Skip to main content
CVE-2026-57285 MEDIUM This Month

A missing permission check in Jenkins GitHub Branch Source Plugin 1967.1969.v205fd594c821 and earlier allows attackers with Overall/Read permission to obtain the URLs of GitHub Enterprise servers configured in the global plugin configuration.

Jenkins Jenkins Github Branch Source Plugin Authentication Bypass Red Hat
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-6292 MEDIUM This Month

Cross-Site Request Forgery in the MP Customize Login Page WordPress plugin (all versions ≤ 1.0) enables unauthenticated remote attackers to overwrite login page settings - background, logo URL, image dimensions, button colors, and login message - by tricking a logged-in administrator into submitting a crafted request. The root cause is a doubly defective nonce implementation in enter_mpclp_login_options(): the check is logically inverted (blocking valid nonces while passing invalid ones) and the required action parameter is omitted from wp_verify_nonce(), rendering the entire check dead code. Compounding this, the settings handler is registered on the init hook without any capability gate, so no privilege level is required from the attacker. No public exploit has been identified at time of analysis, and active exploitation has not been confirmed by CISA KEV.

WordPress CSRF Mp Customize Login Page
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-57302 MEDIUM This Month

Jenkins FitNesse Plugin 1.36 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Extended Read permission or access to the Jenkins controller file system.

Jenkins Information Disclosure Jenkins Fitnesse Plugin
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-57300 MEDIUM This Month

A missing permission check in Jenkins MCP Server Plugin 0.177.v629fdb_2557fe and earlier allows attackers with Item/Read permission to read the Pipeline replay scripts of jobs they can access.

Jenkins Jenkins Mcp Server Plugin Authentication Bypass
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-52795 MEDIUM This Month

Private repository metadata in Gogs 0.14.3 and earlier leaks to any authenticated user due to a boolean inversion in the Watch API access control check. An authenticated attacker who watches a private repository they are not authorized to view will receive commit messages, branch names, issue titles, and PR details via their dashboard activity feed - and full issue and comment content via email if notifications are enabled. No public exploit has been identified at time of analysis, though the single-line boolean fix published in the upstream commit makes the flaw trivial to reproduce by any authenticated user who reads the commit diff.

Authentication Bypass Gogs
NVD GitHub
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-57299 MEDIUM This Month

Missing authorization checks in Jenkins Contrast Continuous Application Security Plugin 3.11 and earlier allow any authenticated Jenkins user with the low-privilege Overall/Read permission to enumerate the names of configured Contrast metadata via a network-accessible endpoint. The vulnerability is classified CWE-862 (Missing Authorization) and has an EPSS score of 0.15% (4th percentile), indicating negligible real-world exploitation activity. No public exploit code and no CISA KEV listing have been identified, making this a low-urgency but real information-disclosure concern for multi-tenant Jenkins environments with untrusted users.

Authentication Bypass Jenkins Jenkins Contrast Continuous Application Security Plugin
NVD VulDB
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-57297 MEDIUM This Month

Missing authorization in Jenkins Contrast Continuous Application Security Plugin 3.11 and earlier permits any authenticated Jenkins user holding the minimal Overall/Read permission to invoke a connection test endpoint with fully attacker-controlled URL, username, API key, and service key. This enables the Jenkins server to make arbitrary outbound HTTP connections - a Server-Side Request Forgery (SSRF)-class impact - without the elevated privileges that should guard such functionality. No public exploit has been identified at time of analysis and EPSS sits at the 4th percentile, indicating low current exploitation probability despite network reachability.

Authentication Bypass Jenkins Jenkins Contrast Continuous Application Security Plugin
NVD VulDB
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-10552 MEDIUM This Month

Cross-Site Request Forgery in the Blue Captcha WordPress plugin (versions ≤ 2.0.1) allows unauthenticated attackers to trigger destructive administrative operations - including plugin uninstall, audit log deletion, Hall of Shame wipe, and arbitrary IP blocklist manipulation - by tricking a logged-in administrator into clicking a crafted link. The root cause is a complete absence of nonce validation (`wp_verify_nonce`, `check_admin_referer`, `check_ajax_referer`) across all admin handler entry points, confirmed by Wordfence with direct source code references. No public exploit has been identified at time of analysis, and no patched version has been confirmed.

WordPress CSRF Blue Captcha
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-9724 MEDIUM This Month

Cross-Site Request Forgery in the MotorDesk WordPress plugin (all versions ≤ 1.1.2) allows unauthenticated remote attackers to overwrite critical plugin configuration settings by tricking a logged-in administrator into clicking a crafted link. The vulnerable function motordesk_admin_home in motordesk_admin.php lacks proper WordPress nonce validation, meaning the server accepts state-changing POST requests without confirming the administrator intentionally submitted them. No public exploit code has been identified at time of analysis; the CVSS 4.3 Medium score accurately reflects the social-engineering dependency, though the custom template directory path setting warrants secondary scrutiny for potential path traversal chaining.

WordPress CSRF Motordesk
NVD VulDB
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-11997 MEDIUM This Month

Cross-Site Request Forgery in the Bulk SEO Image WordPress plugin (versions ≤ 1.1) enables unauthenticated attackers to bulk-overwrite every image ALT-text attribute across all published posts and pages on a target site by tricking an authenticated administrator into visiting a malicious page. The plugin's core handler BulkSeoImage() dispatches to launchbulk() and BulkSeoImageGo() whenever a POST request includes the 'bulkseoimage' parameter, with no wp_nonce_field() emitted in the form and no check_admin_referer() or wp_verify_nonce() call gating execution - confirmed by direct source code review at the plugin's Trac repository. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

WordPress CSRF Bulk Seo Image
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-57287 MEDIUM This Month

Jenkins Job Configuration History Plugin version 1356.ve360da_6c523a_ and earlier exposes encrypted secret values to any Jenkins user holding Extended Read permission by failing to apply Jenkins' standard secret redaction when rendering historical job and agent configurations. Encrypted credential values that Jenkins would normally mask are displayed in full within the plugin's history view, potentially enabling offline analysis of those values. No public exploit or active exploitation has been identified; SSVC rates this as non-automatable with partial technical impact.

Jenkins Information Disclosure Jenkins Job Configuration History Plugin
NVD VulDB
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-57283 MEDIUM This Month

Cross-site request forgery in the Jenkins Pipeline: Groovy Plugin (versions up to and including 4331.v9d06ed4658ff) enables authenticated low-privilege users to instantiate arbitrary Java types related to job or system configuration by exploiting the unprotected Pipeline Snippet Generator endpoint. The attacker can reach types outside the normally permitted set of Pipeline steps, potentially influencing configuration objects that should be off-limits at their privilege level. No public exploit code has been identified at time of analysis, and CISA SSVC rates exploitation as none with non-automatable delivery.

CSRF Jenkins Jenkins Pipeline Red Hat
NVD VulDB
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-13021 MEDIUM PATCH This Month

Same-origin policy bypass in Google Chrome's DeviceBoundSessionCredentials (DBSC) feature affects all Chrome versions prior to 149.0.7827.197, allowing a remote attacker to read limited cross-origin data via a crafted HTML page. The flaw stems from incorrect origin validation (CWE-346) in the DBSC implementation, a relatively new anti-session-hijacking subsystem. SSVC assessment confirms no exploitation at time of analysis, and no public exploit code has been identified; the CVSS score of 4.3 Medium reflects meaningful but bounded confidentiality impact contingent on user interaction.

Authentication Bypass Google
NVD VulDB
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-57290 MEDIUM This Month

A cross-site request forgery (CSRF) vulnerability in Jenkins Priority Sorter Plugin 936.v2c01c6b_84449 and earlier allows attackers to overwrite the global job priority configuration.

CSRF Jenkins Jenkins Priority Sorter Plugin
NVD VulDB
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-9721 MEDIUM This Month

Cross-Site Request Forgery in the Book a Room Event Calendar WordPress plugin (all versions through 1.9) allows unauthenticated remote attackers to overwrite sensitive plugin configuration - including external database host, credentials, encryption key, and registration URL - by tricking an authenticated administrator into visiting a malicious page. The vulnerability stems from a complete absence of WordPress nonce mechanisms (no wp_nonce_field(), check_admin_referer(), or wp_verify_nonce()) in both the settings form and its handler, meaning any browser-submitted POST during an active admin session is honored unconditionally. No public exploit has been identified at time of analysis, and the plugin is a niche product, limiting real-world blast radius despite the sensitive nature of the overwriteable fields.

WordPress CSRF Book A Room Event Calendar
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-56269 MEDIUM PATCH This Month

Flowise versions 3.0.13 and earlier silently fall back to a hardcoded AES-256-CBC encryption key derived from the publicly known literal 'Secre$t' when TOKEN_HASH_SECRET is not configured, exposing the user and workspace IDs encoded in the 'meta' field of every JWT token issued by an unconfigured deployment. An authenticated user or network-positioned attacker who obtains any valid JWT can decrypt this metadata using the default key - now disclosed in the GHSA advisory and source code - and re-encrypt manipulated identifiers to probe downstream access controls. JWT signature validation is handled independently, so this does not constitute standalone token forgery, but identifier disclosure and metadata manipulation create a realistic stepping stone toward privilege escalation or unauthorized workspace access in multi-tenant deployments. No active exploitation is confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis; vendor-released patch Flowise 3.1.0 is available.

Authentication Bypass Privilege Escalation Node.js Flowise
NVD GitHub
CVSS 4.0
4.3
EPSS
0.1%
CVE-2026-53541 MEDIUM POC PATCH GHSA This Month

Unvalidated `ot_`-prefixed argument injection in OliveTin allows any authenticated user with action-trigger access to bypass input filtering, inject arbitrary environment variables into action execution contexts, and pollute Go template rendering data. All OliveTin versions prior to commit `ebffd9f040f7` (Go pseudo-version `< 0.0.0-20260531214440-ebffd9f040f7`) are affected. While direct standalone RCE is not confirmed, a public proof-of-concept exists in GHSA-prj9-97mp-mwh2 and secondary command injection is achievable wherever triggered action scripts consume `OT_`-prefixed environment variables in shell-unsafe ways.

RCE
NVD GitHub
CVSS 3.1
4.3
CVE-2026-57293 MEDIUM This Month

Credential ID enumeration in Jenkins Gitee Plugin 1288.v18b_deb_c9069b_ and earlier allows authenticated attackers holding only global Item/Configure permission to bypass the intended per-job permission boundary and list credential IDs stored in Jenkins. The root cause is an incorrect permission check (CWE-862) that conflates global and job-scoped authorization, leaking credential identifiers without requiring job-level rights. No public exploit code exists and SSVC rates exploitation status as none; however, enumerated credential IDs can serve as reconnaissance for chained attacks targeting those credentials.

Authentication Bypass Jenkins Jenkins Gitee Plugin
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-13024 MEDIUM PATCH This Month

Site isolation bypass in Google Chrome's Navigation component allows an attacker who has already compromised the renderer process to escape Chrome's cross-origin containment boundary via a crafted HTML page, affecting all Chrome versions prior to 149.0.7827.197. The vulnerability stems from insufficient input validation (CWE-20) in the Navigation subsystem, which fails to properly enforce site isolation when navigations are initiated from a compromised renderer. No public exploit code has been identified and CISA SSVC confirms no known active exploitation at time of analysis, though the prerequisite of renderer compromise makes this a meaningful second-stage escalation primitive.

Authentication Bypass Google Red Hat
NVD VulDB
CVSS 3.1
4.2
EPSS
0.2%
CVE-2026-57307 MEDIUM This Month

A missing permission check in Jenkins Zowe zDevOps Plugin 1.1.3.50.ve350c9b_450b_1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Jenkins Jenkins Zowe Zdevops Plugin Authentication Bypass
NVD VulDB
CVSS 3.1
4.2
EPSS
0.1%
CVE-2026-57306 MEDIUM This Month

A cross-site request forgery (CSRF) vulnerability in Jenkins Zowe zDevOps Plugin 1.1.3.50.ve350c9b_450b_1 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

CSRF Jenkins Jenkins Zowe Zdevops Plugin
NVD VulDB
CVSS 3.1
4.2
EPSS
0.1%
CVE-2026-53945 MEDIUM PATCH This Month

DNS rebinding bypasses Ghost CMS's private-IP validation for outbound HTTP requests, enabling server-side request forgery (SSRF) against internal network resources. Versions 6.0.9 through 6.21.0 are affected; the root cause is a TOCTOU race (CWE-367) between Ghost's allowlist check and the actual TCP connection, which a DNS-rebinding attacker exploits by switching DNS records between check-time and connect-time. No public exploit code identified and not listed in CISA KEV, but the scope-changed CVSS rating (S:C) reflects that successful exploitation escapes Ghost's network boundary into adjacent internal infrastructure.

Node.js Authentication Bypass Ghost
NVD GitHub
CVSS 3.1
4.0
EPSS
0.1%
Prev Page 4 of 4

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy