Skip to main content
CVE-2026-12595 HIGH This Week

Authentication bypass in the LoginPress Pro WordPress plugin (versions ≤ 6.2.3) lets unauthenticated attackers hijack any existing account - administrators included - by exploiting the Discord OAuth login handler, which trusts the email returned by Discord without checking Discord's verified flag. An attacker who knows a target's WordPress email registers a Discord account with that same (unverified) email and completes the normal OAuth flow to receive an authenticated session as the victim. No public exploit identified at time of analysis and it is not listed in CISA KEV, but the flaw was reported by Wordfence and is a full account-takeover primitive.

Authentication Bypass WordPress
NVD VulDB
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-49213 HIGH PATCH This Week

Server-side request forgery in Typebot before 3.17.2 lets an authenticated workspace editor or creator bypass the shared SSRF validator using the IPv6 unspecified address :: (and its expanded form), which validateIPAddress in packages/lib/src/ssrf/validateHttpReqUrl.ts fails to block. By configuring a server-side HTTP Request block or guarded script fetch, an attacker coerces the Typebot server to reach local HTTP services via safeKy, including flows reachable through startChat and continueChat endpoints. No public exploit identified at time of analysis, but the fix is confirmed in 3.17.2 and the technical root cause is documented in the vendor advisory.

SSRF Typebot Io
NVD GitHub
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-55377 HIGH PATCH This Week

Authentication step-up bypass in Logto self-hosted auth infrastructure prior to 1.41.0 lets an already-authenticated user manage MFA factors without re-proving their identity. The Account Center accepted any of the user's own verified records - including a self-created WebAuthn passkey-registration record - as proof of identity verification, so an attacker holding only a valid Account API bearer token could forge the logto-verification-id header and satisfy step-up checks. No public exploit identified at time of analysis, and it is not listed in CISA KEV; the flaw is fixed in 1.41.0.

Authentication Bypass
NVD GitHub
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-59796 HIGH PATCH This Week

Improper permission enforcement in JetBrains TeamCity before 2026.1.2 lets authenticated low-privilege users modify CI/CD pipelines they should not control, undermining build integrity and potentially exposing pipeline secrets. Reported by JetBrains itself and carrying a CVSS 8.1, the flaw is a missing-authorization issue (CWE-862) rather than a memory-safety bug. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

Authentication Bypass Teamcity
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-56668 HIGH PATCH This Week

Privilege escalation in ZITADEL identity platform (before 4.15.3) allows an attacker holding a low-privilege OAuth2 token to exchange it for elevated permissions at a different application, because the token-exchange endpoint fails to bind the subject token to the requesting client and does not constrain requested scopes to the original token's scopes. Any authenticated principal with a valid low-scope token can escalate laterally across relying applications; no public exploit is identified at time of analysis and it is not listed in CISA KEV. A vendor patch (4.15.3) and fixing commit are available.

Authentication Bypass Microsoft Zitadel
NVD GitHub
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-55809 HIGH PATCH This Week

Object injection in the Drupal contrib module Flag attendance field (all versions up to and including 1.2) lets an authenticated user with low privileges pass attacker-controlled data into a dynamically-determined object attribute (CWE-915), enabling PHP object injection and high-impact compromise of data confidentiality and integrity. The Drupal Security Team published advisory SA-CONTRIB-2026-049 and a fixed release is available. There is no public exploit identified at time of analysis, and the EPSS probability is low (0.17%, 7th percentile).

Code Injection Flag Attendance Field
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-55810 HIGH PATCH This Week

Object injection in the Drupal Plotly.js Graphing contributed module (all releases 0.0.0 through 3.0.2) lets an authenticated attacker with low privileges tamper with dynamically-determined object attributes, undermining both confidentiality and integrity of the site. The flaw stems from improperly controlled modification of object properties (CWE-915), and the network-reachable, low-complexity CVSS 3.1 vector (8.1) reflects meaningful severity; however, EPSS is only 0.16% (6th percentile) and no public exploit identified at time of analysis. It is not listed in CISA KEV.

Code Injection Plotly Js Graphing
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-15293 HIGH This Week

Privilege escalation in the WP Business Intelligence Lite WordPress plugin (all versions through 3.2.0) allows authenticated Subscriber-level users to tamper with stored SQL queries because the plugin fails to enforce a capability/authorization check on the query-modification action (CWE-862). When an administrator later views the maliciously altered query, the attacker's arbitrary SQL executes in the admin context, enabling account takeover or full site compromise. There is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV; it was reported through the Wordfence threat intelligence program.

Authentication Bypass WordPress Privilege Escalation
NVD
CVSS 3.1
8.0
EPSS
0.3%
CVE-2026-41154 HIGH This Week

Out-of-bounds kernel memory read/write in Imagination Technologies Graphics DDK (the driver kit for PowerVR GPUs) allows a non-privileged local user to corrupt kernel memory through crafted GPU API calls, potentially achieving privilege escalation. The flaw stems from incorrect buffer indexing in the sparse-memory page-freeing path when pages larger than 4kB are handled. Rated CVSS 7.8 (CWE-787); no public exploit identified at time of analysis and EPSS is low at 0.17% (6th percentile).

Buffer Overflow Memory Corruption Graphics Ddk
NVD
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-7639 HIGH This Week

Local memory-corruption escalation in Imagination Technologies' Graphics DDK (the PowerVR GPU driver stack) lets an unprivileged user trigger a use-after-free by issuing an improper sequence of GPU system calls. By forcing a failure path in the MMU mapping logic, an attacker leaves internal driver state incompletely cleaned up, enabling unauthorized read/write access to physical memory from shader code. There is no public exploit identified at time of analysis and EPSS is low (0.15%), but the flaw carries high confidentiality, integrity, and availability impact for local attackers.

Authentication Bypass Denial Of Service Graphics Ddk
NVD
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-34196 HIGH This Week

Local privilege escalation in Imagination Technologies' Graphics DDK (PowerVR GPU driver) lets a non-privileged user trigger a use-after-free by abusing an integer overflow in GPU memory-mapping system calls. The flaw allows two GPU virtual addresses to alias the same physical page; freeing one mapping releases the page while the second dangling mapping retains read/write access, enabling cross-process memory disclosure and corruption. No public exploit is identified at time of analysis and EPSS is low (0.15%), but the local read/write UAF primitive is a strong stepping stone to kernel-level compromise.

Buffer Overflow Use After Free Memory Corruption Graphics Ddk
NVD
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-45196 HIGH This Week

Privilege escalation in Imagination Technologies' Graphics DDK GPU driver allows kernel-level software inside a Host VM to post malformed commands to the GPU firmware, forcing an improper GPU register access that can be leveraged to gain elevated privileges. The flaw (CWE-280, improper handling of permissions) affects multiple DDK release branches from 1.18 through 26.1 and is rated CVSS 7.8 (local, low complexity). There is no public exploit identified at time of analysis, and its EPSS probability is low (0.14%).

Privilege Escalation Graphics Ddk
NVD
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-45203 HIGH This Week

Local privilege escalation and memory corruption in Imagination Technologies Graphics DDK (PowerVR GPU driver kit) lets a malicious kernel driver inside a Host VM issue improper commands to the GPU firmware, causing a memory write outside the host kernel's permitted range. The flaw is a TOCTOU race in which values are altered in memory after the firmware validates them but before it uses them, bypassing the firmware's range enforcement. No public exploit identified at time of analysis, EPSS is low (0.12%, 2nd percentile), and it is not listed in CISA KEV.

Information Disclosure Graphics Ddk
NVD
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-54071 HIGH POC PATCH GHSA This Week

Arbitrary Python code execution in BabelDOC (funstory-ai, pip package `babeldoc`) prior to 0.6.3 allows an attacker to run code in the context of the translation process by having a victim process a crafted PDF. The vendored pdfminer CMap loader (`cmapdb.py::_load_data`) strips only NUL bytes from a PDF-controlled CMap/Encoding name and passes it to `pickle.loads()`, so a hex-encoded absolute path in the PDF's `/Encoding` name redirects deserialization to an attacker-planted `.pickle.gz` file. A detailed, working proof-of-concept exists (publicly available exploit code exists); there is no CISA KEV listing and no public evidence of active exploitation at time of analysis.

Deserialization Python Canonical Adobe Microsoft +4
NVD GitHub
CVSS 3.1
7.8
CVE-2026-55659 HIGH PATCH This Week

Stored and reflected cross-site scripting in Grist (grist-core) prior to 1.7.15 lets a document editor inject script into a document's name or description that executes when higher-privileged users open the document, and lets attackers abuse the OAuth2 end-of-flow page's reflected openerOrigin parameter. Because the injected script runs in the victim's authenticated Grist origin, a mere document editor can read or modify data, alter sharing settings and access rules, and escalate to owner-level control. No public exploit identified at time of analysis; the issue is CWE-79 and is fixed upstream in the tagged 1.7.15 release.

XSS Python Grist Core
NVD GitHub
CVSS 3.1
7.7
EPSS
0.3%
CVE-2026-55516 HIGH PATCH This Week

{maintenance_id} endpoint authorizes the original record and asset but trusts an attacker-supplied asset_id without re-checking company scope, breaking multi-tenant isolation (CVSS 7.7, scope-changed). No public exploit identified at time of analysis, but the upstream fix commit and GitHub Security Advisory (GHSA-575r-357h-fhch) are published.

Authentication Bypass Snipe It
NVD GitHub
CVSS 3.1
7.7
EPSS
0.2%
CVE-2026-56689 HIGH PATCH This Week

SQL injection in Dell PowerFlex Manager before 5.1.0.1 lets a low-privileged, remotely authenticated user inject crafted SQL into a backend query, resulting in unauthorized reading of database contents (information exposure). The flaw is fixed in 5.1.0.1 per Dell advisory DSA-2026-066, and there is no public exploit identified at time of analysis. Because exploitation requires a valid low-privilege account, the practical risk is highest in multi-tenant or broadly-provisioned management deployments rather than internet-facing unauthenticated exposure.

Dell SQLi Information Disclosure Powerflex Manager
NVD VulDB
CVSS 3.1
7.7
EPSS
0.2%
CVE-2026-55175 HIGH PATCH This Week

Remote code execution in Spinnaker's Rosco bakery service allows an authenticated user to run arbitrary code on Rosco pods by supplying a manifest that abuses unsafe YAML tag processing during Kustomize bake operations. The flaw (CWE-502 unsafe deserialization) affects release lines prior to 2026.1.1, 2026.0.3, 2025.4.4, and 2025.3.4, and grants full compromise of the affected pod (C:H/I:H/A:H). No public exploit identified at time of analysis and it is not listed in CISA KEV, but the vendor-published GitHub Security Advisory (GHSA-p68j-q7hf-3qcp) and multiple fix commits confirm the issue is real and patched.

Deserialization RCE Spinnaker
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.6%
CVE-2026-13347 HIGH This Week

Arbitrary file read in the Hide My WP Lite WordPress plugin (versions ≤ 1.3) lets unauthenticated attackers disclose any file readable by the web server - including wp-config.php with database credentials and secret keys - by abusing the he_wrapper_js and he_wrapper_css parameters handled by elementor_assets_filter(). Reported by Wordfence and rated CVSS 7.5, the flaw is confidentiality-only but exposes crypto salts and DB secrets that enable deeper compromise. There is no public exploit identified at time of analysis, and exploitation depends on the site also running Elementor with the plugin's 'Hide Elementor' feature enabled.

WordPress Path Traversal Hide My Wp Lite
NVD
CVSS 3.1
7.5
EPSS
0.5%
CVE-2026-15291 HIGH This Week

{id} REST endpoints, which ship with no authentication or authorization checks. Any anonymous visitor can harvest customer PII - names, emails, phone numbers, WhatsApp message contents, full geolocation (IP, city, country, ISP, coordinates), device fingerprints, and even WordPress account details (user IDs, usernames, emails) for logged-in users who submitted the form. There is no public exploit identified at time of analysis and it is not on CISA KEV, but exploitation is trivial and requires only an HTTP client.

Authentication Bypass WordPress Information Disclosure
NVD VulDB
CVSS 3.1
7.5
EPSS
0.5%
CVE-2026-57220 HIGH PATCH This Week

Memory-exhaustion denial of service in RabbitMQ server prior to 4.2.6 allows an unauthenticated remote client to crash or degrade the broker via its stream protocol listener. Because the stream listener fails to enforce the configured frame-size limit while assembling frames during authentication and before Tune negotiation, an attacker can declare oversized frame lengths and force unbounded memory allocation in rabbit_stream_core. No public exploit has been identified at time of analysis and it is not listed in CISA KEV; risk stems from the trivially reachable, pre-authentication attack surface (CVSS 7.5).

Denial Of Service Rabbitmq Server
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-15290 HIGH This Week

Blind SQL injection in the Ultimate Member WordPress plugin (all versions through 2.10.1) lets unauthenticated attackers inject arbitrary SQL through the member-directory search parameter, enabling extraction of sensitive database contents such as password hashes and user records. The flaw is a residual gap from the earlier CVE-2025-0308 fix, which was only partially remediated in 2.9.2. No public exploit has been identified at time of analysis, but the plugin's large install base and unauthenticated network reachability make it an attractive target.

WordPress SQLi
NVD
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-55213 HIGH This Week

Remote unauthenticated denial of service in the h2o HTTP server (all versions prior to commit edd7a120bfc4af11ac0cbebce2a43cc1f93f9af1) allows an attacker to crash the server by sending a crafted QPACK instruction over HTTP/3. The flaw causes lib/http3/qpack.c to allocate an ~800 KB on-stack buffer via alloca, overflowing the default musl libc pthread stack and segfaulting on the guard page. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; impact is limited to availability with no data exposure.

Denial Of Service H2O
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-55233 HIGH PATCH This Week

Denial of service in OpenResty 1.29.2.1 through 1.29.2.4 arises from an out-of-bounds write (CWE-787) in the upstream PROXY protocol v2 implementation; when the platform is configured to prepend PROXY protocol v2 headers to upstream connections, header construction in the stream proxy-protocol-v2 patch overruns its allocated buffer and crashes the worker process. Any environment that has explicitly enabled PROXY protocol v2 for upstream connections is affected, degrading availability without any impact to confidentiality or integrity. There is no public exploit identified at time of analysis and the issue is not on CISA KEV; it is resolved in OpenResty 1.29.2.5.

Memory Corruption Denial Of Service Buffer Overflow Openresty
NVD GitHub
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-15288 HIGH This Week

Payment amount tampering in the SureForms WordPress plugin (versions ≤ 2.2.1) lets unauthenticated attackers submit arbitrary prices when completing Stripe checkout. Because the 'create_payment_intent' and 'create_subscription_intent' handlers trust the amount supplied in user-controlled POST data instead of the form's server-side configured price, an attacker can purchase products or subscriptions for a fraction of their real cost. Reported by Wordfence and fixed in 2.2.2; no public exploit identified at time of analysis and it is not listed in CISA KEV.

WordPress Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-40006 HIGH PATCH This Week

Unauthenticated denial of service in Apache IoTDB (1.0.0 through 2.0.9) allows remote attackers to crash or degrade the DataNode process when the AirGap pipe receiver is enabled. The receiver's readLength method reads an attacker-controlled 32-bit length field from a raw TCP connection on port 9780 and passes it directly to new byte[length], letting a single connection trigger a heap allocation of up to ~2 GB and exhaust JVM memory. No public exploit has been identified at time of analysis, but exploitation is trivial once the feature is enabled, and Apache has released a fixed version (2.0.10).

Authentication Bypass Apache Apache Iotdb
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-40452 HIGH PATCH This Week

Authorization bypass in Apache IoTDB's REST API endpoint /rest/v2/fastLastQuery allows authenticated users to access last-value time-series data they are not authorized to view. Affected versions span the 1.3.x branch (1.3.5 through 1.3.7) and the 2.0.x branch (2.0.5 through 2.0.9). No public exploit code or active exploitation has been identified at time of analysis, but the REST interface nature of the flaw means any valid credential holder can attempt unauthorized data retrieval without elevated privilege.

Authentication Bypass Apache Apache Iotdb
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-40454 HIGH PATCH This Week

Denial of service in the Apache IoTDB C++ client (versions 1.3.5 before 1.3.8 and 2.0.5 before 2.0.10) allows a malicious or compromised IoTDB server to crash any connected client by returning malformed TsBlock response data. The client's TsBlock deserializer performs out-of-bounds reads (CWE-125) on attacker-controlled server payloads, terminating the client process. There is no public exploit identified at time of analysis, EPSS probability is low (0.14%), and impact is limited to availability of the client - no confidentiality or integrity effect is claimed.

Apache Buffer Overflow Information Disclosure Apache Iotdb C Client
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-40007 HIGH PATCH This Week

Denial of service in Apache IoTDB versions 1.0.0 up to (but not including) 2.0.10 lets an unauthenticated network attacker crash the AirGap receiver thread by exploiting unbounded recursion in its readLength method. When the pipe_air_gap_receiver_enabled=true option is set, repeated E-language prefixes in a single socket stream drive recursion arbitrarily deep until the JVM stack is exhausted and a StackOverflowError is raised. There is no public exploit identified at time of analysis, and the EPSS probability is low (0.14%, 4th percentile), consistent with SSVC marking exploitation as 'none' though 'automatable: yes'.

Buffer Overflow Apache Apache Iotdb
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-55687 HIGH PATCH This Week

Denial of service in Espressif's ESP-IDF JPEG driver (versions 6.0.1, 5.5.4, 5.4.4, 5.3.5 and likely earlier) stems from an out-of-bounds stack write in jpeg_parse_dqt_marker(), where the attacker-controlled DQT marker Tq nibble indexes the qt_tbl array without a 0..3 bounds check. Any application that feeds untrusted JPEG data into the hardware JPEG decode path can be reliably crashed by a single malformed image. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV; the vendor has released a fix in 6.0.2 with backports pending for the 5.x branches.

Buffer Overflow Denial Of Service Stack Overflow Esp Idf
NVD GitHub
CVSS 3.1
7.5
EPSS
0.4%
CVE-2025-70796 HIGH This Week

An unauthenticated path traversal vulnerability exists in the web management interface of WTI (Wireless Technology, Inc.) version 3.5.0.r 2024/05/24 00:00:00. An unauthenticated attacker can craft malicious HTTP requests containing traversal sequences to access files outside of the intended web root directory. This may allow disclosure of sensitive system files and configuration data

Path Traversal N A
NVD GitHub
CVSS 3.1
7.5
EPSS
0.6%
CVE-2026-39244 HIGH This Week

adm-zip before 0.5.18 is vulnerable to denial of service via a crafted ZIP file with a manipulated uncompressed size header field. In zipEntry.js line 103, Buffer.alloc(_centralHeader.size) allocates memory based on the declared uncompressed size from the ZIP central directory header without validating it against the actual compressed data size or imposing any upper bound. The size value is read directly from the binary header at entryHeader.js line 266 with no bounds check. An attacker can craft a ~120-byte ZIP file that declares ~4GB uncompressed size, causing a memory allocation amplification ratio of over 33 million to 1. The allocation occurs before CRC validation, so the malicious payload cannot be rejected early. All extraction and read methods are affected: readFile(), readAsText(), extractEntryTo(), extractAllTo(), extractAllToAsync(), test(), and entry.getData(). Any application accepting untrusted ZIP files via adm-zip is vulnerable to immediate process crash.

Denial Of Service N A
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-57574 HIGH PATCH This Week

Authentication replay in Misskey before 2026.6.0 lets an attacker reuse a valid TOTP code that should be single-use, because UserAuthService fails to invalidate a code after its first successful use within the same time step. An adversary who concurrently captures a victim's password and one TOTP value can replay that code to authenticate, enabling unauthorized actions up to account takeover. No public exploit has been identified at time of analysis and it is not listed in CISA KEV; the vendor fixed the flaw in release 2026.6.0.

Authentication Bypass Misskey
NVD GitHub
CVSS 4.0
7.4
EPSS
0.3%
CVE-2026-53450 HIGH PATCH This Week

Server-side request forgery in coturn TURN/STUN server before 4.13.0 lets an authenticated TURN client bypass the default loopback-peer guard by supplying the IPv4-mapped IPv6 address ::ffff:127.0.0.1 in the XOR-PEER-ADDRESS attribute, relaying traffic to services bound only to the coturn host's localhost. The loopback check evaluates the literal IPv6 loopback shape before IPv4-mapped IPv6 normalization, so good_peer_addr never applies the rejection even when allow-loopback-peers is disabled. No public exploit identified at time of analysis and it is not listed in CISA KEV, but the fix is confirmed in version 4.13.0.

SSRF Coturn
NVD GitHub VulDB
CVSS 3.1
7.4
EPSS
0.3%
CVE-2026-54919 HIGH PATCH This Week

TLS certificate validation bypass in cpp-httplib's Mbed TLS backend (0.31.0-0.46.1) and wolfSSL backend (0.33.0-0.46.1) lets a man-in-the-middle attacker defeat HTTPS/WSS protection when a client connects to an IP-literal host with verification nominally enabled. SSLClient/Client in HTTPS mode skip certificate chain validation and the WebSocketClient on Mbed TLS skips verification entirely, so an intercepting attacker can present a crafted certificate and read or alter traffic. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; the flaw is fixed in 0.47.0.

Information Disclosure Cpp Httplib
NVD GitHub VulDB
CVSS 3.1
7.4
EPSS
0.3%
CVE-2026-15081 HIGH PATCH This Week

SQL injection in the Drupal Location Selector contributed module (all releases from 0.0.0 up to and including 1.3.0) lets remote attackers inject arbitrary SQL through improperly neutralized input, exposing and modifying database contents. The CVSS 3.1 base score is 7.4 with a network vector but high attack complexity, and the affected products confirm the Drupal 'location_selector' contrib module rather than Drupal core. There is no public exploit identified at time of analysis, and the EPSS score is low at 0.19% (9th percentile), indicating little near-term mass-exploitation pressure.

SQLi Location Selector
NVD
CVSS 3.1
7.4
EPSS
0.2%
CVE-2026-56676 HIGH PATCH This Week

Server-side request forgery via DNS rebinding in 9Router (decolua/9router) before 0.5.2 allows an authenticated LLM-proxy user to reach internal-only HTTP services. The image-URL validation resolves the host once to a public IP, but open-sse/translator/concerns/image.js performs the actual server-side fetch with a separate DNS lookup, so an attacker-controlled name can rebind to an internal address between the two resolutions. No public exploit identified at time of analysis; the flaw is fixed in 0.5.2.

Information Disclosure 9Router
NVD GitHub
CVSS 3.1
7.4
EPSS
0.2%
CVE-2026-53448 HIGH PATCH This Week

SQL injection in the Coturn TURN/STUN server's HTTPS admin panel (versions prior to 4.12.0) allows an authenticated administrator to inject arbitrary SQL via the du, ds, and dip query parameters of the delete-user, delete-secret, and delete-IP operations, yielding full backend database control and, on PostgreSQL deployments, OS-level command execution through COPY TO PROGRAM. The admin panel's parameters are interpolated into queries with snprintf while bypassing the is_secure_string filter that guards the STUN protocol path. No public exploit is identified at time of analysis and the flaw is not listed in CISA KEV; fixed in Coturn 4.12.0.

PostgreSQL SQLi Coturn
NVD GitHub VulDB
CVSS 3.1
7.2
EPSS
0.7%
CVE-2026-13430 HIGH This Week

Remote code execution in the Post Export Import with Media WordPress plugin (all versions ≤ 1.13.1) is possible because a trailing-dot filename bypass (e.g. 'shell.php.') defeats the extension allow-list in ajax_import_media_start(), letting an administrator-level user smuggle an executable PHP file into the uploads directory during a media import. Reported by Wordfence, the flaw carries CVSS 7.2 and has no public exploit identified at time of analysis; exploitation requires existing administrator (PR:H) access, making it primarily a hardening/defense-in-depth bypass rather than a mass-exploitable entry point.

WordPress PHP RCE File Upload Post Export Import With Media
NVD
CVSS 3.1
7.2
EPSS
0.6%
CVE-2026-56667 HIGH PATCH This Week

Stored cross-site scripting in ZITADEL's Login V2 (versions prior to 4.15.3) lets an organization or instance administrator plant a javascript: or data: URI in the loginSettings.defaultRedirectUri, which is passed to router.push on OIDC and SAML FailedPrecondition error paths without the isSafeRedirectUri validation, executing arbitrary script in a victim user's browser. Because the malicious value must be set by a privileged admin and only fires when a user hits a specific login error path, this is a privilege-escalation/session-compromise vector against the self-hosted identity platform rather than a mass-exploitable flaw. No public exploit identified at time of analysis; not listed in CISA KEV.

XSS Zitadel
NVD GitHub
CVSS 3.1
7.3
EPSS
0.2%
CVE-2026-15298 HIGH This Week

DOM-based cross-site scripting in the TelSender WordPress plugin (all versions through 1.14.14) lets unauthenticated attackers plant a malicious payload inside a Telegram chat title that the plugin renders unsanitized. When an administrator opens the TelSender settings page and clicks the 'Tested' button, the plugin processes the attacker-controlled Telegram API response and executes the injected script in the admin's authenticated browser session. There is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV; the scope-changed CVSS 7.2 reflects execution in the privileged admin context.

WordPress XSS
NVD
CVSS 3.1
7.2
EPSS
0.3%
CVE-2026-22659 HIGH PATCH This Week

Authorization bypass in FlaskBB through 2.2.0 lets authenticated moderators perform lock, unlock, delete, or hide actions on topics in forums they have no authority over. By anchoring a crafted batch request with a low-ID topic from a permitted forum, the attacker slips past a permission check that is applied only to the first result. No public exploit is identified at time of analysis, and the flaw is fixed in commit acc88cf.

Authentication Bypass Flaskbb
NVD GitHub VulDB
CVSS 4.0
7.2
EPSS
0.3%
CVE-2026-1667 HIGH This Week

Missing authorization in the Squirrly SEO plugin for WordPress (all versions through 14.0.0) lets unauthenticated attackers create arbitrary posts by abusing a leaked API token, and — when the Advanced Custom Fields (ACF) plugin is also active — plant stored cross-site scripting that fires whenever any user views the injected page. Wordfence rates it CVSS 7.2 with scope change because a single unauthenticated request can seed persistent content and script that later executes in visitors' and administrators' browsers. There is no public exploit identified at time of analysis and it is not on CISA KEV, but the unauthenticated, low-complexity nature makes it an attractive target for automated WordPress campaigns.

Authentication Bypass WordPress XSS Geo Plugin By Squirrly Seo
NVD VulDB
CVSS 3.1
7.2
EPSS
0.2%
CVE-2026-41878 HIGH This Week

Broken object-level authorization in R-SOFT DMS lets any authenticated user download arbitrary files by manipulating the object ID in multiple file-download endpoints, since the application enforces only session authentication and never checks whether the requester owns or may access the requested file. This is an authenticated confidentiality breach (CVSS 4.0 7.1) affecting all versions prior to v3.19-2862 and v3.17-2580. No public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass
NVD VulDB
CVSS 4.0
7.1
EPSS
0.5%
CVE-2026-41482 HIGH PATCH This Week

Local file inclusion in the Frappe Framework's Chrome PDF Generator (versions prior to 16.18.3) allows an authenticated user to abuse the 'secure local resource access' mechanism to traverse the filesystem and read arbitrary local files on the server. The flaw is a CWE-22 path traversal disclosed via GitHub Security Advisory GHSA-234v-jfr8-v2f8 and carries a CVSS 4.0 base score of 7.1 (VC:H - confidentiality-only impact). There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the network vector with only low privileges makes it a meaningful information-disclosure risk on multi-tenant deployments.

Path Traversal Google Frappe
NVD GitHub
CVSS 4.0
7.1
EPSS
0.3%
CVE-2026-39903 HIGH PATCH This Week

Authorization bypass in Simple Machines Forum (SMF) 2.1 before 2.1.8 and 3.0 before 3.0 Alpha 5 lets any authenticated low-privileged member manipulate the attachment moderation queue without the required approve_posts permission. A single-character operator mistake in Sources/Actions/AttachmentApprove.php makes the permission check evaluate to true for everyone, so an ordinary user can approve, reject, or delete pending attachments on any board and enumerate other users' unapproved uploads. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV; the flaw was reported by VulnCheck and a vendor patch is available.

Authentication Bypass PHP Smf
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.3%
CVE-2026-11321 HIGH PATCH This Week

Authenticated SQL injection in the GLPI DataInjection plugin 2.15.6 (GLPI 11 builds) lets an operator with access to the Data injection feature smuggle SQL into the database by placing expressions in CSV field values, which the import routine concatenates directly into queries without parameterization or escaping (CWE-89). By mapping a payload such as SLEEP() to a field like Serial Number, an attacker performs time-based blind extraction of arbitrary database contents. Reported by VulnCheck and fixed in version 2.15.7; it is not on CISA KEV and no public exploit was identified at time of analysis.

SQLi Datainjection
NVD GitHub
CVSS 4.0
7.1
EPSS
0.3%
CVE-2026-49394 HIGH PATCH This Week

Broken access control in the Frappe framework (all versions prior to 16.19.0) lets a low-privileged authenticated user modify public Workspaces they should not control, because the update_page endpoint failed to enforce the Workspace Manager edit permission on public workspaces. Any user able to reach the endpoint can alter shared workspace layout and content, an integrity-only impact with no data disclosure. No public exploit has been identified, EPSS/KEV data were not provided, and the fix is shipped in Frappe 16.19.0.

Authentication Bypass Frappe
NVD GitHub
CVSS 4.0
7.1
EPSS
0.3%
CVE-2026-57214 HIGH PATCH This Week

Stored cross-site scripting in the RabbitMQ management UI (versions prior to 4.2.5) lets a user holding queue/exchange declaration permissions inject JavaScript that executes in another user's browser when they view the Queues or Exchanges pages. The malicious payload is supplied via the x-internal-purpose queue or exchange argument, which is rendered into an HTML title attribute without escaping. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV; it is fixed in RabbitMQ 4.2.5.

XSS Microsoft Rabbitmq Server
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.3%
CVE-2026-57212 HIGH PATCH This Week

Uncontrolled resource consumption in the RabbitMQ Management plugin's HTTP API lets an authenticated client crash or degrade the broker by submitting oversized-but-valid JSON bodies. The flaw lives in read_complete_body, which validates accumulated body size before the final chunk but never checks the final combined size, so the with_decode and direct_request code paths buffer and decode payloads that exceed intended limits. Affected releases are all versions prior to 3.13.14, 4.0.19, 4.1.10, and 4.2.5; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Denial Of Service Rabbitmq Server
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.3%
Prev Page 2 of 3 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy