Skip to main content
CVE-2026-48804 HIGH PATCH GHSA This Week

Memory-exhaustion denial of service in the python-socketio server (Socket.IO for Python, versions <= 5.16.1) lets remote clients pin server memory by sending binary EVENT or ACK packets while deliberately withholding one or more of the declared binary attachments. Because the server buffers the partial message and its received attachments in memory until all attachments arrive, an attacker can repeatedly open such incomplete messages to grow memory consumption unbounded and exhaust server resources. No public exploit identified at time of analysis; not listed in CISA KEV.

Python Denial Of Service
NVD GitHub
CVSS 3.1
7.5
CVE-2026-48802 HIGH PATCH GHSA This Week

Denial of service in the python-engineio server (versions <= 4.13.1) allows remote unauthenticated attackers to exhaust server resources by abusing the heartbeat mechanism, which spawns a new background thread on each connection and on every PONG packet received. Synchronous servers are most at risk because each heartbeat is a physical OS thread; asynchronous deployments allocate lightweight tasks and are far less affected. No public exploit has been identified at the time of analysis, and the issue is not listed in CISA KEV; a vendor-released patch (version 4.13.2) is available.

Python Denial Of Service
NVD GitHub
CVSS 3.1
7.5
CVE-2026-48809 HIGH PATCH GHSA This Week

Uncontrolled memory allocation in python-engineio (versions <= 4.13.1) lets remote attackers exhaust server memory by sending oversized messages that are loaded before any size check, causing denial of service (availability-only impact). The flaw triggers in two specific transport configurations - ASGI with long-polling POST requests, and Aiohttp with the WebSocket transport - and is fixed in 4.13.2. No public exploit identified at time of analysis, and the issue is not in CISA KEV; no EPSS score was provided.

Python Denial Of Service
NVD GitHub
CVSS 3.1
7.5
CVE-2026-47193 HIGH PATCH This Week

Information disclosure in OpenProject before 17.3.3 and 17.4.1 lets remote attackers read hidden historical field values through the journal diff endpoint, which fails to enforce object- and field-level visibility checks. The flaw (CWE-200) carries a CVSS 7.5 driven entirely by high confidentiality impact, exposing prior values of work-package fields that should be restricted. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV.

Information Disclosure Openproject
NVD GitHub
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-54341 HIGH PATCH This Week

Remote denial of service in DragonflyDB before 1.39.0 lets an unauthenticated attacker crash the entire server with a single ~24-byte RESTORE command carrying a malformed listpack payload, triggering an out-of-bounds read (SIGSEGV). Because Dragonfly ships with no authentication enabled by default and RESTORE is an ordinary keyspace command, any client that can reach the port can repeatedly kill the process. No CISA KEV listing exists, but the fixing pull request publishes the exact crash payloads as regression tests, so working trigger data is effectively public.

Denial Of Service Buffer Overflow Information Disclosure Dragonfly
NVD GitHub
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-55677 HIGH PATCH This Week

Path-based access control bypass in the LabStack Echo Go web framework (versions prior to 4.15.3 and 5.2.0) lets remote attackers retrieve protected static files without authorization. The flaw stems from the router matching routes on the raw encoded path (keeping %2F literal) while StaticDirectoryHandler decodes %2F to '/' before filesystem resolution, so a crafted URL slips past route-level guards. There is no public exploit identified at time of analysis and no CISA KEV listing; CVSS is 7.5 (confidentiality-only).

Path Traversal Echo
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-0828 HIGH This Week

Local privilege/availability abuse in Safetica Endpoint Client (x64) versions 10.5.75.0 and 11.11.4.0 lets an unprivileged user send crafted IOCTLs to the bundled kernel driver ProcessMonitorDriver.sys to terminate protected system processes, including the DLP agent's own self-protection components. This effectively allows a low-privileged local user to disable endpoint security enforcement. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV; CERT/CC (VU#818729) coordinated the disclosure.

Information Disclosure Endpoint Client
NVD VulDB
CVSS 3.1
7.5
EPSS
0.5%
CVE-2026-57647 HIGH This Week

Local File Inclusion in the Panorama Viewer - 360 Degree Image + Video Viewer WordPress plugin (versions 1.6.1 and earlier) allows authenticated users with Contributor-level access to coerce the application into including arbitrary local files on the server. Cataloged under CWE-98 and reported by Patchstack, the flaw can expose sensitive files (e.g., wp-config.php credentials) and, depending on server conditions, escalate toward code execution. No public exploit identified at time of analysis and it is not listed in CISA KEV; the CVSS 3.1 base score is 7.5 with high attack complexity.

LFI Information Disclosure PHP
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-56069 HIGH This Week

Availability-impacting Insecure Direct Object Reference in the WordPress Toolset Forms (CRED Frontend Editor) plugin version 2.6.24 and earlier lets unauthenticated remote attackers manipulate object identifiers to act on records they should not control. The flaw was reported by Patchstack and carries CVSS 7.5; no public exploit code has been identified at time of analysis, and it is not listed in CISA KEV. Because the CVSS vector scores only Availability (A:H), the practical impact is disruption or destruction of plugin-managed objects rather than data disclosure.

Authentication Bypass
NVD VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-56060 HIGH This Week

Unauthenticated information disclosure in the Print Invoice & Delivery Notes for WooCommerce plugin (versions 7.1.1 and earlier) lets remote attackers retrieve sensitive order data - such as invoices and delivery notes - without any credentials. The CVSS 3.1 score of 7.5 reflects a network-reachable, no-interaction confidentiality breach. No public exploit is identified at time of analysis and it is not listed in CISA KEV, so exploitation appears unproven but trivially feasible given the access profile.

WordPress Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-56029 HIGH This Week

Authentication bypass in the CorvusPay WooCommerce Payment Gateway plugin for WordPress (versions 2.7.4 and earlier) lets unauthenticated remote attackers manipulate the payment/integration workflow without valid credentials, per the CVSS 3.1 vector (AV:N/PR:N) and CWE-288. The flaw scores 7.5 with integrity impact only (I:H, C:N, A:N), meaning an attacker can tamper with trusted state - most plausibly forging payment confirmation/callback validation - rather than steal data or take a site down. No public exploit is identified at time of analysis and the issue is not listed in CISA KEV.

WordPress Information Disclosure
NVD VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-56025 HIGH This Week

Broken access control in the Paymob for WooCommerce WordPress plugin (versions <= 4.1.2) allows remote unauthenticated attackers to invoke a protected function or action that lacks an authorization check, producing a high integrity impact (CVSS 7.5, CVSS:3.1/.../I:H). The flaw maps to CWE-862 (Missing Authorization), meaning a function reachable over the network performs no capability or ownership validation before acting. No public exploit identified at time of analysis and the issue is not listed in CISA KEV; EPSS data was not provided.

Authentication Bypass WordPress
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-54847 HIGH This Week

Unauthorized data exposure in the Stylish Cost Calculator WordPress plugin (versions 8.3.9 and earlier) lets remote unauthenticated attackers reach functionality that should be access-controlled, exposing sensitive information. Reported through Patchstack and classified as a broken access control / missing authorization flaw (CWE-862), it carries a CVSS 7.5 with confidentiality-only impact. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

Authentication Bypass
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-54846 HIGH This Week

Sensitive data disclosure in the Syncee Premium Dropshipping & Wholesale WordPress plugin (versions <= 1.0.27) lets remote unauthenticated attackers reach functionality that should be access-restricted, exposing confidential information without any login. Reported by Patchstack and tagged as an authentication bypass, the flaw stems from missing authorization checks (CWE-862) on plugin endpoints. No public exploit identified at time of analysis, and no EPSS or CISA KEV signal is present in the supplied data, but the CVSS 3.1 base score of 7.5 reflects easy network reach with a high confidentiality impact.

Authentication Bypass
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-54839 HIGH This Week

Sensitive data exposure in the Trinity Backup WordPress plugin (versions 2.0.9 and earlier) allows remote unauthenticated attackers to retrieve confidential information without any credentials. Because the plugin manages full-site backups, the exposed data may include database dumps, configuration files, and credentials. The flaw was reported by Patchstack and carries a CVSS 7.5; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-54837 HIGH This Week

Broken access control in the All-In-One Intranet WordPress plugin (versions ≤ 1.8.1) allows unauthenticated remote attackers to bypass the plugin's core 'force login / private site' restriction and read content that is supposed to be visible only to authenticated intranet members. The flaw is a missing authorization check (CWE-862) that undermines the single security feature the plugin exists to provide. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Authentication Bypass
NVD VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-54834 HIGH This Week

Sensitive data exposure in the WordPress plugin Object Cache 4 everyone (versions 2.3.2 and earlier) lets remote unauthenticated attackers retrieve information the application intended to keep private, per the Patchstack advisory and a CVSS 3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N, confidentiality-only impact). The flaw, classed as CWE-201, stems from the caching layer inadvertently exposing sensitive cached content to unauthorized requestors. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-54832 HIGH This Week

Unauthorized data modification in the Gutenverse Companion WordPress plugin (versions 2.5.0 and earlier) lets remote unauthenticated attackers invoke protected functionality due to a missing authorization check. The CVSS 3.1 vector (AV:N/PR:N/UI:N, I:H, C:N, A:N) indicates a network-reachable, no-login integrity compromise rather than data theft or outage. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

Authentication Bypass
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-54824 HIGH This Week

Unauthenticated information disclosure in the Ads by WPQuads (Quick AdSense Reloaded) WordPress plugin versions 3.0.3 and earlier lets remote attackers read sensitive data without any credentials or user interaction. The flaw, reported by Patchstack and classified as CWE-497, exposes information to an unauthorized control sphere over the network. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2025-68064 HIGH PATCH This Week

Local File Inclusion in the Goya Core WordPress plugin (versions before 1.0.9.4) lets authenticated Contributor-level users coerce the application into including arbitrary local files, exposing sensitive server-side content such as configuration files and PHP source. Reported by Patchstack and classified CWE-98, the flaw carries a CVSS 3.1 base score of 7.5 (AV:N/AC:H/PR:L), and no public exploit identified at time of analysis. Exploitation requires a valid low-privilege account and the high attack complexity reflects non-trivial preconditions.

LFI Information Disclosure PHP
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2025-68063 HIGH This Week

Local File Inclusion in the Splash - Sport Club WordPress theme (versions 4.4.3 and earlier) lets an authenticated Contributor-level user supply a controlled filename to a PHP include/require sink, exposing local server files and potentially escalating to code execution. The flaw was reported by Patchstack and carries a CVSS 7.5; no public exploit identified at time of analysis, and it is not listed in CISA KEV. Exploitation requires an existing low-privilege account and overcomes elevated attack complexity, narrowing realistic abuse to multi-author sites.

WordPress LFI Information Disclosure PHP
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-57913 HIGH PATCH This Week

Unauthorized information disclosure in Johnson & Johnson's Audit Tracking Management System (ATMS) allowed remote attackers to view sensitive audit meeting minutes and transcripts without authentication in instances deployed before 2026-04-21. The flaw stems from client-side enforcement of access controls (CWE-602), meaning the server failed to verify authorization before returning confidential audit records. A public security research write-up by Eaton Works documents the issue, though no weaponized exploit or active exploitation (KEV) has been confirmed, and no public exploit code was identified at time of analysis.

Information Disclosure Audit Tracking Management System
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-57912 HIGH PATCH This Week

Information disclosure in Johnson & Johnson's Campus Recruiting web application (versions prior to the 2025-10-31 fix) allows remote unauthenticated attackers to view sensitive data submitted by recruited students as well as private notes interviewers entered about those candidates. The flaw stems from the server relying on client-side restrictions rather than enforcing authorization server-side (CWE-602). No CISA KEV listing or formal exploit code is published, though an independent security researcher (Eaton Works) documented the issue in a public write-up.

Information Disclosure Campus Recruiting
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-54833 HIGH This Week

Unauthenticated backdoor in the WordPress "Enable CORS" plugin (versions <= 2.0.3) lets remote attackers leverage a hard-coded cryptographic key (CWE-321) to bypass access controls and read or alter protected data without any credentials. Reported by Patchstack and tagged as Information Disclosure, the issue carries a CVSS 7.4; no public exploit and no CISA KEV listing exist at the time of analysis, and despite the network attack vector the CVSS marks high attack complexity, indicating exploitation is non-trivial.

Information Disclosure
NVD
CVSS 3.1
7.4
EPSS
0.2%
CVE-2026-57915 HIGH PATCH This Week

Authentication bypass in Apache Kerby before 2.1.2 lets remote attackers defeat Kerberos pre-authentication by submitting a PA-DATA element with an unrecognized or unsupported type, causing the KDC to skip the pre-auth check rather than reject the request. The flaw affects all Apache Kerby deployments below 2.1.2 acting as a Kerberos KDC/AS, and is fixed in version 2.1.2. There is no public exploit identified at time of analysis, no CISA KEV listing, and EPSS data was not provided; CVSS is rated 7.3 (High) with partial confidentiality, integrity, and availability impact.

Authentication Bypass Apache Apache Kerby
NVD VulDB
CVSS 3.1
7.3
EPSS
0.3%
CVE-2026-54840 HIGH This Week

Missing authorization in the Newsletters (newsletters-lite) WordPress plugin through version 4.13 lets unauthenticated remote attackers reach functionality that should be access-controlled, producing limited confidentiality, integrity, and availability impact (CVSS 7.3). Reported by Patchstack and tagged as an authentication bypass, the flaw requires no credentials or user interaction, though no public exploit code or CISA KEV listing exists at time of analysis. The partial (Low) impact across all three dimensions suggests scoped data exposure or unauthorized actions rather than full site compromise.

Authentication Bypass
NVD
CVSS 3.1
7.3
EPSS
0.2%
CVE-2026-44161 HIGH PATCH GHSA This Week

{tag}) whose value is derived from untrusted log data, an attacker who can influence that data forces the Fluentd node to call arbitrary internal services. There is no public exploit identified at time of analysis, but the upstream fix is shipped in v1.19.3 (PR #5394 adds strict host validation for dynamic endpoints).

Authentication Bypass SSRF
NVD GitHub VulDB
CVSS 3.1
7.2
EPSS
0.4%
CVE-2026-9640 HIGH PATCH This Week

Privilege escalation in Canonical LXD (versions 6.0-6.8, 5.21.0-5.21.4, and 5.0.0-5.0.6) allows an authenticated project operator in a restricted multi-tenant deployment to escape tenant confinement and obtain host root. Because project-restriction policies are not re-validated when an instance backup is imported and its snapshot restored, an operator can smuggle restricted configuration keys into a snapshot, restore them onto the live instance, and start it to gain unauthorized root on the host. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, but a vendor patch and the fixing source code are available.

Authentication Bypass Privilege Escalation Lxd
NVD GitHub VulDB
CVSS 3.1
7.2
EPSS
0.3%
CVE-2026-13372 HIGH PATCH This Week

Privilege/context escalation in Devolutions Remote Desktop Manager 2026.2.5 through 2026.2.11 lets an authenticated user with write access to a shared workspace plant a custom PowerShell VPN editor entry whose display name collides with an existing VPN script link, causing the attacker's PowerShell to run in another user's context when that link is resolved. The flaw stems from incorrect link resolution by display name (CWE-706) rather than a stable identifier, yielding total compromise of the victim's session (C:H/I:H/A:H). There is no public exploit identified at time of analysis and it is not in CISA KEV; a vendor patch is available.

Information Disclosure Remote Desktop Manager
NVD
CVSS 3.1
7.2
EPSS
0.3%
CVE-2026-57321 HIGH This Week

Arbitrary file deletion in the H5P WordPress plugin (versions 1.17.7 and earlier) lets a low-privileged authenticated user with Contributor-level access delete arbitrary files on the server via path traversal. The CVSS:3.1 vector (AV:N/PR:L) confirms remote, low-privilege exploitation with high availability impact, and no public exploit has been identified at time of analysis. Deleting critical files such as wp-config.php can break the site or, in some setups, enable a reinstallation-based takeover.

Path Traversal
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-57918 HIGH PATCH This Week

Client-side memory-safety failure in libnfs (through 6.0.2, fixed by commit f0b109d/935b8db) lets a malicious or compromised NFS server trigger an unsigned integer underflow in the RPC record-marker handling of rpc_read_from_socket(). When a victim application using libnfs connects to a crafted server, the server can supply a record marker whose declared xid/pdu length is smaller than the size libnfs expects to read, wrapping the length value and driving an oversized READ_IOVEC read with corresponding heap memory disclosure or corruption. There is no public exploit identified at time of analysis and it is not in CISA KEV; exploitation requires the victim to initiate a connection to an attacker-controlled NFS endpoint.

Integer Overflow Information Disclosure Libnfs Suse
NVD GitHub VulDB
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-57314 HIGH This Week

Reflected cross-site scripting in the SureCart WordPress e-commerce plugin (versions 4.3.2 and earlier) lets unauthenticated remote attackers inject browser-executed script by luring a victim to a crafted link. Because the CVSS scope is changed (S:C), the injected payload can act in the security context of the WordPress session, enabling theft of admin session data or actions performed on the victim's behalf. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, but Patchstack has cataloged it as a confirmed reflected XSS.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-56041 HIGH This Week

Cross-site scripting in the Responsive Lightbox WordPress plugin (versions up to and including 2.7.6) lets unauthenticated remote attackers inject script that executes in a victim's browser when they interact with a crafted link or page. The CVSS 3.1 score of 7.1 reflects a scope-changing reflected/stored XSS (UI:R) that can run in the context of any visitor or logged-in administrator. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-53303 HIGH PATCH This Week

Out-of-bounds read (CWE-125) in the Linux kernel F2FS filesystem lets a local user trigger inconsistent access to the mount extension list by racing a sysfs read against a concurrent update. The f2fs_sbi_show() handler reads extension_list, extension_count and hot_ext_count without holding sbi->sb_lock, so a simultaneous f2fs_update_extension_list() store can yield a mismatched count/array pair and drive an out-of-bounds read that leaks stale kernel data or crashes the system. No public exploit identified at time of analysis; EPSS is low (0.17%, 7th percentile) and the issue is not in CISA KEV.

Linux Buffer Overflow Information Disclosure
NVD VulDB
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-57325 HIGH This Week

Cross-Site Scripting in the NanoMag WordPress theme (versions 1.8 and earlier) lets unauthenticated remote attackers inject browser-executed script that runs in the context of a victim lured into following a crafted link or loading an attacker-influenced page. The CVSS 3.1 score is 7.1 with a scope change, reflecting that script executes beyond the vulnerable component into the user's session. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-57322 HIGH This Week

Reflected cross-site scripting in the weMail WordPress plugin (versions 2.1.2 and earlier) lets unauthenticated remote attackers inject arbitrary JavaScript that executes in a victim's browser when they follow a crafted link. The scope-changed CVSS 3.1 score of 7.1 reflects that the injected script runs in the WordPress site context, potentially affecting authenticated admin sessions. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

XSS
NVD VulDB
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-57319 HIGH This Week

Reflected/stored cross-site scripting in the FOX - Currency Switcher Professional for WooCommerce WordPress plugin (versions 1.4.8 and earlier) allows unauthenticated remote attackers to inject arbitrary JavaScript that executes in a victim's browser when they interact with a crafted link or page. Because the CVSS scope is marked changed, successful injection can affect resources beyond the vulnerable component, including the broader site session. This was reported by Patchstack (CVE-2026-57319, CVSS 7.1); no public exploit code has been identified and it is not listed in CISA KEV.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-57317 HIGH This Week

Cross-site scripting in the Simply Schedule Appointments WordPress plugin (versions <= 1.6.12.2) lets unauthenticated remote attackers inject script that executes in a victim's browser when they load a crafted page or follow a crafted link. The CVSS:3.1 vector (PR:N, UI:R, S:C) confirms no authentication is required but a user must interact, and the Changed scope reflects script crossing the security boundary into the visitor's browser context. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; it was reported through Patchstack's vulnerability research program.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-57312 HIGH This Week

Reflected cross-site scripting in the Everest Forms WordPress plugin (versions 3.4.8 and earlier) lets an unauthenticated attacker craft a malicious link that, when opened by a victim, executes arbitrary JavaScript in the victim's browser under the affected site's origin. The CVSS:3.1 base score is 7.1 (scope-changed, low impact across C/I/A) and exploitation requires victim user interaction. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-56072 HIGH This Week

Reflected cross-site scripting in the WoodMart premium WooCommerce/WordPress theme (versions up to and including 8.5.3) allows unauthenticated remote attackers to inject script that executes in a victim's browser when the victim is lured into triggering a crafted request. The flaw was disclosed via Patchstack and carries a CVSS 3.1 score of 7.1 with a changed scope, reflecting impact that crosses from the theme into the user's authenticated session context. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-56047 HIGH This Week

Reflected cross-site scripting in the Perfmatters WordPress plugin (versions 2.6.3 and earlier) allows unauthenticated attackers to inject malicious script that executes in a victim's browser when they follow a crafted link. The scope-changed CVSS 3.1 score of 7.1 reflects that successful exploitation can affect resources beyond the vulnerable component, such as an authenticated administrator's session. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-56045 HIGH PATCH This Week

Stored/reflected cross-site scripting in the WP Automatic WordPress plugin (versions before 3.135.1) lets unauthenticated remote attackers inject malicious script that executes in a victim's browser when they visit or interact with a crafted resource. The CVSS 3.1 score is 7.1 with a scope change (S:C), reflecting that injected script can affect components beyond the vulnerable plugin context. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-56044 HIGH This Week

Stored/reflected Cross-Site Scripting in the Blog2Social WordPress plugin (versions 8.9.2 and earlier) lets unauthenticated remote attackers inject malicious JavaScript that executes in a victim's browser when they view an affected page. The CVSS 3.1 vector (AV:N/PR:N/UI:R) indicates no authentication is required but the victim must take an action such as visiting a crafted URL. There is no public exploit identified at time of analysis, no CISA KEV listing, and no EPSS score supplied with this report from Patchstack.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-56043 HIGH This Week

Stored/reflected Cross-Site Scripting in the Customer Reviews for WooCommerce WordPress plugin (versions up to and including 5.110.1) lets unauthenticated attackers inject malicious script that executes in a victim's browser when they view the affected page. The CVSS:3.1 vector (AV:N/PR:N/UI:R, scope changed) indicates network-reachable, no-authentication exploitation that requires the victim to interact with attacker-controlled content. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; EPSS data was not provided.

WordPress XSS
NVD VulDB
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-56040 HIGH This Week

Cross-site scripting in the Gutenverse Form WordPress plugin (versions ≤ 2.4.7) lets unauthenticated remote attackers inject script that executes in a victim's browser when the victim interacts with a crafted link or page. The CVSS:3.1 score is 7.1 with a changed scope, reflecting that injected script crosses the trust boundary into the user's authenticated WordPress session. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-56039 HIGH This Week

Reflected cross-site scripting in the Quick Interest Slider WordPress plugin (versions 3.1.6 and earlier) lets an unauthenticated attacker inject arbitrary JavaScript that executes in a victim's browser when they follow a crafted link or load a malicious page. The CVSS 3.1 base score is 7.1 with a scope change, reflecting that script execution crosses the plugin's security boundary into the broader WordPress session. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-56011 HIGH This Week

Reflected/stored Cross-Site Scripting in the MapPress Maps for WordPress plugin (versions 2.97.3 and earlier) allows an unauthenticated remote attacker to inject malicious JavaScript that executes in the browser of a victim who interacts with a crafted link or page. Because the CVSS scope is changed (S:C), the injected script can act beyond the vulnerable component to affect logged-in users including administrators. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

WordPress XSS
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2025-7958 HIGH This Week

Authenticated code injection (CWE-94) in Trellix Network Security appliances (NX, EX, FX, AX, and CMS/Central Management) lets a logged-in administrator run arbitrary commands by abusing how the web UI renders Alert artifact details. The flaw requires existing high-privilege admin access on an adjacent network rather than remote anonymous access, so it functions primarily as a privilege/trust-boundary escape rather than a mass-exploitable internet-facing bug. The CVSS 4.0 maturity flag (E:P) indicates proof-of-concept exploit material exists, but the issue is not listed in CISA KEV and shows no confirmed active exploitation.

Code Injection RCE Trellix Network Security Nx Ex Fx Ax And Cms
NVD
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-43920 MEDIUM This Month

Unauthenticated remote access to the /run-patcher maintenance endpoint in FOSSBilling versions 0.5.4 through 0.7.2 allows any network-reachable attacker to trigger privileged database schema changes (including ALTER TABLE and DROP TABLE), configuration file migrations, filesystem mutations, and batch token regeneration for all admin and client accounts via a single HTTP GET request. The attack requires no credentials, no CSRF token, and no special headers, making it trivially automatable against any publicly exposed instance. No active exploitation has been confirmed in the CISA KEV catalog, but the attack surface is broad and the operational impact - forced session invalidation, potential database inconsistency from concurrent invocations, and cache destruction - constitutes a meaningful denial-of-service risk against production instances.

Authentication Bypass CSRF
NVD GitHub
CVSS 4.0
6.9
EPSS
0.5%
CVE-2026-13083 MEDIUM This Month

Stored XSS in Red Hat's Pen Drive report generator allows a cluster administrator to inject persistent JavaScript payloads into cluster objects such as ClusterVersion spec.channel, which then execute in the browser of any user who opens a generated HTML report. The flaw (CWE-79) stems from cluster-sourced data being rendered into HTML output without escaping or sanitization, crossing a security boundary (S:C) from infrastructure into end-user browser sessions. No public exploit or CISA KEV listing has been identified at time of analysis, but the C:H confidentiality impact indicates potential for session token or credential harvesting from report consumers.

XSS Pen Drive
NVD
CVSS 3.1
6.9
EPSS
0.2%
Prev Page 4 of 8 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy