Skip to main content
CVE-2026-57518 HIGH POC This Week

Privilege escalation to remote code execution in Pagekit CMS 1.0.18 lets an authenticated user holding the 'user: manage users' permission grant themselves arbitrary custom roles via an unprotected UserApiController::saveAction(), then assign a role carrying 'system: manage packages' to upload a malicious PHP package through the admin installer and run arbitrary code. Publicly available exploit code exists (gist by sermikr0, reported by VulnCheck), and the chain converts a limited management permission into full server compromise. No public evidence of active exploitation has been confirmed (not in CISA KEV).

Authentication Bypass RCE Privilege Escalation PHP Pagekit
NVD GitHub
CVSS 4.0
8.7
EPSS
0.5%
CVE-2026-48801 HIGH POC PATCH GHSA This Week

Denial of service in linkify-it (npm) through v5.0.0 lets remote unauthenticated attackers wedge a rendering worker by submitting tens of KB of repeated email/link-like text. The core public API LinkifyIt.prototype.match runs an O(N²) scan loop that re-slices the input and re-runs unanchored fuzzy regex searches once per match, so 64 KB of "a@b.com" burns ~2.5 s of single-threaded CPU and 128 KB ~10 s. The flaw is inherited by markdown-it (~21.6M weekly npm downloads) whenever linkify:true is set, exposing forums, chat, wikis and AI chat UIs; publicly available exploit code (a PoC in the GHSA advisory) exists, but there is no evidence of active exploitation.

Apple Node.js Mattermost Denial Of Service Gitlab
NVD GitHub
CVSS 4.0
8.7
EPSS
0.4%
CVE-2026-48778 HIGH POC PATCH This Week

Local code execution in Notepad++ before 8.9.6.1 occurs because the <GUIConfig name="commandLineInterpreter"> value in config.xml is loaded into _nppGUI._commandLineInterpreter with no validation, whitelist, or signature check, then passed directly to ShellExecute when a user invokes File → Open Containing Folder → cmd. An attacker who can plant or modify config.xml runs an arbitrary executable in the victim's session the next time they use this menu action. Publicly available exploit code exists (Exploit-DB 52606), but there is no public exploit identified as actively exploited; the issue is not in CISA KEV.

Command Injection Notepad Plus Plus
NVD GitHub Exploit-DB VulDB
CVSS 3.1
7.8
EPSS
1.4%
CVE-2026-10835 HIGH POC PATCH This Week

SQL injection in the SALESmanago & Leadoo WordPress plugin before 3.11.3 allows low-privileged authenticated users to inject arbitrary SQL through an unsanitised parameter passed to a vulnerable AJAX action. Because the action enforces no authorisation check, even subscriber-level accounts can reach it, and the CVSS scope-changed, high-confidentiality rating (7.7) reflects the ability to read data across the WordPress database. Publicly available exploit code exists (WPScan), though EPSS is low (0.16%) and SSVC classifies exploitation as proof-of-concept only, not active.

WordPress SQLi Salesmanago Leadoo
NVD WPScan VulDB
CVSS 3.1
7.7
EPSS
0.2%
CVE-2026-38639 HIGH POC This Week

An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of Service (DoS) via parsing a crafted input.

Denial Of Service N A
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-38641 HIGH POC This Week

Denial of service in relibc (the Redox OS C standard library) at commit 61f42d allows attackers to crash a process by getting it to load a maliciously crafted shared library, which mishandles resources in the DSO::mmap_and_copy dynamic-linking routine (CWE-404). Publicly available exploit code exists, but the flaw is not in CISA KEV and EPSS is very low (0.17%, 6th percentile), indicating no observed in-the-wild exploitation. Impact is confined to availability - no confidentiality or integrity loss.

Denial Of Service N A
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-10823 HIGH POC PATCH This Week

Information disclosure in the YMC Filter WordPress plugin before 3.11.3 lets unauthenticated remote attackers read the titles and content of private, draft, and other non-public posts by abusing a REST API endpoint that lacks proper authorization and fails to validate a user-supplied query parameter. WPScan reported the flaw, a public exploit exists, and a vendor patch is available; the CVSS 3.1 score is 7.5 reflecting high confidentiality impact with no integrity or availability effect.

WordPress Information Disclosure Ymc Filter
NVD WPScan VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-55975 HIGH CISA Act Now

Authenticated command injection in H.View HV-500S6 IP cameras allows a logged-in user to inject unsanitized XML field values into the device's certificate generation interface, which are passed into a backend certificate-creation shell command and executed with elevated privileges. Because exploitation requires valid credentials (CVSS 4.0 PR:H) but is reachable over the network with low complexity, an attacker who obtains any account on the device can run arbitrary OS commands and take full control of the camera. No public exploit has been identified at time of analysis and the CVE is not listed in CISA KEV.

Command Injection Hv 500S6 Ip Camera
NVD GitHub VulDB
CVSS 4.0
8.6
EPSS
0.7%
CVE-2026-56414 HIGH CISA Act Now

Arbitrary file upload in H.View HV-500S6 IP cameras lets an authenticated, high-privilege user (per CVSS PR:H) write unvalidated content to fixed, persistent filesystem paths reserved for trusted TLS certificate material, with no checks on file type, structure, or size. Because the planted data survives reboot, an attacker can corrupt or replace certificate stores to undermine device integrity, availability, and trust. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, but it is the subject of a CISA ICS advisory (ICSA-26-176-05).

File Upload Hv 500S6 Ip Camera
NVD GitHub VulDB
CVSS 4.0
8.6
EPSS
0.4%
CVE-2026-33560 HIGH CISA Act Now

Arbitrary file upload in the Daktronics DMP-5000 (and related VFC-DMP-5000 and DMP-8000) media player file service lets authenticated users write files of any type - including executable binaries and scripts - directly to the server with no extension filtering or content inspection. This unrestricted upload (CWE-434) gives a low-privileged operator a path to plant and potentially execute malicious code on these OT digital-media/scoreboard controllers. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

File Upload Vfc Dmp 5000 Dmp 5000 Dmp 8000
NVD GitHub VulDB
CVSS 4.0
8.4
EPSS
0.3%
CVE-2026-32833 HIGH PATCH This Week

Remote code execution in the Cudy LT300 3.0 4G LTE router (firmware before 2.5.12) lets authenticated users run arbitrary OS commands by embedding shell metacharacters in the cbid.system.ntp.current POST parameter of the system time (NTP) configuration page. Because the CVSS 4.0 vector specifies PR:L, an attacker needs valid (low-privileged) web credentials but no user interaction, and successful injection yields full host compromise (VC/VI/VA all High). No public exploit identified at time of analysis; the flaw was reported by VulnCheck and a vendor patch is available.

Command Injection RCE Lt300 3 0
NVD
CVSS 4.0
8.7
EPSS
1.3%
CVE-2026-50741 HIGH This Week

Remote code execution in Revive Adserver is reachable by authenticated low-privilege users who bypass the prior fix for CVE-2026-34916, either by supplying a disallowed-but-valid plugin identifier in the `type` parameter or by abusing the `ox.setChannelTargeting` XML-RPC API method. The flaw lets an attacker inject and execute arbitrary code (CWE-94) on the server, fully compromising confidentiality, integrity, and availability. Reported via HackerOne by multiple researchers (including phucrio and offsetmd); no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Code Injection RCE Adserver
NVD
CVSS 3.0
8.8
EPSS
0.3%
CVE-2026-56008 HIGH This Week

Privilege escalation in the Fusion Builder WordPress plugin (versions 3.15.4 and earlier) lets a low-privileged authenticated user, such as a Contributor, gain capabilities far beyond their role and effectively act as an administrator. The flaw was reported by Patchstack and carries a CVSS 8.8; no public exploit identified at time of analysis and it is not listed in CISA KEV. Because Fusion Builder is the page builder bundled with the widely sold Avada theme, the exposure spans a large number of WordPress sites that allow self-registration or untrusted contributor accounts.

Privilege Escalation
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-53281 HIGH PATCH This Week

Local privilege escalation or denial of service in the Linux kernel's Intel VT-d IOMMU driver (iommu/vt-d) arises from incomplete handling of a missing dev_pasid entry during PASID teardown; an authenticated low-privileged actor able to drive IOMMU/PASID detach operations can trigger a NULL pointer dereference or unbalanced refcount that may decay into a use-after-free. This completes an earlier partial fix (commit 60f030f7418d) and is tagged as Denial of Service. There is no public exploit identified at time of analysis, and EPSS exploitation probability is low at 0.17% (6th percentile).

Linux Denial Of Service Null Pointer Dereference
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-53322 HIGH PATCH This Week

Resource access-after-free in the Linux kernel's vfio/pci subsystem allows a local user with device access to read or corrupt PCI device resources during a race window on device shutdown, because vfio_pci_core_close_device() disabled the function before tearing down DMABUF exports. During the window the function's Memory Space Enable bit is cleared and its BARs (and their backing resources) are freed and reassignable to another driver, while stale DMABUF mappings still reference them. EPSS is low (0.14%, 4th percentile) and there is no public exploit identified at time of analysis; the upstream fix reorders cleanup to revoke DMABUF access first.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-49258 HIGH GHSA This Week

Cross-operator authorization bypass in juev/nebula-mesh (<= 0.3.4) lets any authenticated non-admin operator read and mutate resources owned by other operators through the web UI (/ui/*), which-unlike the JSON API fixed in GHSA-598g-never applies per-operator CA scoping. An attacker with a low-privileged operator account can enumerate every operator's hosts and networks (names, Nebula/public IPs, certificate fingerprints, CIDRs) and can block (revoke certificates) or delete any host in the deployment, causing cross-operator denial of service. No public exploit identified at time of analysis and the issue is not in CISA KEV, but exploitation is trivial for any non-admin user once one exists.

Authentication Bypass Denial Of Service
NVD GitHub
CVSS 3.1
8.8
CVE-2026-52784 HIGH PATCH This Week

Privilege escalation in OpenProject before 17.3.3 and 17.4.1 lets an attacker forge a cross-site request to /users/:id carrying the POST parameter user[admin], coercing a logged-in privileged user's browser into granting administrator rights to an arbitrary account. The flaw (CWE-352) rates CVSS 8.8 because a successful forgery yields full administrative control over the instance; no public exploit is identified at time of analysis and it is not listed in CISA KEV. Both the 17.3.x and 17.4.x maintenance lines are affected, with fixes shipped in 17.3.3 and 17.4.1.

CSRF Openproject
NVD GitHub
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-45405 HIGH PATCH This Week

Arbitrary file write in Dokku before 0.38.2 lets an attacker with deploy-level access escalate to full shell access on the host. The git:from-archive and certs:add commands extract attacker-supplied tar/zip archives without sanitizing member paths, and because GNU tar creates and then follows symlinks during extraction, a crafted archive can plant files anywhere the dokku user can write - most damagingly ~/.ssh/authorized_keys. There is no public exploit identified at time of analysis and CISA SSVC records exploitation as none, but the technical impact is rated total.

Information Disclosure Docker Dokku
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-45406 HIGH PATCH This Week

OS command execution on the Dokku host is possible through the openresty-vhosts plugin in versions prior to 0.38.2, where custom OpenResty include filenames from an app's git repository are interpolated unescaped into a single-quoted shell string that is later run through eval. An attacker who can deploy a Dokku app with the openresty proxy enabled can plant a file whose name contains a single quote to break the quoting and inject a command substitution, executing arbitrary commands as the dokku user on the next deploy. There is no public exploit identified at time of analysis and it is not in CISA KEV, though the upstream advisory and a security regression test document the mechanism precisely.

Code Injection Information Disclosure Docker Dokku
NVD GitHub
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-57659 HIGH This Week

Cross-Site Request Forgery in the WordPress plugin 'Paid Memberships Pro - Add Member From Admin' (versions 0.7.2 and earlier) lets a remote attacker forge privileged member-management actions by tricking a logged-in administrator into loading a malicious page. Because the plugin's member-add functionality lacks valid CSRF nonce protection (CWE-352), an attacker can abuse the admin's authenticated session to create or modify membership records, yielding high confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; EPSS data was not supplied.

CSRF
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-56055 HIGH This Week

Authenticated PHP object injection in the RealHomes WordPress theme (versions 4.5.3 and earlier) lets a low-privileged Subscriber-level account inject crafted serialized objects into an unsafe deserialization sink (CWE-502). Because WordPress applications and plugins commonly contain POP gadget chains, this can escalate to arbitrary file operations, SQL injection, or remote code execution, which is reflected in the high CVSS 8.8 (C:H/I:H/A:H). Reported by Patchstack; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Deserialization PHP
NVD VulDB
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-56038 HIGH This Week

Privilege escalation in the Frisbii Pay (reepay-checkout-gateway) WordPress plugin through version 1.8.2 allows a low-privileged authenticated user holding a Contributor role to elevate to higher privileges due to a missing authorization check. Reported through Patchstack's audit program and tagged as both Authentication Bypass and Privilege Escalation, the flaw carries a CVSS 8.8 and full confidentiality, integrity, and availability impact, meaning a successful actor can effectively take administrative control of the affected WordPress site. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass Privilege Escalation
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-56010 HIGH This Week

Privilege escalation in the Abandoned Cart Pro for WooCommerce plugin (versions <= 10.4.0) allows an authenticated low-privileged user (Subscriber) to elevate their own permissions and gain higher-privileged capabilities within the WordPress site. The flaw, reported by Patchstack and classified as CWE-266 (Incorrect Privilege Assignment), carries a CVSS 8.8 and is network-exploitable with low complexity once an attacker holds any minimal account. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

WordPress Privilege Escalation
NVD VulDB
CVSS 3.1
8.8
EPSS
0.4%
CVE-2025-68052 HIGH This Week

Cross-Site Request Forgery in the Eagle Booking WordPress plugin (versions 1.3.4.3 and earlier) lets an unauthenticated attacker forge state-changing requests that execute with a logged-in victim's privileges when that victim is lured into triggering a malicious page. Reported through Patchstack and tracked as CVE-2025-68052 (CWE-352) with a CVSS 8.8 score, it has no public exploit identified at time of analysis and is not listed in CISA KEV. Because exploitation hinges on tricking an authenticated user (UI:R), real-world impact depends on which privileged user is targeted.

CSRF
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-57527 HIGH PATCH This Week

Arbitrary code execution in the OWASP ZAP ViewState add-on (versions before 4) lets a malicious or attacker-controlled proxied web server compromise the security tester's own ZAP instance. By embedding a crafted serialized Java object in the javax.faces.ViewState response parameter, an attacker triggers unsafe Java deserialization inside the ZAP JVM the moment the operator views the ViewState panel in the Desktop UI. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the vendor has published an advisory and shipped a fix (viewstate-v4) that disables JSF support entirely.

Deserialization Java RCE
NVD GitHub
CVSS 4.0
8.7
EPSS
0.5%
CVE-2026-56773 HIGH PATCH This Week

Broken access control in Teable's v2 REST API lets any authenticated user bypass authorization and act across bases and tables they should not reach. Because the ORPC controller endpoints (e.g. GET /api/v2/tables/get, POST /api/v2/tables/updateRecords) ship without the required @Permissions metadata, an attacker holding even a low-privileged account can enumerate schemas, create tables, and modify or delete arbitrary records. No public exploit is identified at time of analysis, and the issue is not on CISA KEV, but a vendor fix (PR #3285) and patched release are available.

Authentication Bypass
NVD GitHub
CVSS 4.0
8.7
EPSS
0.4%
CVE-2026-9220 HIGH This Week

Cleartext recovery of Setracker2 GPS-watch traffic is possible because the com.tgelec.setracker Android companion app (versions 3.1.5 and prior) protects watch-to-backend requests with static, hardcoded AES keys and initialization vectors. Any attacker who can observe the encrypted traffic - or who extracts the keys from the freely distributed APK - can decrypt communications between the wearable tracker and its cloud backend, exposing location and account data of the (frequently child) wearers. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV.

Information Disclosure Google
NVD
CVSS 4.0
8.7
EPSS
0.2%
CVE-2026-9221 HIGH This Week

Session hijacking in the Setracker2 Android companion app (com.tgelec.setracker) version 3.1.5 and earlier stems from the use of MD5 to generate the request signature that authenticates traffic between the mobile client and the backend REST API. Because MD5 is cryptographically broken, an attacker who can observe a signed request may reverse the signature to recover the embedded session ID and then impersonate the legitimate user, issuing authenticated API calls against the kids'/GPS-tracker backend. Reported by CISA ICS-CERT (DHS) and tracked in a CSAF advisory; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Information Disclosure Google
NVD
CVSS 4.0
8.7
EPSS
0.2%
CVE-2026-55069 HIGH PATCH This Week

Offline administrator password recovery in Kestra OSS (versions prior to 1.3.24) stems from its BasicAuth component storing the admin credential as a fast SHA-512 hash. An attacker who already holds read access to the backing PostgreSQL database can extract that hash and crack it offline at high speed, then log in as administrator; in Kubernetes deployments this further exposes the cluster ServiceAccount token and all K8s Secrets, enabling vertical privilege escalation. No public exploit identified at time of analysis and not on CISA KEV; EPSS data was not provided.

PostgreSQL Kubernetes Privilege Escalation Kestra
NVD GitHub VulDB
CVSS 3.1
8.7
EPSS
0.2%
CVE-2026-56876 HIGH Monitor

Arbitrary file read/write in the Node.js extract-zip library (max-mapper/extract-zip) arises because symlink entries inside zip archives are extracted without validating their targets. An attacker who supplies a crafted archive containing a symlink with a traversal target such as '../../../../etc/passwd' can cause files to be placed or resolved outside the intended extraction directory, leading to disclosure or modification of sensitive files depending on how the host application uses the extracted output. No public exploit has been identified at time of analysis and the issue is not listed in CISA KEV, though the CVSS 4.0 base score of 8.6 reflects high confidentiality and integrity impact.

Path Traversal Extract Zip
NVD GitHub
CVSS 4.0
8.6
EPSS
0.3%
CVE-2026-49991 HIGH This Week

Cross-tenant object injection in RustFS 1.0.0-beta.4 lets a tenant holding only PutObject rights on their own bucket write arbitrary objects into other tenants' buckets, fully breaking multi-tenant isolation. The flaw lives in the Snowball auto-extract feature and chains three weaknesses (unsanitized tar entry keys, IAM wildcard matching on raw paths, and filesystem path cleaning that resolves ../ across bucket boundaries). No public exploit is identified at time of analysis, and it is not listed in CISA KEV.

Path Traversal Rustfs
NVD GitHub
CVSS 3.1
8.6
EPSS
0.3%
CVE-2026-57877 HIGH This Week

Unauthenticated format string flaw in the vlsvr service of GeoVision GV-LPC2011 and GV-LPC2211 license plate recognition cameras (firmware V1.12 and earlier) lets remote attackers send crafted login data that the device passes unsanitized into a log-formatting routine. Successful exploitation can leak memory contents, corrupt memory, or crash the service, with the high availability impact (CVSS 8.6) reflecting denial of service as the most reliable outcome. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Denial Of Service Information Disclosure Gv Lpclpc2011 2211
NVD
CVSS 3.1
8.6
EPSS
0.2%
CVE-2026-56035 HIGH This Week

Information disclosure and related weaknesses in the BitFire Security WordPress firewall plugin (versions 5.0.3 and earlier) let remote unauthenticated attackers extract sensitive data and tamper with limited integrity, per a Patchstack-reported advisory. The CVSS 3.1 base score of 8.6 reflects network-reachable, no-privilege exploitation (AV:N/AC:L/PR:N/UI:N) with high confidentiality impact, ironic for a product whose purpose is to harden WordPress sites. No public exploit code has been identified at time of analysis, and the issue is not on the CISA KEV list; EPSS data was not provided.

Information Disclosure
NVD VulDB
CVSS 3.1
8.6
EPSS
0.3%
CVE-2026-57667 HIGH This Week

SQL injection in the Groundhogg WordPress CRM/marketing-automation plugin (versions <= 4.5) allows an authenticated low-privileged user holding the Sales Representative role to inject arbitrary SQL into a database query, exposing sensitive data across the WordPress installation. The CVSS 3.1 base score is 8.5 (High) with a scope change, reflecting that compromise of the plugin's data layer reaches beyond its own privilege boundary. There is no public exploit identified at time of analysis, no CISA KEV listing, and no EPSS value supplied in the source data.

SQLi
NVD
CVSS 3.1
8.5
EPSS
0.2%
CVE-2026-57642 HIGH This Week

SQL injection in the WordPress 'Gallery' plugin (gallery-plugin) through version 4.7.8 lets authenticated low-privilege users (Contributor role and above) inject crafted SQL via plugin-handled parameters, exposing the WordPress database. Tracked as CVE-2026-57642 (CWE-89) and reported by Patchstack, the flaw carries a CVSS 3.1 base score of 8.5; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. A Contributor account is required, which limits exploitation to sites that allow self-registration or otherwise provision contributor-level access.

SQLi
NVD
CVSS 3.1
8.5
EPSS
0.2%
CVE-2026-13325 HIGH This Week

Cross-tenant VM compromise in KubeVirt (and Red Hat OpenShift Virtualization 4) occurs when spec.configuration.migrations.disableTLS is set to true, causing virt-handler to expose an unauthenticated plaintext TCP proxy into a virt-launcher's virtqemud control socket on all interfaces. An authenticated tenant who can run any pod on the cluster network can reach this listener and issue arbitrary libvirt RPC commands against another tenant's virtual machine - reading guest memory, altering VM state via QMP, or destroying the VM. No public exploit identified at time of analysis; not listed in CISA KEV, and no EPSS score was provided.

Authentication Bypass Red Hat Openshift Virtualization 4
NVD VulDB
CVSS 3.1
8.5
EPSS
0.2%
CVE-2026-8797 HIGH This Week

Local privilege escalation in NEC's ExpressUpdate Agent for Windows allows a low-privileged user who can already access the host to execute arbitrary code with SYSTEM privileges, owing to insufficient access controls on the agent. Reported by NEC under advisory NV26-004, the flaw carries a CVSS 4.0 base score of 8.5 (High) and maps to CWE-782 (exposed IOCTL with insufficient access control). There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Microsoft RCE Expressupdate Agent For Windows
NVD VulDB
CVSS 4.0
8.5
EPSS
0.1%
CVE-2026-56663 HIGH PATCH This Week

Server-side request forgery in the AutoGPT Platform (versions prior to 0.6.52) lets an authenticated user abuse the SendWebRequestBlock to reach internal network services that the private-IP filter is supposed to protect. The flaw stems from _is_ip_blocked() in backend/backend/util/request.py failing to normalize IPv4-mapped IPv6 addresses and omitting RFC 6598 CGNAT space (100.64.0.0/10), so a hostname resolving to a mapped address passes validation and the request hits the embedded internal IPv4 endpoint. No public exploit identified at time of analysis; this affects all AutoGPT Platform deployments and is fixed in 0.6.52.

SSRF Autogpt
NVD GitHub
CVSS 3.1
8.5
EPSS
0.2%
CVE-2026-57663 HIGH This Week

SQL injection in the Zip Recipes (Recipe Maker For Your Food Blog) WordPress plugin lets an authenticated Contributor-level user inject arbitrary SQL through the plugin in versions 8.2.7 and earlier, exposing the full WordPress database. Reported by Patchstack, the flaw carries a CVSS 3.1 score of 8.5 with a scope change (S:C) reflecting access beyond the plugin's own data. No public exploit identified at time of analysis, and the issue is not in CISA KEV.

SQLi
NVD
CVSS 3.1
8.5
EPSS
0.2%
CVE-2026-57662 HIGH This Week

SQL injection in the Contest Gallery WordPress plugin (versions <= 30.0.0) allows an authenticated user with Contributor-level access to inject arbitrary SQL through unsanitized input, exposing the contents of the WordPress database. The flaw was disclosed via Patchstack and carries a CVSS 8.5; no public exploit code has been identified at time of analysis and it is not listed in CISA KEV. The CVSS vector indicates a scope change (S:C), meaning the impact reaches beyond the vulnerable component into the underlying database.

SQLi
NVD VulDB
CVSS 3.1
8.5
EPSS
0.2%
CVE-2026-57653 HIGH This Week

SQL injection in the WP Job Portal WordPress plugin (versions 2.5.2 and earlier) lets a low-privileged Contributor-level user inject arbitrary SQL into a backend query, exposing the WordPress database. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H) reflects high confidentiality impact with a scope change, and the issue was reported by Patchstack. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

SQLi
NVD
CVSS 3.1
8.5
EPSS
0.2%
CVE-2026-57644 HIGH This Week

SQL injection in the Restaurant Menu by MotoPress WordPress plugin (versions 2.4.10 and earlier) lets users holding Contributor-level accounts inject crafted SQL into backend database queries. Reported by Patchstack and classified as CWE-89, the flaw carries CVSS 8.5 and primarily threatens confidentiality, allowing a low-privileged authenticated user to read arbitrary data from the WordPress database. No public exploit identified at time of analysis, and EPSS/KEV data were not provided in the source intelligence.

SQLi
NVD VulDB
CVSS 3.1
8.5
EPSS
0.2%
CVE-2026-57643 HIGH This Week

SQL injection in the WP Post Author WordPress plugin (versions 3.9.1 and earlier) allows authenticated users with Contributor-level access to inject arbitrary SQL into the site database. Because exploitation requires only a low-privilege account (PR:L) over the network with no user interaction, any site that permits self-registration or has untrusted contributors is at material risk of database content disclosure. There is no public exploit identified at time of analysis and the issue is not in CISA KEV, but Patchstack-reported WordPress plugin SQLi flaws are commonly weaponized after disclosure.

SQLi
NVD
CVSS 3.1
8.5
EPSS
0.2%
CVE-2026-57636 HIGH This Week

SQL injection in the wpForo Forum plugin for WordPress (versions 3.0.9 and earlier) allows users holding low-privileged Contributor accounts to inject arbitrary SQL into backend database queries. Reported by Patchstack, the flaw (CWE-89) carries a CVSS 8.5 and a scope-changing vector, meaning an authenticated forum contributor can read sensitive database contents beyond the plugin's own data. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

SQLi
NVD
CVSS 3.1
8.5
EPSS
0.2%
CVE-2026-57315 HIGH This Week

Remote code execution in Blocksy Companion Pro (the premium add-on plugin for the Blocksy WordPress theme) versions 2.1.45 and earlier allows authenticated users holding only the low-privilege Contributor role to inject and execute arbitrary PHP code on the host. The flaw, reported by Patchstack and tracked under CWE-94, carries a CVSS 3.1 base score of 8.5 with a changed scope, meaning successful exploitation can impact components beyond the WordPress application itself. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; no EPSS score was provided in the source data.

Code Injection RCE
NVD VulDB
CVSS 3.1
8.5
EPSS
0.4%
CVE-2026-56064 HIGH This Week

SQL injection in the Tourfic WordPress plugin (versions 2.22.5 and earlier) lets authenticated subscriber-level users inject arbitrary SQL through a vulnerable parameter, exposing the WordPress database. Because only a low-privilege account is required and registration is often open on WordPress sites, an attacker can read sensitive data such as user records and credential hashes. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

SQLi
NVD
CVSS 3.1
8.5
EPSS
0.3%
CVE-2026-9219 HIGH This Week

Unauthorized device enrollment in the Setracker2 Android companion app (com.tgelec.setracker) versions 3.1.5 and prior lets remote attackers hijack other users' GPS smartwatches by guessing their registration ID. The registration ID is predictably derived from the device IMEI, and the enrollment workflow performs no secondary authentication before binding a watch to an account, so an attacker who learns or calculates the ID can take over the target's tracker. No public exploit has been identified at time of analysis, and the issue carries a CVSS 4.0 base score of 8.3 with high confidentiality impact, reflecting exposure of a child's or wearer's location data.

Information Disclosure Google
NVD
CVSS 4.0
8.3
EPSS
0.2%
CVE-2026-56063 HIGH This Week

Broken access control in the WordPress "MailChimp Block" plugin (versions 1.1.15 and earlier) lets unauthenticated remote attackers invoke protected plugin functionality without any authorization check, per the CVSS:3.1 vector (AV:N/PR:N/UI:N) and Patchstack's CWE-862 classification. The scope-changed vector (S:C) with low confidentiality, integrity, and availability impact indicates the missing authorization can affect resources beyond the vulnerable component itself. No public exploit is identified at time of analysis, and it is not listed in CISA KEV; EPSS data was not provided.

Authentication Bypass
NVD
CVSS 3.1
8.3
EPSS
0.2%
CVE-2026-52783 HIGH PATCH This Week

Cleartext credential disclosure in OpenProject's Storages module (versions prior to 17.3.3 and 17.4.1) writes the userless OneDrive/SharePoint OAuth access_token in plaintext to Rails.cache under the deterministic key storage.<id>.httpx_access_token, refreshed by an hourly cron and every userless-OAuth call. Because none of the supported cache backends (file_store, memcache, redis) encrypts at rest, an attacker who can read the cache backend retrieves the Azure-AD application-tier bearer token via an anonymous memcached/Redis get. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV.

Redis Microsoft Information Disclosure Openproject
NVD GitHub
CVSS 3.1
8.2
EPSS
0.1%
CVE-2026-55188 HIGH This Week

Information disclosure in RustFS, a Rust-based distributed object storage system, lets any authenticated user with no effective bucket or admin permissions read remote replication target configuration via the bucket replication admin API. Because the returned BucketTarget objects embed remote credentials, an attacker can harvest replication access keys and secret keys for downstream systems. The flaw affects 1.0.0-alpha.1 through versions prior to 1.0.0-beta.9 and is fixed in 1.0.0-beta.9; no public exploit identified at time of analysis.

Information Disclosure Rustfs
NVD GitHub VulDB
CVSS 3.1
8.2
EPSS
0.2%
Page 1 of 4 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy