Skip to main content
CVE-2025-69094 HIGH This Week

SQL injection in the Unicamp WordPress theme (versions 2.2.2 and earlier) by ThemeMove allows an attacker holding a low-privilege Subscriber account to inject arbitrary SQL into backend database queries. Because the CVSS scope is marked changed with high confidentiality impact, a successful attacker can read data beyond their normal authorization boundary, including other users' records and potentially credentials stored in the WordPress database. There is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV.

SQLi Unicamp
NVD
CVSS 3.1
8.5
EPSS
0.3%
CVE-2026-57276 HIGH This Week

Remote code execution in GeoVision GeoWebPlayer (the browser-facing 'Web Plugin'/'WS Player' addon bundled with GV-VMS, GV-Cloud and related products) is possible because the local WebSocket server's connectionInfo handler copies attacker-controlled JSON fields into fixed-size buffers with unchecked byte-by-byte loops. A remote attacker who lures a user to a malicious web page can drive the victim's browser to send an oversized password field to the localhost WebSocket, overflowing the buffer and achieving code execution (CVSS 8.3). There is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV.

Buffer Overflow Geowebplayer
NVD
CVSS 3.1
8.3
EPSS
0.3%
CVE-2026-57275 HIGH This Week

Cross-site WebSocket-driven buffer overflow in GeoVision GeoWebPlayer (the 'Web Plugin'/'WS Player' addon bundled with GV-VMS, GV-Cloud and VMS-Cloud) lets an attacker reach the localhost WebSocket server and overflow fixed-size buffers via the `connectionInfo` command's username field, achieving memory corruption and likely code execution (CVSS 8.3, CWE-120). Because the server listens on localhost, exploitation is reached through a victim's browser visiting a malicious page (UI:R, AC:H), giving high confidentiality, integrity and availability impact with a scope change. There is no public exploit identified at time of analysis and it is not in CISA KEV, but the flaw was independently documented by Cisco Talos (TALOS-2026-2375).

Buffer Overflow Geowebplayer
NVD
CVSS 3.1
8.3
EPSS
0.3%
CVE-2026-57274 HIGH This Week

Buffer overflow vulnerabilities in GeoVision's GeoWebPlayer WebSocket addon (CWE-120) allow a remote attacker to induce code execution by luring a user running the addon into visiting a malicious webpage that sends a crafted `connectionInfo` WebSocket command with an oversized password field to the locally-listening service. The unbounded manual byte-by-byte copy in `handle_connection_info` overwrites adjacent memory, potentially yielding full process compromise across all impact dimensions (C:H/I:H/A:H). Reported by Cisco Talos (TALOS-2026-2375) and acknowledged by GeoVision; no public exploit code or CISA KEV listing identified at time of analysis.

Buffer Overflow Geowebplayer
NVD
CVSS 3.1
8.3
EPSS
0.3%
CVE-2026-57273 HIGH This Week

Remote code execution in GeoVision GeoWebPlayer (the "Web Plugin"/"WS Player" addon bundled with GV-VMS, GV-Cloud and VMS-Cloud) is possible because the addon's localhost WebSocket server processes a 'connectionInfo' command whose handler copies attacker-supplied JSON strings into fixed-size buffers without bounds checks (CWE-120). Because the WebSocket is reachable via the victim's browser (AV:N), a malicious web page can drive the overflow when a user with the addon installed visits it (UI:R), yielding memory corruption with high confidentiality, integrity and availability impact and a scope change. No public exploit identified at time of analysis, though Cisco Talos has published a detailed report (TALOS-2026-2375); no EPSS or CISA KEV data was provided.

Buffer Overflow Geowebplayer
NVD
CVSS 3.1
8.3
EPSS
0.3%
CVE-2026-57268 HIGH This Week

Out-of-bounds array access in GeoVision's GeoWebPlayer addon (also branded 'Web Plugin' in GV-VMS and 'WS Player' in VMS-Cloud) can lead to remote code execution when the addon's localhost WebSocket server processes a saveVideo command with an attacker-controlled index. Because the addon ships with widely-used GeoVision products (GV-VMS, GV-Cloud) and is reachable from a victim's browser via a malicious web page, a lured user visiting attacker-controlled content can trigger an out-of-bounds function-pointer call. This is a Talos-reported (TALOS-2026-2373) issue with no public exploit identified at time of analysis and is not listed in CISA KEV.

RCE Geowebplayer
NVD
CVSS 3.1
8.3
EPSS
0.3%
CVE-2026-57278 HIGH This Week

Buffer overflow in GeoVision's GeoWebPlayer addon (also branded "Web Plugin" in GV-VMS and "WS Player" in VMS-Cloud) allows memory corruption and likely code execution in the local WebSocket server process. The `handle_connection_info` handler for the `connectionInfo` command copies attacker-controlled JSON strings (including the `ip` field) into fixed-size stack/heap buffers using unbounded byte-by-byte loops, so an oversized value overruns the buffer. Because the WebSocket server binds to localhost, exploitation is realistically driven by luring an authenticated user's browser to a malicious page that issues the command; no public exploit is identified at time of analysis and it is not listed in CISA KEV.

Buffer Overflow Geowebplayer
NVD
CVSS 3.1
8.3
EPSS
0.3%
CVE-2026-57277 HIGH This Week

Stack buffer overflow in GeoVision's GeoWebPlayer addon (also branded "Web Plugin" for GV-VMS and "WS Player" for VMS-Cloud) lets an attacker corrupt fixed-size buffers and potentially achieve code execution against users of GV-VMS, GV-Cloud and related GeoVision products. The flaw lives in the local WebSocket server's connectionInfo command handler, which copies attacker-controlled JSON strings byte-by-byte without length checks; because a malicious web page loaded in the victim's browser can drive that local WebSocket, exploitation is scored network-reachable (CVSS 8.3) but requires user interaction and high attack complexity. No public exploit is identified at time of analysis, though the issue was reported by Cisco Talos, which typically develops proof-of-concept material.

Buffer Overflow Geowebplayer
NVD
CVSS 3.1
8.3
EPSS
0.3%
CVE-2026-57272 HIGH This Week

Out-of-bounds array access in GeoVision's GeoWebPlayer add-on (also branded 'Web Plugin' for GV-VMS and 'WS Player' for VMS-Cloud) lets an attacker abuse the 'byPass' WebSocket command by supplying an unchecked 'index' value, corrupting memory to achieve high-impact compromise (CVSS 8.3). The bundled component runs a local WebSocket server for GeoVision web interfaces (GV-VMS, GV-Cloud); because the server is reachable from a victim's browser, a malicious web page can drive the flaw with only user interaction and no authentication. No public exploit identified at time of analysis, though a Talos vulnerability report (TALOS-2026-2373) documents the issue.

Authentication Bypass Geowebplayer
NVD
CVSS 3.1
8.3
EPSS
0.2%
CVE-2026-57269 HIGH This Week

Out-of-bounds array access in GeoVision's GeoWebPlayer (a.k.a. 'Web Plugin' / 'WS Player') addon lets an attacker read memory, corrupt state, or crash the local WebSocket helper bundled with GV-VMS, GV-Cloud, and related surveillance software. The plugin's localhost WebSocket server processes commands (such as 'disconnect') that carry an attacker-controlled 'index' used to dereference internal arrays without bounds checking (CWE-129), yielding high confidentiality, integrity, and availability impact. The CVSS 3.1 vector (AV:N/UI:R/S:C) reflects a cross-origin browser-driven vector where a victim lured to a malicious page has their browser relay commands to the local WebSocket; there is no public exploit identified at time of analysis and no CISA KEV listing.

Information Disclosure Geowebplayer
NVD
CVSS 3.1
8.3
EPSS
0.2%
CVE-2026-57271 HIGH This Week

Out-of-bounds array indexing in GeoVision's GeoWebPlayer addon (also branded 'Web Plugin' in GV-VMS and 'WS Player' in VMS-Cloud) allows a remote attacker to leak memory or crash the local WebSocket service by delivering a malformed 'pause' command. The addon runs a WebSocket server that backs the browser interfaces of GeoVision products such as GV-VMS and GV-Cloud, so any browser tricked into connecting to it can trigger the flaw. No public exploit identified at time of analysis; the issue was reported by the vendor (GeoVision) and documented by Cisco Talos (TALOS-2026-2373).

Information Disclosure Geowebplayer
NVD
CVSS 3.1
8.3
EPSS
0.2%
CVE-2026-57270 HIGH This Week

Out-of-bounds array access in GeoVision GeoWebPlayer (a.k.a. "Web Plugin"/"WS Player"), a websocket-server addon bundled with GV-VMS, GV-Cloud and related GeoVision software, lets an attacker who lures a victim to a malicious web page reach the localhost websocket and supply an unvalidated `index` to leak memory and corrupt state (CWE-129). The play command in particular accepts an attacker-controlled index used to index internal arrays without a range check, enabling information disclosure and potential code-path corruption. No public exploit identified at time of analysis and the issue is not in CISA KEV, but the vendor has published a security advisory and Talos has released a detailed report.

Information Disclosure Geowebplayer
NVD
CVSS 3.1
8.3
EPSS
0.2%
CVE-2026-57267 HIGH This Week

Out-of-bounds array access in GeoVision's GeoWebPlayer (the 'Web Plugin'/'WS Player' addon bundled with GV-VMS, GV-Cloud and related software) lets an attacker abuse the local WebSocket server's snapshot command by supplying an unchecked 'index' value that indexes arrays beyond their bounds. Because the CVSS vector is AV:N/UI:R with a scope change, a victim who visits a malicious web page can have their browser drive the localhost WebSocket into out-of-bounds reads/writes, yielding information disclosure and potential memory corruption (C:H/I:H/A:H). There is no public exploit identified at time of analysis, and it is not listed in CISA KEV.

Information Disclosure Geowebplayer
NVD
CVSS 3.1
8.3
EPSS
0.2%
CVE-2026-57266 HIGH This Week

Out-of-bounds array access in GeoVision's GeoWebPlayer addon (also branded 'Web Plugin' in GV-VMS and 'WS Player' for VMS-Cloud) lets an attacker corrupt memory or leak sensitive data by sending a 2wayAudio WebSocket command with an unchecked index value. The addon runs a localhost WebSocket server that expands GeoVision web interfaces, and its command handlers use caller-supplied index values to index internal arrays without validating their range. Reported by GeoVision and Talos (TALOS-2026-2373); no public exploit identified at time of analysis, and it is not listed in CISA KEV.

Information Disclosure Geowebplayer
NVD
CVSS 3.1
8.3
EPSS
0.2%
CVE-2026-57265 HIGH This Week

Memory-disclosure and denial-of-service in GeoVision's GeoWebPlayer (also branded 'Web Plugin' in GV-VMS and 'WS Player' in VMS-Cloud) stems from an unvalidated `index` parameter in its localhost WebSocket command handler (audio command path), letting an attacker read and act on out-of-bounds array elements. Because the WebSocket listener is reachable cross-origin, a victim who is lured to a malicious web page can have their browser drive the local service, so the effective attack vector is network-based despite the server binding to localhost. No public exploit code is identified at time of analysis, though a Cisco Talos advisory (TALOS-2026-2373) documents the flaw; it is not listed in CISA KEV.

Information Disclosure Geowebplayer
NVD
CVSS 3.1
8.3
EPSS
0.2%
CVE-2026-57264 HIGH This Week

Out-of-bounds array access in GeoVision's GeoWebPlayer (also branded 'Web Plugin' in GV-VMS and 'WS Player' in VMS-Cloud) lets an attacker corrupt or read process memory by sending crafted WebSocket commands to the localhost server the addon exposes. The specific 'setPIP' command accepts an attacker-controlled 'index' that is used to index internal arrays without range validation, yielding information disclosure and potential memory corruption. There is no public exploit identified at time of analysis, though a Cisco Talos technical report (TALOS-2026-2373) documents the flaw; it is not listed in CISA KEV and no EPSS score is provided.

Information Disclosure Geowebplayer
NVD
CVSS 3.1
8.3
EPSS
0.2%
CVE-2026-13132 HIGH This Week

Out-of-bounds array access in GeoVision's GeoWebPlayer (also branded 'Web Plugin' in GV-VMS and 'WS Player' in VMS-Cloud) lets an attacker abuse the addon's localhost WebSocket server via a crafted 'setStream' command whose attacker-controlled 'index' is used to index arrays without range validation (CWE-129), enabling memory disclosure and possible corruption. Because a victim's browser can be steered into connecting to the local WebSocket service, the vendor rates this AV:N/UI:R (CVSS 8.3) - a remote web page can pivot to the local service after the user visits it. No public exploit is identified at time of analysis and it is not in CISA KEV, so this is not confirmed as actively exploited.

Information Disclosure Geowebplayer
NVD
CVSS 3.1
8.3
EPSS
0.2%
CVE-2026-13131 HIGH This Week

Out-of-bounds array access in GeoVision GeoWebPlayer (the "Web Plugin"/"WS Player" addon bundled with GV-VMS, GV-Cloud and related software) lets a remote attacker corrupt memory via the local WebSocket server's connectInfo command. Because the server trusts an attacker-supplied index without range validation, a victim lured to a malicious web page can trigger high-impact confidentiality, integrity and availability effects (CVSS 8.3, scope-changed). No public exploit identified at time of analysis; the flaw was reported by the vendor (GV) and documented by Cisco Talos.

Information Disclosure Geowebplayer
NVD
CVSS 3.1
8.3
EPSS
0.2%
CVE-2026-55118 HIGH PATCH This Week

Privilege escalation in Ubiquiti's UniFi Network Application allows a low-privileged, authenticated user on the network to elevate their permissions within the application by abusing an Improper Access Control weakness (CWE-284). The CVSS 3.1 score of 8.3 reflects that a network-reachable actor holding limited credentials can, under certain conditions, gain high integrity and availability impact over the controller. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but Ubiquiti has published Security Advisory Bulletin 066 addressing it.

Authentication Bypass Ubiquiti Unifi Network Application
NVD
CVSS 3.1
8.3
EPSS
0.2%
CVE-2026-55952 HIGH PATCH This Week

Denial of service in the Erlang/OTP ssl application (OTP 22.2 through 29.0.3, and the 28.5.x/27.3.x maintenance branches) lets an unauthenticated remote attacker permanently disable TLS 1.3 session ticket handling on a listener with a single crafted ClientHello. Because the pre-shared key extension's identity list and binder list are not length-checked before being handed to the session ticket handler, a mismatched OfferedPreSharedKeys record crashes that process, causing all subsequent TLS 1.3 handshakes to fail at ticket issuance until the ssl application is restarted. No public exploit identified at time of analysis and it is not on CISA KEV, but the CVSS 4.0 base score of 8.2 reflects the trivial, pre-authentication trigger.

Denial Of Service Otp
NVD GitHub VulDB
CVSS 4.0
8.2
EPSS
0.5%
CVE-2026-14336 HIGH This Week

Server-side request forgery and OIDC token forgery in Eclipse CSI PIA lets an unauthenticated attacker abuse a flawed Jenkins issuer allowlist (a bare `startswith('https://ci.eclipse.org')` check in `is_issuer_known`, pia/models.py:139) to redirect OIDC discovery and JWKS fetches to an attacker-controlled host. By posting a crafted issuer such as `https://ci.eclipse.org@evil.host` or `https://ci.eclipse.org.evil.host` to `POST /v1/upload/sbom`, an attacker forces PIA to make outbound requests to arbitrary hosts and to accept a JWT signed with the attacker's own key, effectively bypassing token verification. No public exploit identified at time of analysis, but the flaw is unauthenticated and network-reachable, and the CVSS 3.1 base score is 8.2.

SSRF Jenkins Eclipse Csi Pia
NVD
CVSS 3.1
8.2
EPSS
0.3%
CVE-2026-59096 HIGH This Week

Authentication bypass via OIDC discovery poisoning in Dapr Sentry allows a remote unauthenticated attacker to inject an attacker-controlled issuer and jwks_uri into the /.well-known/openid-configuration document by supplying a crafted X-Forwarded-Host header. Because the endpoint honors that header without validation when no allowed-hosts list is set (the default) and caches the response publicly for one hour, relying parties that perform dynamic, unpinned OIDC discovery will fetch keys from an attacker's server and accept attacker-signed JWTs - effectively forging trusted identities. Reported by VulnCheck (CVSS 4.0 8.2); no public exploit identified at time of analysis, and it is not listed in CISA KEV.

Information Disclosure Dapr
NVD GitHub
CVSS 4.0
8.2
EPSS
0.2%
CVE-2026-7311 HIGH This Week

Arbitrary file deletion in the TinyPNG (JPEG, PNG & WebP image compression) plugin for WordPress affects all versions through 3.6.13, allowing authenticated attackers with author-level access or higher to delete any file the web server can reach. Because deleting sensitive files such as wp-config.php pushes the site into a fresh-install state, this file-deletion primitive can be escalated to full remote code execution. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV, but it was disclosed by Wordfence with a clear exploitation path and carries a CVSS 8.1 (High).

WordPress Path Traversal RCE PHP Tinypng Jpeg Png Webp Image Compression
NVD
CVSS 3.1
8.1
EPSS
0.7%
CVE-2026-57688 HIGH This Week

Missing authorization in the POS Entegratör WordPress plugin (versions <= 3.7.103, vendor gurmehub) lets unauthenticated remote attackers reach privileged plugin functions that lack capability checks, enabling unauthorized modification of data with limited service disruption. The flaw is remotely reachable with no authentication or user interaction (CVSS 8.2), but has no confidentiality impact. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass Pos Entegrat R
NVD
CVSS 3.1
8.2
EPSS
0.2%
CVE-2026-5821 HIGH This Week

Arbitrary file deletion in the Image Optimizer plugin for WordPress (versions up to and including 1.7.4) lets an authenticated attacker with Author-level access or higher delete any file the web server can write to, potentially causing denial of service, data loss, or removal of security-relevant files such as wp-config.php. The flaw stems from the plugin trusting attacker-controllable backup paths stored in post meta. This was reported by Wordfence; no public exploit identified at time of analysis, and it is not listed in CISA KEV.

WordPress Denial Of Service
NVD VulDB
CVSS 3.1
8.1
EPSS
0.4%
CVE-2026-8147 HIGH PATCH This Week

Broken access control in MLflow prior to 3.14.0 lets any authenticated user read, modify, or delete traces belonging to experiments they are not authorized to access, defeating experiment-level authorization when authentication is enabled. The flaw stems from the trace API endpoints being omitted from the `_before_request` authorization handler, so requests reach these endpoints without any validator running. No public exploit has been identified at time of analysis, though a fix commit and huntr bounty report are public.

Authentication Bypass Information Disclosure Mlflow Mlflow
NVD GitHub
CVSS 3.0
8.1
EPSS
0.3%
CVE-2026-54409 HIGH PATCH This Week

Authentication bypass in Ubiquiti UniFi Protect Application (versions prior to 7.1.83) allows a network-adjacent attacker to circumvent authentication controls on UniFi Protect Cameras via an improper initialization flaw. The bypass yields total compromise of camera confidentiality, integrity, and availability, though exploitation depends on certain unspecified conditions and carries high attack complexity. No public exploit is identified at time of analysis, and EPSS probability is low (0.24%), consistent with the CISA SSVC assessment of no known exploitation.

Authentication Bypass Ubiquiti Unifi Protect Application
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-55119 HIGH PATCH This Week

Privilege escalation in Ubiquiti's UniFi Talk Application allows a low-privileged, network-adjacent user to gain elevated privileges within the application through an improper access control (CWE-284) weakness, tracked as CVE-2026-55119 and rated CVSS 8.1. Ubiquiti tagged the issue as an Authentication Bypass, and a successful attack yields high confidentiality and integrity impact (C:H/I:H) over an existing authenticated session without any user interaction. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

Authentication Bypass Ubiquiti Unifi Talk Application
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-57751 HIGH This Week

Cross-Site Request Forgery in the Heateor Social Login WordPress plugin (versions up to and including 1.1.39) lets an unauthenticated remote attacker forge state-changing requests that are executed with a logged-in victim's privileges once the victim is lured into interacting with a malicious page. The CVSS 3.1 score is 8.1 with High confidentiality and integrity impact, reflecting potential account or configuration manipulation, though exploitation is gated on user interaction (UI:R). There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.

CSRF Heateor Social Login
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-42382 HIGH This Week

Unauthenticated Local File Inclusion in the Audrey WordPress theme (elated-themes) affects all versions up to and including 1.5, letting remote attackers coerce the PHP application into including arbitrary files. Because CWE-98 covers PHP file-inclusion flaws, a successful include can leak sensitive files (wp-config.php, credentials) and, where remote or attacker-controlled content is includable, escalate to code execution. No public exploit is identified at time of analysis and the issue is not listed in CISA KEV, though the network-reachable, unauthenticated nature (CVSS 8.1) makes it a meaningful patching priority for sites running this theme.

LFI Information Disclosure PHP Audrey
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-27412 HIGH This Week

Local File Inclusion in the Pearl - Corporate Business WordPress theme (StyleMixThemes) versions 3.4.10 and earlier lets unauthenticated remote attackers coerce the application into including arbitrary local files, exposing sensitive server-side content such as configuration files and credentials. Rated CVSS 8.1 by Patchstack, the flaw requires no authentication (PR:N) but carries high attack complexity (AC:H), and depending on include handling could escalate from information disclosure toward code execution. There is no public exploit identified at time of analysis, no CISA KEV listing, and no EPSS score supplied in the source data.

LFI Information Disclosure PHP Pearl Corporate Business
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2025-58902 HIGH This Week

Unauthenticated Local File Inclusion in the AncoraThemes 'Lighthouse' WordPress theme (versions 1.2.12 and earlier, classified under CWE-98) lets remote attackers with no credentials coerce the theme's PHP include/require logic into loading attacker-influenced file paths. Because CWE-98 covers PHP remote/local file inclusion, a successful attack can disclose sensitive server files (wp-config.php, credentials) and, depending on server configuration, escalate to code execution, which is why NVD scores full C/I/A impact. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.

LFI Information Disclosure PHP Lighthouse
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-38972 HIGH This Week

Local code execution in Notepad3 (versions through 6.25.822.1) arises from an insecure LoadLibrary(L"MSFTEDIT.DLL") call in the About-dialog path within src/Notepad3.c. Because the DLL is loaded by bare name, an attacker who can drop a malicious MSFTEDIT.DLL into the application directory or an earlier search-order location runs arbitrary code as the current user once that user opens the About dialog. No public exploit identified at time of analysis, and EPSS is low at 0.18% (8th percentile), consistent with a local, user-interaction-dependent flaw rather than a mass-exploitation target.

RCE Notepad3
NVD GitHub
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-12168 HIGH This Week

Local privilege escalation in Little Orbit's GameFirst Anti-Cheat (GFAC) lets a low-privileged user reach SYSTEM and run arbitrary code in kernel mode by sending crafted messages to the GFAC_Sys_x64.sys minifilter communication port. All GameFirst Anti-Cheat builds up to and including the 2025-07-07 release are affected, and a public GitHub repository covering this CVE alongside two sibling flaws indicates exploit material is available. There is no public exploit identified as being actively used, but the CERT/CC coordination and shared PoC repository make weaponization plausible.

RCE Gamefirst Anti Cheat
NVD GitHub VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-12167 HIGH This Week

Local privilege escalation in Little Orbit's GameFirst Anti-Cheat (GFAC) kernel driver GFAC_Sys_x64.sys allows an unprivileged local user to invoke privileged driver functionality because the minifilter communication port exposes its interface without proper access control. Any local account can send crafted requests through the port to reach kernel-level operations, yielding full confidentiality, integrity, and availability impact (CVSS 7.8). A CERT/CC-coordinated advisory (VU#639124) and a public GitHub repository covering CVE-2026-12166/12167/12168 suggest exploit code is likely available, though no active exploitation is confirmed.

Information Disclosure Gamefirst Anti Cheat
NVD GitHub VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-8247 HIGH This Week

Remote code execution in WatchGuard Fireware OS (the firmware powering WatchGuard Firebox firewall appliances) allows an unauthenticated attacker positioned on the same local/adjacent network segment to trigger an out-of-bounds write and execute arbitrary code. The flaw spans a wide firmware range - 11.0 through 11.12.4_Update1, 12.0 through 12.12, and 2025.1 through 2026.2 - and was self-reported by WatchGuard via its PSIRT. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the network-adjacent, unauthenticated, high-impact profile makes it a serious perimeter-device concern.

Watchguard Buffer Overflow RCE Fireware Os
NVD VulDB
CVSS 4.0
7.7
EPSS
0.2%
CVE-2026-9834 HIGH This Week

Authenticated OS command injection in the WP Database Backup plugin for WordPress (all versions up to and including 7.11) lets administrator-level users execute arbitrary operating system commands on the underlying server, escalating a WordPress admin foothold into full host RCE. The flaw stems from the wp_db_exclude_table POST parameter being concatenated unescaped into the mysqldump shell command; the injection is stored, so payloads persist in the options table and fire whenever a backup runs. Reported by Wordfence with no public exploit identified at time of analysis and no CISA KEV listing.

Command Injection WordPress RCE PHP Wp Database Backup Unlimited Database Files Backup By Backup For Wp
NVD
CVSS 3.1
7.2
EPSS
2.7%
CVE-2026-58652 HIGH PATCH This Week

Root-level command injection in OpenWrt's luci-app-travelmate/travelmate (confirmed in 2.4.5-r3, sink still present in 2.4.6-1) lets an rpcd/LuCI session holding only the luci-app-travelmate write ACL escalate to arbitrary command execution as root. The LuCI UI limits the auto-login script picker to /etc/travelmate/*.login, but that is a frontend-only check: the root-run backend reads the raw UCI 'script' and 'script_args' values, so an attacker sets script to /bin/sh with controlled arguments to run commands as root when the captive-portal auto-login branch fires. Reported by VulnCheck with no public exploit identified at time of analysis and no CISA KEV listing.

Command Injection Luci App Travelmate Travelmate
NVD GitHub
CVSS 4.0
7.7
EPSS
0.5%
CVE-2026-13251 HIGH This Week

Arbitrary file disclosure in the Perfmatters WordPress performance plugin (versions ≤ 2.6.4) lets unauthenticated attackers traverse the filesystem via the 's' parameter and read sensitive server files such as wp-config.php. The flaw only surfaces in a specific non-default configuration (Local Google Fonts enabled with pretty permalinks and RSS feed links active), and there is no public exploit identified at time of analysis. Reported by Wordfence with a CVSS of 7.5 (high).

WordPress Path Traversal Google Perfmatters
NVD VulDB
CVSS 3.1
7.5
EPSS
0.8%
CVE-2026-50279 HIGH PATCH GHSA This Week

Authorization bypass in Craft CMS versions 5.0.0-RC1 through 5.9.20 lets a low-privileged authenticated user spoof entry authorship by reassigning an entry's author to an arbitrary user without holding the dedicated peer-author-change permission. Because EntriesController::actionSaveEntry() checks edit permissions before applying request-controlled author changes and never re-runs authorization after mutating the author list, any existing author of an entry can hijack attribution. No public exploit has been identified at time of analysis; the flaw is fixed in 5.9.21.

Authentication Bypass
NVD GitHub
CVSS 4.0
7.6
EPSS
0.2%
CVE-2026-12413 HIGH This Week

Denial of service in the Libreswan IPsec VPN's pluto daemon allows remote unauthenticated attackers to crash and repeatedly restart the daemon by sending an invalidly formatted IKEv2 fragment. The off-by-one flaw affects any deployment permitting IKEv2 connections that do not explicitly set fragmentation=no, with no authentication or user interaction required; repeated exploitation sustains the outage. No public exploit identified at time of analysis, and no remote code execution is possible despite the mislabeled 'RCE' tag.

Denial Of Service RCE Libreswan
NVD VulDB
CVSS 3.1
7.5
EPSS
0.6%
CVE-2026-13369 HIGH This Week

Arbitrary file read in the Ninja Forms - File Uploads WordPress add-on (versions ≤ 3.3.29) lets unauthenticated remote attackers exfiltrate any file readable by the web server. A client-supplied saveProgress flag causes the process() method to return early, so a raw attacker-controlled 'files' array reaches attach_files() and get_files_for_attachment() without upload validation, path normalization, or database record creation - an attacker-chosen file_path is then passed to wp_mail() as an email attachment guarded only by a file_exists() check. No public exploit has been identified at time of analysis; there is no CISA KEV listing and no EPSS score was supplied.

WordPress Path Traversal Ninja Forms File Uploads
NVD VulDB
CVSS 3.1
7.5
EPSS
0.5%
CVE-2026-33592 HIGH PATCH This Week

Remote memory exhaustion in open62541's FindServers Discovery Service lets an unauthenticated attacker crash or degrade OPC UA servers built on versions 1.4.0-1.4.16, 1.5.0-1.5.4, and master. Because the serverUris field of a FindServersRequest is never validated for length or array size, an attacker can declare a string of up to ~3.9 GB and stream it across chunks while withholding the final chunk, forcing the server to buffer everything in RAM until the SecureChannel times out. The attack is pre-session, requires no authentication, and bypasses all encryption configuration; no public exploit identified at time of analysis.

Denial Of Service Open62541
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-8441 HIGH This Week

SQL injection in the WP Review Slider Pro WordPress plugin (versions up to and including 12.7.2) lets unauthenticated attackers extract arbitrary database contents through the 'notinstring' parameter of the wprp_load_more_revs AJAX action. Because the action is exposed via wp_ajax_nopriv and its required nonce is leaked to the frontend through wp_localize_script on any page rendering the plugin shortcode, anyone who can reach a public page hosting the plugin can exploit it. Reported by Wordfence with a CVSS of 7.5; no public exploit identified at time of analysis.

WordPress SQLi Wpreviewslider Com
NVD VulDB
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-9563 HIGH This Week

Denial of service in Eclipse Parsson before 1.1.8 lets remote unauthenticated attackers exhaust CPU and memory on any application that parses attacker-controlled JSON. Because the parser enforced no default cap on characters consumed per document, a single oversized payload - large arrays, strings, numbers, deep nesting, or whitespace - can hang or crash the service. No public exploit is identified at time of analysis; the fix (1.1.8) adds a configurable default limit of 15 million parser-consumed characters.

Denial Of Service Eclipse Parsson
NVD GitHub
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-49353 HIGH PATCH GHSA This Week

Authentication-bypass leading to remote code execution in 9router (npm package 9router) lets attackers reach spawn-capable MCP routes that were meant to be loopback-only. This is an incomplete fix for CVE-2026-46339: the local-only gate in src/dashboardGuard.js decides 'local' from attacker-controllable Host and Origin headers instead of the TCP source address, so any proxied or tunneled (Cloudflare Tunnel / Tailscale) deployment can be tricked into treating remote requests as local. Combined with the deterministic, machine-ID-derived CLI token, a remote attacker can inject JSON-RPC into MCP child processes (node, python, npx, etc.) and execute code on the host; no public exploit identified at time of analysis, though detailed reproduction steps are published in the vendor advisory.

Authentication Bypass Python Information Disclosure RCE
NVD GitHub
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-55111 HIGH PATCH This Week

Arbitrary file disclosure in Ubiquiti UniFi Protect Floodlight devices lets a network-adjacent attacker read files on the device via path traversal, exposing potentially sensitive local data. The flaw (CWE-22) is remotely reachable without authentication per the CVSS vector (PR:N) and carries high confidentiality impact but no integrity or availability effect. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV; Ubiquiti has issued a fix via Security Advisory Bulletin 066.

Ubiquiti Path Traversal Unifi Protect Floodlight
NVD VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-14249 HIGH This Week

Unauthenticated code injection in the Request a Quote plugin for WordPress (versions up to and including 2.5.5) lets remote attackers invoke arbitrary zero-argument PHP functions on the server through the emd_delete_file AJAX action. Because the handler is registered for wp_ajax_nopriv and derives a callable function name from the attacker-controlled $_POST['path'] parameter, an attacker can trigger functions such as phpinfo() to expose server configuration and credentials, or destructive built-in functions. No public exploit identified at time of analysis, but the nonce that is the sole gatekeeper is printed directly into the public quote-form page, effectively neutralizing it.

WordPress RCE PHP
NVD VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-52187 HIGH This Week

Buffer Overflow vulnerability in UTT nv518G nv518GV3v3.2.7-210919-161313 allows a remote attacker to cause a denial of service via the gohead/sub_483ba0 component

Denial Of Service Buffer Overflow N A
NVD GitHub
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-55113 HIGH PATCH This Week

Server-Side Request Forgery in Ubiquiti's UniFi Talk Application allows a network-positioned attacker to coerce the application into making unintended internal requests, resulting in a Denial of Service and an authentication bypass against certain UniFi Talk API endpoints. The flaw carries CVSS 7.5 (scope-changed, high availability impact) and is reachable by remote attackers without authentication (PR:N), though a high attack complexity (AC:H) constrains reliable exploitation. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

SSRF Ubiquiti Denial Of Service Unifi Talk Application
NVD
CVSS 3.1
7.5
EPSS
0.2%
Prev Page 2 of 4 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy