Skip to main content
CVE-2026-14607 MEDIUM POC PATCH This Month

Memory corruption in RT-Thread's Linux-compatible process (lwp) syscall layer allows a local low-privileged user to crash the RTOS kernel by supplying a crafted `ai_addr` argument to the `sys_getaddrinfo` handler in `components/lwp/lwp_syscall.c`. All RT-Thread versions through 5.0.2 are affected, with impact limited to availability (VA:H) - no confidentiality or integrity loss is indicated. A public proof-of-concept exists (GitHub issue #11428), though exploitation is not confirmed in CISA KEV; the upstream fix remains an unmerged pull request, leaving all deployed versions currently unpatched.

Buffer Overflow Rt Thread
NVD VulDB GitHub
CVSS 4.0
5.4
EPSS
0.1%
CVE-2026-58283 MEDIUM PATCH This Month

Spoofing in Microsoft Edge (Chromium-based) stems from a type-confusion memory-safety defect (CWE-843) that a remote, unauthenticated attacker can leverage over the network to misrepresent content or origin to the victim. Microsoft rates it CVSS 8.1 with a changed scope, driven largely by high integrity impact, though the CVSS vector's high attack complexity (AC:H) signals non-trivial exploitation. There is no public exploit identified at time of analysis (CVSS E:U), and it is not listed in CISA KEV; Microsoft has already shipped an official fix (RL:O).

Memory Corruption Authentication Bypass Microsoft Google Microsoft Edge Chromium Based
NVD VulDB
CVSS 3.1
6.9
EPSS
0.4%
CVE-2026-59234 MEDIUM PATCH This Month

{id} path parameter in GET /calendar/event/delete/{id}. The delete handler calls Calendar::find($id)->delete() with no user_id or company_id scoping, meaning possession of a valid session is the only gate to destroying arbitrary records. No public exploit has been identified at time of analysis; a confirmed fix is available in the v5.5.3 release.

Authentication Bypass PHP
NVD GitHub
CVSS 4.0
6.9
EPSS
0.4%
CVE-2026-58286 MEDIUM PATCH This Month

Spoofing in Microsoft Edge (Chromium-based) lets a remote, unauthenticated attacker misrepresent trusted UI or content to a victim by abusing improper access control (CWE-284), per Microsoft's own advisory (MSRC CVE-2026-58286). The high CVSS 8.1 is driven by a scope-changed impact (S:C) with high integrity effect, though the AC:H rating signals the attack is not trivially reliable. Currently there is no public exploit identified at time of analysis and no CISA KEV listing, so this is a proactively-patched issue rather than one under active exploitation.

Authentication Bypass Microsoft Google Microsoft Edge Chromium Based
NVD VulDB
CVSS 3.1
6.9
EPSS
0.4%
CVE-2026-58282 MEDIUM PATCH This Month

Spoofing in Microsoft Edge (Chromium-based) lets a remote, unauthenticated attacker bypass an origin/security-context access control (CWE-284) to misrepresent trusted content or UI over a network. The flaw carries CVSS 8.1 with a scope-changed vector and high integrity impact, meaning a successful spoof can influence resources beyond the initially vulnerable component. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but Microsoft has shipped an official fix.

Authentication Bypass Microsoft Google Microsoft Edge Chromium Based
NVD VulDB
CVSS 3.1
6.9
EPSS
0.4%
CVE-2026-49813 MEDIUM PATCH This Month

OS command injection in Dell PowerProtect Data Domain across four supported release tracks allows a high-privileged local attacker to execute arbitrary operating system commands. Affected versions span the main release line (7.7.1.0-8.7) as well as LTS2024, LTS2025, and LTS2026 branch releases. No public exploit code or active exploitation has been identified at time of analysis; the local access and high-privilege prerequisites substantially constrain the realistic attack surface despite the full C/I/A impact scores.

Command Injection Dell Powerprotect Data Domain
NVD VulDB
CVSS 3.1
6.7
EPSS
0.5%
CVE-2026-54483 MEDIUM PATCH This Month

OS command injection in Dell PowerProtect Data Domain enables a high-privileged local attacker to execute arbitrary operating system commands on the backup appliance, achieving full command execution within the Data Domain OS (DDOS). The flaw spans the general release track (7.7.1.0-8.6) and three LTS streams (LTS2024, LTS2025, LTS2026), indicating a shared vulnerable code path across a wide version surface. No public exploit code or CISA KEV listing exists at time of analysis, and the PR:H/AV:L prerequisites meaningfully constrain real-world risk to insider threats or post-compromise scenarios.

Command Injection Dell Data Domain Operating System
NVD VulDB
CVSS 3.1
6.7
EPSS
0.5%
CVE-2026-8804 MEDIUM This Month

Cleartext storage of sensitive parameters in Puppet's resource_api module (versions 1.5.0-1.9.1 and 2.0.0) causes passwords and other credential values to persist unmasked in the Puppet agent's local transaction state cache. The sensitive flag - intended to prevent exactly this exposure - is silently dropped during resource_api parameter processing, meaning any resource type built on this API and declaring sensitive parameters leaks those values to the cache filesystem. No public exploit exists and this is not listed in CISA KEV, but the confidentiality impact is high for environments where Puppet manages secrets such as database passwords or API tokens.

Information Disclosure Puppet Core Puppet Enterprise
NVD VulDB
CVSS 4.0
6.7
EPSS
0.1%
CVE-2026-26355 MEDIUM PATCH This Month

OS command injection in Dell PowerProtect Data Domain across four version release trains allows a high-privileged remote attacker to execute arbitrary operating system commands on the appliance. Affected products span mainline versions 7.7.1.0 through 8.7 and three LTS branches, confirmed by Dell Security Advisory DSA-2026-278. No public exploit identified at time of analysis and the CVE is absent from CISA KEV; however, the high integrity and availability impact (I:H/A:H) on a backup appliance makes patching urgent for environments where backup infrastructure is shared or admin credentials are broadly distributed.

Command Injection Dell Data Domain Operating System
NVD VulDB
CVSS 3.1
6.5
EPSS
1.1%
CVE-2026-56646 MEDIUM PATCH This Month

Microsoft Edge (Chromium-based) versions prior to 150.0.4078.48 expose sensitive information to unauthorized network actors, enabling spoofing attacks against users who interact with attacker-controlled content. The vulnerability maps to CWE-200, indicating that browser-internal sensitive data (likely origin, URL, or session context) is improperly disclosed across a network boundary, allowing an attacker to impersonate trusted content or identities. No public exploit code or CISA KEV listing exists at time of analysis; however, the CVSS score of 6.5 with a network attack vector and no privilege requirement underscores meaningful real-world risk for any unpatched Edge deployment.

Google Microsoft Information Disclosure Microsoft Edge Chromium Based
NVD VulDB
CVSS 3.1
6.5
EPSS
0.7%
CVE-2026-57987 MEDIUM PATCH This Month

Server-side request forgery in Microsoft Edge (Chromium-based) prior to version 150.0.4078.48 allows unauthenticated network attackers to perform spoofing by inducing a victim user to visit a malicious page, causing the browser to issue forged requests to internal or external resources. The confidentiality impact is rated High (CVSS C:H), indicating that sensitive data accessible via the browser's network context may be exfiltrated through the SSRF channel. No public exploit code has been identified and the vulnerability is not listed in the CISA KEV catalog at time of analysis.

SSRF Microsoft Google Microsoft Edge Chromium Based
NVD VulDB
CVSS 3.1
6.5
EPSS
0.6%
CVE-2026-45489 MEDIUM PATCH This Month

Spoofing in Microsoft Edge (Chromium-based) prior to version 150.0.4078.48 allows a remote unauthenticated attacker to present deceptive browser UI to a victim user, resulting in high-confidentiality-impact information disclosure. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) confirms exploitation is network-delivered and requires only a single user interaction, consistent with a classic UI-spoofing or URL-spoofing class of flaw. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; a vendor-released patch is available.

Microsoft Google Microsoft Edge Chromium Based Authentication Bypass
NVD VulDB
CVSS 3.1
6.5
EPSS
0.5%
CVE-2026-58523 MEDIUM PATCH This Month

Security feature bypass in Microsoft Edge for Android exposes high-confidentiality data to unauthenticated network attackers who can induce user interaction. The vulnerability stems from improper access control (CWE-284) in the Chromium-based mobile browser, allowing an attacker to circumvent a security boundary and access protected information without credentials. No active exploitation is confirmed (CISA KEV absent, temporal metric E:U), and a vendor patch is available via MSRC, making this a patch-priority item rather than an emergency response.

Authentication Bypass Microsoft Google Microsoft Edge Chromium Based
NVD VulDB
CVSS 3.1
6.5
EPSS
0.5%
CVE-2026-58418 MEDIUM PATCH This Month

Server-Side Request Forgery (SSRF) via HTTP redirect in Gitea's repository migration feature affects all versions through 1.25.4, allowing an authenticated attacker to coerce the Gitea server into issuing HTTP requests to arbitrary internal network destinations by supplying a crafted migration URL that redirects to an internal address. The CVSS score of 6.5 (C:H) reflects that successful exploitation can expose sensitive internal service responses - including cloud metadata endpoints, internal APIs, or other intranet services - to the attacker. No public exploit or CISA KEV listing has been identified at time of analysis; a vendor patch is available in v1.26.3 and v1.26.4.

SSRF Gitea Open Source Git Server
NVD GitHub
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-46463 MEDIUM PATCH This Month

Integer overflow in Dell PowerProtect Data Domain across multiple release trains (main, LTS2024, LTS2025, LTS2026) exposes backup and data protection infrastructure to remote denial of service by an unauthenticated attacker. The CVSS vector (AV:N/AC:H/PR:N) confirms network-accessible, unauthenticated exploitation, though high attack complexity constrains practical exploitation to adversaries who can satisfy specific preconditions. No public exploit has been identified at time of analysis, and the vulnerability has not been added to the CISA Known Exploited Vulnerabilities catalog.

Integer Overflow Dell Denial Of Service Powerprotect Data Domain
NVD VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-8351 MEDIUM This Month

Stored Cross-Site Scripting in RTMKit (rometheme-for-elementor) versions up to and including 2.0.7 allows authenticated contributors to persist arbitrary JavaScript in WordPress pages via the Advanced Heading widget's 'Background Text' field. The root cause is the direct concatenation of the user-controlled `background_text_heading` setting into an HTML attribute inside the widget's `render()` function without applying WordPress's `esc_attr()` sanitization, reported by Wordfence. No active exploitation is confirmed (not listed in CISA KEV) and no public exploit code has been identified at time of analysis, but the contributor-level access prerequisite makes this realistically exploitable on multi-author or open-registration WordPress sites.

WordPress XSS Rtmkit
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-8489 MEDIUM This Month

Stored Cross-Site Scripting in the Ultimate Member WordPress plugin (versions ≤ 2.11.4) permits any subscriber-level authenticated attacker to inject persistent malicious JavaScript via the 'about_me' profile field, which then executes in the browser of any user - including site administrators - who views the compromised profile page. The scope-changed CVSS vector (S:C, PR:L) reflects that the low barrier to obtaining a subscriber account combined with cross-origin script execution can escalate to full site compromise if an administrator's session is hijacked. No public exploit code or CISA KEV listing has been identified at time of analysis, though the attack is low-complexity once a subscriber account is obtained.

WordPress XSS Ultimate Member User Profile Registration Login Member Directory Content Restriction Membership Plugin
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-9626 MEDIUM This Month

Stored Cross-Site Scripting in the JSON API User WordPress plugin (versions ≤ 4.1.0) allows authenticated attackers with subscriber-level or higher access to inject persistent JavaScript via the `content` parameter of the `post_comment` API endpoint. The plugin's `post_comment()` function passes attacker-controlled `comment_content` directly to WordPress's native `wp_insert_comment()` without any HTML sanitization, and a compounding design flaw permits callers to supply `comment_approved=1` to self-approve comments and entirely bypass the WordPress moderation queue. No public exploit code or CISA KEV listing is confirmed at time of analysis; however, the CVSS scope-change flag (S:C) and low authentication barrier make this a meaningful risk on any site permitting open user registration.

WordPress XSS Json Api User
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-9756 MEDIUM This Month

Stored XSS in the GenerateBlocks WordPress plugin (all versions through 2.2.1) allows contributor-level authenticated attackers to inject arbitrary JavaScript via the Headline Block's `linkMetaFieldType` dynamic link attribute, executing in the browser of any user - including site administrators - who clicks the injected headline link. The attack chains a `get_safe_user_meta_keys()` allowlist bypass with insufficient URI scheme validation to construct a fully attacker-controlled `javascript:` href. No CISA KEV listing exists at time of analysis, but Wordfence reporting and direct source code references lower the barrier to independent exploitation.

WordPress XSS Generateblocks
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-8892 MEDIUM This Month

Stored cross-site scripting in the CM Business Directory WordPress plugin (all versions ≤ 1.5.7) allows contributor-level authenticated users to persist arbitrary JavaScript in business listing address meta fields, executing against any visitor who loads the affected page. The vulnerability exploits a structural gap in WordPress's permission model: because the payload is written to post meta rather than post_content, the platform's native unfiltered_html capability check never fires, giving low-privilege contributors an injection vector that WordPress's architecture was designed to prevent. No public exploit code has been identified and the vulnerability is not listed in CISA KEV, though Wordfence has published full technical details including exact vulnerable code line references and an upstream fix commit.

WordPress XSS Cm Business Directory Optimise And Showcase Local Business
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-12731 MEDIUM This Month

Stored Cross-Site Scripting in the weDocs WordPress plugin (versions through 2.3.0) allows authenticated contributors to persist malicious JavaScript in documentation pages by injecting arbitrary values into the 'sectionTitleTag' and 'articleTitleTag' Gutenberg block attributes, which are rendered without sanitization or output escaping in Sidebar block render.php. Any WordPress user who subsequently visits an injected documentation page will execute the attacker's script in their browser context, enabling session hijacking, credential harvesting, or defacement. No public exploit code or CISA KEV listing has been identified, but the low privilege bar (contributor) makes this accessible to a broad class of authenticated WordPress users.

WordPress XSS Wedocs
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-12734 MEDIUM This Month

Stored Cross-Site Scripting in the weDocs WordPress plugin (all versions through 2.3.0) allows authenticated contributors to inject persistent malicious scripts via the unsanitized 'connectorWidth' block attribute in the Sidebar block renderer (render.php lines 138 and 161). Any site visitor loading an affected documentation page triggers the payload in their browser, enabling session hijacking, credential harvesting, or malicious redirects. No active exploitation is confirmed in CISA KEV and no public exploit has been identified at time of analysis, though the attack technique is low-complexity for anyone with block editor knowledge.

WordPress XSS Wedocs
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-4804 MEDIUM This Month

Stored Cross-Site Scripting in the Zakra WordPress theme (versions up to and including 4.2.0) allows authenticated Contributors to inject arbitrary JavaScript into site pages via the REST API. The vulnerability stems from a sanitization bypass: while the classic editor code path correctly applies sanitize_hex_color() to three menu-color post meta fields, the REST API registration omits any sanitize_callback, permitting unfiltered values to be written. Those values are later concatenated unsanitized into inline CSS and rendered on every page load, triggering stored XSS against any site visitor. No active exploitation (CISA KEV) is confirmed; a vendor-released patch is available in version 4.2.1.

WordPress XSS Zakra
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-58291 MEDIUM PATCH This Month

Information disclosure in Microsoft Edge (Chromium-based) prior to version 150.0.4078.48 enables network-based attackers to expose sensitive browser data through a use-after-resource condition (CWE-672). Exploitation requires user interaction and high attack complexity, but the changed scope (S:C) indicates the flaw breaches browser isolation boundaries, yielding high confidentiality impact. No public exploit or active exploitation has been identified at time of analysis; vendor patch is available from Microsoft MSRC.

Information Disclosure Microsoft Google Microsoft Edge Chromium Based
NVD VulDB
CVSS 3.1
6.1
EPSS
0.6%
CVE-2026-58298 MEDIUM PATCH This Month

Cross-site scripting in Microsoft Edge (Chromium-based) before version 150.0.4078.48 lets a remote attacker trick a victim into rendering attacker-controlled script that spoofs UI or content over the network. Because the CVSS scope is changed (S:C) and user interaction is required (UI:R), a lured user visiting or interacting with a malicious page can be deceived into trusting forged content, undermining browser security-context integrity. Reported by Microsoft with a vendor patch available; EPSS is low (0.28%, 20th percentile) and no public exploit identified at time of analysis.

XSS Microsoft Google Microsoft Edge Chromium Based
NVD VulDB
CVSS 3.1
6.1
EPSS
0.3%
CVE-2026-58524 MEDIUM PATCH This Month

Cross-site scripting in Microsoft Edge (Chromium-based) prior to version 150.0.4078.48 enables network-based spoofing attacks against users who interact with attacker-controlled content. The flaw stems from improper input neutralization during web page generation (CWE-79), allowing injected scripts to execute within the browser's context and manipulate rendered content. No public exploit code or active exploitation has been identified at time of analysis, and Microsoft has released a patch addressing the issue.

XSS Microsoft Google Microsoft Edge Chromium Based
NVD VulDB
CVSS 3.1
6.1
EPSS
0.2%
CVE-2026-4322 MEDIUM This Month

Reflected XSS in Destekz (all versions through 02062026) enables unauthenticated remote attackers to inject and execute arbitrary JavaScript in victim browsers by delivering crafted URLs containing unsanitized input. The CVSS scope change (S:C) confirms that successful exploitation can affect resources beyond the vulnerable application itself, such as the victim's browser session context. Critically, the vendor Raera has confirmed the product is end-of-life and unsupported, meaning no patch will ever be released and all deployed instances are permanently vulnerable. No public exploit code or CISA KEV listing has been identified at time of analysis.

XSS Destekz
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-12960 MEDIUM This Month

Improper export of Android application components in the ASUS Router App enables any co-installed third-party application on the same Android device to send a crafted Intent that forces the ASUS Router App to navigate to an attacker-specified URL. The flaw, classified as CWE-926, allows an attacker-controlled application to abuse the exposed component as an open redirect, potentially rendering phishing content or harvesting router management credentials within the app's trusted interface context. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.

Information Disclosure Google Router App
NVD
CVSS 4.0
6.0
EPSS
0.1%
CVE-2026-45488 MEDIUM PATCH This Month

UI misrepresentation in Microsoft Edge (Chromium-based) prior to version 150.0.4078.48 enables network-based spoofing attacks against users who interact with attacker-controlled web content. The browser fails to accurately present critical security information - such as origin indicators, security status, or authentication prompts - allowing an unauthenticated remote attacker to deceive victims into believing they are interacting with a trusted source. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, and a vendor patch is available.

Authentication Bypass Microsoft Google Microsoft Edge Chromium Based
NVD VulDB
CVSS 3.1
5.9
EPSS
0.3%
CVE-2026-46467 MEDIUM PATCH This Month

Sensitive information disclosure in Dell PowerProtect Data Domain exposes credentials or configuration data to local low-privileged attackers via insufficiently protected log files. Affected are multiple release trains spanning versions 7.7.1.0 through 8.7, with specific LTS branches also impacted. No public exploit code or active exploitation has been identified at time of analysis, but the high confidentiality impact (C:H) warrants prompt patching on any appliance accessible to untrusted local users or shared administrative accounts.

Dell Information Disclosure Data Domain Operating System
NVD VulDB
CVSS 3.1
5.8
EPSS
0.1%
CVE-2026-58300 MEDIUM PATCH This Month

Absolute path traversal in Microsoft Edge for Android (Chromium-based) prior to version 150.0.4078.48 enables local, unauthenticated information disclosure by allowing crafted paths to escape the application's intended directory scope. The CVSS vector (AV:L/C:H/I:N/A:N) confirms the impact is limited to confidentiality loss on the local device, with no integrity or availability consequences. No public exploit identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Path Traversal Microsoft Google Microsoft Edge Chromium Based
NVD VulDB
CVSS 3.1
5.5
EPSS
0.4%
CVE-2026-58522 MEDIUM PATCH This Month

Relative path traversal in Microsoft Edge for Android (Chromium-based) before version 150.0.4078.48 permits a local, unprivileged attacker to read sensitive files outside the application's intended directory scope, achieving high confidentiality impact with minor integrity exposure. The flaw (CWE-23) stems from insufficient sanitization of relative path sequences in Edge's Android file-handling logic. No public exploit code or active exploitation has been identified at time of analysis, though a vendor patch is available and should be prioritized given the high confidentiality impact rating.

Path Traversal Microsoft Google Microsoft Edge Chromium Based
NVD VulDB
CVSS 3.1
5.5
EPSS
0.3%
CVE-2026-46465 MEDIUM PATCH This Month

Format string exploitation in Dell PowerProtect Data Domain enables remote high-privileged attackers to disclose memory contents and crash the service across multiple concurrent release trains. Affected versions span the mainline (7.7.1.0-8.7), LTS2026 (8.6.1.0-8.6.1.10), LTS2025 (8.3.1.0-8.3.1.30), and LTS2024 (7.13.1.0-7.13.1.70) branches, creating broad organizational exposure for enterprises running any supported Data Domain release. No public exploit or confirmed active exploitation has been identified at time of analysis; the mandatory high-privilege prerequisite substantially constrains the realistic attacker pool.

Dell Denial Of Service Information Disclosure Powerprotect Data Domain
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-11397 MEDIUM This Month

Server-Side Request Forgery in WP Import Export Lite (all versions ≤ 3.9.30) allows authenticated administrators to bypass WordPress's native SSRF protections and reach internal network resources, including cloud instance metadata endpoints. The bypass exploits a design flaw: when WordPress's wp_safe_remote_get() correctly blocks a private-range URL and returns a WP_Error, the plugin's Download::download_file() method interprets that error as a cue to retry the original attacker-supplied URL via GuzzleHttp with no filtering and TLS verification disabled. No public exploit is identified at time of analysis and no CISA KEV listing exists, but the cloud credential theft scenario on hosted WordPress environments elevates practical impact beyond the 5.5 base score.

WordPress SSRF Wp Import Export Lite
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-58278 MEDIUM PATCH This Month

Server-side request forgery in Microsoft Edge (Chromium-based) versions before 150.0.4078.48 enables unauthenticated remote attackers to perform network spoofing by inducing the browser to issue forged requests on behalf of a victim. The attack requires user interaction - a victim must visit or interact with attacker-controlled content - after which the browser can be coerced into making unauthorized requests that manipulate resource integrity or availability. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog at time of analysis; a vendor-released patch is available.

SSRF Microsoft Google Microsoft Edge Chromium Based
NVD VulDB
CVSS 3.1
5.4
EPSS
0.3%
CVE-2026-11778 MEDIUM This Month

Arbitrary shortcode execution in the CURCY Multi Currency for WooCommerce WordPress plugin (versions up to and including 2.2.14) allows unauthenticated attackers to invoke any registered WordPress shortcode by sending a crafted request to a vulnerable action handler in frontend/cache.php. The root cause is a failure to validate the shortcode value before passing it to do_shortcode(), meaning any shortcode registered on the site - including those that expose user data, perform database queries, or render sensitive page content - can be triggered without authentication. No public exploit has been identified at time of analysis, and no CISA KEV listing is present, though the low attack complexity and zero-authentication requirement elevate practical risk above what the moderate CVSS score suggests.

Code Injection WordPress RCE Curcy Multi Currency For Woocommerce Smoothly On Woocommerce 9 X
NVD
CVSS 3.1
5.4
EPSS
0.3%
CVE-2026-14614 MEDIUM This Month

Keycloak's ClientResource admin API component, when Fine-Grained Admin Permissions v2 (FGAP v2) is enabled, permits a delegated administrator to attach or detach hidden client scopes that fall outside their authorized management boundary. By injecting unauthorized scopes into client configurations, an attacker can manipulate the contents of OAuth2/OIDC security tokens issued to end-users, causing downstream applications to grant privilege levels beyond what the original access policy intended. No public exploit is identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog; however, the token-injection impact class carries meaningful risk in federated identity deployments.

Authentication Bypass Red Hat Build Of Keycloak Red Hat Data Grid 8 Red Hat Jboss Enterprise Application Platform Expansion Pack Red Hat Single Sign On 7 +1
NVD VulDB
CVSS 3.1
5.4
EPSS
0.2%
CVE-2026-9180 MEDIUM This Month

Unauthenticated booking data tampering in MotoPress Appointment Booking for WordPress (all versions ≤ 2.4.4) allows remote attackers to overwrite the customer name, email, phone number, and customer_id of any victim booking that has not yet been confirmed. The REST endpoint POST /motopress/appointment/v1/bookings is registered with permission_callback set to '__return_true', bypassing all WordPress capability checks, and the createBooking handler blindly trusts an attacker-supplied payment_details.booking_id to load and persist an existing booking without any ownership verification (CWE-639). No public exploit code or CISA KEV listing is confirmed at time of analysis, but the attack is trivially executable by any unauthenticated network attacker given the also-public booking enumeration endpoint.

Authentication Bypass WordPress PHP Motopress Appointment Booking
NVD VulDB
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-11398 MEDIUM This Month

Authorization bypass in the LatePoint Calendar Booking Plugin for WordPress (all versions through 5.6.1) permits unauthenticated attackers to overwrite customer PII - first name, last name, phone number, and notes - on any existing customer record, including those associated with administrator accounts, by submitting the public booking form with a known or guessed target email address. The attack is gated by a specific non-default plugin configuration (guest bookings enabled), meaningfully narrowing the realistic exposure surface. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog at time of analysis.

Authentication Bypass WordPress Latepoint Calendar Booking Plugin For Appointments And Events
NVD
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-14631 MEDIUM PATCH This Month

webpack-dev-server 5.2.5 and earlier crash the entire Node.js host process when an unauthenticated remote peer sends either an HTTP request with a malformed Host header or a WebSocket upgrade to the /ws endpoint with a malformed Origin header. The malformed value bypasses graceful error handling in the host-validation path, triggering an uncaught exception that terminates the dev server process entirely. Impact is confined to availability - no confidentiality loss and no code execution occur despite a misleading 'RCE' tag in the source intelligence, which appears to be a mislabeling inconsistent with the vendor description and CVSS vector (C:N/I:N). No public exploit or CISA KEV listing exists at time of analysis.

Node.js RCE Webpack Dev Server Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-14611 MEDIUM PATCH This Month

Information disclosure in DeepMyst Mysti's Per-Project Auto-Memory Handler allows low-privileged remote attackers to expose resources by supplying a manipulated workspacePath argument to the initProjectMemory function in src/managers/MemoryManager.ts. EUVD-2026-41610 confirms versions 0.1 through 0.4.0 are affected. No active exploitation (CISA KEV) or public exploit code has been identified at time of analysis; the CVSS 4.0 score of 5.3 reflects a limited, confidentiality-only impact with no integrity or availability consequences.

Information Disclosure Mysti
NVD VulDB GitHub
CVSS 4.0
5.3
EPSS
0.3%
CVE-2026-14355 MEDIUM PATCH This Month

Heap-based buffer overflow in PHP's OpenSSL extension affects all maintained PHP branches (8.2.x, 8.3.x, 8.4.x, 8.5.x) when the AES key-wrap-with-padding (AES-WRAP-PAD) algorithm per RFC 5649 is invoked. The output buffer is allocated based only on plaintext length, omitting the mandatory RFC 5649 padding expansion, causing OpenSSL to write beyond the allocated heap region, corrupt heap metadata, and abort the process. No public exploit has been identified at time of analysis; vendor-released patches are available for all affected branches.

Heap Overflow OpenSSL Buffer Overflow PHP Suse
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-12557 MEDIUM This Month

Authorization bypass in the Ninja Forms - File Uploads WordPress plugin (all versions through 3.3.29) allows unauthenticated remote attackers to read all plugin debug log entries stored in the wp_nf3_log database table or permanently delete every row from that table. The flaw originates from the plugin's failure to verify whether a requesting user holds any authorization before processing debug log actions, as confirmed by Wordfence with a direct reference to the vulnerable DebugLog.php route. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass WordPress Ninja Forms File Uploads
NVD VulDB
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-28705 MEDIUM PATCH This Month

Gitea versions before 1.25.5 use release tag names and asset names as filesystem path components when dumping release assets, allowing specially crafted names to affect dump output paths.

Path Traversal Gitea Gitea Open Source Git Server
NVD GitHub
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-35159 MEDIUM PATCH This Month

Physical-access authentication bypass in Dell Client Platform BIOS (CWE-305) affects a sweeping range of Dell consumer, gaming, and enterprise platforms - including Inspiron, Alienware, Latitude, OptiPlex, and Precision lines. An unauthenticated attacker with physical access and the ability to meet high-complexity attack conditions can bypass the primary BIOS authentication mechanism, resulting in information disclosure and, per the CVSS integrity metric (I:H), potential high-integrity impact. Notably, the declared impact in the description is limited to 'Information Disclosure' while the supplied CVSS vector assigns I:H, a discrepancy that warrants clarification from Dell's advisory DSA-2026-195. No public exploit has been identified and this vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass Dell Information Disclosure Inspiron 15 3520 G15 5530 +175
NVD
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-25782 MEDIUM PATCH This Month

Gitea versions before 1.25.5 look up tracked-time entries by time ID without scoping the lookup to the issue in the request URL, allowing deletion attempts to target entries from another issue.

Authentication Bypass Gitea Gitea Open Source Git Server
NVD GitHub
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-20909 MEDIUM PATCH This Month

Gitea versions before 1.25.5 have insufficient permission checks when listing tracked time entries.

Authentication Bypass Gitea Gitea Open Source Git Server
NVD GitHub
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-46464 MEDIUM PATCH This Month

Symlink-following vulnerability in Dell PowerProtect Data Domain allows a high-privileged remote attacker to traverse outside intended file paths and read arbitrary files, resulting in information disclosure. Multiple version branches are affected, including the current mainstream 8.7 release, LTS2026 builds through 8.6.1.10, LTS2025 builds through 8.3.1.30, and LTS2024 builds through 7.13.1.70. Dell published advisory DSA-2026-278 addressing this issue; no public exploit code or active exploitation has been identified at time of analysis.

Dell Information Disclosure Powerprotect Data Domain
NVD VulDB
CVSS 3.1
4.9
EPSS
0.4%
CVE-2026-12920 MEDIUM This Month

SQL injection in the Cookie Banner for GDPR/CCPA - WPLP Cookie Consent WordPress plugin (all versions up to and including 4.3.5) enables authenticated administrators to append arbitrary SQL clauses to existing queries via the unescaped 's' search parameter in the admin data-request table interface. The vulnerable code spans at least four distinct query paths in class-wpl-data-req-table.php (lines 322, 377, 492, and 513), each failing to sanitize or properly prepare user-supplied input before use in database queries. No public exploit or CISA KEV listing has been identified at time of analysis; the high privilege requirement (WordPress administrator) substantially constrains real-world attack surface.

WordPress SQLi Cookie Banner For Gdpr Ccpa Wplp Cookie Consent
NVD
CVSS 3.1
4.9
EPSS
0.3%
CVE-2026-14620 MEDIUM PATCH This Month

Cross-site request forgery in webpack-dev-server 5.2.5 and earlier allows any website visited by a developer to silently invoke two unauthenticated state-changing endpoints - `/webpack-dev-server/open-editor` and `/webpack-dev-server/invalidate` - via simple browser-initiated GET requests that carry no CSRF protection. An attacker controlling a web page visited during an active dev session can open arbitrary local files in the developer's editor (including files outside the project root) and trigger repeated forced recompilations that degrade workstation performance. No public exploit has been identified at time of analysis, and exploitation is confined to developer workstations rather than production infrastructure.

CSRF Webpack Dev Server Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
4.7
EPSS
0.1%
Page 1 of 2 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy