Skip to main content
CVE-2026-57518 HIGH POC This Week

Privilege escalation to remote code execution in Pagekit CMS 1.0.18 lets an authenticated user holding the 'user: manage users' permission grant themselves arbitrary custom roles via an unprotected UserApiController::saveAction(), then assign a role carrying 'system: manage packages' to upload a malicious PHP package through the admin installer and run arbitrary code. Publicly available exploit code exists (gist by sermikr0, reported by VulnCheck), and the chain converts a limited management permission into full server compromise. No public evidence of active exploitation has been confirmed (not in CISA KEV).

Authentication Bypass RCE Privilege Escalation PHP Pagekit
NVD GitHub
CVSS 4.0
8.7
EPSS
0.5%
CVE-2026-48801 HIGH POC PATCH GHSA This Week

Denial of service in linkify-it (npm) through v5.0.0 lets remote unauthenticated attackers wedge a rendering worker by submitting tens of KB of repeated email/link-like text. The core public API LinkifyIt.prototype.match runs an O(N²) scan loop that re-slices the input and re-runs unanchored fuzzy regex searches once per match, so 64 KB of "a@b.com" burns ~2.5 s of single-threaded CPU and 128 KB ~10 s. The flaw is inherited by markdown-it (~21.6M weekly npm downloads) whenever linkify:true is set, exposing forums, chat, wikis and AI chat UIs; publicly available exploit code (a PoC in the GHSA advisory) exists, but there is no evidence of active exploitation.

Apple Node.js Mattermost Denial Of Service Gitlab
NVD GitHub
CVSS 4.0
8.7
EPSS
0.4%
CVE-2026-48778 HIGH POC PATCH This Week

Local code execution in Notepad++ before 8.9.6.1 occurs because the <GUIConfig name="commandLineInterpreter"> value in config.xml is loaded into _nppGUI._commandLineInterpreter with no validation, whitelist, or signature check, then passed directly to ShellExecute when a user invokes File → Open Containing Folder → cmd. An attacker who can plant or modify config.xml runs an arbitrary executable in the victim's session the next time they use this menu action. Publicly available exploit code exists (Exploit-DB 52606), but there is no public exploit identified as actively exploited; the issue is not in CISA KEV.

Command Injection Notepad Plus Plus
NVD GitHub Exploit-DB VulDB
CVSS 3.1
7.8
EPSS
1.4%
CVE-2026-10835 HIGH POC PATCH This Week

SQL injection in the SALESmanago & Leadoo WordPress plugin before 3.11.3 allows low-privileged authenticated users to inject arbitrary SQL through an unsanitised parameter passed to a vulnerable AJAX action. Because the action enforces no authorisation check, even subscriber-level accounts can reach it, and the CVSS scope-changed, high-confidentiality rating (7.7) reflects the ability to read data across the WordPress database. Publicly available exploit code exists (WPScan), though EPSS is low (0.16%) and SSVC classifies exploitation as proof-of-concept only, not active.

WordPress SQLi Salesmanago Leadoo
NVD WPScan VulDB
CVSS 3.1
7.7
EPSS
0.2%
CVE-2026-38639 HIGH POC This Week

An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of Service (DoS) via parsing a crafted input.

Denial Of Service N A
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-38641 HIGH POC This Week

Denial of service in relibc (the Redox OS C standard library) at commit 61f42d allows attackers to crash a process by getting it to load a maliciously crafted shared library, which mishandles resources in the DSO::mmap_and_copy dynamic-linking routine (CWE-404). Publicly available exploit code exists, but the flaw is not in CISA KEV and EPSS is very low (0.17%, 6th percentile), indicating no observed in-the-wild exploitation. Impact is confined to availability - no confidentiality or integrity loss.

Denial Of Service N A
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-10823 HIGH POC PATCH This Week

Information disclosure in the YMC Filter WordPress plugin before 3.11.3 lets unauthenticated remote attackers read the titles and content of private, draft, and other non-public posts by abusing a REST API endpoint that lacks proper authorization and fails to validate a user-supplied query parameter. WPScan reported the flaw, a public exploit exists, and a vendor patch is available; the CVSS 3.1 score is 7.5 reflecting high confidentiality impact with no integrity or availability effect.

WordPress Information Disclosure Ymc Filter
NVD WPScan VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-28701 CRITICAL CISA Emergency

Path traversal in Daktronics Controller Firmware for the VFC-DMP-5000, DMP-5000, and DMP-8000 display media players lets remote users break out of the intended directory and enumerate arbitrary file system paths, exposing the device's internal layout to attackers. Both authenticated and unauthenticated requests are accepted, and the flaw is reachable over the network with no user interaction. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV, though the issue was reported through ICS-CERT and carries a CVSS 4.0 base score of 9.3.

Path Traversal Vfc Dmp 5000 Dmp 5000 Dmp 8000
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.8%
CVE-2026-31928 CRITICAL CISA Emergency

Default administrative web credentials in Daktronics DMP-5000, VFC-DMP-5000, and DMP-8000 digital media players grant full system access to anyone who knows the shipped account, because the devices do not force a credential change during setup or operation. Tracked as CWE-798 (use of hard-coded/default credentials) and rated CVSS 4.0 9.3 by ICS-CERT, this lets a network-positioned attacker log into the management interface and seize complete control of the device. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but default-credential weaknesses are trivially abused once the device is reachable.

Authentication Bypass Vfc Dmp 5000 Dmp 5000 Dmp 8000
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.4%
CVE-2026-55975 HIGH CISA Act Now

Authenticated command injection in H.View HV-500S6 IP cameras allows a logged-in user to inject unsanitized XML field values into the device's certificate generation interface, which are passed into a backend certificate-creation shell command and executed with elevated privileges. Because exploitation requires valid credentials (CVSS 4.0 PR:H) but is reachable over the network with low complexity, an attacker who obtains any account on the device can run arbitrary OS commands and take full control of the camera. No public exploit has been identified at time of analysis and the CVE is not listed in CISA KEV.

Command Injection Hv 500S6 Ip Camera
NVD GitHub VulDB
CVSS 4.0
8.6
EPSS
0.7%
CVE-2026-56414 HIGH CISA Act Now

Arbitrary file upload in H.View HV-500S6 IP cameras lets an authenticated, high-privilege user (per CVSS PR:H) write unvalidated content to fixed, persistent filesystem paths reserved for trusted TLS certificate material, with no checks on file type, structure, or size. Because the planted data survives reboot, an attacker can corrupt or replace certificate stores to undermine device integrity, availability, and trust. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, but it is the subject of a CISA ICS advisory (ICSA-26-176-05).

File Upload Hv 500S6 Ip Camera
NVD GitHub VulDB
CVSS 4.0
8.6
EPSS
0.4%
CVE-2026-8380 MEDIUM POC This Month

Permanent deletion of arbitrary WordPress posts and pages is possible via the Frontend File Manager Plugin (all versions through 23.6), which omits ownership verification before executing delete operations. Any authenticated user holding author-level access or higher can permanently destroy content they do not own; when an administrator enables the 'Allow guest uploads' setting, the same endpoint becomes reachable by completely unauthenticated users. A public proof-of-concept exists via WPScan; no confirmed actively exploited status (KEV), and EPSS sits at just 0.18% (8th percentile), but the unauthenticated attack path under a non-default configuration is the highest-severity scenario.

WordPress Information Disclosure Frontend File Manager Plugin
NVD WPScan VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-33560 HIGH CISA Act Now

Arbitrary file upload in the Daktronics DMP-5000 (and related VFC-DMP-5000 and DMP-8000) media player file service lets authenticated users write files of any type - including executable binaries and scripts - directly to the server with no extension filtering or content inspection. This unrestricted upload (CWE-434) gives a low-privileged operator a path to plant and potentially execute malicious code on these OT digital-media/scoreboard controllers. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

File Upload Vfc Dmp 5000 Dmp 5000 Dmp 8000
NVD GitHub VulDB
CVSS 4.0
8.4
EPSS
0.3%
CVE-2026-49869 CRITICAL PATCH Act Now

Unauthenticated remote code execution affects Kestra OSS (the open-source event-driven orchestration platform) prior to versions 1.0.45 and 1.3.21, where a flawed authentication whitelist lets attackers reach protected API endpoints without credentials. The AuthenticationFilter exempts the public config endpoint using a suffix match (request.getPath().endsWith("/configs")) instead of an exact path match, so any API path ending in 'configs' bypasses Basic Auth, allowing an attacker to create and run arbitrary workflows. Because the default-enabled script-execution plugins (shell, Python) run inside the worker container as root, this escalates directly to unauthenticated RCE. Carries a maximal CVSS of 10.0; there is no public exploit identified at time of analysis.

Command Injection Python RCE Kestra
NVD GitHub VulDB
CVSS 3.1
10.0
EPSS
0.7%
CVE-2026-53576 CRITICAL PATCH Act Now

Unauthenticated remote code execution in Kestra orchestration platform before 1.0.45 and 1.3.21 lets anonymous attackers fully compromise the host. The REST API authentication filter treats any request path ending in /configs as the public instance-config endpoint, so an attacker appending the literal segment configs (e.g. to flow-create or execution-trigger routes) bypasses Basic-Auth, creates a flow with a Shell/Process task, and executes commands as root inside the container; with the default docker-compose mounting /var/run/docker.sock, this pivots to the host Docker daemon. No public exploit identified at time of analysis, but the technique is fully described in the vendor advisory and is trivially reproducible.

Code Injection Docker RCE Kestra
NVD GitHub VulDB
CVSS 3.1
10.0
EPSS
0.5%
CVE-2026-2053 CRITICAL PATCH Act Now

Server-side request forgery in WSO2 API Manager lets unauthenticated remote attackers coerce the gateway into making server-initiated requests to attacker-chosen destinations by injecting crafted WS-Addressing headers into the message flow. Because the API Manager typically sits at the network edge with reachability into internal systems, this allows pivoting to otherwise unreachable internal resources and services. The vendor rates it CVSS 10.0; it is not in CISA KEV and no public exploit identified at time of analysis, with a low EPSS of 0.20% (10th percentile).

Authentication Bypass SSRF Wso2 Api Manager
NVD
CVSS 3.1
10.0
EPSS
0.2%
CVE-2026-44024 CRITICAL PATCH GHSA Act Now

{tag}` placeholder used to dynamically build output file paths. When an instance ingests logs from untrusted sources and references `${tag}` in a path parameter (e.g., the `out_file` plugin), an attacker can inject `../` traversal sequences to write or overwrite arbitrary files with attacker-controlled content, which the vendor states is directly escalatable to full RCE. The CVSS 3.1 base score is 9.8 (AV:N/AC:L/PR:N/UI:N) and a vendor patch (v1.19.3) is available; there is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Path Traversal RCE
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
1.1%
CVE-2026-54636 CRITICAL PATCH Act Now

Container-to-host command execution in Dokku's cron plugin (versions prior to 0.38.7) lets an actor who can control an application's app.json schedule break out of the Docker container and run arbitrary commands on the host as the privileged Dokku user. Because the cron command was interpolated into a shell-evaluated line, special characters such as ';' or '>' were interpreted on the host rather than confined to the container, yielding a scope-changing escape (CVSS 9.9). No public exploit has been identified at time of analysis, but the root cause and fix are fully documented in the vendor advisory and patch.

Command Injection Docker Dokku
NVD GitHub VulDB
CVSS 3.1
9.9
EPSS
0.3%
CVE-2026-46386 CRITICAL PATCH Act Now

Authenticated remote code execution affects the official openproject/openproject Docker image, which ships with a hardcoded Rails secret (ENV SECRET_KEY_BASE=OVERWRITE_ME). Because the application uses cookies_serializer = :marshal, any logged-in user who knows this deterministic key can forge a signed cookie containing a malicious Marshal payload that is deserialized when reaching the /my/two_factor_devices cookie reader, yielding code execution on the server (CVSS 9.9, scope-changed). At the time of analysis there is no public exploit identified and the issue is not in CISA KEV, but the predictability of the default key makes exploitation straightforward for anyone running an unmodified image.

Deserialization Docker Openproject
NVD GitHub
CVSS 3.1
9.9
EPSS
0.3%
CVE-2026-52782 CRITICAL PATCH Act Now

Cross-project folder hijacking in OpenProject before 17.3.3 and 17.4.1 lets a project-admin abuse an insecure direct object reference (CWE-639) to take over another project's managed Nextcloud or OneDrive storage folder. By PATCHing the storages_project_storage[project_folder_id] parameter on /projects/<id>/settings/project_storages/<ps_id>, an attacker writes a victim project's folder ID into their own ProjectStorage row, and the next managed-folder sync rewrites the target folder's ACL to the attacker's project member list. CVSS is 9.9 and the issue carries a scope change, but there is no public exploit identified at time of analysis and it is not on CISA KEV.

Authentication Bypass Nextcloud Openproject
NVD GitHub
CVSS 3.1
9.9
EPSS
0.3%
CVE-2026-52785 CRITICAL PATCH Act Now

SQL injection in OpenProject's baseline-comparison (timestamps) functionality lets an authenticated, low-privileged user inject SQL through the timestamps parameter used to request historic work-package attributes, affecting all versions prior to 17.3.3 and 17.4.1. Rated CVSS 9.9 with a changed scope, it can expose or alter database contents beyond the user's normal authorization. No public exploit identified at time of analysis; the issue is fixed in 17.3.3 and 17.4.1.

SQLi Openproject
NVD GitHub
CVSS 3.1
9.9
EPSS
0.2%
CVE-2026-57878 CRITICAL Act Now

Remote code execution in GeoVision GV-LPC2011 and GV-LPC2211 license-plate-recognition cameras (firmware V1.12 and earlier) stems from a stack-based buffer overflow in the embedded thttpd web server, where overly long parameters in a specific request path overrun a fixed-size stack buffer. An unauthenticated remote attacker (per CVSS PR:N) can send a single crafted HTTP request to corrupt memory and cause denial of service or potentially execute arbitrary code on the device. No public exploit has been identified at time of analysis, but the CVSS 9.8 rating and lack of authentication make this a high-priority embedded-device exposure.

Buffer Overflow Denial Of Service Stack Overflow RCE Gv Lpclpc2011 2211
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-57880 CRITICAL Act Now

Unauthenticated remote code execution and denial of service in GeoVision GV-LPC2011 and GV-LPC2211 license plate camera devices (firmware V1.12 and earlier) stems from a stack-based buffer overflow in the ssvr streaming component's RTSP Digest authentication parser. A remote attacker reachable on the RTSP service can send overly long authentication field data to corrupt the stack, crashing the device or potentially executing arbitrary code with no credentials or user interaction. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the CVSS 9.8 rating and unauthenticated network vector make it a high-priority patching target.

Buffer Overflow Denial Of Service Stack Overflow RCE Gv Lpclpc2011 2211
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-57879 CRITICAL Act Now

Remote code execution and denial of service in GeoVision GV-LPC2011 and GV-LPC2211 license-plate-recognition cameras (V1.12 and earlier) arise from a stack-based buffer overflow in the ssvr component's RTSP custom authentication handling. The CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates an unauthenticated remote attacker can trigger memory corruption with a single crafted RTSP request, yielding crash-level DoS and potential arbitrary code execution. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Buffer Overflow Denial Of Service Stack Overflow RCE Gv Lpclpc2011 2211
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-48769 CRITICAL POC PATCH GHSA Act Now

Arbitrary file write in the Incus daemon (incusd) via path traversal in the `Incus-Image-Hash` header allows a low-privileged attacker controlling a malicious image server to write attacker-controlled content to any path on the host filesystem as root, leading to arbitrary command execution. Affected versions are all Incus releases prior to 7.2.0; the vulnerability exists in the `source.type=url` image import code path. A full public proof-of-concept exploit exists demonstrating cron-based root command execution; no confirmed active exploitation in CISA KEV at time of analysis.

Path Traversal
NVD GitHub
CVSS 3.1
9.9
CVE-2026-48755 CRITICAL POC PATCH GHSA Act Now

Argument injection in the Incus daemon (incusd) backup feature lets an authenticated remote API client (PR:L) write arbitrary files on the host as root and likely escalate to code execution, affecting all versions before 7.2.0. The backup compression_algorithm field is split into tokens but only the first token is allowlist-validated, so trailing flags are passed straight to compressors like zstd. Publicly available exploit code exists (a full Python PoC is published in the GHSA advisory); rated CVSS 9.9 and tagged RCE, though it is not listed in CISA KEV.

RCE
NVD GitHub
CVSS 3.1
9.9
CVE-2026-48753 CRITICAL POC PATCH GHSA Act Now

Arbitrary host file write in Incus before 7.1.0 lets a holder of S3 bucket credentials escape the storage volume via a path-traversal-laden multipart upload ID and plant files anywhere the daemon (typically root) can write, escalating to remote code execution. The flaw lives in the local S3 storage backend's multipart upload handling, where the attacker-supplied uploadId is concatenated onto the uploads directory without sanitization. A complete working PoC exists that drops a /etc/cron.d job for root command execution; no CISA KEV listing or EPSS score is provided, so this is publicly available exploit code rather than confirmed active exploitation.

Path Traversal Canonical OpenSSL
NVD GitHub
CVSS 3.1
9.9
CVE-2026-48752 CRITICAL POC PATCH GHSA Act Now

Arbitrary host file read and write in Incus (the LXC/LXD container and VM manager) before version 7.2.0 allows a user who can import a crafted container image or instance backup to escape into the host filesystem via an unsanitized top-level `templates` symlink, possibly escalating to root command execution. The flaw stems from tar/rsync extraction routines that exclude device nodes but fail to reject symlinks pointing outside the target directory. No KEV listing or EPSS score is provided, but a detailed working PoC is published in the GHSA advisory.

RCE
NVD GitHub
CVSS 3.1
9.9
CVE-2026-48751 CRITICAL POC PATCH GHSA Act Now

Privilege escalation and project-restriction bypass in Incus before 7.2.0 lets a low-privileged user with access to an unrestricted project craft an instance whose snapshot carries malicious low-level hooks (raw.lxc/raw.qemu), then move and restore it into a project protected by restricted.containers.lowlevel=block, executing arbitrary commands on the host as root. The snapshot-restore path fails to re-enforce the lowlevel restriction, so the security control is silently bypassed. Publicly available exploit code exists (full PoC published in the vendor GHSA advisory); there is no public evidence of active exploitation.

Authentication Bypass Debian
NVD GitHub
CVSS 3.1
9.9
CVE-2026-48750 CRITICAL POC PATCH GHSA Act Now

Host-side arbitrary file write in Incus (the LXD-fork container and VM manager) before 7.2.0 lets an attacker who can supply a crafted image and call the instance exec endpoint write attacker-controlled content to any path on the host, leading to root-level command execution. A top-level `exec-output` symlink packed into an image survives image unpacking, and when `record-output:true` is passed to `/instances/$name/exec` the daemon follows that symlink to write `exec_UUID.stdout`/`.stderr` outside the instance - for example into `/etc/cron.d`. A working proof-of-concept exists in the GHSA advisory, but there is no public exploit identified as used in active attacks.

Information Disclosure
NVD GitHub
CVSS 3.1
9.9
CVE-2026-48749 CRITICAL POC PATCH GHSA Act Now

Container-to-host filesystem escape in Incus before 7.2.0 lets a user who can import images and create instances read and write arbitrary files on the host as root. A malicious image carrying a duplicate top-level 'rootfs' symlink (rootfs -> /) passes image validation, and the stopped-container file API later chroots into that symlinked path via forkfile, exposing the host root filesystem through 'incus file pull/push'. A working proof-of-concept is published in the GitHub Security Advisory (GHSA-2q3f-q5pq-g8wv); publicly available exploit code exists, but there is no public exploit identified beyond the PoC and the CVE is not in CISA KEV.

Code Injection
NVD GitHub
CVSS 3.1
9.9
CVE-2026-56059 CRITICAL Act Now

Arbitrary file upload in the Travel Booking WordPress theme (versions <= 2.2.5) lets an authenticated low-privileged Subscriber upload files of dangerous types, enabling web shell deployment and remote code execution. The CVSS 3.1 base score is 9.9 with a scope change (S:C), reflecting that a minimally-privileged account can fully compromise the underlying host. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

File Upload
NVD
CVSS 3.1
9.9
EPSS
0.4%
CVE-2026-56058 CRITICAL Act Now

Arbitrary file upload in the Quform WordPress plugin (versions <= 2.23.0) lets authenticated users with only Subscriber-level privileges upload files of attacker-controlled type, enabling web shell deployment and full site takeover. The CVSS:3.1 vector (PR:L, S:C) reflects a low privilege bar combined with a scope change, which drives the 9.9 score. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

File Upload
NVD
CVSS 3.1
9.9
EPSS
0.4%
CVE-2026-56027 CRITICAL Act Now

Arbitrary file upload in Booster for WooCommerce (plugin slug woocommerce-jetpack) versions <= 8.0.1 lets an authenticated customer-level user upload arbitrary files to the WordPress server, enabling web shell deployment and remote code execution. The CVSS 3.1 score of 9.9 reflects a scope change (S:C) where a low-privilege shop customer can fully compromise the underlying host. No public exploit identified at time of analysis; the issue was reported by Patchstack's audit team.

WordPress File Upload
NVD
CVSS 3.1
9.9
EPSS
0.3%
CVE-2026-57881 CRITICAL Act Now

Remote unauthenticated stack-based buffer overflow in the vlsvr login service of GeoVision GV-LPC2011 and GV-LPC2211 license plate capture cameras (firmware V1.12 and earlier) lets a remote attacker corrupt memory by sending an over-length login field, enabling denial of service and potentially arbitrary code execution. The flaw requires no authentication and no user interaction (CVSS 9.8). No public exploit identified at time of analysis, and it is not listed in CISA KEV.

Buffer Overflow Denial Of Service Stack Overflow RCE Gv Lpclpc2011 2211
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2026-56028 CRITICAL Act Now

Privilege escalation in the Easy Elements for Elementor - Addons & Website Templates WordPress plugin (versions <= 1.4.9) allows remote attackers to gain elevated privileges without authentication, per the CVSS:3.1 vector (PR:N). Classified as CWE-266 (Incorrect Privilege Assignment) and rated CVSS 9.8 with full confidentiality, integrity, and availability impact, the flaw was reported by the Patchstack security team. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Privilege Escalation
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2026-53309 CRITICAL PATCH Act Now

Out-of-bounds read in the Linux kernel's OCFS2 cluster filesystem DLM (Distributed Lock Manager) stems from an off-by-one error in dlm_match_regions(), where the local-vs-remote region comparison loop uses '<=' instead of '<' and reads one entry past the valid range of the qr_regions array. It affects systems running the OCFS2 shared-disk cluster filesystem and is reachable when nodes negotiate heartbeat/region membership; the upstream tag classifies it as Information Disclosure rather than code execution. There is no public exploit identified at time of analysis, EPSS is low (0.17%, 6th percentile), and it is not in CISA KEV - despite an inflated NVD CVSS of 9.8.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-0685 CRITICAL Act Now

Server-side template injection in Edgewall's Genshi template engine (versions 0 through 0.7.9) lets a remote attacker reach the expression-evaluation component and run arbitrary Python code on the host. Because Genshi evaluates template expressions as Python, any application that feeds attacker-controlled input into a Genshi expression can be driven to full remote code execution. No public exploit identified at time of analysis, and the issue is not on the CISA KEV list; EPSS data was not provided.

RCE Genshi
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.7%
CVE-2026-56057 CRITICAL Act Now

PHP Object Injection in the Uncanny Automator Pro WordPress plugin (versions <= 7.3.0.6) allows authenticated users holding only the low-privileged Subscriber role to inject crafted serialized PHP objects into an unsafe deserialization sink (CWE-502). Depending on the gadget chains present in the plugin or co-installed software, this can escalate to remote code execution, arbitrary file operations, or database tampering. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV; the input-supplied CVSS of 9.8 likely overstates privileges since the title explicitly scopes the flaw to the Subscriber role.

Deserialization PHP
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2026-56033 CRITICAL Act Now

Privilege escalation in Dokan Pro (the WordPress/WooCommerce multivendor marketplace plugin) versions 5.0.4 and earlier lets unauthenticated remote attackers gain elevated privileges, scoring CVSS:3.1 9.8 Critical via AV:N/AC:L/PR:N/UI:N with full confidentiality, integrity, and availability impact. The flaw is classed as CWE-266 (Incorrect Privilege Assignment), meaning the plugin grants privileges it should not to an unauthenticated requester. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Privilege Escalation
NVD
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-56032 CRITICAL Act Now

PHP Object Injection in the BuddyBoss Platform WordPress plugin (versions 3.0.4 and earlier) allows attackers with low-privilege Subscriber access to inject crafted serialized objects that are deserialized unsafely, potentially leading to remote code execution, data tampering, or denial of service depending on available gadget chains. The flaw was reported by Patchstack and carries a CVSS base score of 9.8; however, the 'Subscriber' qualifier implies authenticated access is required, which conflicts with the PR:N in the published vector. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Deserialization PHP
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-56030 CRITICAL Act Now

Unauthenticated privilege escalation in the Paytium WordPress plugin (Mollie payment forms and donations) through version 5.0.2 allows remote attackers with no authentication to gain elevated privileges, with CVSS 9.8 indicating full compromise of confidentiality, integrity, and availability. The flaw stems from incorrect privilege assignment (CWE-266), meaning a low- or no-privilege actor can be granted rights they should not have. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Privilege Escalation
NVD
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-12411 CRITICAL PATCH Act Now

Cross-guest storage-volume hijacking in Canonical LXD 6.6 through 6.8 lets an untrusted guest instance mount, read, and overwrite the custom storage volumes owned by other guests on the same host, breaking tenant isolation. Exploitation requires the non-default security.devlxd.management.volumes option to be enabled, and is fixed in LXD 6.9. Rated CVSS 9.6 with a scope change and CISA SSVC 'total' technical impact; SSVC lists exploitation as proof-of-concept, but EPSS is very low (0.11%, 1st percentile) and it is not in CISA KEV.

Authentication Bypass Canonical Lxd
NVD GitHub VulDB
CVSS 3.1
9.6
EPSS
0.1%
CVE-2026-52780 CRITICAL PATCH Act Now

Remote code execution in OpenProject before 17.3.3 and 17.4.1 arises from cache store poisoning, allowing an attacker with adjacent-network access and no authentication (CVSS:3.1 AV:A/PR:N) to corrupt cached entries and ultimately execute arbitrary code on the server. The CVSS 9.6 score reflects a scope change (S:C) with full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

RCE Openproject
NVD GitHub VulDB
CVSS 3.1
9.6
EPSS
0.2%
CVE-2025-11919 CRITICAL Act Now

Code execution against the shared multi-tenant Java runtime in Wolfram Cloud 14.2 is possible because the default JVM resolves classpath artifacts from a world-accessible `/tmp/` location shared across tenants on the same cloud instance. A co-tenant attacker who can write to `/tmp/UserTemporaryFiles/` can plant a malicious `.jar` or directory referenced by the JVM's `-init` startup file so the victim JVM loads attacker-controlled classes ahead of the legitimate library, executing code in the victim's session. No public exploit identified at time of analysis, though CVSS rates the issue 9.6 with a scope change reflecting cross-user/cross-tenant impact.

Information Disclosure Cloud
NVD GitHub VulDB
CVSS 3.1
9.6
EPSS
0.4%
CVE-2026-56034 CRITICAL Act Now

SQL injection in the Library Management System WordPress plugin (versions 3.5.7 and earlier) lets remote, unauthenticated attackers inject arbitrary SQL through an unsanitized input parameter (CWE-89). The CVSS:3.1 vector (AV:N/AC:L/PR:N/UI:N) confirms network-reachable, no-authentication, low-complexity exploitation with high confidentiality impact, enabling extraction of database contents such as WordPress user records and credential hashes. No public exploit identified at time of analysis and it is not listed in CISA KEV.

SQLi
NVD
CVSS 3.1
9.3
EPSS
0.3%
CVE-2026-56068 CRITICAL Act Now

SQL injection in the Crocoblock JetEngine WordPress plugin (versions 3.8.10.2 and earlier) lets remote unauthenticated attackers inject crafted SQL into backend database queries (CWE-89), per the CVSS:3.1 vector with PR:N/UI:N. The flaw carries a 9.3 critical score driven by network reachability, no required privileges, and a changed scope exposing the underlying WordPress database. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but the unauthenticated, low-complexity nature makes it a high-priority patching target for any site running this widely deployed dynamic-content plugin.

SQLi
NVD
CVSS 3.1
9.3
EPSS
0.2%
CVE-2025-10268 MEDIUM POC This Month

Path traversal in Printcart Web to Print Product Designer for WooCommerce (all versions through 2.4.8) exposes arbitrary server directory listings to unauthenticated remote attackers with no interaction required. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms trivial network-based exploitation against any internet-facing WooCommerce store running this plugin. A publicly available exploit exists via WPScan, materially lowering the technical barrier despite the Medium CVSS score of 5.3; no confirmed patched version is available at time of analysis.

WordPress Path Traversal Printcart Web To Print Product Designer For Woocommerce
NVD WPScan VulDB
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-56070 CRITICAL Act Now

Unauthenticated SQL injection in the WordPress "Advance Product Search" plugin (slug th-advance-product-search) through version 1.4.4 lets remote attackers inject crafted SQL via a search-facing parameter without any login. Because the CVSS vector marks privileges as none (PR:N) and a scope change (S:C), an attacker can reach and read backend database content reachable from the plugin's queries. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV; the high 9.3 score is driven by the unauthenticated network vector and confidentiality impact rather than any confirmed in-the-wild activity.

SQLi
NVD
CVSS 3.1
9.3
EPSS
0.2%
CVE-2026-56067 CRITICAL Act Now

Unauthenticated SQL injection in the JetSmartFilters WordPress plugin (Crocoblock) affects all versions up to and including 3.8.3, letting remote attackers with no authentication inject crafted SQL through plugin filter parameters and read sensitive database contents. The CVSS 9.3 rating reflects network reachability with no privileges or user interaction required; the issue was reported by Patchstack. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

SQLi
NVD
CVSS 3.1
9.3
EPSS
0.2%
Page 1 of 8 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy