Skip to main content
CVE-2026-50740 MEDIUM This Month

Reflected XSS in Revive Adserver 6.0.7 and earlier allows a low-privileged user to inject unsanitized JavaScript via the `refresh` parameter in the zone-include.php iFrame invocation script. The CVSS scope change (S:C) indicates that attacker-controlled script executes in the victim's browser security context, enabling session hijacking, credential theft, or malicious redirects against targeted users who click a crafted URL. No active exploitation confirmed (not in CISA KEV) and no public exploit code identified at time of analysis, though the low attack complexity makes this straightforward for any attacker with XSS capability.

XSS PHP Adserver
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-50742 MEDIUM This Month

Stored cross-site scripting in Revive Adserver 6.0.7 allows an authenticated low-privilege attacker to inject persistent XSS payloads via entity names that render unescaped within the maintenance-acl-check.php and maintenance-banners-check.php tools. When an administrator later runs these maintenance utilities and inconsistencies are detected, the malicious payload executes in the admin's browser context, potentially enabling session hijacking or unauthorized administrative actions. No public exploit or active exploitation (CISA KEV) has been identified at time of analysis; the AC:H vector reflects that payload execution is partially outside attacker control, contingent on admin use of the specific maintenance tools.

XSS PHP Adserver
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-56823 MEDIUM PATCH This Month

{webhook_id}/ping` endpoint performs no ownership check - only verifying that a caller is authenticated, not that the target webhook belongs to them. An attacker with a valid account can confirm webhook existence, leak OAuth provider metadata, and trigger unauthorized ping deliveries on behalf of other users. No public exploit code or CISA KEV listing has been identified at time of analysis.

Authentication Bypass Autogpt
NVD GitHub
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-57661 MEDIUM This Month

Broken access control in WPComplete WordPress plugin versions up to and including 2.9.5.5 allows authenticated subscribers to perform actions reserved for higher-privileged roles. The flaw stems from missing authorization checks (CWE-862), enabling low-privileged WordPress users to bypass access restrictions on plugin functionality. No public exploit code or CISA KEV listing is identified at time of analysis, but the low attack complexity and network accessibility make this straightforward to exploit by any subscriber-level account.

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.2%
CVE-2026-57646 MEDIUM This Month

Insecure Direct Object Reference (IDOR) in the Majestic Support WordPress plugin (versions up to and including 1.1.7) allows any authenticated subscriber-level user to access or modify support objects belonging to other users by manipulating user-controlled resource identifiers. Reported by Patchstack's audit team and tracked as EUVD-2026-39761, the flaw carries a CVSS 5.4 Medium rating with both confidentiality and integrity impact confirmed. No public exploit code or CISA KEV listing is identified at time of analysis, but the low attack complexity and broad attacker pool (any registered WordPress user) make it a meaningful risk on multi-tenant or customer-facing WordPress installations running this plugin.

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.2%
CVE-2026-57632 MEDIUM This Month

Broken access control in Email Marketing for WooCommerce by Omnisend (versions up to and including 1.19.0) allows authenticated subscriber-level WordPress users to invoke privileged plugin functionality without proper authorization checks. Exploitation requires only a low-privilege WordPress account and no user interaction, enabling unauthorized modification of plugin state and potential availability disruption. No public exploit code or active exploitation has been identified at time of analysis, but the low barrier - subscriber-level access - elevates real-world concern on sites with open user registration.

Authentication Bypass WordPress
NVD
CVSS 3.1
5.4
EPSS
0.3%
CVE-2025-63041 MEDIUM This Month

Broken access control in the 'Forget About Shortcode Buttons' WordPress plugin (versions <= 2.1.3) allows authenticated Contributors to invoke restricted plugin functionality without proper authorization checks. The root cause is CWE-862 (Missing Authorization), meaning the plugin exposes one or more privileged endpoints or actions without verifying that the calling user holds a sufficient role. An attacker with a Contributor account on the target WordPress site can exploit this to make unauthorized integrity or availability modifications within the scope of what the plugin controls. No public exploit code and no CISA KEV listing are identified at time of analysis.

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.2%
CVE-2026-13426 MEDIUM This Month

Path traversal in Mattermost's Go server module allows authenticated remote attackers to redirect API calls to unintended endpoints by embedding path traversal components (e.g., '../') within crafted ID parameters. The affected library is github.com/mattermost/mattermost/server/public versions prior to v0.1.22, which fails to sanitize path parameters before constructing API route paths. Exploitation yields limited confidentiality and integrity impact (CVSS 5.4 Medium); no public exploit code and no CISA KEV listing have been identified at time of analysis.

Mattermost Path Traversal
NVD VulDB
CVSS 3.1
5.4
EPSS
0.2%
CVE-2026-29509 MEDIUM PATCH This Month

Path traversal in Patool's safe_extract() function allows an attacker-controlled archive to write files to arbitrary locations on the filesystem when extracted by a victim running Patool before 4.0.5 on Python before 3.12. The flaw exists because the is_within_directory() helper in patoolib/programs/py_tarfile.py uses os.path.commonprefix() for character-level string prefix matching rather than path-component-level comparison, making it trivially bypassable with crafted member paths. No public exploit or CISA KEV listing has been identified at time of analysis, but the low-complexity exploitation conditions and complete integrity bypass make this a meaningful risk for affected deployments.

Python Path Traversal Patool
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.3%
CVE-2025-32423 MEDIUM PATCH This Month

Memory amplification denial-of-service in AutoGPT's ExtractTextInformationBlock enables authenticated users to exhaust server memory with disproportionately small inputs - a 10KB submission forces approximately 50GB of server-side memory allocation, a 5,000,000:1 amplification ratio. All AutoGPT versions prior to 0.6.32 by Significant-Gravitas are affected. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; the vendor released a fix in version 0.6.32.

Denial Of Service Autogpt
NVD GitHub
CVSS 4.0
5.3
EPSS
0.2%
CVE-2025-64637 MEDIUM This Month

Unauthenticated content injection in the Auros Core WordPress plugin (versions 5.3.1 and earlier) permits remote attackers to inject script-related HTML tags into rendered page output without any privileges or user interaction. The vulnerability is classified under CWE-80 (Basic XSS) and carries a CVSS 3.1 score of 5.3 (Medium), with impact limited to low confidentiality - consistent with an attacker reading page-context data rather than persistently compromising other users' sessions. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA Known Exploited Vulnerabilities catalog.

XSS
NVD
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-57660 MEDIUM This Month

Unauthenticated broken access control in the Booking and Rental Manager WordPress plugin (versions <= 2.7.1) allows remote unauthenticated attackers to perform restricted actions, resulting in unauthorized integrity modifications to booking or rental data. The flaw stems from missing authorization checks (CWE-862), meaning any network-accessible request can bypass intended access controls without credentials. No public exploit code or active exploitation has been identified at time of analysis, and the CVSS score of 5.3 (Medium) reflects the limited impact scope - integrity only, no confidentiality or availability loss.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-57925 MEDIUM PATCH This Month

Improper access control in JetBrains YouTrack before version 2026.2.16593 permits authenticated low-privileged users to read saved queries and tags outside their authorized scope. The flaw stems from missing authorization checks (CWE-862), meaning the application fails to verify whether the requesting user holds the required permissions before serving these resources over the network. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog, though the network-accessible nature of the issue means any authenticated user on an exposed YouTrack instance is a potential threat actor.

Authentication Bypass Youtrack
NVD
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-57924 MEDIUM PATCH This Month

Excessive user profile data disclosure in JetBrains YouTrack before 2026.2.16593 results from overly permissive default role configuration, allowing any authenticated low-privilege user to read more user profile attributes than intended. The root cause is CWE-276 (Incorrect Default Permissions), where the shipped default role grants broader read access to user directory data than the principle of least privilege requires. No public exploit or confirmed active exploitation exists at time of analysis.

Privilege Escalation Youtrack
NVD
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-57922 MEDIUM PATCH This Month

Project settings disclosure in JetBrains YouTrack before version 2026.2.16593 allows an authenticated low-privileged user to read project configuration data they are not authorized to access via the MCP (Model Context Protocol) integration. The root cause is a missing authorization check (CWE-862) on MCP-exposed endpoints, meaning the server returns project settings without validating the requesting user's project-level permissions. No public exploit has been identified at time of analysis, no KEV listing exists, and a vendor-released patch is available.

Authentication Bypass Youtrack
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-50029 MEDIUM POC PATCH GHSA This Month

Silent type confusion in js-toml's TOML interpreter allows attacker-controlled input to overwrite falsy primitive values (false, 0, empty string) with truthy objects, defeating duplicate-key enforcement required by TOML 1.0.0 spec. All versions of js-toml up to and including 1.1.1 are affected via the npm package (pkg:npm/js-toml). Attackers who can supply TOML input to an application using this parser can cause security-gated boolean checks such as if (config.isAdmin) or if (!user.banned) to silently evaluate as truthy, enabling authentication bypass. A working proof-of-concept is publicly available in the GitHub security advisory GHSA-m34p-749j-x6m6; no confirmed active exploitation (CISA KEV) has been identified at time of analysis.

Authentication Bypass
NVD GitHub
CVSS 3.1
5.3
CVE-2026-44163 MEDIUM PATCH GHSA This Month

Memory exhaustion in fluent-plugin-opentelemetry versions 0.5.2 and earlier allows unauthenticated remote attackers to crash the Fluentd process by sending an oversized HTTP request body or a decompression bomb to the `in_opentelemetry` HTTP input endpoint (default port 4318). The plugin reads and decompresses the entire payload into memory without enforcing size thresholds, enabling an OOM kill of Fluentd and complete disruption of log collection and forwarding on the affected node. No public exploit code or CISA KEV listing has been identified at time of analysis.

Nginx Denial Of Service
NVD GitHub
CVSS 3.1
5.3
CVE-2025-32394 MEDIUM PATCH This Month

Memory exhaustion in AutoGPT's AITextSummarizerBlock allows authenticated users to trigger extreme resource amplification - approximately 10 KB of crafted input causes the server to allocate roughly 50 GB of memory, crashing the platform for all users. All versions prior to 0.6.32 are affected per the vendor's GitHub Security Advisory (GHSA-955p-gpfx-r66j). No public exploit or CISA KEV listing has been identified, but the low attack complexity for any authenticated user makes this a realistic internal or multi-tenant threat.

Denial Of Service Autogpt
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-11779 MEDIUM This Month

Improper authorization in PayloadCMS 3.84.1 allows low-privilege authenticated users to invoke the account unlock operation without sufficient access control, effectively bypassing the brute-force lockout mechanism protecting other user accounts. Reported by Fluid Attacks, this flaw has both a confidentiality and integrity dimension: attackers can disclose account state information and manipulate the lock status of accounts they do not own. No public exploit code or CISA KEV listing has been identified at time of analysis.

Information Disclosure Payloadcms
NVD GitHub
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-57665 MEDIUM This Month

Unauthenticated IDOR in GravityView WordPress plugin (≤ 3.0.0) allows remote attackers to bypass object-level authorization and access form entry data belonging to other users without any credentials or interaction. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms exploitation is trivially reachable over the network with no prerequisites beyond the plugin being active and a view being publicly rendered. No public exploit code or CISA KEV listing has been identified at time of analysis, but the zero-authentication requirement and low complexity make manual exploitation straightforward.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-57652 MEDIUM This Month

Unauthenticated IDOR in the JS Help Desk WordPress plugin (versions ≤3.1.0) exposes support ticket objects to unauthorized access by any remote attacker. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms exploitation requires no authentication and no user interaction against a default plugin installation. Impact is limited to confidentiality (C:L), enabling enumeration and read access to other users' ticket data; no public exploit code identified at time of analysis.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-57633 MEDIUM This Month

Unauthenticated sensitive data exposure in the WCBoost - Products Compare WordPress plugin (versions <= 1.1.0) allows any remote attacker to access sensitive information without credentials. The CVSS vector confirms network-accessible exploitation requiring no authentication, no user interaction, and low complexity, yielding a partial confidentiality breach. No public exploit code or active exploitation has been identified at time of analysis, though the zero-barrier entry point makes opportunistic scanning trivial.

Information Disclosure
NVD
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-57630 MEDIUM This Month

Unauthenticated IDOR in Blocksy Companion Pro WordPress plugin (versions through 2.1.46) allows remote unauthenticated attackers to access restricted objects by manipulating user-controlled reference keys, resulting in unauthorized information disclosure. The CVSS 5.3 Medium score reflects network-reachable, zero-authentication access (AV:N/AC:L/PR:N/UI:N) but limited confidentiality impact only (C:L/I:N/A:N). No active exploitation has been confirmed (not listed in CISA KEV), and no EPSS data was provided, though the trivial exploitation complexity elevates practical risk above the moderate score suggests.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-24547 MEDIUM This Month

Broken access control in the SiteGround Email Marketing WordPress plugin (versions 1.7.5 and earlier) permits unauthenticated remote attackers to perform privileged actions due to missing authorization checks (CWE-862). The CVSS vector confirms network-accessible, low-complexity, zero-privilege exploitation with an integrity-only impact, meaning attackers can manipulate plugin-managed data or functionality without logging in. No active exploitation has been confirmed at time of analysis, and no public exploit code has been identified.

Authentication Bypass
NVD VulDB
CVSS 3.1
5.3
EPSS
0.2%
CVE-2025-66123 MEDIUM This Month

Unauthenticated IDOR in the BookPro WordPress plugin (versions ≤ 1.1.0) exposes arbitrary booking records to remote attackers without any authentication. By manipulating object reference identifiers in HTTP requests, an unauthenticated attacker can retrieve booking data belonging to other users, bypassing authorization entirely. No public exploit code or CISA KEV listing has been identified at time of analysis, and CVSS confirms the impact is limited to partial confidentiality disclosure with no integrity or availability consequence.

Authentication Bypass
NVD VulDB
CVSS 3.1
5.3
EPSS
0.2%
CVE-2025-64636 MEDIUM This Month

Broken access control in the Donation Thermometer WordPress plugin version 2.2.7 and earlier allows unauthenticated remote attackers to perform unauthorized actions with low integrity impact against affected WordPress installations. The flaw stems from missing authorization checks (CWE-862), permitting requests that should be gated behind authentication or capability checks to succeed without credentials. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, and the CVSS score of 5.3 Medium reflects the limited impact scope.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-48770 MEDIUM PATCH This Month

Notepad++ versions prior to 8.9.6.1 can be crashed by any local process sharing the same interactive Windows session via a malformed WM_COPYDATA message. The COPYDATA_FULL_CMDLINE handler in NppBigSwitch.cpp dereferences COPYDATASTRUCT.lpData as an unbounded NUL-terminated wchar_t* without validating against the COPYDATASTRUCT.cbData length field, enabling an out-of-bounds read that results in process termination. No active exploitation has been confirmed (no CISA KEV listing, no public POC), and the fix is available in the vendor-released patch 8.9.6.1.

Microsoft Buffer Overflow Information Disclosure Notepad Plus Plus
NVD GitHub VulDB
CVSS 3.1
5.0
EPSS
0.3%
CVE-2026-28385 MEDIUM PATCH This Month

Server-Side Request Forgery in Canonical LXD's image import endpoint allows authenticated users holding the can_create_images entitlement to direct the LXD daemon to make arbitrary outbound HTTP connections, including to loopback addresses, RFC1918 private ranges, and cloud instance metadata services such as 169.254.169.254. Affected versions span 4.12 through 6.9. An attacker can leverage error-based responses to enumerate internal TCP ports and fingerprint internal HTTP services from the daemon's privileged network position, enabling lateral reconnaissance in multi-tenant or cloud-hosted environments. No public exploit code has been identified at time of analysis, and CISA has not listed this in KEV.

SSRF Canonical Lxd
NVD GitHub VulDB
CVSS 3.1
5.0
EPSS
0.2%
CVE-2026-13434 MEDIUM This Month

Network annotation injection in KubeVirt's VirtualMachineInstance API allows authenticated tenants to attach launcher pods to arbitrary network namespaces by writing unsanitized JSON into the Multus CNI default-network annotation. Exploitation is gated on the ExternalNetResourceInjection Beta feature gate being explicitly enabled by a cluster-admin (off by default, first available in OpenShift Virtualization 4.21), which intentionally bypasses the NAD namespace lookup that would otherwise reject malformed annotation values. A successful attack permits cross-namespace network attachment and IP/MAC address impersonation on segments normally segregated from tenant workloads; no public exploit has been identified at time of analysis.

Code Injection Red Hat Openshift Virtualization 4 Suse
NVD VulDB
CVSS 3.1
4.9
EPSS
0.2%
CVE-2026-54242 MEDIUM PATCH GHSA This Month

Server-Side Request Forgery (SSRF) in Statamic CMS allows authenticated low-privilege users to cause the server to make HTTP requests to internal addresses - including loopback, RFC-1918 private ranges, and cloud metadata endpoints such as 169.254.169.254 - by exploiting a DNS rebinding flaw in the Glide image proxy. Affected versions are statamic/cms before 5.73.24 and 6.x before 6.20.1 on sites that accept user-supplied remote image URLs. No public exploit or CISA KEV listing has been identified at time of analysis, but the scope-changed CVSS vector and cloud metadata exposure make this a meaningful risk for cloud-hosted deployments.

Authentication Bypass
NVD GitHub
CVSS 3.1
4.9
CVE-2026-57627 MEDIUM This Month

Server-Side Request Forgery in the Kirki WordPress customizer framework plugin (versions up to and including 6.0.11) allows authenticated subscriber-level users to induce the server to issue arbitrary HTTP requests to internal or external network destinations. The Scope:Changed CVSS designation confirms the exploit can pivot beyond the WordPress application itself to reach internal infrastructure. No public exploit code or active exploitation via CISA KEV has been identified at time of analysis, but the subscriber-level privilege requirement lowers the bar significantly for sites permitting open user registration.

SSRF
NVD
CVSS 3.1
4.9
EPSS
0.2%
CVE-2026-8661 MEDIUM PATCH This Month

Server-side JavaScript execution and outbound HTTP request capabilities in Rapid7 InsightConnect Markdown Plugin versions 3.1.4 and earlier allow remote attackers to execute arbitrary scripts and make unauthorized HTTP requests through malicious content embedded in Markdown input to the markdown_to_pdf action. The PDF rendering engine lacks sufficient restrictions on script execution and network access. Patched version 4.0.0 is available from the vendor.

XSS SSRF Insightconnect Markdown Plugin
NVD GitHub
CVSS 3.1
4.8
EPSS
0.3%
CVE-2026-48785 MEDIUM PATCH GHSA This Month

Apptainer's `limit container paths` security directive in setuid mode fails to enforce path boundaries correctly because it uses string prefix matching rather than full path-component comparison, allowing local users to run containers from sibling directories whose names begin with an allowed path string. A system configured to allow only `/data/safe` will inadvertently also permit `/data/safe-but-unsafe` or any other path sharing that prefix. This affects only installations running Apptainer in setuid mode with the `limit container paths` directive explicitly configured; no public exploit has been identified at time of analysis, and the vendor-confirmed fix is available in version 1.5.1.

Path Traversal Suse
NVD GitHub
CVSS 3.1
4.8
CVE-2026-38571 MEDIUM This Month

Cleartext storage and exposure of WPA2 credentials, and missing authentication on the rr/wr memory read/write commands, in the unauthenticated UART debug console of the Tenda N300 F3 (V603) allow a physically proximate attacker to obtain stored WPA2 credentials in cleartext and to read or write arbitrary memory via the serial console.

Authentication Bypass Tenda N A
NVD GitHub VulDB
CVSS 3.1
4.6
EPSS
0.2%
CVE-2026-47778 MEDIUM PATCH This Month

Certificate SAN validation in Envoy Proxy is bypassed when an attacker-controlled upstream serves a TLS certificate containing an embedded NUL byte in the dNSName Subject Alternative Name field. Envoy versions prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1 are affected, allowing an attacker who controls or can impersonate an upstream TLS endpoint to pass Envoy's configured SAN match check with a fraudulent certificate and intercept proxied traffic. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Information Disclosure Envoy
NVD GitHub VulDB
CVSS 3.1
4.4
EPSS
0.2%
CVE-2026-47692 MEDIUM PATCH This Month

PROXY Protocol v2 TLV overflow in Envoy Proxy versions 1.34.0 through the pre-fix series allows an operator-level attacker on an adjacent network to smuggle extraneous bytes into upstream requests. Envoy's header generator writes TLV content exceeding the protocol-mandated 65535-byte maximum without adjusting the length field, creating a header where declared length and actual byte count diverge - a textbook CWE-130 length-parameter inconsistency. No public exploit code has been identified and this vulnerability does not appear in the CISA KEV catalog; risk is constrained by the high-privilege and adjacent-network prerequisites reflected in the CVSS 4.8 medium score.

Information Disclosure Envoy
NVD GitHub
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-49355 MEDIUM PATCH This Month

The meeting agenda items REST API in OpenProject before 17.4.0 leaks private work package data to authenticated users who lack project-level access. When a meeting agenda item is linked to a work package belonging to a private or inaccessible project, the GET /api/v3/meetings/:meeting_id/agenda_items/:agenda_item_id endpoint returns that work package's confidential data in its response, silently bypassing project-level authorization checks. No public exploit is identified at time of analysis and this vulnerability is not listed in CISA KEV; a vendor-released patch is available in version 17.4.0.

Information Disclosure Openproject
NVD GitHub
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-44732 MEDIUM PATCH This Month

OpenProject's document update endpoint before versions 17.3.2 and 17.4.0 contains an authorization order-of-operations flaw (CWE-639) that allows any authenticated low-privilege user to move or modify documents belonging to projects they do not have permission to manage. By sending a single crafted PATCH request containing a `project_id` attribute pointing to a foreign project, the attacker exploits the endpoint's incorrect sequence - attributes are applied to the record before authorization is enforced - bypassing the `:manage_documents` permission check entirely. No public exploit code has been identified at time of analysis and this CVE is not listed in CISA KEV; however, the attack requires only a valid user session and standard HTTP tooling.

Authentication Bypass Openproject
NVD GitHub
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-44731 MEDIUM PATCH This Month

User account enumeration in OpenProject's meetings filter feature allows authenticated attackers to probe arbitrary user IDs and, by observing differences in server responses, determine whether each ID corresponds to a valid account and retrieve the associated user's full name. All versions prior to 17.3.2 and 17.4.0 are affected. No public exploit code or active exploitation has been identified at time of analysis, though the low-complexity attack path makes this straightforward to weaponize for reconnaissance.

Authentication Bypass Openproject
NVD GitHub
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-50744 MEDIUM This Month

Session fixation via failed authentication in Revive Adserver 6.0.7's XML-RPC API allows a low-privileged attacker to bypass the admin-only restriction on that API. The ox.login method issues a valid session cookie in HTTP response headers before completing credential validation; when authentication fails, the error is returned to the caller but the underlying server-side session is never torn down. A threat actor who captures that leaked cookie can then replay it to invoke otherwise admin-restricted XML-RPC methods without possessing admin credentials. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass Adserver
NVD
CVSS 3.0
4.3
EPSS
0.2%
CVE-2026-50739 MEDIUM This Month

Ownership validation bypass in Revive Adserver 6.0.7 and earlier allows a low-privileged authenticated user to link their own trackers to campaigns belonging to other managers on the same instance via the `tracker-campaigns.php` script. This is a bypass of the fix introduced for CVE-2026-34913, which applied ownership checks only to the forward linking operation but omitted the reverse direction. The impact is confined to integrity - specifically, creation of inconsistent cross-manager ownership relationships - with no confidentiality or availability consequences. No public exploit identified at time of analysis.

Authentication Bypass PHP Adserver
NVD
CVSS 3.0
4.3
EPSS
0.2%
CVE-2026-57648 MEDIUM This Month

Broken access control in the Nelio Content WordPress plugin (versions 4.3.4 and earlier) allows authenticated users holding only the Contributor role to bypass intended authorization restrictions and perform actions reserved for higher-privileged roles. The root cause is missing authorization checks (CWE-862) on one or more plugin endpoints, enabling unauthorized integrity-affecting operations on content managed by the plugin. No public exploit code is identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-41262 MEDIUM POC PATCH GHSA This Month

Cross-team policy data exposure in Fleet DM allows any authenticated user holding observer-level access on a single team to read the full policy details - including SQL queries, host compliance counts, and software/script metadata - of policies belonging to any other team in the instance. The vulnerability stems from an authorization check performed against a placeholder empty struct (nil TeamID) rather than the actual fetched policy object, causing Fleet's OPA authorization engine to incorrectly grant access. A public proof-of-concept is included in the GitHub advisory (GHSA-gm7f-v959-fr2g); no active exploitation has been confirmed via CISA KEV. The issue is fixed in Fleet DM v4.85.0.

Authentication Bypass
NVD GitHub
CVSS 3.1
4.3
CVE-2026-55838 MEDIUM This Month

Unauthorized access to the admin metrics endpoint in RustFS 1.0.0-beta.7 and earlier allows any authenticated IAM user to read server-wide operational telemetry regardless of their assigned policy. The MetricsHandler for /rustfs/admin/v3/metrics omits the validate_admin_request call that every other admin handler enforces, exposing disk I/O statistics, network throughput, scanner cycle timing, and cluster RPC state to restricted users whose policies should grant no such visibility. No public exploit has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass Rustfs
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-57664 MEDIUM This Month

Sensitive data exposure in the Bopo - WooCommerce Product Bundle Builder plugin for WordPress (versions ≤ 1.1.6) allows low-privileged authenticated users to access information that should be restricted to higher-trust roles. The flaw is classified under CWE-497, indicating the plugin exposes sensitive system or application data to an unauthorized control sphere - likely via an improperly protected REST API endpoint or AJAX action lacking appropriate capability checks. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

WordPress Information Disclosure
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-57657 MEDIUM This Month

Cross-Site Request Forgery in the Gmail SMTP WordPress plugin (versions up to and including 1.2.3.19) enables a remote unauthenticated attacker to trigger unauthorized state-changing actions on behalf of a logged-in WordPress administrator. The attacker does not need any credentials - only the administrator's authenticated browser session, obtained by luring them to a malicious page. No public exploit identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, but the low attack complexity and zero-privilege requirement make it straightforward to exploit once a target is identified.

CSRF
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-57649 MEDIUM This Month

Broken access control in the Shoppable Images Lite WordPress plugin (versions 1.3 and below) allows subscriber-level authenticated users to perform actions or access data beyond their authorized scope. Rooted in CWE-862 (Missing Authorization), the plugin fails to verify whether the requesting user holds sufficient privileges before executing restricted functionality. No public exploit code or active exploitation (CISA KEV) has been identified at the time of analysis; real-world risk is tempered by the authentication prerequisite and the plugin's limited deployment footprint.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-57640 MEDIUM This Month

Broken Access Control in the MasterStudy LMS WordPress plugin (versions ≤ 3.7.30) permits authenticated subscriber-level users to perform actions that exceed their intended permissions. Rooted in CWE-862 (Missing Authorization), the plugin fails to enforce capability checks on one or more endpoints, allowing low-privileged registered users to make unauthorized integrity-affecting modifications. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, though the low complexity and network accessibility make it straightforward to exploit on sites with open user registration.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-57637 MEDIUM This Month

Cross-Site Request Forgery in the Abandoned Cart Lite for WooCommerce WordPress plugin (versions 6.8.0 and below) enables unauthenticated remote attackers to perform unauthorized state-changing actions by luring an authenticated site user into visiting a malicious page. The CVSS score of 4.3 (Medium) reflects a limited integrity impact with no confidentiality or availability consequences. No public exploit identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

WordPress CSRF
NVD VulDB
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-57634 MEDIUM This Month

Password Protect WordPress Page (PPWP) plugin versions up to and including 1.9.19 expose an Insecure Direct Object Reference (IDOR) flaw exploitable by authenticated Contributors, enabling unauthorized modification of password-protected page objects outside the attacker's authorized scope. The plugin fails to validate that the user-supplied object reference belongs to a resource the requesting Contributor is authorized to manage, as classified under CWE-639. No public exploit code has been identified and the vulnerability is not listed in CISA KEV; real-world risk is meaningfully constrained by the Contributor authentication prerequisite.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.2%
Prev Page 7 of 8 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy