugin versions prior to 1.1.5 allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser when the victim is lured into clicking a crafted link. The CVSS 3.1 score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C) reflects unauthenticated network reach with required user interaction and a scope change typical of stored/reflected XSS in browser contexts. No public exploit identified at time of analysis and no EPSS or KEV signal was provided.

XSS Sweetdate Core
NVD VulDB
CVSS 3.1
7.1
EPSS
0.2%
CVE-2025-68524 HIGH This Week

Reflected cross-site scripting in the Avante WordPress theme versions prior to 3.0.5 allows unauthenticated remote attackers to inject script that executes in a victim's browser when the victim clicks a crafted link. Reported by Patchstack with CVSS 7.1 (scope-changed), no public exploit identified at time of analysis, but the unauthenticated nature and prevalence of WordPress themes makes this a practical phishing/account-takeover lure against site visitors and logged-in administrators.

XSS Avante
NVD VulDB
CVSS 3.1
7.1
EPSS
0.2%
CVE-2025-31013 HIGH This Week

Reflected cross-site scripting in the Themify Folo WordPress theme (versions up to and including 1.9.6) allows remote attackers to execute arbitrary JavaScript in a victim's browser when the victim clicks a crafted link. The flaw is reported by Patchstack with a CVSS 3.1 base score of 7.1 driven by scope change and user interaction; no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.

XSS Themify Folo
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2026-54195 HIGH This Week

Unauthenticated reflected/stored cross-site scripting in the JetFormBuilder WordPress plugin versions 3.6.0.1 and earlier allows remote attackers to inject script into pages rendered to victims. Exploitation requires a victim to interact with a crafted link or form (UI:R), and successful payload execution can hijack sessions or perform actions in the victim's browser context. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

XSS Jetformbuilder
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2026-54192 HIGH This Week

Reflected cross-site scripting in the Ays Pro Popup Box WordPress plugin versions 6.2.9 and earlier allows remote unauthenticated attackers to execute arbitrary JavaScript in a victim's browser when the victim clicks a crafted link. The CVSS 7.1 score reflects scope change (S:C) typical of XSS escaping the plugin context into the broader WordPress session. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

XSS Popup Box
NVD VulDB
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-54189 HIGH This Week

Reflected or stored cross-site scripting in the JetEngine WordPress plugin (versions 3.8.10 and earlier) allows remote unauthenticated attackers to inject arbitrary script that executes in a victim's browser after the user is lured to a crafted link or page. The flaw was reported by Patchstack and carries a CVSS 3.1 score of 7.1 with scope change, reflecting impact on the WordPress session context beyond the vulnerable component. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

XSS Jetengine
NVD VulDB
CVSS 3.1
7.1
EPSS
0.1%
CVE-2026-54188 HIGH This Week

Unauthenticated cross-site scripting in the JetEngine WordPress plugin versions 3.8.10 and earlier allows remote attackers to inject malicious scripts that execute in the browser of any user who interacts with a crafted link or page. The CVSS 7.1 score reflects the scope change inherent to XSS (attacker-supplied JavaScript runs in the victim's site origin), and no public exploit has been identified at time of analysis. Successful exploitation can lead to session hijacking, credential theft, or administrative account takeover on affected WordPress sites.

XSS Jetengine
NVD VulDB
CVSS 3.1
7.1
EPSS
0.1%
CVE-2026-49778 HIGH This Week

Stored or reflected cross-site scripting in WPFunnels Pro WordPress plugin versions 2.9.4 and earlier allows unauthenticated remote attackers to inject malicious script that executes in a victim's browser when they interact with crafted content. The CVSS 3.1 score of 7.1 reflects the scope-changed impact (S:C) on the WordPress site, including potential session hijacking of administrators. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

XSS Wpfunnels Pro
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-49074 HIGH This Week

Unauthenticated reflected/stored cross-site scripting in the JetEngine WordPress plugin (versions <= 3.8.9.1) allows remote attackers to inject malicious script into pages rendered by the plugin, which then executes in the browser of any visitor who interacts with the crafted content. Successful exploitation enables session hijacking, credential theft, or administrative actions performed against logged-in WordPress users including site administrators. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

XSS Jetengine
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-42385 HIGH This Week

Unauthenticated reflected/stored cross-site scripting in the Cozmoslabs Profile Builder Pro WordPress plugin (versions 3.15.0 and earlier) allows remote attackers to inject arbitrary JavaScript that executes in a victim's browser after user interaction. The flaw carries a CVSS 3.1 score of 7.1 with scope change, meaning the injected script can affect resources beyond the vulnerable component (typically the WordPress admin session). No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

XSS Profile Builder Pro
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-41557 HIGH PATCH This Week

Reflected/stored cross-site scripting in the Kapee WordPress theme versions prior to 1.7.1 allows remote unauthenticated attackers to inject arbitrary script that executes in a victim's browser after user interaction, with a scope change that can impact other components beyond the vulnerable theme. No public exploit identified at time of analysis, but the vulnerability was disclosed via Patchstack with a CVSS of 7.1, reflecting the unauthenticated nature combined with required user interaction.

XSS Kapee
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-40765 HIGH This Week

Unauthenticated reflected/stored cross-site scripting in the Collectchat WordPress plugin versions 2.4.9 and earlier allows remote attackers to inject arbitrary JavaScript that executes in a victim's browser when they interact with a crafted link or page. No public exploit identified at time of analysis, but the unauthenticated nature combined with scope change (S:C) makes this attractive for opportunistic attacks against WordPress sites running the plugin.

XSS Collectchat
NVD
CVSS 3.1
7.1
EPSS
0.2%
Prev Page 6 of 9 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy