Skip to main content
CVE-2026-57291 MEDIUM This Month

Missing permission checks in Jenkins Gitee Plugin 1288.v18b_deb_c9069b_ and earlier allow any authenticated user holding the minimal Overall/Read Jenkins role to trigger outbound connections from the Jenkins controller to an attacker-specified URL using credential IDs sourced through a secondary method. This creates an SSRF-like primitive enabling internal network probing and credential ID validation without administrative access. No public exploit code has been identified at time of analysis, and SSVC confirms current exploitation status as none.

Jenkins Jenkins Gitee Plugin Authentication Bypass
NVD VulDB
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-9175 MEDIUM This Month

Unauthenticated information disclosure in the Devs Accounting WordPress plugin (all versions through 1.2.0) exposes private financial account records to any internet-connected attacker. The REST API endpoint /devs-accounting/v1/get-account/<id> was registered with a permission_callback that unconditionally returns true, entirely bypassing WordPress authorization. By sequentially enumerating integer account IDs, an unauthenticated attacker can harvest account names, bank names, and opening balances for every financial account stored in the plugin. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, though the trivial attack complexity makes opportunistic automation highly likely.

Information Disclosure Authentication Bypass WordPress Devs Accounting Simple Accounting And Invoicing Solution
NVD VulDB
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-13163 MEDIUM PATCH This Month

Open redirect in Mailerup's click-tracking endpoint allows remote unauthenticated attackers to redirect victims to arbitrary external domains by supplying a crafted `u` query parameter to `/c/<token>/`. The `_safe_redirect` function blocks only `javascript:` and `data:` schemes without restricting the destination host, and silently swallows `signing.BadSignature` exceptions - making token validation entirely bypassable. No CISA KEV listing or public exploit code has been identified; exploitation requires victim interaction but no attacker authentication against the Mailerup instance.

Open Redirect Mailerup
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.3%
CVE-2026-9612 MEDIUM This Month

Unauthenticated mass PII harvesting is possible on any WordPress site running the WhatsOrder - Instant Checkout for WooCommerce plugin (all versions through 1.0.1) because the plugin writes customer invoice HTML files to a publicly accessible directory with no access restrictions. The `yapacdev_generate_order_pdf` function deposits invoices under `wp-content/uploads/whatsorder_invoices/` without generating an `.htaccess` deny rule or `index.php` guard, and because WooCommerce uses predictable sequential order IDs, any remote attacker can enumerate and download every customer invoice with no authentication. Exposed data includes full name, email, phone number, billing address, itemized order contents with pricing, applied coupon codes, shipping method, and order total. No public exploit code has been identified at time of analysis and this vulnerability is not listed in the CISA KEV catalog.

Information Disclosure PHP WordPress Whatsorder Instant Checkout For Woocommerce
NVD
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-7617 MEDIUM This Month

Unauthenticated remote attackers can disconnect any WordPress site running the Secufor_OAuth plugin from its linked Secufor identity account by triggering an unprotected action handler that clears the stored OAuth token and login configuration. All plugin versions through 1.0.7 are affected, confirmed by Wordfence and traceable to specific lines in the plugin source. No public exploit has been identified at time of analysis, and no CISA KEV listing is present, though the trivially low attack complexity (AV:N/AC:L/PR:N) means exploitation requires only an HTTP request.

Authentication Bypass WordPress Secufor Oauth
NVD
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-12094 MEDIUM This Month

Unauthenticated data deletion in the Advanced Contact Form 7 - Compact DB WordPress plugin (versions up to and including 1.0.0) allows any remote attacker to permanently destroy all stored contact form submissions. The root cause is registration of the deletion handler against the `wp_ajax_nopriv_cf7cdb_delete` hook, which WordPress exposes to unauthenticated users, combined with a complete absence of nonce verification, capability checks, and ownership validation before invoking `$wpdb->delete()`. No public exploit or CISA KEV listing has been identified at time of analysis, but exploitation is trivially automatable due to sequential integer primary keys and no authentication barrier.

Authentication Bypass WordPress Advanced Contact Form 7 Compact Db
NVD
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-8690 MEDIUM This Month

Authorization bypass in the RentMy Real-Time Rental Management Plugin for WordPress exposes full CRUD control over rental event records and location configuration to unauthenticated remote attackers, affecting all versions through 4.0.4.1. The root cause is missing authorization checks in the plugin's AJAX handler class (class-rentmy-ajax.php), allowing any unauthenticated visitor to invoke privileged actions via WordPress's standard AJAX endpoint. No public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the zero-barrier entry point - unauthenticated, network-accessible, low complexity - means any exposed deployment is immediately at risk without requiring attacker sophistication.

Authentication Bypass WordPress Rentmy Real Time Rental Management Plugin
NVD
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-8617 MEDIUM This Month

Unauthenticated token manipulation in the SearchPlus WordPress plugin (versions up to and including 1.7.1) allows any remote visitor to overwrite or delete the plugin's stored API credentials by invoking two unprotected AJAX callbacks. Both searchplus_save_token_action_callback() and searchplus_reset_token_action_callback() are registered via wp_ajax_nopriv_ hooks and lack both capability checks and nonce validation, making them freely accessible without authentication. No public exploit or active exploitation has been identified at time of analysis, and real-world impact is limited to disruption of the plugin's search functionality or substitution of attacker-controlled account tokens.

Authentication Bypass WordPress Searchplus
NVD
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-9172 MEDIUM This Month

{id}' without a permission_callback, which causes WordPress core to expose it publicly with no credential check whatsoever. No active exploitation has been confirmed (not listed in CISA KEV), and no public exploit code has been identified at time of analysis, though the trivial attack mechanics require no specialized tooling.

Authentication Bypass WordPress Devs Accounting Simple Accounting And Invoicing Solution
NVD VulDB
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-55455 MEDIUM PATCH This Month

Server-side request forgery in Appsmith prior to version 2.1 allows authenticated users to reach loopback-bound services inside the deployment container by exploiting a split code path in host validation logic. The WebClientUtils component used by REST API and GraphQL datasource plugins enforces only an exact-match string denylist, while the comprehensive address-class check covering loopback, any-local, link-local, and fc00::/7 IPv6 ranges exists solely on the SMTP plugin code path - leaving the HTTP path bypassable. No public exploit code has been identified at time of analysis, and this CVE does not appear in the CISA KEV catalog.

SSRF Appsmith
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-53949 MEDIUM PATCH This Month

Filter validation bypass in Ghost CMS public API endpoints exposes private fields - including password hashes - to unauthenticated remote attackers via repeated brute-force probing. Instances running SQLite are most severely impacted: full password hashes are recoverable, enabling offline cracking. MySQL-backed instances leak structurally degraded hashes (case information lost), which the vendor assesses would render subsequent cracking attempts fruitless. No public exploit code exists and the vulnerability is not in CISA KEV at time of analysis, but the unauthenticated, network-accessible nature of the flaw lowers the bar for opportunistic discovery.

Node.js Information Disclosure Ghost
NVD GitHub
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-56351 MEDIUM PATCH This Month

SQL injection in n8n's MySQL, PostgreSQL, and Microsoft SQL database integration nodes (all versions before 2.4.0) allows authenticated users with workflow creation permissions to execute arbitrary SQL commands against connected databases by supplying crafted identifier values - table or column names - in node configuration parameters. The nodes failed to escape SQL identifiers when constructing queries, bypassing the safety guarantees users expected from parameterized inputs and enabling injection that directly impacts downstream database confidentiality and integrity. Reported by the NATO Cyber Security Centre; vendor-released patch is confirmed in n8n 2.4.0, with no public exploit code or CISA KEV listing identified at time of analysis.

PostgreSQL SQLi Microsoft N8n
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-53947 MEDIUM PATCH This Month

Ghost CMS versions 5.18.0 through 6.21.1 expose registered member email addresses to unauthenticated enumeration via observable discrepancies in the members signin endpoint responses. Any Ghost site with the members feature active is affected, allowing an attacker to silently probe whether arbitrary email addresses belong to site subscribers. No public exploit or active exploitation (CISA KEV) has been identified; vendor patch is available in 6.21.1.

Node.js Information Disclosure Ghost
NVD GitHub
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-13030 MEDIUM PATCH This Month

Uninitialized GPU memory use in Google Chrome on Android before 149.0.7827.197 exposes process memory contents to remote attackers without requiring authentication. An attacker who induces a user to load a crafted HTML page can read potentially sensitive data from Chrome's GPU process memory, consistent with the High confidentiality impact assigned in the CVSS vector. No public exploit code exists at time of analysis, and CISA's SSVC framework classifies exploitation as none and not automatable with only partial technical impact - indicating this is a patch-cycle priority rather than an emergency response item.

Information Disclosure Google
NVD VulDB
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-13023 MEDIUM PATCH This Month

Uninitialized GPU memory use in Google Chrome prior to 149.0.7827.197 enables a second-stage attacker who has already compromised the renderer process to read sensitive data from GPU process memory via a crafted HTML page. Classified as CWE-457 (Use of Uninitialized Variable), the flaw creates an information disclosure path within Chrome's multi-process architecture. No public exploit exists, CISA has not listed this in KEV, and SSVC rates exploitation as none - but the C:H confidentiality impact rating reflects meaningful data exposure if an attacker successfully chains this with a renderer exploit.

Information Disclosure Google Red Hat
NVD VulDB
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-56310 MEDIUM PATCH This Month

Authorization bypass in Capgo (cap-go before 12.128.2) allows holders of org-limited API keys to read membership data from organizations outside their assigned scope by calling the GET /organization/members endpoint without proper enforcement of limited_to_orgs restrictions. Exposed fields include uid, email, image_url, role, and is_tmp - sufficient to enumerate organization membership and email addresses across tenants. No public exploit identified at time of analysis; CVSS 4.0 scores this at 5.3 reflecting a low-privilege, network-accessible attack with limited confidentiality impact.

Authentication Bypass Capgo
NVD GitHub
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-56761 MEDIUM PATCH This Month

HTML injection in Hono's JSX server-side rendering engine (versions before 4.12.14) allows network-accessible attackers to corrupt rendered HTML output by supplying malformed attribute names containing characters such as quotes or angle brackets. Applications that pass untrusted external input - query parameters, form data, or other user-controlled values - directly as JSX attribute keys during SSR are affected. No active exploitation has been confirmed and no public exploit code has been identified at time of analysis; however, successful exploitation against vulnerable application patterns can escalate to cross-site scripting if the injected HTML includes event handlers processed by the victim's browser.

XSS Hono
NVD GitHub
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-46349 MEDIUM PATCH This Month

Linked-Data Signature normalization in Mastodon's ActivityPub federation layer permits activity spoofing against servers running versions prior to 4.5.10, 4.4.17, and 4.3.23. An attacker can take a legitimately signed JSON-LD activity from a real third-party actor, re-arrange its structure, and relay it to a target Mastodon instance where it passes signature validation but is interpreted with altered semantic meaning. No public exploit has been identified at time of analysis, and this vulnerability is not listed in CISA KEV, though the integrity impact on federated social graph trust is meaningful for operators of public-facing instances.

Jwt Attack Information Disclosure Mastodon
NVD GitHub
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-50128 MEDIUM PATCH This Month

Signature bypass in Mastodon's ActivityPub federation layer allows remote unauthenticated attackers to falsely attribute article authorship by manipulating the `toot:attributionDomains` property of signed Update activities. Affected are all Mastodon instances running versions 4.3.0 through 4.5.10 or 4.4.x through 4.4.17, where a JSON-LD definition error renders Linked Data Signatures on this specific property non-binding. No public exploit code and no CISA KEV listing have been identified at time of analysis, but the low attack complexity (CVSS AV:N/AC:L/PR:N) and the federated, internet-exposed nature of the protocol make exploitation straightforward for any actor able to send ActivityPub messages.

Authentication Bypass Mastodon
NVD GitHub
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-49979 MEDIUM This Month

Server-side request forgery and internal network enumeration in Appsmith (prior to 1.99) is enabled by the POST /api/v1/admin/send-test-email endpoint accepting attacker-controlled smtpHost and smtpPort values, which JavaMail uses to establish raw TCP connections without IP address validation - completely bypassing the application's existing WebClientUtils.IP_CHECK_FILTER. Verbatim MailException error messages are returned in API responses, enabling authenticated administrators (or attackers who have compromised admin credentials) to probe internal network topology, enumerate open ports, and harvest service banners. No public exploit identified at time of analysis; the vulnerability is fixed in version 1.99.

Java Information Disclosure Appsmith
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.3%
CVE-2026-56358 MEDIUM PATCH This Month

Stored XSS in n8n's Form Trigger node allows any authenticated low-privilege user with workflow creation rights to inject persistent malicious scripts that execute for every visitor of a published form. Affects n8n 1.x before 1.123.25 and 2.x from 2.0.0-rc.0 before 2.11.2. No public exploit or active exploitation identified at time of analysis; the CVSS 4.0 score of 5.1 reflects partial CSP mitigation blocking session cookie theft while still permitting form hijacking and phishing against unlimited downstream victims.

XSS N8n
NVD GitHub
CVSS 4.0
5.1
EPSS
0.1%
CVE-2026-50701 MEDIUM This Month

Reflected Cross-Site Scripting in Frappe Framework 17.0.0-dev's dashboard-view component allows unauthenticated remote attackers to inject and execute arbitrary JavaScript in a victim's browser by tricking them into clicking a specially crafted URL. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:A) confirms no authentication is required from the attacker, though victim interaction is mandatory. Impact is confined to the subsequent system (victim browser session), with low integrity and confidentiality consequences; no active exploitation or public POC has been identified at time of analysis.

XSS Frappe Framework
NVD GitHub
CVSS 4.0
5.1
EPSS
0.3%
CVE-2026-57282 MEDIUM This Month

Jenkins Git client Plugin 6.6.0 and earlier does not correctly escape the workspace directory name when it is embedded into a generated SSH wrapper script, allowing attackers able to control the name of a build's working directory to execute arbitrary operating system commands on the agent.

Jenkins Jenkins Git Client Plugin Command Injection
NVD VulDB
CVSS 3.1
5.0
EPSS
0.2%
CVE-2026-56370 MEDIUM PATCH This Month

Out-of-bounds read in ImageMagick's ConnectedComponentsImage() function allows local attackers to trigger access violations by supplying malformed connected-components artifact definitions via the CLI, leading to denial of service or potential arbitrary code execution. All ImageMagick releases before 7.1.2-19 are affected, as are Magick.NET NuGet packages before 14.12.0. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the RCE and information-disclosure tags warrant attention in environments that process untrusted image inputs through automated pipelines.

Denial Of Service RCE Buffer Overflow Information Disclosure Imagemagick +2
NVD GitHub VulDB
CVSS 4.0
4.8
EPSS
0.1%
CVE-2026-57289 MEDIUM This Month

Jenkins Bitbucket Push and Pull Request Plugin versions 3.3.8 and earlier unconditionally disables SSL/TLS certificate and hostname validation for all outbound Bearer token authenticated requests to configured Bitbucket Server endpoints, creating a man-in-the-middle exposure. Any attacker positioned to intercept network traffic on the path between the Jenkins controller and the Bitbucket Server can capture the Bearer token and subsequently authenticate directly to the Bitbucket Server API. No public exploit is identified at time of analysis, and SSVC rates exploitation as none with partial technical impact; however, the token capture risk is non-trivial for deployments routing Jenkins traffic over untrusted or shared network segments.

Jenkins Information Disclosure Jenkins Bitbucket Push And Pull Request Plugin
NVD VulDB
CVSS 3.1
4.8
EPSS
0.1%
CVE-2026-50712 MEDIUM This Month

Stored XSS in Frappe Framework 17.0.0-dev allows authenticated low-privileged users to inject persistent malicious scripts via the frappe.ui.Tree component, which then execute in the browsers of other users who load the affected tree view. Reported by Fluid Attacks, this vulnerability carries a CVSS 4.0 score of 4.8 reflecting cross-user scope change impact despite limited direct system compromise. No confirmed active exploitation (not in CISA KEV) and no public exploit code has been identified at time of analysis.

XSS Frappe Framework
NVD GitHub
CVSS 4.0
4.8
EPSS
0.2%
CVE-2026-50709 MEDIUM This Month

Stored Cross-Site Scripting in Frappe Framework 17.0.0-dev allows an authenticated low-privileged user to inject persistent JavaScript payloads via the Notifications > Events panel, which execute in the browser context of any user who subsequently views that panel. The CVSS 4.0 vector confirms subsequent-system scope impact (SC:L/SI:L), meaning the attack targets other users rather than the attacker's own session. No public exploit has been identified and this CVE is not listed in the CISA Known Exploited Vulnerabilities catalog.

XSS Frappe Framework
NVD GitHub
CVSS 4.0
4.8
EPSS
0.2%
CVE-2026-50708 MEDIUM This Month

Stored XSS in Frappe Framework 17.0.0-dev's MultiSelectDialog component allows authenticated low-privileged attackers to inject persistent malicious scripts that execute in other users' browsers when the compromised UI element is rendered. Per the CVSS 4.0 vector (PR:L/UI:A/SC:L/SI:L), exploitation requires a valid low-privilege account and active victim interaction, but the scope change to the subsequent system confirms cross-user impact on confidentiality and integrity. No public exploit code and no CISA KEV listing exist at time of analysis; the 17.0.0-dev designation suggests exposure may currently be limited to pre-release or development deployments.

XSS Frappe Framework
NVD GitHub
CVSS 4.0
4.8
EPSS
0.2%
CVE-2026-50703 MEDIUM This Month

Stored Cross-Site Scripting in Frappe Framework 17.0.0-dev allows an authenticated low-privileged user to inject persistent malicious scripts via the Desk desktop icon renderer, which then execute in the browsers of other users - including administrators - who subsequently view the affected Desk interface. The vulnerability was reported by Fluid Attacks and carries a CVSS 4.0 score of 4.8 (Medium), reflecting cross-user impact limited to the subsequent-system scope (SC:L/SI:L). No public exploit code or active exploitation has been identified at time of analysis.

XSS Frappe Framework
NVD GitHub
CVSS 4.0
4.8
EPSS
0.2%
CVE-2026-53008 MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel ICE (Intel Ethernet Controller) driver allows a local low-privileged attacker to trigger a kernel panic via a race condition during TX timestamp ring teardown. The flaw exists in systems using Intel ICE-series NICs with TX timestamping configured, where concurrent execution of ice_free_tx_tstamp_ring() and ice_tx_map() across CPU cores can cause CPU B to dereference a pointer that CPU A has already set to NULL. No public exploit or active exploitation has been identified; EPSS is 0.15% (5th percentile), consistent with its local, timing-dependent nature.

Denial Of Service Race Condition Linux
NVD VulDB
CVSS 3.1
4.7
EPSS
0.2%
CVE-2026-13034 MEDIUM PATCH This Month

Site isolation bypass in Google Chrome's Passwords implementation allows a remote attacker who has already compromised the renderer process to cross origin boundaries via a crafted HTML page. Affected versions are all Chrome releases prior to 149.0.7827.197 on desktop platforms. Google has confirmed this as a High severity Chromium issue; no public exploit code or active exploitation has been identified at time of analysis, and CISA SSVC categorizes exploitation status as none.

Authentication Bypass Google
NVD VulDB
CVSS 3.1
4.7
EPSS
0.1%
CVE-2026-10642 MEDIUM PATCH This Month

Infinite-loop denial of service in the Zephyr RTOS PL011 UART driver (v4.1.0-v4.4.0) permanently stalls any thread that calls uart_irq_tx_enable() - including the Bluetooth HCI H4 send path - when CTS hardware flow control is enabled and the wired peer withholds CTS during transmission. The root cause is a software workaround loop (CWE-835) that compensates for the PL011 controller's level-transition TX interrupt behavior but never exits when pl011_fifo_fill() returns 0 due to a blocked CTS line. No public exploit has been identified and the vulnerability is not listed in the CISA KEV catalog; exploitation requires physical or hardware-adjacent control of the UART CTS pin, materially constraining real-world risk.

Denial Of Service Zephyr
NVD GitHub
CVSS 3.1
4.6
EPSS
0.2%
CVE-2026-50711 MEDIUM This Month

Stored Cross-Site Scripting in Frappe Framework 17.0.0-dev allows a high-privileged authenticated user to inject persistent malicious scripts into the Number Card dashboard component, which then execute in the browsers of other users who view the affected dashboard. The CVSS 4.0 vector (PR:H/UI:A) confirms exploitation requires admin-level access to plant the payload and a victim's browser interaction to trigger it, limiting realistic blast radius despite the network delivery vector. No public exploit code or CISA KEV listing has been identified at time of analysis.

XSS Frappe Framework
NVD GitHub
CVSS 4.0
4.6
EPSS
0.3%
CVE-2026-50710 MEDIUM This Month

Stored XSS in Frappe Framework version 17.0.0-dev allows a high-privileged authenticated user to inject malicious JavaScript through the Number Card dashboard component, which subsequently executes in other authenticated users' browser sessions when they view affected dashboards. The CVSS 4.0 score of 4.6 (Medium) reflects the dual constraint of requiring high-privilege credentials to plant the payload and active victim interaction to trigger it - both of which meaningfully limit real-world exploitability. No public exploit code or CISA KEV listing is identified at time of analysis; this was reported by Fluid Attacks.

XSS Frappe Framework
NVD GitHub
CVSS 4.0
4.6
EPSS
0.3%
CVE-2026-50705 MEDIUM This Month

Cross-site scripting in Frappe Framework 17.0.0-dev allows a high-privileged attacker who can modify the Form Dashboard headline to inject malicious JavaScript that executes in the browsers of other users who subsequently view the affected form. The CVSS 4.0 vector (PR:H/UI:A) confirms exploitation is gated behind two significant barriers: attacker must hold high-privilege application credentials and a victim must actively navigate to the injected form. No public exploit code and no active exploitation (CISA KEV) have been identified at the time of analysis; this was reported by Fluid Attacks.

XSS Frappe Framework
NVD GitHub
CVSS 4.0
4.6
EPSS
0.3%
CVE-2026-50704 MEDIUM This Month

Stored XSS in Frappe Framework 17.0.0-dev allows a high-privileged attacker to inject persistent malicious scripts into the File View breadcrumb renderer, which then execute in the browsers of other users who navigate to the affected view. The CVSS 4.0 vector (PR:H, UI:A, SC:L/SI:L) confirms that while network delivery is possible, exploitation is constrained by the need for elevated access to inject the payload and victim interaction to trigger it, with impact limited to the subsequent system (victim browser). No public exploit code or CISA KEV listing has been identified at time of analysis.

XSS Frappe Framework
NVD GitHub
CVSS 4.0
4.6
EPSS
0.3%
CVE-2026-50700 MEDIUM This Month

Stored XSS in Frappe Framework 17.0.0-dev allows high-privileged authenticated attackers to inject persistent malicious scripts via the `frappe.get_avatar` function, which execute in victims' browsers when the crafted content is rendered. The CVSS 4.0 score of 4.6 (Medium) reflects the PR:H requirement to store the payload and UI:A requirement for victim interaction, with impact limited to subsequent systems (other users' sessions). No public exploit or active exploitation has been identified at time of analysis.

XSS Frappe Framework
NVD GitHub
CVSS 4.0
4.6
EPSS
0.3%
CVE-2026-50699 MEDIUM This Month

Stored Cross-Site Scripting in Frappe Framework 17.0.0-dev allows an authenticated attacker with write access to the Auto Repeat module to inject persistent HTML/JavaScript into the reference_document field via a whitelisted write path, bypassing server-side input controls. When any user opens the affected Auto Repeat form, the injected payload executes in their browser context, enabling session hijacking, credential theft, or unauthorized UI manipulation on behalf of the victim. No public exploit code or confirmed active exploitation (CISA KEV) has been identified at time of analysis; however, the stored (persistent) nature of this XSS makes it more dangerous than reflected variants within shared Frappe deployments.

XSS Frappe Framework
NVD GitHub
CVSS 4.0
4.6
EPSS
0.3%
CVE-2026-50698 MEDIUM This Month

Stored XSS in Frappe Framework 17.0.0-dev allows a high-privileged authenticated attacker to inject persistent malicious scripts into the Audit Trail component, which then execute in the browsers of other privileged users who view that trail. The vulnerability arises from improper input neutralization (CWE-79) before HTML rendering in the audit logging subsystem, and is assigned a CVSS 4.0 score of 4.6 reflecting the high-privilege prerequisite and required victim interaction. No public exploit code has been identified and this CVE is not listed in CISA KEV at time of analysis.

XSS Frappe Framework
NVD GitHub
CVSS 4.0
4.6
EPSS
0.3%
CVE-2026-47733 MEDIUM PATCH This Month

Stored XSS in Rocket.Chat's Gazzodown Markdown renderer allows authenticated users to inject javascript: protocol URIs into image elements that execute arbitrary JavaScript in a victim's browser session upon click. The ImageElement component in versions prior to 8.5.0 omits the sanitizeUrl() guard applied by the analogous LinkSpan component, creating an inconsistency that bypasses javascript:, data:, and vbscript: protocol blocking. No public exploit has been identified at time of analysis; exploitation is constrained to legacy browsers and requires victim interaction, reflected in the official CVSS score of 4.4 Medium.

XSS
NVD GitHub
CVSS 3.1
4.4
EPSS
0.1%
CVE-2026-9619 MEDIUM This Month

Authorization bypass in the Reviews and Rating - Docplanner WordPress plugin (versions ≤ 1.1.4) allows any authenticated subscriber-level user to invoke privileged plugin actions without proper capability checks. Exploitation enables two distinct abuse paths: triggering server-side outbound scraping of attacker-controlled or arbitrary external URLs with results written to the wp_dp_reviews database table, and dispatching feature-request emails impersonating the site administrator's address. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.

Authentication Bypass WordPress Reviews And Rating Docplanner
NVD
CVSS 3.1
4.3
EPSS
0.3%
CVE-2026-54686 MEDIUM PATCH This Month

Terminal lifecycle hook spoofing in Warp versions prior to 0.2026.05.06.15.42.stable_01 allows an attacker who controls terminal output viewed by a victim to inject unauthenticated shell integration hooks into the PTY stream, causing Warp to accept falsified session metadata - including spoofed current working directory and SSH session transport parameters. Exploitation requires user interaction (the victim must view attacker-controlled terminal content in Warp), and no public exploit code has been identified at time of analysis. The CVSS-assigned availability impact (A:L) and absence of integrity impact (I:N) appear inconsistent with the described spoofing behavior; session state falsification is the primary operational concern for affected users.

Command Injection Warp
NVD GitHub
CVSS 3.1
4.3
EPSS
0.3%
CVE-2026-57284 MEDIUM This Month

Jenkins Pipeline: Groovy Plugin 4331.v9d06ed4658ff and earlier does not restrict the types that can be instantiated through the Pipeline Snippet Generator, allowing attackers to instantiate types related to job or system configuration other than Pipeline steps.

Jenkins Information Disclosure Jenkins Pipeline
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-9616 MEDIUM This Month

Authorization bypass in the Generate Security.txt WordPress plugin (all versions through 1.0.12) allows authenticated attackers with subscriber-level access to delete the site's security.txt file or create the .well-known directory by invoking unprotected AJAX actions directly. The root cause is a failure to verify user capabilities before executing the delete_securitytxt and create_wellknown_folder AJAX handlers, a classic CWE-862 (Missing Authorization) pattern reported by Wordfence. No public exploit or CISA KEV listing has been identified at time of analysis, and with a CVSS score of 4.3 and limited integrity impact, this is a low-urgency but straightforward-to-exploit flaw for any authenticated WordPress user.

Authentication Bypass WordPress Generate Security Txt
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-8614 MEDIUM This Month

Unauthorized settings deletion in the Assistio WordPress plugin (versions ≤ 1.1.2) allows any authenticated Subscriber-level user to invoke the assistio_plugin_delete_assistio_settings() function and wipe critical plugin options, including the 'assistiobot_oauth_settings' OAuth token, breaking the site's Assistio bot integration. The function lacks both WordPress capability verification and nonce validation - two standard WordPress security controls - meaning the authorization boundary is entirely absent. No public exploit has been identified at time of analysis and no CISA KEV listing exists; the CVSS score of 4.3 accurately reflects the limited but real integrity impact against low-privilege authenticated attackers.

Authentication Bypass WordPress Assistio
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-48789 MEDIUM PATCH This Month

Path traversal in AnythingLLM's document folder listing endpoint on Windows allows authenticated low-privilege users to enumerate directories outside the intended documents directory. The root cause is a platform-specific gap in the shared path containment helper: it correctly rejects POSIX-style '../' sequences but fails to reject Windows-style parent path segments produced by Node.js path.relative(), such as bare '..'. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified, consistent with the Medium CVSS score of 4.3 and the authentication requirement.

Path Traversal Microsoft Anything Llm
NVD GitHub
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-8688 MEDIUM This Month

Authorization bypass in the Advance Nav Menu Manager WordPress plugin (all versions through 1.3) permits any authenticated subscriber-level user to manipulate site navigation menus without authorization. The plugin invokes wp_insert_post() for nav_menu_item operations - duplicate, copy, move, and publish - without enforcing capability checks, allowing low-privilege users to alter navigation structure at will. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV; however, the low barrier to exploitation (any registered subscriber account) makes it a meaningful risk on sites with open or compromised user registration.

Authentication Bypass WordPress Advance Nav Menu Manager
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-9184 MEDIUM This Month

Unauthorized token overwrite in the 24liveblog WordPress plugin (versions ≤ 2.2) enables any authenticated user with author-level access or above to hijack the site's 24liveblog service integration. The AJAX handler update_lb24_token() validates only a nonce that is automatically distributed to all block-editor-capable users, but performs no capability check and does not verify that the supplied user_id matches the requester - allowing an author-level attacker to overwrite lb24_token, lb24_uid, lb24_refresh_token, and lb24_uname meta fields for any account including administrators. No public exploit code or CISA KEV listing has been identified at time of analysis, and CVSS rates this as medium-low (4.3), consistent with the authenticated-only, integrity-limited impact.

Authentication Bypass WordPress 24Liveblog Live Blog Tool
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-9183 MEDIUM This Month

Authenticated information disclosure in the 24liveblog WordPress plugin (versions ≤ 2.2) exposes third-party API credentials - including OAuth access tokens, refresh tokens, account UIDs, and usernames - to any contributor-level WordPress user who opens the block editor. The plugin's lb24_block_enqueue_scripts() function, hooked to enqueue_block_editor_assets, retrieves administrator-configured integration secrets from the WordPress options table and renders them into the page as a JavaScript global object (lb24BlockData) for all non-administrator users, where they are readable via basic browser source inspection. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in CISA KEV, but exploitation is trivially simple for any user holding a WordPress contributor account.

Information Disclosure WordPress 24Liveblog Live Blog Tool
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-57286 MEDIUM This Month

A missing permission check in Jenkins Git Parameter Plugin 462.vdcf3df2ed2ca_ and earlier allows attackers with Item/Read permission to obtain information about the SCM repository used by a job, such as branch names, tag names, and revision metadata.

Jenkins Jenkins Git Parameter Plugin Authentication Bypass
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%
Prev Page 3 of 4 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy