Skip to main content
CVE-2026-10708 HIGH This Week

Sensitive information disclosure in Adalo App Builder (versions 1 through 2) lets remote unauthenticated attackers harvest personal data at scale by sending a single request to a minimal leaderboard component, returning user records that include emails, UUIDs, and custom fields. The flaw stems from wildcard CORS behavior combined with long-lived twenty-day JWTs and no token revocation, meaning any Adalo application can be scraped without app-specific secrets. No public exploit is identified at time of analysis, and the EPSS score is low (0.10%), but the network-reachable, no-authentication nature makes mass automated collection straightforward.

Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-5356 HIGH This Week

Payment amount manipulation in the LatePoint Calendar Booking plugin for WordPress (versions up to and including 5.4.0) lets unauthenticated attackers finalize bookings while paying an arbitrary amount. The Stripe Connect payment processor trusts a client-supplied PaymentIntent ID, so an attacker can replay a previously succeeded PaymentIntent token to satisfy the payment check. No public exploit identified at time of analysis, and the flaw is not in CISA KEV.

Authentication Bypass WordPress Latepoint Calendar Booking Plugin For Appointments And Events
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-6854 HIGH This Week

Unauthenticated blind SQL injection in the My Calendar - Accessible Event Manager WordPress plugin (all versions through 3.7.8) lets remote attackers inject SQL through the 'mc_auth' parameter, enabling extraction of sensitive database contents such as user credentials and secret keys. The flaw stems from unescaped user input concatenated into an unprepared query, and being reachable without authentication makes it broadly exploitable on any site running a vulnerable version. No public exploit identified at time of analysis, but the technique (time-based blind extraction) is well understood and readily automatable.

WordPress SQLi My Calendar Accessible Event Manager
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-6230 HIGH This Week

SQL injection in the Tainacan WordPress plugin (versions ≤ 1.0.3) lets unauthenticated attackers exfiltrate database contents through the 'geoquery' parameter, which is concatenated into a SQL query without proper escaping or prepared-statement binding. Because the injection is time-based blind, attackers infer data character-by-character from response delays rather than direct output. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV, but the network-reachable, no-authentication vector makes it a realistic target for automated scanning once details spread.

WordPress SQLi Tainacan
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-24700 HIGH This Week

An OS command injection vulnerability exists in the start_lltd() function of the "rc" binary in Cisco RV130/RV130W with firmware 1.0.3.55 and RV110W routers with firmware 1.2.2.5 / 1.2.2.8. The machine_name configuration parameter is not properly sanitized, which could allow an authenticated remote attacker to execute arbitrary OS commands with root privileges.

Command Injection Cisco Rv130 Firmware Rv130W Firmware Rv110W Firmware
NVD GitHub VulDB
CVSS 3.1
7.2
EPSS
1.0%
CVE-2026-24699 HIGH This Week

An OS command injection vulnerability exists in the sub_34984() function of the "rc" binary in Cisco RV130/RV130W with firmware 1.0.3.55 and RV110W routers with firmware 1.2.2.5 / 1.2.2.8. The lan_ipv6_prefixlen configuration parameter is not properly sanitized, which could allow an authenticated remote attacker to execute arbitrary OS commands with root privileges.

Command Injection Cisco Rv130 Firmware Rv130W Firmware Rv110W Firmware
NVD GitHub VulDB
CVSS 3.1
7.2
EPSS
1.0%
CVE-2026-24698 HIGH This Week

Root-level OS command injection in Cisco RV130/RV130W (firmware 1.0.3.55) and RV110W (firmware 1.2.2.5/1.2.2.8) small-business routers lets an authenticated remote attacker run arbitrary commands via the unsanitized model_name parameter in the httpd binary's save_syslog_to_file() function. Because injected commands run as root, successful exploitation yields full device takeover. Publicly available exploit code exists (SSVC exploitation status: poc) but the flaw is not listed in CISA KEV.

Command Injection Cisco Rv130 Firmware Rv130W Firmware Rv110W Firmware
NVD GitHub VulDB
CVSS 3.1
7.2
EPSS
1.0%
CVE-2026-24697 HIGH This Week

Root-level OS command injection in Cisco RV130, RV130W, and RV110W small-business routers lets an authenticated remote administrator inject arbitrary shell commands through the wan_hostname parameter, which is passed unsanitized into the start_bonjour() routine of the 'rc' binary. Because the 'rc' process runs as root, successful exploitation yields full command execution and complete device takeover. Publicly available exploit details exist in an IoT vulnerability write-up; there is no evidence of active exploitation (not in CISA KEV) and no EPSS score was provided.

Command Injection Cisco Rv130 Firmware Rv130W Firmware Rv110W Firmware
NVD GitHub VulDB
CVSS 3.1
7.2
EPSS
1.0%
CVE-2026-0288 HIGH PATCH This Week

Memory corruption in the User-ID Terminal Server Agent (TSA) of Palo Alto Networks PAN-OS lets an unauthenticated network attacker crash the service (DoS) or potentially execute arbitrary code by sending crafted traffic to the TSA listener. Multiple out-of-bounds write bugs are involved; the vendor's CVSS 4.0 vector flags the exploit as unproven (E:U), and no public exploit has been identified at time of analysis. Panorama is explicitly not affected, and exposure hinges on whether the optional TSA component is deployed and reachable.

Memory Corruption Paloalto Buffer Overflow Denial Of Service RCE +1
NVD VulDB
CVSS 4.0
7.2
EPSS
0.5%
CVE-2026-10698 HIGH PATCH This Week

Server-side NoSQL injection in Progress MOVEit Transfer (Custom Reports modules) lets an authenticated high-privilege user inject crafted query elements to read, alter, or disrupt backend data. It affects MOVEit Transfer 2025.0.x before 2025.0.8, 2025.1.x before 2025.1.4, and 2026.0.0 before 2026.0.1, with full confidentiality, integrity, and availability impact per the CVSS vector. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

Nosql Injection Information Disclosure Moveit Transfer
NVD VulDB
CVSS 3.1
7.2
EPSS
0.4%
CVE-2026-56246 HIGH PATCH This Week

Cross-organization authorization bypass in Capgo before 12.128.2 lets a scoped API key (limited_to_orgs) inherit its owner's full user permissions, so an admin holding a write key restricted to one organization can execute destructive operations against a different organization. Because route-level authorization (rbac_check_permission_direct) checks the owner's user privileges before enforcing the key's org scope, a key intended to be confined to Org A can call DELETE /organization or DELETE /organization/members on Org B. No public exploit has been identified at time of analysis; the flaw is documented in a GitHub Security Advisory (GHSA-ccm4-hf72-p28m) and a VulnCheck advisory.

Authentication Bypass
NVD GitHub
CVSS 4.0
7.2
EPSS
0.2%
CVE-2026-6820 HIGH This Week

Stored cross-site scripting in the VikBooking Hotel Booking Engine & PMS plugin for WordPress (all versions through 1.8.8) lets unauthenticated remote attackers persist arbitrary JavaScript via the 'email' parameter, which then executes in the browser of any user - including hotel staff and admins - who later views the affected page. Because the injection point is reachable without authentication and the payload is stored server-side, it enables session hijacking, admin action forgery, and content defacement against booking-management back offices. This issue is not in CISA KEV and no public exploit has been identified at time of analysis.

WordPress XSS Vikbooking Hotel Booking Engine Pms
NVD
CVSS 3.1
7.2
EPSS
0.2%
CVE-2026-6818 HIGH This Week

Stored cross-site scripting in the VikBooking Hotel Booking Engine & PMS plugin for WordPress (all versions through 1.8.8) lets unauthenticated attackers persist arbitrary JavaScript via the 'special_requests' booking field, which then executes when a hotel operator or user views the injected order in the admin back-end. Reported by Wordfence with a CVSS 7.2 (scope-changed) rating; no public exploit identified at time of analysis and it is not listed in CISA KEV. The fix landed in version 1.8.9, whose patched source is referenced in the advisory.

WordPress XSS Vikbooking Hotel Booking Engine Pms
NVD
CVSS 3.1
7.2
EPSS
0.2%
CVE-2026-55761 HIGH PATCH This Week

Authentication bypass in Portainer Community Edition (2.39.0-2.39.3 and 2.40.0 through 2.42.x) lets an unauthenticated network attacker seize full administrative control of a freshly deployed, uninitialized instance. During the five-minute post-deployment setup window the /api/restore and /api/users/admin/init endpoints stay reachable without credentials, so an attacker who wins the race can create the first admin account or restore a crafted backup and take over the platform along with every Docker, Swarm, Kubernetes and ACI environment it manages. No public exploit identified at time of analysis and it is not on CISA KEV, but the fix is available in 2.39.4 and 2.43.0.

Authentication Bypass Kubernetes Docker Portainer
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.3%
CVE-2026-56401 HIGH PATCH This Week

Denial of service in Wazuh wazuh-modulesd (all releases before 5.0.0-beta3) lets an enrolled agent crash the manager's inventory synchronization module by sending a verifier-valid FlatBuffer DataValue message that omits the optional id field, triggering a null pointer dereference (CWE-476). Exploitation requires only a valid enrolled agent (PR:L) over the network with no user interaction; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Impact is availability-only - no data confidentiality or integrity loss - but it can repeatedly take down central inventory sync, blinding a security monitoring deployment.

Wazuh Denial Of Service Null Pointer Dereference
NVD GitHub
CVSS 4.0
7.1
EPSS
0.3%
CVE-2026-35210 HIGH PATCH This Week

Authorization bypass in OpenCTI prior to version 7.260326.0 lets any authenticated user holding the KNOWLEDGE_KNUPDATE permission override Confidence Level validation and Object Marking restrictions simply by adding the 'synchronized-upsert: true' HTTP header. Exploitation allows downgrading confidence levels, stripping security markings such as TLP:RED, and tampering with STIX objects (Indicators, Threat Actors, Malware, Reports) and their relationships. There is no public exploit identified at time of analysis, and the issue is not on CISA KEV; the fix is delivered in release 7.260326.0.

Authentication Bypass Opencti
NVD GitHub VulDB
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-59262 HIGH PATCH This Week

Broken access control in AFFiNE (toeverything/AFFiNE monorepo) lets any authenticated workspace member read the edit history of documents they should not access by querying the GraphQL 'histories' field with an arbitrary document GUID. Because the resolver never checks Doc.Read permission, an attacker can enumerate private page timelines and harvest contributor user names, emails, and edit timestamps. No public exploit has been identified at time of analysis, but exploitation is trivial for any low-privileged member.

Authentication Bypass Monorepo
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-59805 HIGH PATCH This Week

Broken access control in Gumroad's PurchasesController (versions before 2026.07.06.2) lets any authenticated seller revoke or restore buyer access to products they do not own by sending PUT requests to the revoke_access and undo_revoke_access actions, which fail to validate seller ownership. Because the actions operate on arbitrary purchase records via direct object reference, a low-privileged seller can tamper with the is_access_revoked flag on other sellers' sales. No public exploit was identified at time of analysis and the flaw is not listed in CISA KEV, but the fix is confirmed in release v2026.07.06.2.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-56220 HIGH PATCH This Week

Authorization bypass in Capgo before 12.128.2 lets read-only organization members insert rows into the public.manifest table via a flawed INSERT row-level-security policy, poisoning the OTA update manifests that Capacitor apps fetch. Because these forged entries carry attacker-chosen s3_path values and are served to client devices through the unauthenticated /updates endpoint, a low-privileged insider can steer devices toward malicious update assets. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass
NVD GitHub
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-41122 HIGH PATCH This Week

Stored cross-site scripting in Dell PowerProtect Data Domain (DD OS 7.7.1.0 through 8.7, plus the LTS2026 8.6.1.x, LTS2025 8.3.1.x, and LTS2024 7.13.1.x branches) lets a remote attacker persist malicious script in the appliance management interface that executes in other users' browser sessions. Because the flaw is reachable without authentication and the injected payload runs in the victim's authenticated context, an attacker can achieve information disclosure, session/token theft, and client-side request forgery against operators of the backup appliance. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; Dell has published advisory DSA-2026-278.

XSS Dell Information Disclosure Data Domain Operating System
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-59948 HIGH PATCH This Week

Arbitrary file write in Composer (the PHP dependency manager) before 2.2.29 and 2.10.2 allows a malicious package served from an untrusted, third-party repository to write attacker-controlled files outside the vendor directory and outside the project root during an install or update. The flaw stems from an invalid package name that is not validated before dependency-resolution results are written to disk (CWE-22 path traversal), and no public exploit has been identified at time of analysis. Exploitation requires the victim to have configured a non-default, untrusted repository (not Packagist.org or Private Packagist) and to run composer install/update, so it is not a default-configuration remote attack.

Path Traversal PHP Composer
NVD GitHub VulDB
CVSS 3.1
7.0
EPSS
0.1%
CVE-2026-29007 MEDIUM This Month

Out-of-bounds read in U-Boot's TCP stack (net/tcp.c, tcp_rx_state_machine()) allows remote unauthenticated attackers to corrupt bootloader TCP connection state by sending a crafted packet with deliberately mismatched IP total length and TCP data offset fields. Affected builds span U-Boot through 2026.04-rc3, but only when compiled with CONFIG_PROT_TCP - a non-default option. Impact is disruption of TCP window calculations via corruption of rmt_win_scale and rmt_timestamp variables, potentially breaking network-based boot sequences. No public exploit has been identified at time of analysis, and this vulnerability is not currently listed in CISA KEV.

Buffer Overflow Information Disclosure U Boot
NVD VulDB
CVSS 4.0
6.9
EPSS
0.5%
CVE-2026-59938 MEDIUM PATCH This Month

Uncontrolled memory allocation in pypdf prior to 6.14.0 allows remote, unauthenticated attackers to exhaust host memory by submitting a crafted PDF containing image metadata with inflated declared sizes that vastly exceed the actual embedded image data. Any application that uses pypdf to parse untrusted PDFs is exposed; the library allocates memory proportional to the declared (attacker-controlled) size rather than the actual data length. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog at time of analysis.

Python Information Disclosure Pypdf
NVD GitHub
CVSS 4.0
6.9
EPSS
0.3%
CVE-2025-3110 MEDIUM This Month

HTTP request smuggling in OpenVPN Access Server 2.7.2 through 3.1.0 enables remote unauthenticated attackers to inject or manipulate backend requests when the Access Server is deployed behind a reverse proxy. The server incorrectly accepts bare line-feed (LF-only, without carriage return) characters inside HTTP header values, creating a parsing discrepancy between the front-end proxy and the Access Server backend - the hallmark of CWE-444. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog; however, the CVSS 4.0 score of 6.9 with integrity impact on both the vulnerable and subsequent systems indicates meaningful risk in typical enterprise VPN gateway deployments fronted by load balancers or reverse proxies.

Request Smuggling Information Disclosure Access Server Red Hat
NVD VulDB
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-59937 MEDIUM PATCH This Month

Uncontrolled resource consumption in pypdf prior to 6.14.0 allows unauthenticated remote attackers to cause denial of service by submitting a crafted PDF containing repeated malformed cross-reference streams. The library's XRef table recovery routine performs unbounded work on such inputs, leading to excessive CPU time consumption and effectively hanging or severely degrading any application that processes attacker-supplied PDFs. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Python Denial Of Service Pypdf
NVD GitHub
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-8649 CRITICAL PATCH Act Now

SQL/NoSQL query injection in Progress MOVEit Transfer (Custom Reports modules) lets remote unauthenticated attackers manipulate backend data-query logic to read, alter, or destroy managed-file-transfer data across versions before 2025.0.7, 2025.1.3, and 2026.0.0. Rated CVSS 9.8 with full confidentiality, integrity, and availability impact, though real-world exploitation is currently rated low (EPSS 0.22%, CISA SSVC exploitation 'none') and no public exploit has been identified at time of analysis. MOVEit's history as a mass-exploitation target (Cl0p, 2023) makes this a high-priority patch despite the currently quiet threat signal.

Nosql Injection Information Disclosure Moveit Transfer
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-56284 MEDIUM PATCH This Month

Unauthenticated information disclosure in Capgo (Cap-go/capgo) before 12.128.2 exposes sensitive organization metrics through a misconfigured Supabase PostgREST RPC endpoint. The Supabase function public.get_total_metrics(org_id) is accessible to the anon role using only the publicly distributed sb_publishable_* key, meaning any external party can query it without credentials. By iterating valid organization UUIDs against POST /rest/v1/rpc/get_total_metrics, attackers can confirm organization existence and harvest usage data including monthly active users, bandwidth consumption, and install counts. No public exploit or CISA KEV listing exists at time of analysis; the EPSS signal is absent from provided data but the low exploitation complexity suggests elevated opportunistic risk.

Information Disclosure
NVD GitHub
CVSS 4.0
6.9
EPSS
0.2%
CVE-2026-35211 MEDIUM PATCH This Month

Elasticsearch Painless script injection via OpenCTI's GraphQL API allows any authenticated user holding the KNOWLEDGE capability to submit computationally expensive, unvalidated scripts that saturate Elasticsearch cluster CPU, degrading or denying service for the entire platform. All OpenCTI deployments prior to version 7.260401.0 are affected, with the vulnerability residing in the exposed 'script' FilterOperator of the GraphQL API. No public exploit code or CISA KEV listing is confirmed at time of analysis; a vendor-released patch is available in version 7.260401.0.

Code Injection Elastic RCE Opencti
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.4%
CVE-2026-60001 MEDIUM PATCH This Month

OpenSSH sshd before version 10.4 fails to consistently enforce its built-in minimum authentication delay, undermining the rate-limiting defense designed to slow credential-guessing attacks against SSH services. All OpenSSH releases prior to 10.4 are affected across all platforms, enabling unauthenticated remote attackers to submit authentication attempts at a rate higher than the daemon intends to permit. No public exploit code has been identified and the vulnerability is absent from CISA KEV; however, the trivial attack complexity combined with OpenSSH's near-universal deployment footprint makes prompt patching appropriate.

SSH Denial Of Service Openssh
NVD VulDB
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-6280 MEDIUM This Month

Nomysem, an education and consulting management platform by Turkish vendor NOMYSOFT Informatics, exposes sensitive information to authenticated low-privilege users due to incompatible ACL policies that fail to properly constrain access to restricted functionality. Network-accessible endpoints can be reached by any valid account holder, yielding high-confidentiality-impact data exposure without requiring elevated rights or user interaction. No public exploit code has been identified at time of analysis; however, the vendor failed to respond to coordinated disclosure, leaving the vulnerability unpatched.

Information Disclosure
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-15154 MEDIUM This Month

ReDoS vulnerability in the guardrails-detectors component of Red Hat OpenShift AI enables adjacent-network attackers to submit specially crafted regular expressions to the public detection API, triggering catastrophic backtracking that pins a worker process at 100% CPU indefinitely. The availability impact extends beyond the component itself - the entire guardrails-mediated LLM pipeline is rendered non-functional. No public exploit identified at time of analysis, but exploitation requires no authentication and trivial effort from an adjacent network position.

Red Hat Denial Of Service Openshift Ai
NVD VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-57259 MEDIUM This Month

XXE injection in Foxit PDF Editor and Foxit PDF Reader exposes any local file readable by the victim user when they open a maliciously crafted document disguised as a PDF. The parser processes documents that are not structurally valid PDFs, resolving attacker-controlled external XML entities that reference local filesystem paths via file:// or similar protocols, enabling out-of-band exfiltration of sensitive local files. No public exploit code or CISA KEV listing exists at time of analysis; exploitation is gated by user interaction (UI:R), limiting opportunistic mass exploitation.

XXE Foxit Pdf Editor Foxit Pdf Reader
NVD VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-59896 MEDIUM PATCH This Month

Server-side rendering in Hono's JSX module (versions 4.11.8 through before 4.12.27) fails to isolate context values per request, enabling cross-request data leakage under concurrent load. When async components yield at an await boundary, the shared context store can be overwritten by a concurrent in-flight request, causing createContext, useContext, jsxRenderer, or useRequestContext data from one user's session to bleed into another user's response. No public exploit has been identified at time of analysis, but the C:H CVSS impact rating reflects that leaked context values frequently carry sensitive per-user material such as authentication state, session tokens, or profile data.

Race Condition Information Disclosure Hono
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-59998 MEDIUM PATCH This Month

OpenSSH sshd before version 10.4 silently ignores the GSSAPIStrictAcceptorCheck configuration directive when the server is integrated with Windows Active Directory, defeating a security control that administrators rely on to enforce GSSAPI acceptor name validation during Kerberos-based SSH authentication. This undocumented behavior means AD-joined SSH servers may accept GSSAPI authentications against unintended Kerberos service principals regardless of how the option is configured, yielding limited confidentiality and integrity impact. No public exploits or active exploitation have been identified; the CVSS AC:H rating reflects the specific environmental prerequisites required for exploitation.

SSH Microsoft Information Disclosure Openssh
NVD VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-15109 MEDIUM PATCH This Month

Uninitialized memory use in Chrome's ANGLE graphics layer exposes potentially sensitive process memory contents to remote attackers across all desktop Chrome versions prior to 150.0.7871.115. The flaw is triggered by a crafted HTML page requiring user interaction, limiting automated mass exploitation - consistent with SSVC classifying it as non-automatable with partial technical impact. No public exploit code exists and EPSS sits at 0.18% (7th percentile), but Chrome's ubiquitous deployment footprint and the high confidentiality impact still justify prompt patching.

Information Disclosure Google
NVD VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-58494 MEDIUM PATCH This Month

Wasmtime's WASI filesystem implementation allows a sandboxed WebAssembly guest to overwrite host files that were intentionally exposed as read-only preopens. The wasmtime-wasi component checks directory-level permissions during hard-link creation (path_link) and rename (path_rename) operations but fails to verify that the source and destination preopens carry matching FilePerms flags - meaning FilePerms::READ enforcement is bypassed at the operation level. Affected versions span multiple major release trains (prior to 24.0.11, 36.0.12, 45.0.3, and 46.0.1); no public exploit code or CISA KEV listing is present at time of analysis, but the scope change from guest sandbox to host filesystem makes this a meaningful sandbox-escape class defect.

Information Disclosure
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-49463 MEDIUM PATCH GHSA This Month

Broken object-level authorization in the nl-portal-backend-libraries GraphQL API exposes sensitive personal data belonging to arbitrary users to any authenticated caller. Two resolvers - document content retrieval (all published versions of nl.nl-portal:documenten-api since 0.2.2.RELEASE, 2023) and the besluiten (decisions) module (nl.nl-portal:besluiten 1.5.0-3.0.0) - were declared without a CommonGroundAuthentication parameter, causing the Spring framework to never bind the authenticated principal into the call path and leaving ownership checks impossible at the resolver level. The two endpoints chain naturally: an attacker enumerates decision records and their attached document IDs via the besluit queries, then exfiltrates raw document content through the document endpoint; decisions frequently contain government benefit, permit, and objection rulings, giving the exposure high real-world sensitivity. No public exploit has been identified at time of analysis, and this was discovered during a structured penetration testing engagement in May 2026.

Java Information Disclosure
NVD GitHub
CVSS 3.1
6.5
CVE-2026-49455 MEDIUM POC PATCH GHSA This Month

Cross-Site Request Forgery in Waku's RSC request dispatcher allows a remote attacker to invoke any state-mutating 'use server' server action with a victim's session cookies by exploiting the complete absence of Origin header validation in the core request handler at packages/waku/src/lib/utils/request.ts. Both the RSC path prefix branch (exploitable via Content-Type: text/plain, no preflight) and the progressive-enhancement HTML form branch (exploitable via multipart/form-data) are unguarded, with opaque-origin contexts such as sandboxed iframes and browser extension pages additionally exploitable via Origin: null. The reporter confirmed a working proof-of-concept against waku 1.0.0-beta.0 with dynamic verification on 2026-05-17; all HTTP adapters share the same vulnerable dispatcher and no patched version has been identified at time of analysis.

CSRF
NVD GitHub
CVSS 3.1
6.5
CVE-2026-10570 MEDIUM This Month

Stored cross-site scripting in the Sympl Repeater for ACF and Elementor WordPress plugin (all versions up to and including 2.3) allows authenticated attackers with Author-level access to inject persistent malicious scripts into pages via unsanitized ACF repeater field values. The root cause is the symp_arfe_replace_content() function using PHP str_replace() to insert raw get_field() output directly into Elementor-rendered HTML without any output encoding, causing the stored payload to execute in any subsequent visitor's browser. No public exploit code or CISA KEV listing has been identified at time of analysis, but the scope-changed CVSS vector (6.4 Medium) reflects real cross-user impact on WordPress sites where multiple Authors are active.

WordPress XSS Sympl Repeater For Acf And Elementor
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-6740 MEDIUM This Month

Stored cross-site scripting in the Nexter Blocks - Gutenberg Blocks, Page Builder & AI Website Builder WordPress plugin (versions through 4.7.4) enables authenticated contributors to persistently inject malicious JavaScript via the unsanitized 'commentIcon' parameter, executing in any visitor's browser on affected pages. The CVSS Scope:Changed metric reflects that attacker-controlled code crosses trust boundaries into the victim's browser session, enabling session hijacking, credential theft, or unauthorized actions on behalf of privileged users such as site administrators. No public exploit code or CISA KEV listing was identified at time of analysis.

WordPress XSS Nexter Blocks Gutenberg Blocks Page Builder Ai Website Builder
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-6459 MEDIUM This Month

Stored Cross-Site Scripting in Essential Addons for Elementor (versions up to and including 6.6.2) allows authenticated WordPress users with Author-level access or higher to inject persistent malicious JavaScript via event titles rendered through the Event Calendar widget. The injected payload executes in the browsers of any user who visits the affected page, with scope change confirmed by the CVSS:3.1 S:C designation. No public exploit code or CISA KEV listing has been identified at time of analysis, but the authentication barrier is low on sites that permit contributor or author registration.

WordPress XSS Essential Addons For Elementor Popular Elementor Templates Widgets
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-6742 MEDIUM This Month

Stored Cross-Site Scripting in the Advanced iFrame WordPress plugin (versions through 2026.1) allows authenticated contributors to permanently inject malicious scripts into WordPress pages via the unsanitized 'additional' parameter. Any site visitor loading an affected page will execute the attacker's payload in their browser, enabling session hijacking, credential theft, or defacement. No public exploit has been identified at time of analysis, and a fix has been committed to the WordPress plugin repository per Wordfence reporting.

WordPress XSS Advanced Iframe
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2025-14785 MEDIUM This Month

Stored Cross-Site Scripting in the SeedProd Website Builder WordPress plugin (all versions through 6.20.2) allows authenticated contributors to inject persistent malicious JavaScript via unsanitized attributes of the `seedprodnestedmenuwidget` shortcode. Any user-including administrators-who subsequently visits an affected page will execute the attacker's script in their browser, enabling session hijacking, credential theft, or unauthorized administrative actions. No public exploit code or CISA KEV listing is identified at time of analysis, but the contributor-level access bar lowers the threshold for abuse on multi-author WordPress sites.

WordPress XSS Website Builder By Seedprod Theme Builder Landing Page Builder Coming Soon Page Maintenance Mode
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-59802 MEDIUM PATCH This Month

Cross-site scripting via data URI injection in PasswordPusher before 2.8.1 allows unauthenticated attackers to create URL pushes containing data:text/html payloads that execute arbitrary JavaScript in victims' browsers under the trusted PasswordPusher origin. The root cause is the valid_url function accepting data: URI schemes as valid URLs, meaning any attacker with push creation access can craft a link that, when clicked by a recipient, renders attacker-controlled HTML and JavaScript within the trusted application domain - enabling convincing phishing pages or session cookie harvesting. No public exploit has been identified at time of analysis, but a vendor-released patch (2.8.1) is available per the GitHub security advisory.

Information Disclosure Passwordpusher
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.2%
CVE-2026-15063 MEDIUM This Month

Unproxied metrics port exposure in the gorch service template of trustyai-service-operator (part of Red Hat OpenShift AI) allows any pod on the cluster network to access orchestrator and detector metrics endpoints while bypassing kube-rbac-proxy authentication. The flaw manifests specifically when authentication is enabled - the configuration that should be protective is the same one under which the bypass exists. CVSS PR:L confirms exploitation requires a pod already running on the cluster network, limiting blast radius to actors with at least minimal cluster access. No public exploit code identified and no CISA KEV listing at time of analysis.

Authentication Bypass Red Hat Openshift Ai Rhoai
NVD
CVSS 3.1
6.3
EPSS
0.2%
CVE-2026-15044 MEDIUM This Month

Unauthenticated cluster-internal access to TrustyAI Service Operator's gorch and NemoGuardrails deployments is possible when a specific security setting is not explicitly enabled at deployment time. Any workload running within the same Kubernetes or OpenShift cluster can reach these AI guardrail and orchestration service endpoints without presenting credentials, exposing sensitive inference data and enabling limited unauthorized model interactions. No public exploit has been identified at time of analysis, but the low-complexity adjacent attack vector and low-privilege prerequisite make this a realistic lateral movement risk in shared or multi-tenant cluster environments.

Authentication Bypass Information Disclosure
NVD
CVSS 3.1
6.3
EPSS
0.2%
CVE-2026-39179 MEDIUM This Month

A SQL injection vulnerability in SOGo before 5.12.7 allows authenticated users to execute arbitrary SQL statements via the newPassword parameter in the password change functionality.

SQLi
NVD GitHub VulDB
CVSS 3.1
6.3
EPSS
0.1%
CVE-2026-39178 MEDIUM This Month

SQL injection in SOGo's allContactSearch endpoint permits authenticated users to inject arbitrary SQL via the unsanitized search parameter, affecting all SOGo releases before 5.12.7. An attacker with a valid SOGo account can manipulate backend SQL queries to read, alter, or partially disrupt contact database contents - confirmed by both the upstream fix commit and the vendor's 5.12.7 release announcement. EPSS sits at the 5th percentile (0.15%) and no CISA KEV listing exists, indicating no public exploit identified at time of analysis despite the straightforward CWE-89 root cause.

SQLi
NVD GitHub VulDB
CVSS 3.1
6.3
EPSS
0.1%
CVE-2026-55668 MEDIUM PATCH This Month

Symlink-based path traversal in File Browser prior to 2.63.16 allows an authenticated low-privilege user with Create and Modify permissions to write attacker-controlled files outside their designated scope. The flaw resides in ScopedFs, which validates only the nearest existing ancestor of a dangling symlink - leaving it in-scope - and then follows the symlink during file creation, landing the resulting file in an arbitrary location on the underlying filesystem. No public exploit has been identified at time of analysis, but the scope-change characteristic (S:C in the CVSS vector) means successful exploitation extends impact beyond the web application's permission boundary.

Path Traversal
NVD GitHub
CVSS 3.1
6.3
EPSS
0.3%
CVE-2026-56360 MEDIUM PATCH This Month

Webhook signature bypass in n8n's ZendeskTrigger node allows network-adjacent attackers who possess the webhook URL to inject arbitrary data into n8n workflows by sending unsigned POST requests. The ZendeskTrigger node omits the mandatory HMAC-SHA256 verification step that Zendesk's webhook security model requires, treating any inbound POST as a legitimate Zendesk event. This affects n8n v1.x before 1.123.18 and v2.x before 2.6.2; no public exploit or CISA KEV designation has been identified at time of analysis.

Authentication Bypass N8n
NVD GitHub
CVSS 4.0
6.3
EPSS
0.2%
Prev Page 4 of 7 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy