Skip to main content
CVE-2026-59097 MEDIUM POC PATCH This Month

Unauthenticated remote attackers can create default due-date records in any Taiga project by exploiting missing authorization on POST endpoints across the user-story, task, and issue due-date API viewsets in taiga-back before 6.10.2. The endpoints default to the AllowAny permission class (CWE-862), entirely bypassing project-level access controls and accepting arbitrary project identifiers in request bodies. No active exploitation is confirmed in CISA KEV, but a publicly available exploit exists, and the attack requires zero authentication, making exploitation trivially automatable against any network-exposed Taiga instance.

Authentication Bypass Taiga Back
NVD GitHub
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-58579 MEDIUM POC PATCH This Month

Stored XSS in RAGFlow before 0.26.3 enables cross-user JavaScript execution through unsanitized agent pipeline node names rendered in a confirmation modal. An authenticated workspace member injects a payload into a DSL node name via the agent update endpoint; when a different workspace member opens the dataflow result and clicks 'Rerun from current step,' the payload executes in their browser, enabling session token theft and account takeover across the workspace trust boundary. No CISA KEV listing exists, but a public proof-of-concept is available and a vendor patch has been released as v0.26.3.

XSS Ragflow
NVD GitHub
CVSS 4.0
5.1
EPSS
0.2%
CVE-2026-55726 MEDIUM PATCH CISA This Month

Unauthenticated public listing of an Azure Blob Storage container exposes device log files across the entire Gardyn smart garden fleet to any internet-accessible actor. The misconfiguration affects all versions of Gardyn Home Firmware, Gardyn Studio Firmware, and the Gardyn Cloud API, meaning no specific patched version bounds the exposure - it is architectural rather than release-specific. Reported via ICS-CERT advisory ICSA-26-183-03, no confirmed active exploitation (CISA KEV) and no public exploit code have been identified at time of analysis, though exploitation requires zero technical prerequisites beyond internet access and knowledge of the container URL.

Microsoft Information Disclosure Gardyn Home Firmware Gardyn Studio Firmware Gardyn Cloud Api
NVD GitHub
CVSS 4.0
6.9
EPSS
0.4%
CVE-2026-54477 MEDIUM PATCH CISA This Month

Missing HTTP security headers in the Gardyn admin panel expose Gardyn Home Firmware, Gardyn Studio Firmware, and Gardyn Cloud API to clickjacking and cross-site scripting attacks against authenticated administrators. The absence of directives such as X-Frame-Options, Content-Security-Policy frame-ancestors, and script-source restrictions allows an attacker to embed the admin panel in a malicious iframe or inject client-side scripts into the admin session context. Reported by ICS-CERT under advisory ICSA-26-183-03, no public exploit or active exploitation has been confirmed at time of analysis.

XSS Gardyn Home Firmware Gardyn Studio Firmware Gardyn Cloud Api
NVD GitHub
CVSS 4.0
5.1
EPSS
0.2%
CVE-2026-59101 MEDIUM PATCH This Month

Server-side request forgery in AutoBangumi before 3.2.8 allows unauthenticated remote attackers to probe internal network services by submitting arbitrary host values to the unprotected POST /api/v1/setup/test-downloader endpoint during the application's initial setup window. The server issues outbound HTTP GET requests to attacker-controlled targets - including internal or reserved IP ranges - and leaks reachability data through echoed connection-error responses, enabling internal network mapping. No active exploitation is confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis; the CVSS 4.0 base score is 6.9 (Medium), reflecting unauthenticated network access with limited confidentiality impact.

SSRF Auto Bangumi
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-13371 MEDIUM This Month

Denial-of-service in WatchGuard Fireware OS Management Web UI allows an authenticated administrator to crash the management service by submitting crafted input to the put_data endpoint, which performs unsafe deserialization of attacker-controlled data (CWE-502). The CVSS 4.0 vector (PR:H, VA:H) confirms that exploitation is restricted to administrator-level accounts and results in availability loss only - no confidentiality or integrity impact. No public exploit code and no CISA KEV listing have been identified at time of analysis, placing this firmly in the insider-threat and compromised-credential risk category.

Deserialization Fireware Os
NVD VulDB
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-10077 MEDIUM PATCH This Month

Stored XSS in the yootheme WordPress theme before version 5.0.35 enables users holding the Author role to inject persistent malicious scripts into posts by exploiting a sanitization gap between WordPress's wp_kses_post() filter and the theme's bundled front-end framework, which interprets certain permitted HTML attributes as executable markup. Any visitor - including site administrators - who views an affected post triggers script execution in their browser, creating a realistic privilege escalation path on multi-author WordPress sites. No public exploit code has been identified and the vulnerability is not listed in CISA KEV; vendor patch version 5.0.35 is confirmed via WPScan advisory.

WordPress XSS
NVD WPScan VulDB
CVSS 3.1
6.8
EPSS
0.2%
CVE-2026-14029 MEDIUM This Month

SQL Injection in the Groundhogg CRM, Newsletters, and Marketing Automation WordPress plugin (all versions through 4.5.8) enables authenticated attackers with the view_contacts capability to append arbitrary SQL to existing database queries via the unsanitized 'select' parameter, resulting in full database read access. The flaw spans multiple code paths - db/query/query.php (lines 228 and 427), db/db.php (line 1366), and api/v4/base-object-api.php (line 505) - confirmed in both the 4.5.7 and 4.5.8 tagged releases by Wordfence. No public exploit code or CISA KEV listing has been identified at time of analysis, though the vulnerable code is publicly browsable in the WordPress plugin repository, materially lowering the barrier for exploit development.

WordPress SQLi Groundhogg Crm Newsletters And Marketing Automation
NVD
CVSS 3.1
6.5
EPSS
0.4%
CVE-2026-9145 MEDIUM This Month

Arbitrary file copy in the Database for Contact Form 7, WPforms, Elementor Forms WordPress plugin (versions ≤ 1.5.1) exposes any file readable by the PHP process to unauthenticated network attackers. The `create_entry_el()` function accepts attacker-controlled POST data as a file path and passes it directly to PHP's `copy()`, which transparently accepts both local filesystem paths and remote URLs - enabling server file exfiltration or remote resource staging. Exploitation requires Elementor Pro to be installed and active alongside the vulnerable plugin; no public exploit or CISA KEV listing has been identified at time of analysis, though the unauthenticated network vector and high confidentiality impact make this a credible priority for mixed Elementor Pro deployments.

WordPress Path Traversal PHP Database For Contact Form 7 Wpforms Elementor Forms
NVD VulDB
CVSS 3.1
6.5
EPSS
0.4%
CVE-2026-52188 MEDIUM This Month

Denial-of-service via buffer overflow in UTT nv518G firmware (nv518GV3v3.2.7-210919-161313) allows an adjacent-network attacker to crash the device by sending a crafted request to the GoAhead embedded webserver's sub_497498 handler. The vulnerability is rooted in CWE-119 (improper bounds restriction) and requires no authentication, meaning any host on the same LAN segment can trigger device unavailability. A GitHub-hosted CVE report with technical detail exists, indicating publicly available exploit code, though EPSS at 0.22% (13th percentile) reflects low observed exploitation probability - consistent with the limited geographic and market footprint of UTT devices.

Denial Of Service Buffer Overflow N A
NVD GitHub
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-11965 MEDIUM PATCH This Month

Payment enforcement bypass in the User Registration & Membership WordPress plugin before 5.2.0 allows any visitor to self-register a free account and then activate a paid membership subscription without completing payment, gaining unauthorized access to gated premium content. The flaw is a business logic failure: the plugin activates the paid plan upon subscription initiation rather than upon confirmed payment receipt. No public exploit or CISA KEV listing exists at time of analysis, but exploitation is trivially low-effort given the plugin's open registration model and the CVSS vector of AV:N/AC:L/PR:N/UI:N.

WordPress Information Disclosure
NVD WPScan VulDB
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-52733 MEDIUM PATCH GHSA This Month

Persistent RocksDB state corruption in zebrad up to v4.4.1 arises from an asymmetric cleanup bug in the non-finalized chain fork handler: `pop_tip` omits the Sapling and Orchard note commitment subtree root cleanup that `pop_root` correctly performs, causing stale subtree root entries to survive in memory and be flushed to disk during subsequent chain finalization. The corrupted subtree root history survives node restarts and is served to downstream consumers of `z_getsubtreesbyindex` - primarily `lightwalletd` and light wallets - causing wallet synchronization failures or incorrect wallet state that requires a full database rebuild to recover. No public exploit is identified at time of analysis and this vulnerability is not listed in CISA KEV; the risk is passive silent corruption accumulating on all unpatched nodes during routine chain fork events rather than adversarial exploitation.

Information Disclosure
NVD GitHub
CVSS 3.1
6.5
CVE-2026-52731 MEDIUM PATCH GHSA This Month

Process termination via crafted RPC input in zebrad (Zcash Foundation's Zcash node) up to v4.4.1 allows an authenticated network attacker to kill the entire node daemon by submitting a `getblocktemplate` RPC call with a `LongPollId` parameter containing multi-byte UTF-8 characters. The root cause is unsafe byte-index string slicing in Rust, which panics when a byte offset lands mid-character; because the release profile sets `panic = "abort"`, this immediately terminates the zebrad process rather than unwinding only the RPC task. No public exploit or active exploitation is identified at time of analysis, but the attack is trivially repeatable on restart, making it a reliable denial-of-service for mining pools and infrastructure dependent on the getblocktemplate workflow.

Information Disclosure
NVD GitHub
CVSS 3.1
6.5
CVE-2026-50149 MEDIUM PATCH GHSA This Month

JWT authentication bypass in Project Contour (Kubernetes ingress controller) allows unauthenticated remote clients to reach protected upstream services without a valid JWT token when an HTTPProxy resource incorrectly combines `spec.virtualhost.tls.enableFallbackCertificate: true` with `spec.virtualhost.jwtProviders`. Contour fails to detect and reject this incompatible configuration, so any TLS client that omits an SNI extension or presents an SNI not matching any configured HTTPProxy FQDN is silently matched by the fallback certificate handler, which operates outside the JWT verification pipeline. No public exploit has been identified and this CVE is not in the CISA KEV catalog; a vendor-released patch (v1.33.5) is available.

Authentication Bypass
NVD GitHub
CVSS 3.1
6.5
CVE-2026-57764 MEDIUM This Month

Stored Cross-Site Scripting in the Surbma Yoast SEO Breadcrumb Shortcode WordPress plugin (versions <= 1.2) allows contributor-level authenticated users to inject malicious JavaScript via the breadcrumb shortcode, which executes in the browser context of any victim who views the affected content - most critically a site administrator. The scope change (S:C) in the CVSS vector confirms the script escapes the plugin's own context and can hijack privileged sessions or perform unauthorized admin actions. No public exploit code has been identified at time of analysis, and the vulnerability has not been listed in the CISA KEV catalog.

XSS Surbma Yoast Seo Breadcrumb Shortcode
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-57763 MEDIUM This Month

Cross-site scripting in the Structured Content WordPress plugin (versions <= 1.7.0) allows a Contributor-level authenticated user to inject malicious JavaScript that executes in the browser of higher-privileged users who subsequently view the crafted content. The CVSS scope change (S:C) confirms the payload crosses into the victim's browser security context, enabling session hijacking, credential theft, or unauthorized administrative actions within a WordPress installation. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.

XSS Structured Content
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-57755 MEDIUM This Month

Stored or reflected Cross-Site Scripting in the Mosaic Gallery - Advanced Gallery WordPress plugin (versions <= 1.2.0) is exploitable by authenticated users holding a Contributor role. A Contributor-level attacker can inject malicious JavaScript into gallery content, which executes in the browsers of higher-privileged users - such as editors or administrators - who subsequently view the affected page, enabling session hijacking or unauthorized administrative action. No public exploit code or active exploitation has been confirmed at time of analysis.

XSS Mosaic Gallery 8211 Advanced Gallery
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-57754 MEDIUM This Month

Stored Cross-Site Scripting in Livemesh Addons for WPBakery Page Builder versions 3.9.4 and earlier allows authenticated Contributors to inject persistent malicious scripts into WordPress pages. When a higher-privileged user such as an Editor or Administrator views the affected content, the injected script executes in their browser session - enabling session hijacking, credential theft, or privilege escalation within the WordPress admin panel. No public exploit or CISA KEV listing has been identified at time of analysis, but the low-privilege entry point and Changed scope elevate real-world risk for multi-author WordPress installations.

XSS Livemesh Addons For Wpbakery Page Builder
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-57747 MEDIUM This Month

Unauthenticated CSRF in Booked WordPress plugin (versions <= 3.0.0) enables remote attackers to trigger availability-impacting actions against authenticated WordPress users without their consent. The CVSS vector (C:N/I:N/A:H) indicates this CSRF leads to a destructive availability outcome - likely deletion or corruption of booking/scheduling data - rather than data theft or code execution. No public exploit or active exploitation has been identified at time of analysis, though the low attack complexity and no required privileges for staging the attack make social-engineering delivery straightforward.

CSRF Booked
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-57731 MEDIUM This Month

Broken access control in the Flatsome WordPress theme (versions <= 3.20.5) allows contributor-level authenticated users to access sensitive data they are not authorized to view. The flaw stems from missing authorization checks (CWE-862), enabling privilege escalation beyond the contributor role's intended scope - specifically a high confidentiality impact with no integrity or availability consequence per the CVSS vector. No public exploit code or active exploitation has been identified at time of analysis, though the low attack complexity and network-accessible attack vector lower the bar for abuse by any site user holding a contributor account.

Authentication Bypass Flatsome
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-57684 MEDIUM This Month

TheFox WordPress theme by tranmautritam in versions 3.9.70 and earlier allows a Contributor-level authenticated attacker to inject persistent Cross-Site Scripting payloads into theme-specific input fields, which then execute in the browsers of any user who views the affected content. The Changed Scope (S:C) in the CVSS vector confirms the payload crosses security boundaries into the victim browser context, enabling session token theft, credential harvesting, or unauthorized administrative actions against higher-privileged users such as editors or site admins. No public proof-of-concept and no CISA KEV listing have been identified at time of analysis; the vulnerability was reported and documented by Patchstack.

XSS Thefox
NVD VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-57680 MEDIUM This Month

Unauthenticated IDOR in the Kirki WordPress customizer toolkit (versions <= 6.0.11) allows remote unauthenticated attackers to reference and manipulate object identifiers they do not own, resulting in unauthorized modification of data and limited availability disruption. The vulnerability carries no confidentiality impact per the CVSS vector (C:N), but the combination of network-exploitability with zero authentication requirements (AV:N/AC:L/PR:N/UI:N) makes it trivially accessible to any internet-facing WordPress installation running an affected version. No public exploit code or CISA KEV listing has been identified at the time of analysis.

Authentication Bypass Kirki
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-57669 MEDIUM This Month

Broken access control in the Advanced Contact Form 7 DB WordPress plugin (versions <= 2.0.9) permits subscriber-level authenticated users to read all stored contact form submissions without authorization. The root cause is a missing capability check (CWE-862) on a data retrieval endpoint, exposing names, email addresses, phone numbers, and message content submitted by site visitors. No public exploit or CISA KEV listing exists at time of analysis, but low attack complexity and high confidentiality impact make this a meaningful risk on any WordPress site that permits open user registration.

Authentication Bypass Advanced Contact Form 7 Db
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-57355 MEDIUM This Month

Broken access control in the Classified Listing WordPress plugin (versions <= 5.4.2) allows subscriber-level authenticated users to perform privileged actions they should not be authorized to execute, resulting in high integrity impact. The vulnerability stems from missing authorization checks (CWE-862) on one or more plugin endpoints or AJAX handlers, enabling low-privilege WordPress users to manipulate listing data, settings, or administrative functions beyond their intended role. No public exploit code or CISA KEV listing has been identified at time of analysis, though the low attack complexity and network accessibility make this a realistic threat on any affected WordPress installation.

Authentication Bypass Classified Listing
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-57354 MEDIUM This Month

Stored Cross-Site Scripting in JetReviews plugin for WordPress (versions <= 3.0.0.1) allows subscriber-level authenticated users to inject malicious scripts into review fields that execute in victims' browsers when the content is viewed. The vulnerability carries a changed scope (S:C), meaning the injected payload breaks out of the plugin's context and can target higher-privileged users such as site administrators. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, though the low attack complexity and the prevalence of WordPress in production environments make this a credible escalation path to full site compromise.

XSS Jetreviews
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-57353 MEDIUM This Month

Broken access control in Link Whisper Premium WordPress plugin versions 2.9.0 and below allows subscriber-level authenticated users to perform privileged actions that should be restricted to higher-capability roles. The flaw stems from missing authorization checks (CWE-862), enabling low-privilege users to make unauthorized modifications with high integrity impact. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, but the low attack complexity and network accessibility make this straightforward to exploit for any user holding even a basic WordPress account on the target site.

Authentication Bypass Link Whisper Premium
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-57347 MEDIUM This Month

Sensitive subscriber data exposure in the Hotel Booking Lite WordPress plugin (versions 6.0.3 and earlier) allows authenticated low-privileged users to access confidential booking or guest information they should not be authorized to view. The vulnerability, classified under CWE-201, involves the plugin including sensitive data in API responses or rendered output accessible to subscriber-level WordPress accounts. No public exploit code or active exploitation has been identified at time of analysis, but the high confidentiality impact and low barrier to exploitation (only a subscriber account required) make patching a priority for any hospitality operator running this plugin.

Information Disclosure Hotel Booking Lite
NVD
CVSS 3.1
6.5
EPSS
0.4%
CVE-2026-57342 MEDIUM This Month

Stored Cross-Site Scripting in ShortPixel Adaptive Images WordPress plugin (versions <= 3.11.3) enables authenticated subscriber-role users to inject malicious scripts that execute in the browsers of higher-privileged users, including administrators. The CVSS changed-scope indicator (S:C) signals that injected payloads can transcend the attacker's own session context - a meaningful risk in WordPress environments where admin account takeover is feasible via session hijacking. No public exploit has been identified and this vulnerability is not listed in CISA KEV at time of analysis.

XSS Shortpixel Adaptive Images
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-49779 MEDIUM This Month

Path traversal in the Tax Exempt for WooCommerce plugin (versions <= 1.9.3) by Addify enables authenticated customer-level users to read arbitrary files from the server's filesystem. The vulnerability carries a CVSS 6.5 Medium score with high confidentiality impact, as a low-privileged account (a standard customer/shopper) can traverse directory boundaries to access sensitive files such as wp-config.php containing database credentials. No public exploit code or active CISA KEV listing has been identified at time of analysis.

WordPress Path Traversal Tax Exempt For Woocommerce
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-27433 MEDIUM This Month

Broken access control in the Motors WordPress theme (by StyleMixThemes) versions 5.6.80 and earlier allows unauthenticated remote attackers to perform unauthorized actions, resulting in limited integrity and availability impact without requiring any credentials or user interaction. The vulnerability stems from CWE-862 (Missing Authorization), where specific theme functionality fails to enforce permission checks before executing sensitive operations. No public exploit code or CISA KEV listing has been identified at time of analysis, though the unauthenticated, low-complexity attack profile makes opportunistic exploitation straightforward for any threat actor targeting WordPress installations.

Authentication Bypass Motors
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2025-69132 MEDIUM This Month

Sensitive data exposure in the Corpkit WordPress theme (versions <= 1.0.5) allows an authenticated subscriber-level user to retrieve confidential information that should be inaccessible to that role. The CVSS vector (PR:L, C:H) confirms that any low-privileged account holder - the default registered-user role in WordPress - can trigger the disclosure over the network with no additional interaction required. No public exploit code or active exploitation has been identified at time of analysis, but the low barrier of entry (subscriber registration is often open on WordPress sites) elevates real-world risk.

Information Disclosure Corpkit
NVD
CVSS 3.1
6.5
EPSS
0.4%
CVE-2026-13252 MEDIUM This Month

Stored Cross-Site Scripting in the Feedzy RSS Aggregator WordPress plugin (all versions through 5.2.1) allows authenticated attackers holding contributor-level access or above to inject persistent malicious scripts via the unsanitized 'aspectRatio' attribute of the RSS feed block. When any user - including site administrators - visits a page containing the injected content, the payload executes in their browser, enabling session hijacking, credential theft, or privilege escalation to full site control. No confirmed active exploitation (CISA KEV) or public exploit code has been identified at time of analysis, but the low privilege bar (contributor) and scope change to administrator sessions make this a meaningful risk for multi-author WordPress deployments.

WordPress XSS Rss Aggregator By Feedzy Feed To Post Autoblogging News Youtube Video Feeds Aggregator
NVD
CVSS 3.1
6.4
EPSS
0.3%
CVE-2026-13704 MEDIUM This Month

Stored Cross-Site Scripting in GiveWP (WordPress Donation Plugin and Fundraising Platform) versions up to and including 4.16.1 allows authenticated attackers holding the Give Worker role or above to inject persistent malicious scripts via the Sequoia form template's introduction image parameter. The CVSS Scope:Changed rating reflects that injected payloads execute in the security context of any victim browser that loads the affected donation page, enabling session hijacking or credential theft from site visitors and administrators alike. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

WordPress XSS
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-10089 MEDIUM This Month

Stored Cross-Site Scripting in the Insert Pages WordPress plugin (versions through 3.11.4) allows authenticated attackers with author-level access to persist arbitrary JavaScript via post custom field key names. The vulnerability arises because the `the_meta()` function applies `wp_kses_post()` to custom field values but interpolates the custom field KEY directly into rendered HTML without any escaping, exploitable only when the `[insert page='ID' display='all']` shortcode is used. Any visitor loading a page containing the shortcode will execute the attacker's payload in their browser, enabling session hijacking or credential theft; no public exploit identified at time of analysis.

WordPress XSS
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-14449 MEDIUM This Month

Reflected XSS in u5CMS through v12.8.8 allows unauthenticated remote attackers to inject arbitrary JavaScript into victim browsers via the unsanitized 'thanks' parameter exposed across multiple form components. When a victim user is socially engineered into visiting a crafted URL, injected scripts execute in the application's browser context, with the CVSS 4.0 vector indicating high subsequent-system impact (SC:H/SI:H/SA:H) - consistent with session hijacking, credential theft, or unauthorized actions on behalf of the victim. No public exploit identified at time of analysis; fix is available in v12.8.9.

XSS
NVD GitHub
CVSS 4.0
6.4
EPSS
0.3%
CVE-2026-57681 MEDIUM This Month

Server-Side Request Forgery (SSRF) in the GeoDirectory WordPress plugin (versions 2.8.161 and earlier) allows authenticated subscribers to force the server to issue arbitrary internal or external HTTP requests. Because the vulnerability is accessible at the lowest WordPress registered-user privilege level (subscriber), any registered site user can trigger it without elevated permissions. No public exploit or CISA KEV entry has been identified at time of analysis, but the Scope:Changed CVSS rating confirms the impact extends beyond the WordPress application itself to backend infrastructure reachable from the server.

SSRF Geodirectory
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-54887 MEDIUM PATCH This Month

The DTLS server in Erlang/OTP ssl initializes its cookie secret to a hardcoded empty binary on startup, making HMAC-based cookie computation deterministic and fully predictable to any network observer for the 0-to-15-second window before the first secret rotation. Any attacker who can observe a plaintext DTLS ClientHello during this window can forge valid cookies, bypassing the RFC 6347 §4.2.1 source address verification mechanism and enabling handshake amplification attacks with spoofed source IPs. No public exploit has been identified at time of analysis; vendor-released patches are available in OTP 29.0.3, 28.5.0.3, and 27.3.4.14.

Authentication Bypass Otp
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.4%
CVE-2026-54891 MEDIUM PATCH This Month

Blind plaintext injection into Erlang/OTP TLS clients allows a network-positioned attacker to insert unauthenticated APPLICATION_DATA records during the handshake that the application subsequently receives as authenticated post-handshake server data. The root asymmetry is in tls_gen_connection:handle_protocol_record/3, which correctly rejects pre-handshake APPLICATION_DATA for TLS server endpoints but omits the equivalent guard for client endpoints, enabling record buffering prior to authentication. No active exploitation has been confirmed (not in CISA KEV, no POC referenced), but the network-only attack requirement and breadth of affected OTP versions - spanning OTP 17.0 through current - make patching urgent for Erlang-based services that consume TLS client data in untrusted network environments.

Code Injection Otp
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.2%
CVE-2026-55110 MEDIUM PATCH This Month

Cross-site session abuse in Ubiquiti UniFi OS lets a remote attacker who lures an authenticated operator to a malicious web page ride that user's active session to perform privileged actions on the device, stemming from a permissive CORS policy that trusts untrusted origins. The flaw affects UniFi OS Server and the console firmware running on Dream Machines, Dream Routers, Dream Wall, Cloud Gateways, Cloud Keys, Enterprise Fortress Gateway, Express 7, and Network/Enterprise Video Recorders. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; success hinges on social-engineering an already-logged-in admin (CVSS 7.5, UI:R, AC:H).

Ubiquiti Cors Misconfiguration Information Disclosure Unifi Os Server Dream Machines +10
NVD
CVSS 3.1
6.1
EPSS
0.2%
CVE-2026-58381 MEDIUM This Month

Double-free memory corruption in GIMP's PSP file format parser exposes local users to denial of service and potential arbitrary code execution when opening a specially crafted Paint Shop Pro image file. The flaw in read_layer_block() allows heap memory corruption that reliably crashes GIMP and, in a more sophisticated exploitation scenario, could enable arbitrary code execution with the privileges of the victim user. No public exploit has been identified and this vulnerability does not appear in the CISA KEV catalog, though upstream tagging of the issue as RCE-capable warrants patching in environments where GIMP users may open untrusted image files.

Denial Of Service Buffer Overflow RCE Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 +2
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-13698 MEDIUM PATCH This Month

Memory leak in OpenVPN (pre-2.7.5) allows network-accessible unauthenticated attackers to exhaust server memory, resulting in high availability impact and denial of service. The flaw, classified CWE-401, requires specific attack prerequisites (CVSS 4.0 AT:P) and passive client interaction (UI:P), meaning it is not trivially exploitable against all default deployments. No active exploitation has been confirmed in CISA KEV and no public exploit code has been identified at time of analysis; vendor patch v2.7.5 is available.

Microsoft Information Disclosure Openvpn Red Hat Suse
NVD GitHub
CVSS 4.0
6.0
EPSS
0.5%
CVE-2026-50280 MEDIUM PATCH GHSA This Month

Improper access control in Craft CMS 5.x allows a low-privileged, authenticated control-panel user to inject content into sections where they hold only read access, bypassing the editorial authorization model. The EntriesController::actionMoveToSection() endpoint validates the destination section using viewEntries permission rather than the required saveEntries permission, enabling an attacker to rewrite an entry's sectionId and persist it into protected sections. No public exploit has been identified at time of analysis, but the fix is available in version 5.9.21.

Authentication Bypass
NVD GitHub
CVSS 4.0
6.0
EPSS
0.3%
CVE-2026-55792 MEDIUM POC PATCH GHSA This Month

Server-side file exfiltration in Craft CMS versions 4.0.0-RC1 through 4.17.x and 5.0.0-RC1 through 5.9.x allows any control panel user granted the utility:system-messages permission to embed a dataUrl() Twig payload into system email templates, causing the server to read and base64-encode arbitrary files - including the .env file - into outbound email bodies. Exfiltration of CRAFT_SECURITY_KEY from the .env file enables an attacker to forge valid session tokens and escalate to full administrator account takeover, chaining a confidentiality breach into complete privilege escalation. No public exploit has been identified at time of analysis; patches are available in 4.18.0 and 5.10.0.

Information Disclosure
NVD GitHub VulDB
CVSS 4.0
6.0
EPSS
0.3%
CVE-2026-58580 MEDIUM This Month

Broken object-level authorization in LobeChat server-database deployments through version 2.2.9 enables any authenticated user to overwrite another user's message sub-resources - including plugin tool-call metadata, plugin state and error fields, text-to-speech records, and translation records - by submitting tRPC API requests that reference the victim's message identifier. Five MessageModel write methods (updateMessagePlugin, updatePluginState, updatePluginError, updateTTS, updateTranslate) and one read method (findMessagePlugin) filter database rows by message ID alone, silently omitting the userId scope enforced in all sibling methods, causing the tampered content to be served back to the victim as their own data. No public exploit has been identified at time of analysis, and practical exploitation is gated by the requirement to possess a victim's non-enumerable message identifier.

Authentication Bypass Lobehub
NVD GitHub VulDB
CVSS 4.0
6.0
EPSS
0.2%
CVE-2026-13122 MEDIUM PATCH This Month

Denial-of-service in OpenVPN via a reachable assertion (CWE-617) allows a remote, low-privileged attacker to crash the OpenVPN daemon under high-complexity, timing-specific conditions. All OpenVPN deployments running versions prior to v2.7.5 are affected; the fix is available in the v2.7.5 release disclosed pre-NVD via GitHub. No public exploit code or CISA KEV listing has been identified at time of analysis; the CVSS 4.0 score of 5.9 (Medium) reflects the constrained exploitation path, though VPN service disruption carries meaningful operational impact for affected operators.

Microsoft Information Disclosure Openvpn Red Hat Suse
NVD GitHub
CVSS 4.0
5.9
EPSS
0.5%
CVE-2026-50721 MEDIUM PATCH This Month

Signature forgery and denial-of-service in Libreswan's IKEv1 RSA authentication allows a remote unauthenticated attacker to impersonate an IKE peer or crash the daemon. The flaw lives in RSA_authenticate_hash_signature_raw_rsa(), which fails to validate the length of the authentication hash inside a PKCS #1 (RFC 2313) encoded SIG payload; when a peer uses a small RSA public exponent such as e=3, a Bleichenbacher-style forgery becomes feasible. There is no public exploit identified at time of analysis and it is not in CISA KEV, but the impersonation impact against IKEv1 raw-RSA authentication makes this a high-severity issue (CVSS 8.1); remote code execution is explicitly not possible and X.509 certificate verification is unaffected.

Jwt Attack Denial Of Service RCE Libreswan
NVD
CVSS 3.1
5.9
EPSS
0.4%
CVE-2026-50722 MEDIUM PATCH This Month

Peer impersonation and denial-of-service in Libreswan IPsec/IKEv2 arises from improper DER/ASN.1 digest verification in RSA_authenticate_hash_signature_pkcs1_1_5_rsa() when the IKEv2 AUTH payload uses RSASSA-PKCS1-v1_5 signatures. A remote unauthenticated attacker can mount a Bleichenbacher-style forgery to impersonate a peer when small RSA public exponents (e.g., e=3) are in use, or send an undersized hash to trip an assertion that aborts and restarts the daemon for sustained DoS. A vendor patch is available and there is no public exploit identified at time of analysis; RCE is not possible and X.509 certificate verification of the peer is unaffected.

Jwt Attack Denial Of Service RCE Libreswan
NVD
CVSS 3.1
5.9
EPSS
0.3%
CVE-2026-13728 MEDIUM This Month

WatchGuard Fireware OS deployed in FireCluster high-availability configurations falls back to a static, hard-coded encryption key to protect saved Access Portal credentials under unspecified exception circumstances, meaning any actor who can retrieve those encrypted credential stores can decrypt them offline using the known firmware key. Affected builds span Fireware OS 12.1 through 12.12 and 2025.1 through 2026.2; standalone Fireboxes and devices without Access Portal support are explicitly out of scope. No public exploit has been identified at time of analysis and this vulnerability is not listed in the CISA KEV catalog, but CWE-798 class flaws become broadly exploitable once the static key is extracted from firmware through reverse engineering.

Authentication Bypass Watchguard Fireware Os
NVD VulDB
CVSS 4.0
5.9
EPSS
0.2%
CVE-2026-52739 MEDIUM PATCH GHSA This Month

Process abort in zebrad (Zcash Foundation's Rust node) up to v4.4.1 allows a malicious block producer to crash targeted nodes by submitting a child block that repeats a shielded V5 transaction from its non-finalized parent. The ordering bug in `Chain::push` causes an `assert_eq!` uniqueness check on `tx_loc_by_hash` to fire before the duplicate shielded-nullifier guard can cleanly reject the block; under Zebra's `panic = "abort"` release profile, this terminates the entire node process rather than returning a validation error. No public exploit or CISA KEV listing has been identified, but the vendor describes two concrete attack models requiring only modest mining hashrate, making targeted denial-of-service achievable in practice.

Denial Of Service Checkpoint
NVD GitHub
CVSS 3.1
5.9
CVE-2026-49244 MEDIUM PATCH NEWS GHSA This Month

Path traversal in SFTPGo's public web-client partial ZIP download endpoint allows unauthenticated remote attackers to read files located outside a browsable share's directory boundary. The flaw exists because the endpoint validated file entries using a raw string prefix check rather than a directory-boundary-aware comparison - a crafted request can escape the share root by supplying paths whose canonical form begins with the shared directory name but resolves to a parent or sibling path. Affected versions prior to v2.7.3 are vulnerable; no public exploit or CISA KEV listing has been identified at time of analysis.

Canonical Path Traversal
NVD GitHub
CVSS 3.1
5.9
Page 1 of 3 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy