Skip to main content
CVE-2026-57762 MEDIUM This Month

Stored Cross-Site Scripting in the Simple URLs WordPress plugin (versions <= 151) allows authenticated author-level users to inject persistent malicious scripts into content rendered in the WordPress admin interface. The CVSS Scope:Changed metric indicates the injected payload executes in a security context beyond the attacker's own session - most likely the administrative dashboard viewed by higher-privileged users such as site administrators. No public exploit code or active exploitation confirmed at time of analysis, but the scope change introduces a realistic privilege escalation path from author to administrator via session hijacking.

XSS Simple Urls
NVD
CVSS 3.1
5.9
EPSS
0.1%
CVE-2026-12166 MEDIUM This Month

NULL pointer dereference in the GFAC_Sys_x64.sys kernel driver of Little Orbit's GameFirst Anti-Cheat enables a local low-privileged attacker to crash the entire Windows system by sending crafted requests to the driver. All versions released up to 2025-07-07 are affected per EUVD-2026-41377. A public GitHub repository containing proof-of-concept exploit code covering this CVE alongside two sibling vulnerabilities (CVE-2026-12167, CVE-2026-12168) exists, though no active exploitation has been confirmed by CISA KEV.

Denial Of Service Gamefirst Anti Cheat
NVD GitHub VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-12657 MEDIUM This Month

Insecure Direct Object Reference in LatePoint Calendar Booking Plugin for WordPress (all versions ≤ 5.6.2) enables unauthenticated attackers to create approved bookings against services explicitly restricted to administrators and agents. The bypass operates through two publicly accessible booking step endpoints that accept a user-controlled service identifier without validating the requester's authorization to book that service. No public exploit code or CISA KEV listing has been identified, but the CVSS:3.1 vector (AV:N/AC:L/PR:N/UI:N) confirms trivially exploitable, zero-barrier network access against default plugin configurations that utilize service-level access restrictions.

Authentication Bypass WordPress Latepoint Calendar Booking Plugin For Appointments And Events
NVD
CVSS 3.1
5.3
EPSS
0.7%
CVE-2026-13459 MEDIUM This Month

Unauthorized wp_postmeta enumeration in JetFormBuilder (WordPress plugin, all versions through 3.6.3) allows unauthenticated remote attackers to extract arbitrary post meta values - including WooCommerce billing PII, payment tokens, and third-party plugin credentials - by exploiting a missing authorization check in the plugin's REST API generator endpoint. The flaw exists in the get_from_db generator function, which returns database values without verifying whether the requesting user is permitted to access them. No public exploit has been identified at time of analysis, but the attack is trivially executable against any site where a published JetFormBuilder form with a get_from_db field exists, as all required parameters (form ID, field name, generator ID) are discoverable by browsing the site's public forms.

Authentication Bypass WordPress Jetformbuilder Dynamic Blocks Form Builder
NVD
CVSS 3.1
5.3
EPSS
0.6%
CVE-2026-11896 MEDIUM This Month

Insecure Direct Object Reference in the My Calendar - Accessible Event Manager WordPress plugin (all versions through 3.7.14) exposes non-public, draft, trashed, and personal calendar events to unauthenticated remote attackers via the 'vcal' iCalendar export endpoint. By enumerating integer occurrence IDs in the 'vcal' parameter, an attacker can retrieve full iCalendar exports containing event titles, descriptions, dates, locations, organizer and host details, permalinks, and related calendar metadata that site owners explicitly withheld from public view. No public exploit has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog; however, the low attack complexity and zero authentication requirement make opportunistic enumeration trivially feasible.

Authentication Bypass WordPress My Calendar Accessible Event Manager
NVD
CVSS 3.1
5.3
EPSS
0.5%
CVE-2026-44332 MEDIUM PATCH GHSA This Month

Remote username enumeration in GoFiber fiber v3's default BasicAuth middleware exploits a timing side-channel caused by Go's short-circuit `&&` evaluation, producing a ~1,000,000:1 response-time ratio between valid and invalid usernames when bcrypt hashing is in use. Any GoFiber v3 application relying on the default `Authorizer` with hashed credentials is affected; an unauthenticated remote attacker can enumerate valid usernames by measuring HTTP response latency, then focus credential brute-force exclusively on confirmed accounts. No public exploit code has been identified at time of analysis, and this vulnerability has not been added to the CISA KEV catalog.

Oracle Information Disclosure
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.5%
CVE-2026-9188 MEDIUM This Month

Unauthenticated appointment cancellation and rescheduling in the Wappointment WordPress plugin (all versions ≤ 2.7.6) is possible because the sole authorization token - the `edit_key` - is a predictable, unsalted MD5 hash of three fully derivable inputs: a sequential integer `client_id`, a publicly observable appointment timestamp `start_at`, and an enumerable integer `staff_id`. The unauthenticated REST endpoints for `tryCancel()` perform no ownership or identity verification beyond matching this reconstructible key, meaning any network attacker who books one appointment can calibrate the sequential ID space and compute valid keys for other users' appointments. No public exploit code has been identified and the vulnerability is not listed in CISA KEV at time of analysis, but the attack requires only standard HTTP tooling and basic scripting against any site with cancellation or rescheduling features enabled.

Authentication Bypass WordPress Appointment Bookings For Zoom Googlemeet And More Wappointment
NVD
CVSS 3.1
5.3
EPSS
0.5%
CVE-2026-4772 MEDIUM This Month

Stored XSS in TR7 Cyber Defense Inc.'s WAF-ASP web application firewall permits authenticated low-privilege attackers to inject persistent malicious scripts that execute in the browsers of other users - including administrators - who later view the affected page. Versions from v1.0.324.900 up to but not including v1.4.0.117 are confirmed affected. No public exploit code or CISA KEV listing exists at time of analysis; exploitation nonetheless requires only low-privilege credentials and a single victim page-view.

XSS Waf Asp
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-12122 MEDIUM This Month

Unauthenticated sensitive information exposure in the Kirki - Freeform Page Builder, Website Builder & Customizer WordPress plugin (versions through 6.0.11) permits any remote attacker to retrieve the full builder metadata and rendered HTML of any kirki_symbol post - including unpublished drafts - by issuing a crafted AJAX request with a sequential WordPress post ID. The root cause is a missing authorization check (CWE-862) in the get_single_symbol AJAX handler registered in includes/Ajax.php, confirmed by Wordfence. No active exploitation is confirmed in CISA KEV, and no EPSS data was provided, but the trivially automatable nature of post ID enumeration against an unauthenticated network endpoint elevates practical risk above the raw CVSS 5.3 score suggests.

Authentication Bypass WordPress Information Disclosure Kirki Freeform Page Builder Website Builder Customizer
NVD
CVSS 3.1
5.3
EPSS
0.5%
CVE-2026-12472 MEDIUM This Month

Authorization bypass in the Kirki Freeform Page Builder plugin for WordPress (all versions through 6.0.11) enables unauthenticated remote attackers to trigger arbitrary HTML-injected emails to any registered user via the site's own mail infrastructure. Because the email is dispatched through the site's authenticated SMTP path, it inherits the domain's SPF and DKIM reputation, substantially increasing phishing credibility. Critically, attackers can embed a genuine, site-generated WordPress password-reset URL for the target account inside an attacker-controlled HTML body, creating a highly convincing credential-harvesting lure. No public exploit or CISA KEV listing is confirmed at time of analysis.

Authentication Bypass WordPress Kirki Freeform Page Builder Website Builder Customizer
NVD
CVSS 3.1
5.3
EPSS
0.5%
CVE-2026-45045 MEDIUM PATCH GHSA This Month

IP header spoofing in GoFiber's BalancerForward proxy middleware allows any remote unauthenticated attacker to inject a forged X-Real-IP header that upstream servers treat as authoritative. The middleware calls Header.Add() rather than Header.Set() when stamping the real client IP, causing the attacker-supplied value to remain as the first header instance - the one read by nginx, Express, Apache, and most HTTP servers for rate limiting, IP-based ACLs, and audit logging. No public exploit has been identified at time of analysis, but exploitation requires only the ability to set an arbitrary HTTP header, making this trivially accessible to any network attacker targeting deployments using the BalancerForward helper.

Authentication Bypass Nginx Node.js Apache
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.5%
CVE-2026-54886 MEDIUM PATCH This Month

Infinite loop denial-of-service in Erlang OTP's ssh_sftpd module allows an authenticated SFTP user to permanently freeze individual SFTP channel processes by sending SSH_MSG_CHANNEL_EXTENDED_DATA frames. The affected function handle_data/4 tail-calls itself indefinitely when it receives extended-data channel messages (type != 0) with an empty pending buffer, because the SFTP protocol never expects such messages and the catch-all clause has no exit condition for them. No public exploit code or active exploitation has been identified at time of analysis; the vulnerability was disclosed and patched by the Erlang Ecosystem Foundation.

Denial Of Service Otp
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.3%
CVE-2026-5348 MEDIUM This Month

Unauthenticated curriculum exposure in the Academy LMS WordPress plugin (versions ≤ 3.8.1) allows any internet user to retrieve detailed topic and lesson structures from courses explicitly protected by private, draft, scheduled, or password-protected post statuses. The root cause is the plugin's '/topics' REST API endpoint registering with '__return_true' as its permission callback, entirely bypassing WordPress's built-in post visibility and enrollment enforcement. No exploit code has been publicly identified and the vulnerability is not listed in CISA KEV, but the zero-complexity network vector makes automated course ID enumeration trivially scriptable with standard HTTP tools.

Authentication Bypass WordPress
NVD VulDB
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-52734 MEDIUM PATCH GHSA This Month

Unbounded memory exhaustion in zebrad's mempool download pipeline allows unauthenticated remote peers to crash Zcash full nodes by sustaining P2P transaction traffic. The root cause is that timed-out verification tasks never remove their entries from the `cancel_handles` map because `tokio::time::error::Elapsed` carries no payload, making the transaction ID unrecoverable at the timeout arm of `Downloads::poll_next()`. All nodes running zebrad up to v4.4.1 with default configuration are affected, and a working end-to-end reproduction exists on a live regtest network. No patch has been released at time of analysis; the only recovery action is a node restart.

Information Disclosure
NVD GitHub
CVSS 3.1
5.3
CVE-2026-52737 MEDIUM PATCH GHSA This Month

Repeated sync-stalling via a crafted P2P block response in Zebra (zebrad) v4.4.1 and earlier allows any unauthenticated peer to indefinitely delay a syncing node's chain catch-up by forcing 67-second global sync restart cycles. The root cause is that the AboveLookaheadHeightLimit error variant in the sync download pipeline does not carry the advertiser's peer address, so the offending peer is never scored or disconnected, and the restart cancels all in-flight downloads from honest peers on every cycle. No public exploit has been identified at time of analysis, but the vendor advisory confirms the attack requires no authentication, mining capability, or valid chain data - only a standard post-handshake P2P connection.

Denial Of Service
NVD GitHub
CVSS 3.1
5.3
CVE-2026-52732 MEDIUM PATCH GHSA This Month

Mempool admission in zebrad up to v4.4.1 can be completely blocked by a single unauthenticated P2P peer using minimal bandwidth (~1 KB/s), exploiting absent per-peer slot accounting in the transaction download/verification pipeline. By advertising fake transaction IDs via inv messages, an attacker holding one TCP connection can monopolize all 25 MAX_INBOUND_CONCURRENCY slots, causing every subsequent inbound transaction from honest peers - and local RPC sendrawtransaction calls - to fail with MempoolError::FullQueue indefinitely. No public exploit has been identified at time of analysis; the issue is fixed in zebrad 4.5.0.

Denial Of Service
NVD GitHub
CVSS 3.1
5.3
CVE-2026-58653 MEDIUM PATCH This Month

Cross-tenant authorization bypass in PraisonAI before 0.1.7 allows authenticated users to inject issues into projects belonging to other workspaces by supplying an unvalidated project_id in issue create and update request bodies. The server trusts the client-supplied project_id without verifying it belongs to the workspace identified in the URL, a classic IDOR pattern classified under CWE-639. An attacker can corrupt project statistics aggregation across tenant boundaries, undermining data integrity in multi-tenant deployments. No public exploit code has been identified at time of analysis, and this is not listed in the CISA KEV catalog.

Authentication Bypass Praisonai
NVD GitHub
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-57760 MEDIUM This Month

Missing authorization checks in the Sendcloud Shipping WordPress plugin (versions through 1.0.29) allow unauthenticated remote attackers to perform unauthorized integrity-impacting actions without credentials. Rooted in CWE-862, the plugin fails to enforce capability checks on one or more endpoints or AJAX handlers, enabling access control bypass as tagged by Patchstack. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog at time of analysis; EPSS data was not provided, but the unauthenticated network vector (PR:N) lowers the bar for opportunistic probing.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-57753 MEDIUM This Month

Unauthenticated sensitive data exposure in the Kit (formerly ConvertKit) for WooCommerce WordPress plugin versions 2.1.5 and below allows remote unauthenticated attackers to access sensitive information without any credentials or user interaction. The vulnerability is classified under CWE-497, indicating the plugin inadvertently surfaces system or application-level sensitive data to an unauthorized control sphere - likely including API keys, subscriber data, or configuration secrets tied to the Kit email marketing integration. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

WordPress Information Disclosure Kit Formerly Convertkit For Woocommerce
NVD
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-57750 MEDIUM This Month

Broken access control in ez Form Calculator Premium WordPress plugin (versions up to and including 2.14.1.2) permits unauthenticated remote attackers to perform restricted plugin actions, resulting in unauthorized integrity modifications. Disclosed by Patchstack and classified under CWE-862 (Missing Authorization), the flaw requires no credentials, no user interaction, and no special configuration, lowering the exploitation barrier significantly. No public exploit code and no CISA KEV listing have been identified at the time of analysis, suggesting limited observed exploitation despite the low attack complexity.

Authentication Bypass Ez Form Calculator Premium
NVD
CVSS 3.1
5.3
EPSS
0.2%
CVE-2025-66076 MEDIUM This Month

Unauthenticated broken access control in Woostify Sites Library WordPress plugin versions up to and including 1.6.2 permits remote, unauthenticated attackers to bypass authorization checks and perform restricted actions against affected WordPress installations. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms exploitation requires no credentials and no user interaction, making automated scanning and exploitation straightforward. No active exploitation has been identified at time of analysis, and no public exploit code is known.

Authentication Bypass Woostify Sites Library
NVD
CVSS 3.1
5.3
EPSS
0.2%
CVE-2025-71385 MEDIUM PATCH This Month

Reflected XSS in Netdata before 2.3.1 allows unauthenticated network attackers to inject and execute arbitrary JavaScript in a victim's browser within the Netdata origin by crafting a malicious URL targeting the `/api/v2/ilove.svg` or `/api/v3/ilove.svg` endpoints. The `love` query parameter is embedded verbatim into an SVG response served as `image/svg+xml`, a MIME type browsers treat as an active scripting context. These endpoints are explicitly registered with `HTTP_ACL_NOCHECK` and bearer-token protection is off by default, making this a zero-prerequisite server-side exposure requiring only victim interaction - no public exploit or CISA KEV listing exists at time of analysis, but the attack is trivially reproducible from the description alone.

XSS Netdata
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.2%
CVE-2026-54431 MEDIUM PATCH This Month

DPoP (Demonstrating Proof-of-Possession) proof verification in OpenIDC's liboauth2 C library incorrectly accepts malformed proofs that embed private Elliptic Curve (EC) key material in the JWK header, directly violating RFC 9449 §4.3 step 7. The `oauth2_token_verify()` function returns success instead of rejecting such proofs, subverting DPoP's core token-binding security guarantee and enabling information disclosure of private key material. No active exploitation is confirmed (not in CISA KEV), no public exploit code has been identified, and a patch is available in liboauth2 2.3.0.

Information Disclosure Liboauth2
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.1%
CVE-2026-54430 MEDIUM PATCH This Month

Server-Side Request Forgery in liboauth2 prior to version 2.3.0 allows an unauthenticated attacker to force any application using the AWS ALB JWT verification path to issue GET requests to arbitrary internal network paths. The vulnerability exists because the `oauth2_jose_jwks_aws_alb_resolve()` function reads the unverified `kid` JWT header field and appends it directly to the configured `alb_base_url` - without URL encoding or path sanitization - before any cryptographic signature check occurs. No public exploit code has been identified at time of analysis, but the low attack complexity and zero privilege requirement make this a meaningful risk for AWS-integrated deployments where liboauth2 handles ALB token verification.

SSRF Liboauth2
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.1%
CVE-2026-13357 MEDIUM This Month

SQL injection in the Houzez Property Feed WordPress plugin (versions up to and including 2.5.46) permits authenticated administrators to exfiltrate arbitrary data from the underlying WordPress database by manipulating the `orderby` GET parameter on admin log pages. The root cause is a `$wpdb->prepare()` misuse pattern: user-supplied `$_GET['orderby']` and `$_GET['order']` values are filtered only with `sanitize_text_field()` - which does not neutralize SQL metacharacters - then concatenated directly into the SQL format string before `prepare()` is invoked, meaning prepare() only parameterizes the trailing LIMIT/OFFSET clause and cannot retroactively secure the already-tainted ORDER BY clause. No public exploit has been identified at time of analysis, and the high privilege requirement (WordPress Administrator) significantly constrains the realistic attacker pool.

WordPress SQLi
NVD VulDB
CVSS 3.1
4.9
EPSS
0.3%
CVE-2026-50282 MEDIUM PATCH GHSA This Month

Craft CMS versions 4.x prior to 4.17.14 and 5.x prior to 5.9.21 contain a missing authorization check (CWE-862) in the asset folder move operation that allows an authenticated user to delete a destination folder they lack delete permission on by exploiting the force=true overwrite path in AssetsController::actionMoveFolder(). The CVSS 4.0 score of 4.9 with PR:L and VI:H reflects a real but internally-scoped integrity impact: an attacker with move-but-not-delete rights can destroy asset content outside their permission boundary. No public exploit code exists and no active exploitation has been identified; the E:U supplemental metric in the provided vector corroborates this assessment.

Authentication Bypass Cms
NVD GitHub
CVSS 4.0
4.9
EPSS
0.2%
CVE-2026-13377 MEDIUM This Month

Stored XSS in WatchGuard Fireware OS's SIP Proxy module enables a high-privileged attacker to plant persistent malicious JavaScript that executes in the browsers of other privileged users who access affected management interface pages. Covering Fireware OS versions 12.0 through 12.12, 12.5 through 12.5.18, and 2025.1 through 2026.2, this CVE is explicitly disclosed as an additional, previously unmitigated attack path for CVE-2025-6947 - meaning organizations that applied the prior patch may incorrectly believe their exposure is closed. No public exploit has been identified at time of analysis and this vulnerability is not listed in the CISA KEV catalog.

XSS Watchguard Fireware Os
NVD VulDB
CVSS 4.0
4.8
EPSS
0.3%
CVE-2026-13376 MEDIUM This Month

Stored XSS in WatchGuard Fireware OS's spamBlocker module enables a high-privileged attacker to persist malicious JavaScript that executes in the browsers of other authenticated users viewing the affected management interface. This vulnerability is explicitly identified as an additional, unmitigated attack path bypassing the remediation applied for CVE-2025-1071, indicating the original fix was incomplete. The CVSS 4.0 vector scores this at 4.8 (Medium), with no confirmed active exploitation and no public exploit identified at time of analysis.

XSS Watchguard Fireware Os
NVD VulDB
CVSS 4.0
4.8
EPSS
0.3%
CVE-2026-13375 MEDIUM This Month

Stored cross-site scripting in WatchGuard Fireware OS's Autotask Technology Integration module allows a high-privileged attacker to inject persistent malicious scripts that execute in the browsers of other users who view the affected management interface pages. Affecting Fireware OS versions 12.4 through 12.12, 12.5 through 12.5.18, and 2025.1 through 2026.2, this flaw is explicitly described as an additional unmitigated attack path alongside the related CVE-2025-13938, suggesting prior remediation efforts were incomplete. No public exploit code or confirmed active exploitation has been identified at time of analysis.

XSS Watchguard Fireware Os
NVD VulDB
CVSS 4.0
4.8
EPSS
0.3%
CVE-2026-13374 MEDIUM This Month

Stored cross-site scripting in WatchGuard Fireware OS via the ConnectWise Technology Integration module allows a highly privileged attacker to inject persistent malicious scripts into the web management interface, which then execute in the browsers of other authenticated users who view the affected pages. This vulnerability is explicitly described as an additional, previously unmitigated attack path for CVE-2025-13937, indicating that the prior remediation was incomplete and a bypass exists. No public exploit code or CISA KEV listing has been identified at time of analysis, but the relationship to an earlier CVE suggests at least some organizational knowledge of the attack surface.

XSS Watchguard Fireware Os
NVD VulDB
CVSS 4.0
4.8
EPSS
0.3%
CVE-2026-13373 MEDIUM This Month

Stored XSS in WatchGuard Fireware OS's Tigerpaw Technology Integration module allows a high-privileged attacker to persist malicious scripts within the management interface, which then execute in the browsers of other authenticated users who visit the affected pages. Critically, this CVE is identified as an additional unmitigated attack path for CVE-2025-13936, indicating an incomplete remediation of a prior related XSS flaw in the same integration module. Affected versions span the 12.4, 12.5, and 2025.x/2026.x release trains; no public exploit or CISA KEV listing has been identified at time of analysis.

XSS Watchguard Fireware Os
NVD VulDB
CVSS 4.0
4.8
EPSS
0.3%
CVE-2026-57352 MEDIUM This Month

Broken authentication in VillaTheme's ALD - Dropshipping and Fulfillment for AliExpress and WooCommerce (all versions up to and including 2.2.0) permits remote unauthenticated attackers to bypass authentication controls under high-complexity conditions, yielding limited read and write access to protected plugin functionality. Assigned CVSS 3.1 score of 4.8 with AV:N/AC:H/PR:N, the high attack complexity signals that exploitation requires specific preconditions rather than a trivial request. No public exploit code or active exploitation has been identified at time of analysis, and CISA KEV listing is absent.

WordPress Information Disclosure Ald Dropshipping And Fulfillment For Aliexpress And Woocommerce
NVD
CVSS 3.1
4.8
EPSS
0.2%
CVE-2026-4770 MEDIUM This Month

DOM-Based cross-site scripting in TR7 Cyber Defense Inc.'s WAF-ASP product allows an authenticated low-privilege attacker to inject malicious JavaScript that executes in the browser of any user who interacts with a crafted page within the WAF's web interface. Affected versions span v1.0.42.239 through versions prior to v1.4.0.117. No public exploit or active exploitation has been identified at time of analysis; the irony is notable in that this is a security control product with an XSS vulnerability in its own management interface.

XSS Waf Asp
NVD
CVSS 3.1
4.6
EPSS
0.1%
CVE-2026-10104 MEDIUM This Month

Stored Cross-Site Scripting in the Product Video Gallery for WooCommerce WordPress plugin (versions ≤ 1.5.1.8) allows authenticated shop managers to persist malicious JavaScript via the custom_thumbnail parameter, which then executes in the browsers of any visitor accessing an affected product page. The CVSS scope-change flag (S:C) confirms the injected payload crosses security boundaries from the attacker's session into victims' browser contexts. No public exploit code has been identified and this vulnerability does not appear in the CISA KEV catalog, but the PR:H requirement is the primary limiting factor for real-world risk - any compromise of a shop manager account would make this trivially exploitable.

WordPress XSS Product Video Gallery For Woocommerce
NVD
CVSS 3.1
4.4
EPSS
0.3%
CVE-2026-12134 MEDIUM This Month

Authorization bypass in the JoomSport WordPress plugin (all versions through 5.7.8) permits any subscriber-level authenticated user to create arbitrary season groups or tamper with group names, participant records, and round-type options - sports league data that site administrators should exclusively control. The flaw, identified by Wordfence and rooted in CWE-862 (Missing Authorization), is exploitable by any registered WordPress user who can load a page rendering a JoomSport shortcode to harvest a required nonce. No public exploit code has been identified and the vulnerability is not listed in the CISA KEV catalog; the CVSS 4.3 Medium score accurately reflects a bounded, integrity-only impact with no path to code execution or privilege escalation.

Authentication Bypass WordPress Joomsport For Sports
NVD
CVSS 3.1
4.3
EPSS
0.4%
CVE-2026-11592 MEDIUM This Month

Authorization bypass in the Email Subscribers & Newsletters WordPress plugin (all versions through 5.9.27) allows contributor-level authenticated users to hijack the site's email infrastructure - overwriting sender identity, creating mailing lists, injecting arbitrary contacts, and dispatching mass email to arbitrary external recipients. The CVSS vector (AV:N/AC:L/PR:L/UI:N) confirms low-complexity, network-accessible exploitation requiring only a contributor account, which is commonly available on multi-author WordPress sites. No public exploit code has been identified at time of analysis, but the abuse potential - mass phishing campaigns sent through a trusted domain's authenticated mail relay - materially exceeds what the 4.3 CVSS score implies.

Authentication Bypass WordPress
NVD VulDB
CVSS 3.1
4.3
EPSS
0.3%
CVE-2026-11600 MEDIUM This Month

Private content disclosure in the Envo's Templates & Widgets for Elementor and WooCommerce WordPress plugin (versions up to and including 1.4.26) allows authenticated attackers with Author-level access to expose private or draft Elementor-rendered pages and templates to anonymous visitors. The flaw is rooted in the Tabs and Off Canvas widgets passing a user-supplied post ID directly to Elementor's get_builder_content_for_display() without any post-status or capability check, meaning the rendered output of restricted content is served publicly once an Author configures the widget. No public exploit code has been identified at time of analysis, and no CISA KEV listing exists, making this a lower-urgency but real information-disclosure risk for WordPress sites with multiple or untrusted Author-level users.

Authentication Bypass WordPress
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-8482 MEDIUM This Month

Secret credential leakage in StormShield Network Security's CLI tool exposes the proxy CA passphrase or TPM password to other users sharing an SSH session on the firewall appliance. Affected versions span three distinct branches - 4.3.0-4.3.41, 4.8.0-4.8.15, and 5.0.0-5.0.5 - and exploitation is gated behind SSH multiuser mode being explicitly enabled. No active exploitation has been confirmed by CISA KEV and no public proof-of-concept has been identified at time of analysis, though the leaked secrets carry high downstream value for privilege escalation or certificate authority abuse.

Information Disclosure Stormshield Network Security
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-57730 MEDIUM This Month

Broken access control in Flatsome WordPress theme versions 3.20.5 and earlier allows authenticated subscriber-level users to access restricted resources or perform actions beyond their intended authorization. The flaw stems from missing authorization checks (CWE-862) on one or more endpoints or actions within the theme, enabling low-privilege WordPress users to retrieve information they should not be permitted to view. No public exploit code or CISA KEV listing has been identified at time of analysis, and exploitation is limited to authenticated users, reducing opportunistic risk.

Authentication Bypass Flatsome
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-57690 MEDIUM This Month

Cross-Site Request Forgery in the Werkstatt WordPress theme (FuelThemes) version 4.7.2 and earlier allows remote unauthenticated attackers to perform unauthorized state-changing actions on behalf of authenticated WordPress users. The flaw stems from missing or inadequate CSRF token validation on one or more theme action endpoints, meaning a crafted web page or link can silently trigger privileged operations when visited by a logged-in user. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.

CSRF Werkstatt
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-57689 MEDIUM This Month

Broken access control in the Werkstatt WordPress theme (Fuelthemes) versions 4.7.2 and below allows subscriber-level authenticated users to access functionality or data restricted to higher-privileged roles. The root cause is missing authorization checks (CWE-862), permitting low-privilege WordPress accounts to bypass intended access restrictions and read protected information. No public exploit code is identified and the vulnerability is not listed in CISA KEV, but the low-complexity network vector makes it trivially exploitable by any subscriber-level user on affected sites.

Authentication Bypass Werkstatt
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-57685 MEDIUM This Month

Broken access control in Martfury WooCommerce Marketplace WordPress Theme (versions <= 3.2.8) permits authenticated subscriber-level users to invoke functionality restricted to higher-privilege roles, achieving unauthorized integrity modifications. The flaw is rooted in CWE-862 (Missing Authorization), where theme-controlled endpoints or action handlers fail to verify that the requesting user holds sufficient capabilities beyond basic authentication. No public exploit or CISA KEV listing was present in the available data at time of analysis.

Authentication Bypass WordPress Martfury Woocommerce Marketplace Wordpress Theme
NVD
CVSS 3.1
4.3
EPSS
0.3%
CVE-2026-52738 MEDIUM PATCH GHSA This Month

Persistent denial-of-service in zebrad (Zcash Foundation's Zcash node) up to and including v4.4.1 allows an attacker with mining capability and approximately 1,100-2,100 ZEC to permanently halt all Zebra nodes on the network by mining a single consensus-valid block. The block exploits a credit-before-debit processing order in the finalized transparent state writer, causing an intermediate per-address balance to overflow the MAX_MONEY cap and trigger a Rust panic-abort. Because the triggering block is consensus-valid, the panic recurs on every restart, creating an unrecoverable halt until the node is patched. No public exploit or KEV listing has been identified at time of analysis.

Buffer Overflow
NVD GitHub
CVE-2026-50290 MEDIUM PATCH GHSA This Month

CSS injection sanitization bypass in SpecifyJS's server-side render-to-string function exposes applications to cross-site scripting when the library processes attacker-controlled CSS values. The sanitizer in core/src/server/render-to-string.ts (lines 307-311) used naive regex to block patterns like 'expression(' and 'url(javascript:' without first normalizing the input, allowing bypass via CSS unicode escapes (e.g., \65xpression()), null bytes, or CSS comments (e.g., exp/**/ression()). Critically, the XSS payload only executes in legacy browsers (IE6-IE10), which substantially limits real-world impact. No public exploit or CISA KEV listing has been identified at time of analysis.

XSS
NVD GitHub
CVE-2026-50192 MEDIUM POC PATCH GHSA This Month

{}` that carries no `CheckRedirect` policy. Because Go's `net/http` strips only the standard `Authorization`, `Cookie`, and `WWW-Authenticate` headers on cross-host redirects - not arbitrary custom headers - any 30x redirect issued by the configured `HubURI` causes both keys to be forwarded verbatim to the redirect destination. A proof-of-concept confirming the leak has been provided by the reporter; no public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Open Redirect Information Disclosure
NVD GitHub
CVE-2026-50185 MEDIUM POC PATCH GHSA This Month

Incorrect conditional-move output in the RustCrypto `cmov` crate's aarch64 backend causes cryptographic constant-time operations to silently produce wrong results on aarch64 platforms. The inline assembly implementations of `Cmov` and `CmovEq` compare full 32-bit register contents instead of the intended narrowed type widths when evaluating conditions, because Rust's inline assembly specification explicitly leaves upper register bits undefined for inputs smaller than the register size. A proof-of-concept demonstrating the failure is included in the advisory; the vulnerability is not listed in CISA KEV and no active exploitation has been reported.

Information Disclosure
NVD GitHub
CVE-2026-47251 MEDIUM This Month

Insufficient data exists to characterize this vulnerability. CVE-2026-47251 was reported by Ubuntu but carries no description, CVSS score, CVSS vector, CWE classification, or reference links at the time of this analysis. No impact, affected product, or exploitation mechanism can be determined from the available intelligence. Security teams should treat this as unresolved pending vendor disclosure.

Information Disclosure
NVD
CVE-2026-47709 MEDIUM PATCH This Month

Insufficient intelligence to synthesize. CVE-2026-47709 description is marked unknown, CVSS vector is not available, CWE is not available, and no product name or affected versions are specified - only that Ubuntu reported it. Comprehensive vulnerability analysis requires description, CVSS vector, affected product details, and remediation data.

Information Disclosure
NVD
CVE-2026-47254 MEDIUM PATCH This Month

Insufficient data to analyze. CVE-2026-47254 is reported by Ubuntu but no description, CVSS score, vector, or CWE information is available. Cannot determine attack vector, affected product, version, or real-world impact without vulnerability details.

Information Disclosure
NVD
CVE-2026-47714 MEDIUM PATCH This Month

CVE-2026-47714 is a vulnerability reported by Ubuntu with no public description, CVSS score, CWE classification, or technical details available at time of analysis. The affected product, vulnerability class, and impact cannot be determined from the available intelligence. No exploitation status, patch availability, or affected version range has been confirmed.

Information Disclosure
NVD
Prev Page 2 of 3 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy