Skip to main content
CVE-2026-15301 MEDIUM This Month

Stored Cross-Site Scripting in the BuddyHolis TableSearch plugin for WordPress (all versions ≤1.1.0) permits authenticated attackers holding Contributor-level or higher role access to inject persistent JavaScript via the 'placeholder' parameter, which then executes in the browsers of every subsequent visitor to the affected page. The Scope:Changed CVSS metric reflects that payload impact crosses from the WordPress plugin into victims' browser environments, enabling session hijacking, credential theft, or administrative account takeover if an administrator views the injected page. No public exploit code and no CISA KEV listing have been identified at time of analysis, though the low authentication bar makes this relevant for any WordPress site permitting open contributor registration.

WordPress XSS
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-3251 MEDIUM This Month

Stored cross-site scripting in Mezunum Satiyorum (versions 1.2.504 through 10072026) allows a low-privileged authenticated attacker to inject persistent malicious scripts into web pages served to other users. The scope change (S:C) in the CVSS vector confirms the payload executes in the victim's browser context, enabling session hijacking, credential theft, or malicious redirects against any user who loads the affected page. No public exploit code has been identified at time of analysis, and the vendor did not respond to TR-CERT's disclosure, leaving the vulnerability unpatched.

XSS Mezunum Satiyorum
NVD
CVSS 3.1
6.4
EPSS
0.1%
CVE-2026-57476 MEDIUM PATCH This Month

Unauthenticated API endpoints in Deloitte AI Assist for Customer exposed the platform's retrieval-augmented generation corpus to unauthorized read access and content injection by any network-reachable attacker who could discover the required request parameters. The root cause is missing authentication on critical internal API functions (CWE-306), enabling adversaries to exfiltrate proprietary knowledge base content or poison AI-generated responses with injected documents. The vendor applied a server-side fix on 2026-03-25 by restricting network access and enforcing authentication; no public exploit code or CISA KEV listing has been identified, though an independent security advisory has been published.

Authentication Bypass Ai Assist For Customer
NVD
CVSS 4.0
6.3
EPSS
0.2%
CVE-2026-56373 MEDIUM PATCH This Month

Use-after-free in ImageMagick's PDB decoder (all versions before 7.1.2-15) allows remote attackers supplying crafted Palm Database image files to crash the application or write a single null byte to freed heap memory. The flaw manifests specifically when memory allocation fails during PDB decoding, leaving a stale pointer that is subsequently dereferenced rather than nulled or re-validated. No public exploit or active exploitation has been identified at time of analysis; the CVSS 4.0 score of 6.3 reflects constrained exploitation conditions (AC:H, AT:P) and impact limited strictly to availability.

Memory Corruption Denial Of Service Use After Free Imagemagick
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.2%
CVE-2026-55481 MEDIUM PATCH This Month

CSS injection in Snipe-IT's superadmin branding configuration (versions prior to 8.6.2) allows arbitrary stylesheet content to persist in the database and render for all authenticated users on every subsequent page load. The template default.blade.php applies HTML entity encoding to the header_color and related color settings before embedding them inside a CSS style block - encoding that is context-incorrect and insufficient to prevent CSS breakout via constructs such as closing braces or url() references. No public exploit has been identified at time of analysis, but the CVSS 4.0 vector (SC:H/SI:H) reflects that, once injected, the payload affects every authenticated user's session regardless of their privilege level, making this a persistent, cross-user impact from a single privileged action.

XSS PHP Snipe It
NVD GitHub VulDB
CVSS 4.0
6.2
EPSS
0.4%
CVE-2026-55466 MEDIUM PATCH This Month

Stored cross-site scripting in Snipe-IT prior to 8.6.2 enables a low-privilege authenticated user to upload malicious XHTML or XML files that bypass the SVG sanitization gate and execute arbitrary JavaScript in any viewer's browser when the attachment is opened inline. The bypass works because UploadFileRequest only sanitizes SVG content when PHP's finfo extension reports image/svg+xml - uploading XHTML or generic XML evades this check - while UploadedFilesController serves the file same-origin without invoking StorageHelper::allowSafeInline(), completing the injection path. No public exploit code or CISA KEV listing has been identified at time of analysis; the vendor released a confirmed fix in version 8.6.2.

XSS PHP Snipe It
NVD GitHub
CVSS 4.0
6.2
EPSS
0.4%
CVE-2026-9838 MEDIUM This Month

Reflected XSS in the ICS Calendar WordPress plugin (all versions ≤ 12.0.9) allows unauthenticated network attackers to inject arbitrary JavaScript into victim browsers by exploiting a missing nonce check and input sanitization failure on the publicly accessible wp_ajax_nopriv_r34ics_ajax AJAX endpoint. The attacker-controlled js_args object is merged over stored shortcode configuration before allowlist validation, enabling the htmltagtitle key to reach the calendar-month.php template unescaped. No public exploit code or CISA KEV listing exists at time of analysis, though the scope-changing CVSS vector (S:C) and zero authentication barrier make socially engineered delivery via crafted URLs a realistic threat to any site running this plugin.

WordPress XSS Ics Calendar
NVD
CVSS 3.1
6.1
EPSS
0.3%
CVE-2026-59795 MEDIUM PATCH This Month

Stored cross-site scripting in JetBrains TeamCity before 2026.1.2 lets an unauthenticated attacker persist malicious script through the agent registration flow, which then executes in the browser of any privileged user (e.g. an administrator) who later views the affected agent-management interface. Because agent registration requires no authentication, the entry barrier is minimal, and successful execution in an admin session can lead to session/token theft and pivoting to control of a CI/CD build server. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; EPSS data was not provided.

XSS Teamcity
NVD
CVSS 3.1
6.1
EPSS
0.3%
CVE-2026-15297 MEDIUM This Month

Reflected Cross-Site Scripting in the Brevo (formerly Sendinblue) Newsletter, SMTP, Email marketing and Subscribe forms WordPress plugin allows unauthenticated remote attackers to inject and execute arbitrary JavaScript in victims' browsers through a crafted URL containing a malicious payload in the `page` parameter. All plugin versions up to and including 3.1.77 are affected, with the root flaw traced to insufficient input sanitization and output escaping in `inc/table-forms.php` at line 102. No active exploitation has been confirmed in CISA KEV, and no POC code is identified in the provided data, though the CVSS scope-change rating (S:C) elevates the effective impact beyond the plugin's own context.

WordPress XSS
NVD
CVSS 3.1
6.1
EPSS
0.3%
CVE-2026-11392 MEDIUM This Month

Reflected cross-site scripting in the WP Hotel Booking WordPress plugin (all versions up to and including 2.3.1) permits unauthenticated remote attackers to inject arbitrary JavaScript via the check_in_date and check_out_date URL parameters across multiple search result and Elementor widget templates. Successful exploitation requires tricking a victim into clicking a crafted link, after which the injected script executes in the victim's browser context - making logged-in administrators particularly high-value targets. No public exploit has been identified at time of analysis, and this vulnerability does not appear in the CISA KEV catalog.

WordPress XSS Wp Hotel Booking
NVD
CVSS 3.1
6.1
EPSS
0.3%
CVE-2026-54714 MEDIUM PATCH This Month

Reflected XSS in Logto's SAML application flow allows unauthenticated remote attackers to inject and execute arbitrary JavaScript on the Logto tenant origin by supplying a crafted RelayState parameter. Versions prior to 1.41.0 of @logto/core reflect the SAML RelayState, SAMLResponse, and actionUrl directly into an auto-submit HTML form without HTML-attribute escaping, meaning a victim who follows a crafted SAML authentication link and completes the login sequence will execute attacker-controlled script within the identity provider's origin context. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis, though a GitHub security advisory and fix commit are publicly available.

XSS
NVD GitHub
CVSS 3.1
6.1
EPSS
0.3%
CVE-2026-55461 MEDIUM PATCH This Month

Open redirect in Snipe-IT prior to 8.6.2 allows unauthenticated attackers to abuse the application as a trusted redirector against authenticated users. The user edit workflow persists the HTTP Referer header - which an attacker can control - into Laravel's session-stored intended URL, then unconditionally honors it via redirect()->intended() when redirect_option=back is submitted by a legitimate user. No public exploit code and no CISA KEV listing have been identified at time of analysis; the vulnerability is a medium-severity phishing-chain enabler rather than a direct system compromise.

Open Redirect Snipe It
NVD GitHub
CVSS 3.1
6.1
EPSS
0.2%
CVE-2026-58588 MEDIUM PATCH This Month

Cross-site scripting in the Drupal Canvas contributed module enables remote attackers to inject and execute malicious scripts in the browsers of Drupal site visitors. Affecting multiple version branches - 0.0.0 through 1.4.2, 1.5.0 through 1.5.2, 1.6.0 through 1.6.1, and 1.7.0 through 1.7.1 - the flaw (CWE-79) stems from insufficient sanitization of user-supplied input before rendering it in generated web pages. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog; the EPSS score of 0.20% (10th percentile) reflects minimal current exploitation activity.

XSS Drupal Canvas
NVD
CVSS 3.1
6.1
EPSS
0.2%
CVE-2026-58587 MEDIUM PATCH This Month

Cross-site scripting in the Drupal Canvas contributed module allows unauthenticated remote attackers to inject and execute malicious scripts in victims' browsers across multiple version branches (0.0.0-1.4.2, 1.5.0-1.5.2, 1.6.0-1.6.1, 1.7.0-1.7.1). The scope-changed CVSS vector (S:C) confirms the attack escapes the server context and executes within the victim's browser environment, enabling session theft, credential harvesting, or unauthorized actions on behalf of the victim. No public exploit or CISA KEV listing has been identified, and EPSS at 0.20% (10th percentile) reflects minimal observed exploitation activity at time of analysis.

XSS Drupal Canvas
NVD
CVSS 3.1
6.1
EPSS
0.2%
CVE-2026-13234 MEDIUM PATCH This Month

Cross-site scripting in the Drupal AI (Artificial Intelligence) contributed module exposes sites to session hijacking and malicious content injection when users interact with unsanitized AI-generated or AI-related output rendered in the browser. The module fails to properly neutralize user-controlled or AI-sourced input before including it in generated web pages, allowing an unauthenticated remote attacker to craft a payload that executes in a victim's browser upon interaction. No active exploitation is confirmed (not in CISA KEV) and EPSS is very low at 0.16% (6th percentile), though the network-accessible, no-privilege attack surface warrants prompt patching on internet-facing Drupal deployments.

XSS Ai Artificial Intelligence
NVD
CVSS 3.1
6.1
EPSS
0.2%
CVE-2026-13231 MEDIUM PATCH This Month

Stored XSS in the Drupal contributed module Advanced Content Feedback (admin_feedback) affects all releases from 0.0.0 up to 2.8.0, enabling a remote unauthenticated attacker to inject persistent malicious scripts that execute in the browsers of users who subsequently view affected pages. The scope change (S:C) in the CVSS vector indicates the injected payload escapes the application's security context and operates in the victim's browser, potentially enabling session hijacking or unauthorized actions on behalf of privileged users. No public exploit code has been identified and CISA has not added this to KEV; EPSS at 0.16% (6th percentile) and SSVC's 'exploitation: none' classification confirm this is a low-urgency finding with no evidence of active targeting.

XSS Advanced Content Feedback Aka Admin Feedback
NVD
CVSS 3.1
6.1
EPSS
0.2%
CVE-2026-10770 MEDIUM PATCH This Month

Reflected XSS in the Anti-Spam by CleanTalk Drupal contributed module (versions 0.0.0 through 9.7.1) allows remote unauthenticated attackers to inject and execute malicious JavaScript in a victim's browser by tricking them into visiting a crafted URL. The CVSS Changed scope (S:C) confirms the payload executes in the browser's security context, enabling session theft, credential harvesting, or UI redirection against authenticated Drupal users. No public exploit code and no active exploitation have been identified; EPSS at 0.16% (6th percentile) indicates negligible observed exploitation probability at time of analysis.

XSS Anti Spam By Cleantalk
NVD
CVSS 3.1
6.1
EPSS
0.2%
CVE-2026-61492 MEDIUM PATCH This Month

Stored XSS in JetBrains YouTrack before 2026.2.17394 allows low-privileged authenticated users to inject malicious scripts into article titles, which are then rendered unsanitized within digest emails delivered to other users. When a recipient opens the digest email in an HTML-capable client and interacts with the affected content, the injected script executes in their browser context, enabling session token or credential theft. No public exploit or active exploitation has been identified; the CVSS score of 3.5 (Low) reflects the constrained impact due to required authentication, mandatory user interaction, and limited confidentiality-only impact.

XSS Youtrack
NVD VulDB
CVSS 3.1
6.1
EPSS
0.4%
CVE-2026-53449 MEDIUM PATCH This Month

Arbitrary file overwrite in Coturn prior to 4.13.0 is possible through the CLI management interface's `psd` (print sessions dump) command, which passes a user-supplied filename directly to `fopen()` without any path validation (CWE-73). An authenticated admin with CLI access can overwrite any file writable by the coturn process, potentially corrupting sensitive system files, certificates, or configuration data to achieve privilege escalation or service disruption. No public exploit identified at time of analysis; exploitation is constrained to local, high-privilege access, limiting realistic threat surface despite the High integrity and availability impact ratings.

Information Disclosure Coturn
NVD GitHub
CVSS 3.1
6.0
EPSS
0.2%
CVE-2026-15289 MEDIUM This Month

Time-based SQL Injection in the Booking Calendar, Appointment Booking System WordPress plugin (versions ≤ 3.2.17) permits unauthenticated remote attackers to extract sensitive database contents via the 'wpdevart_id' parameter. The flaw exists in main_class.php due to insufficient parameter escaping and unprepared SQL queries, but is only triggerable when the Pro version is installed with the 'Delete previous dates' option enabled - a non-default configuration that meaningfully limits the exposed population. No public exploit code and no CISA KEV listing have been identified at time of analysis; the CVSS 5.9 Medium rating reflects both the high confidentiality impact and the high attack complexity imposed by the conditional prerequisites.

WordPress SQLi
NVD
CVSS 3.1
5.9
EPSS
0.3%
CVE-2026-15087 MEDIUM This Month

vulnerability in Drupal Clean RESTful allows . This issue affects Clean RESTful versions: *.*.

Clean Restful Authentication Bypass
NVD VulDB
CVSS 3.1
5.9
EPSS
0.2%
CVE-2026-15086 MEDIUM This Month

High-privilege network exploitation of the Drupal Raw Formatter [Meta Tag Formatter] contributed module leads to high confidentiality and integrity impact across all released versions. The vulnerability requires an authenticated user with elevated Drupal permissions and high attack complexity (PR:H, AC:H per CVSS), significantly narrowing the realistic attack surface despite the notable C:H/I:H impact rating. No public exploit has been identified at time of analysis, EPSS sits at 0.24% (15th percentile), and SSVC confirms exploitation status as none - consistent with a narrow, privilege-dependent flaw in a niche contrib module rather than a broadly weaponizable issue.

Information Disclosure Raw Formatter Meta Tag Formatter
NVD VulDB
CVSS 3.1
5.9
EPSS
0.2%
CVE-2026-55804 MEDIUM PATCH This Month

Object injection in Drupal Core through improperly controlled modification of dynamically-determined object attributes (CWE-915) exposes sites to high-severity confidentiality and integrity compromise when triggered by an authenticated user with high privileges. Affected branches include the entire 10.x line before 10.5.12 and 10.6.11, the fully unsupported 11.0.x and 11.1.x trees, and the 11.2.x and 11.3.x lines before 11.2.14 and 11.3.12 respectively. No active exploitation is confirmed (not in CISA KEV) and EPSS sits at just 0.16% (6th percentile), making this a patch-priority rather than emergency-response scenario.

Code Injection Drupal Core
NVD
CVSS 3.1
5.9
EPSS
0.2%
CVE-2026-55803 MEDIUM PATCH This Month

Object injection via a mass assignment flaw in Drupal Core enables an authenticated administrator to manipulate dynamically-determined PHP object attributes, potentially compromising confidentiality and data integrity of the application. Affected versions span multiple active and end-of-life branches: 10.5.x through 10.5.12, 10.6.0 through 10.6.11, 11.2.0 through 11.2.14, 11.3.0 through 11.3.12, and the entirely unsupported 11.0.x and 11.1.x branches. No public exploit code is identified at time of analysis, and EPSS at 0.16% (6th percentile) signals very low observed exploitation activity despite the C:H/I:H impact potential.

Code Injection Drupal Core
NVD
CVSS 3.1
5.9
EPSS
0.2%
CVE-2026-11914 MEDIUM This Month

vulnerability in Drupal Composer allows . This issue affects Composer versions: *.*.

Information Disclosure Composer
NVD VulDB
CVSS 3.1
5.9
EPSS
0.2%
CVE-2026-11915 MEDIUM This Month

vulnerability in Drupal Brute force attack protection allows . This issue affects Brute force attack protection versions: *.*.

Information Disclosure Brute Force Attack Protection
NVD VulDB
CVSS 3.1
5.9
EPSS
0.2%
CVE-2026-55806 MEDIUM PATCH This Month

Open redirect in Drupal Core across multiple major release branches enables phishing and content spoofing attacks by forwarding victims from a trusted Drupal domain to an attacker-controlled site via crafted URLs. The exposure spans the 10.x and 11.x release trains, creating a broad attack surface across the Drupal install base. EPSS probability sits at 0.13% (3rd percentile) and the vulnerability is absent from CISA KEV, indicating low observed exploitation to date despite the wide version coverage.

Open Redirect Drupal Core
NVD
CVSS 3.1
5.9
EPSS
0.1%
CVE-2026-15146 MEDIUM This Month

GNU Wget's FTP passive mode implementation fails to validate the IP address returned in a server's PASV response, enabling a malicious FTP server - or any HTTP server issuing a redirect to an ftp:// URL - to redirect Wget's data connection to an arbitrary internal IP address and port. All Wget releases through 1.25.0 (prior to upstream commit 4f85853) are affected, exposing any host running Wget to server-side request forgery (SSRF) that can probe or interact with localhost services and internal network resources. No confirmed active exploitation exists (SSVC: exploitation none), and no public POC exploit has been identified at time of analysis; the NVD-provided CVSS attack vector (AV:L) appears inconsistent with the network-based attack mechanism and may be an error.

SSRF Wget
NVD VulDB
CVSS 3.1
5.9
EPSS
0.1%
CVE-2026-21044 MEDIUM This Month

Improper authorization in Samsung's KnoxGuardManager component allows local low-privileged attackers to bypass the application's persistence configuration, potentially undermining enterprise device management and carrier lock enforcement on affected Samsung Mobile Devices. Devices running Android 14, 15, and 16 prior to SMR Jul-2026 Release 1 are affected, making this a notable concern for enterprise MDM deployments and carrier-managed device fleets relying on Knox Guard controls. No public exploit has been identified and no active exploitation is confirmed; Samsung has shipped a patch in the July 2026 Security Maintenance Release.

Authentication Bypass
NVD VulDB
CVSS 4.0
5.8
EPSS
0.1%
CVE-2026-57213 MEDIUM PATCH This Month

Stored cross-site scripting in the RabbitMQ federation management plugin allows any user with federation upstream or policy configuration privileges to execute arbitrary JavaScript in the browser of an administrator viewing the Federation Status page. The rabbitmq_federation_management plugin renders the consumer_tag field without HTML escaping, making it a persistent injection vector that fires passively when a victim navigates to the page. No public exploit code and no CISA KEV listing are identified at time of analysis; the CVSS 4.0 score of 5.7 reflects meaningful but constrained risk due to the high-privilege prerequisite.

XSS Rabbitmq Server
NVD GitHub VulDB
CVSS 4.0
5.7
EPSS
0.3%
CVE-2026-55475 MEDIUM PATCH This Month

Unauthorized modification of import ownership metadata in Snipe-IT prior to version 8.6.1 allows an authenticated user with CSV import capabilities to overwrite the created_by field on import records via the Importer API endpoint. The flaw stems from insufficient authorization enforcement (CWE-863) on the created_by parameter during CSV import operations, enabling a low-privileged API user to falsify asset audit trails and attribution records. No public exploit code has been identified and this vulnerability is absent from CISA KEV; a vendor-released patch is available in v8.6.1.

Authentication Bypass Snipe It
NVD GitHub
CVSS 3.1
5.7
EPSS
0.2%
CVE-2026-15330 MEDIUM This Month

Server-side request forgery in zhayujie CowAgent versions up to 2.1.1 allows remote unauthenticated attackers to manipulate the `image` argument passed to `_build_image_content` or `_download_to_data_url` within the Vision Tool component, forcing the server to issue arbitrary outbound HTTP requests to attacker-specified destinations. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms exploitation requires no authentication and no special conditions, making this trivially accessible over the network. Exploit code has been publicly disclosed (CVSS 4.0 E:P per VulDB submission), raising real-world risk; no CISA KEV listing exists at time of analysis, so confirmed mass exploitation is not established.

SSRF
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.4%
CVE-2026-15085 MEDIUM PATCH This Month

Stored Cross-Site Scripting in the Drupal AI SEO/GEO Analyzer contrib module (versions 0.0.0 through pre-1.1.3) enables authenticated low-privilege users to persist malicious JavaScript payloads that execute in the browser context of other users - including administrators - who subsequently view the affected content. The scope change (S:C in the CVSS vector) confirms cross-context execution, enabling session hijacking, credential theft, or unauthorized DOM manipulation against victim users. EPSS probability stands at 0.25% (17th percentile) and no active exploitation has been reported in CISA KEV, indicating limited real-world threat at this time. A vendor-released patch is available via the Drupal security advisory SA-contrib-2026-076.

XSS Ai Seo Geo Analyzer
NVD
CVSS 3.1
5.4
EPSS
0.3%
CVE-2026-15084 MEDIUM PATCH This Month

Stored XSS in the Drupal UI Patterns (SDC in Drupal UI) contributed module allows a low-privileged authenticated attacker to inject persistent malicious scripts into web pages, which execute in the browsers of other users - including administrators - who view the affected content. Versions 2.0.0 through 2.0.17 of the module are affected, with a patch available from the Drupal security team. No public exploit identified at time of analysis, and the EPSS score of 0.25% (17th percentile) signals minimal observed exploitation pressure, though the stored nature of the XSS and potential to target privileged users elevates practical risk for sites using this module.

XSS Ui Patterns Sdc In Drupal Ui
NVD
CVSS 3.1
5.4
EPSS
0.3%
CVE-2026-11818 MEDIUM This Month

Authorization bypass in the WPCafe WordPress plugin (all versions through 3.0.14) allows any authenticated subscriber-level user to fully manage email notification flow workflows that are intended to be administrator-only. The FlowAPI REST endpoints bundled within the plugin's email notification SDK rely solely on a wp_rest nonce for access control - a token freely obtainable from the frontend page source by any logged-in user - completely bypassing role-based authorization. No public exploit or active exploitation has been identified at time of analysis, though the low exploitation complexity makes this a realistic risk on sites with open user registration.

Authentication Bypass WordPress Wpcafe Restaurant Menu Online Food Ordering Table Booking System
NVD
CVSS 3.1
5.4
EPSS
0.3%
CVE-2026-15079 MEDIUM PATCH This Month

Brute-force credential attacks against Drupal sites running the Login Disable contrib module (versions 0.0.0 through 2.1.4) are enabled by the module's failure to restrict excessive authentication attempts (CWE-307). The module, intended to provide administrators with login-gating controls, paradoxically omits rate-limiting enforcement, allowing a low-privileged attacker to enumerate or compromise user credentials via automated requests. EPSS is low (0.21%, 12th percentile) and no active exploitation is confirmed in CISA KEV, but the network-accessible attack vector and low complexity keep this relevant for sites where the module is deployed.

Information Disclosure Login Disable
NVD
CVSS 3.1
5.4
EPSS
0.2%
CVE-2026-57230 MEDIUM PATCH This Month

SQL injection in OpenReplay's enterprise session search and analytics API allows an authenticated member to exfiltrate arbitrary ClickHouse table data and disrupt session search for all project viewers. Affected are enterprise editions with multi-tenancy enabled, running versions prior to 1.27.0, where user-controlled input is inserted unsanitized into ClickHouse query strings at two positions. No public exploit has been identified at time of analysis, and the fix was released in version 1.27.0.

SQLi Openreplay
NVD GitHub
CVSS 3.1
5.4
EPSS
0.2%
CVE-2026-58591 MEDIUM PATCH This Month

Cross-site scripting in the Drupal Colorbox module allows an authenticated low-privileged attacker to inject malicious scripts that execute in the browser context of other users. The CVSS scope-change indicator (S:C) confirms this is likely stored XSS, where crafted input persists and executes when victims visit affected pages. No active exploitation is confirmed - EPSS sits at 0.20% (10th percentile) and the vulnerability is not listed in the CISA KEV catalog - but a vendor patch is available via Drupal security advisory SA-CONTRIB-2026-069.

XSS Colorbox
NVD
CVSS 3.1
5.4
EPSS
0.2%
CVE-2026-15082 MEDIUM PATCH This Month

Cross-site scripting in Drupal's Siteimprove Analytics contributed module (all versions before 2.0.1) allows an authenticated low-privileged attacker to inject malicious scripts that execute in a victim user's browser session. The CVSS scope change (S:C) indicates the attack crosses the application trust boundary, enabling potential session hijacking or privilege escalation against higher-privileged users such as administrators who view attacker-controlled content. No public exploit code exists and EPSS of 0.19% (8th percentile) confirms low real-world exploitation probability; no active exploitation has been identified at time of analysis.

XSS Siteimprove Analytics
NVD
CVSS 3.1
5.4
EPSS
0.2%
CVE-2026-58590 MEDIUM PATCH This Month

Missing Authorization (CWE-862) in the Drupal FlowDrop contributed module allows authenticated low-privilege users to perform Forceful Browsing - directly accessing protected URLs without proper permission checks being enforced. All FlowDrop releases from 0.0.0 up to 1.6.0 are affected; a successful attacker can read or modify content and workflow data beyond their authorized scope. No public exploit has been identified and EPSS sits at 0.18% (8th percentile), indicating negligible observed exploitation probability at time of analysis; the vulnerability is not listed in CISA KEV.

Authentication Bypass Flowdrop
NVD
CVSS 3.1
5.4
EPSS
0.2%
CVE-2026-58589 MEDIUM PATCH This Month

Missing authorization in the FlowDrop Drupal contributed module (versions prior to 1.6.0) enables authenticated low-privilege users to perform forceful browsing, accessing URLs and resources that should be restricted to higher-privilege roles. The vulnerability stems from CWE-862, where authorization checks are absent or bypassed on protected endpoints within the module. No public exploit code or CISA KEV listing exists at time of analysis; the EPSS score of 0.18% (8th percentile) reflects low observed exploitation probability, but the low attack complexity and network accessibility make it a meaningful risk on multi-tenant or public Drupal sites with the module installed.

Authentication Bypass Flowdrop
NVD
CVSS 3.1
5.4
EPSS
0.2%
CVE-2026-5069 MEDIUM This Month

Incorrect authorization in the Fluent Forms WordPress plugin (versions up to and including 6.2.1) enables any authenticated subscriber-level user to cancel payment subscriptions belonging to other users by supplying an arbitrary 'subscription_id' in the payment cancellation AJAX endpoint. The payment cancellation flow performs no ownership check - only that the user is authenticated - making this a classic IDOR (Insecure Direct Object Reference) under CWE-863. No public exploit code has been identified at time of analysis, and the flaw is not listed in CISA KEV, but the low bar for exploitation (any registered site account) raises practical risk for sites using Fluent Forms payment/subscription features.

Authentication Bypass WordPress Fluent Forms Customizable Contact Forms Survey Quiz Conversational Form Builder
NVD
CVSS 3.1
5.4
EPSS
0.2%
CVE-2026-11908 MEDIUM PATCH This Month

Stored cross-site scripting in the Drupal Tagify contributed module allows low-privileged authenticated users to inject persistent malicious scripts that execute in the browsers of subsequent page visitors, including administrators. All Tagify module versions prior to 1.2.52 are affected. No public exploit code has been identified and EPSS sits at the 6th percentile, but the stored nature of the XSS elevates impact relative to reflected variants since payloads persist across all future viewers of the poisoned content.

XSS Tagify
NVD
CVSS 3.1
5.4
EPSS
0.2%
CVE-2026-10769 MEDIUM PATCH This Month

Stored cross-site scripting in Drupal Commerce Core 3.3.0 through 3.3.5 allows an authenticated low-privilege attacker to inject persistent malicious scripts that execute in other users' browsers when affected pages are viewed. The scope change (S:C in the CVSS vector) confirms the payload breaks out of the application's security context into the victim's browser environment, enabling session hijacking or unauthorized UI manipulation. No active exploitation or public exploit code has been identified; EPSS of 0.16% (6th percentile) reflects low real-world exploitation probability at time of analysis.

XSS Commerce Core
NVD
CVSS 3.1
5.4
EPSS
0.2%
CVE-2026-55808 MEDIUM PATCH This Month

Cross-site scripting (XSS) in Drupal Core affects a broad swath of the 10.x and 11.x release lines, enabling an authenticated low-privileged attacker to inject malicious client-side script that executes in the browser of a victim who interacts with the crafted content. The CVSS scope-change indicator (S:C) confirms the impact escapes the originating component into the victim's browser context, enabling session hijacking or privilege escalation against higher-privileged users. No public exploit code has been identified and EPSS sits at 0.15% (5th percentile), indicating low automated exploitation probability at time of analysis, though the wide deployment footprint of Drupal still makes patching urgent.

XSS Drupal Core
NVD VulDB
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-11990 MEDIUM This Month

Authorization bypass in the KiviCare WordPress EHR plugin (all versions through 4.4.0) allows unauthenticated network attackers to confirm arbitrary pending clinic appointments and inject forged payment records into the wp_kc_payments_appointment_mappings table using attacker-supplied payment IDs, completely circumventing the payment collection process. The root defect is a two-part failure: the appointments API controller does not verify user authorization before processing status changes, and the KCPaymentGatewayFactory returns all registered gateways regardless of admin-enabled status - meaning the KCPayLater manual-payment gateway is always selectable, even by unauthenticated callers on default installations. No public exploit or CISA KEV listing exists at time of analysis, though the trivially low attack complexity makes scripted abuse realistic.

Authentication Bypass WordPress
NVD VulDB
CVSS 3.1
5.3
EPSS
0.6%
CVE-2026-15302 MEDIUM This Month

Path traversal via the unsanitized 'X-FILENAME' HTTP header in the ARMember WordPress membership plugin allows unauthenticated remote attackers to upload and overwrite files outside the intended 'wp-content/uploads/armember' directory on affected WordPress installations running versions 4.0.27 and earlier. The integrity impact is limited by the plugin's handling of 'certain files (e.g., CSS)' rather than arbitrary file types, capping the CVSS score at 5.3 Medium; however, successful exploitation can enable website defacement or manipulation of frontend assets without any authentication. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis.

WordPress Path Traversal
NVD
CVSS 3.1
5.3
EPSS
0.5%
CVE-2026-59794 MEDIUM PATCH This Month

Stored cross-site scripting in JetBrains TeamCity before 2026.1.2 lets an attacker who controls a build agent persist a malicious script into agent-reported data that executes when a privileged user opens the cloud profile page. Because it fires in the browser session of an operator with access to CI/CD configuration, it can lead to session/token theft and actions performed as the victim. The issue was reported by JetBrains itself; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

XSS Teamcity
NVD
CVSS 3.1
5.4
EPSS
0.2%
CVE-2026-52761 MEDIUM PATCH This Month

WAF rule bypass in ModSecurity 3.0.0-3.0.15 on i386 architecture allows network-accessible attackers to evade rules that use the t:utf8toUnicode transformation, potentially permitting injection attacks or other malicious payloads to reach protected applications undetected. The root cause is CWE-467 - sizeof() applied to a char pointer in utf8_to_unicode.cc yields the pointer width (4 bytes on i386) rather than the unicode buffer length, corrupting transformation output. No public exploit code or active exploitation has been identified at time of analysis; the fix is available in v3.0.16.

Authentication Bypass Nginx Apache Modsecurity
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.4%
CVE-2026-15331 MEDIUM This Month

Path traversal in zhayujie CowAgent versions up to 2.1.0 allows remote low-privilege authenticated attackers to write files outside the intended skill installation directory by manipulating the `Name` argument in the Skill Installation Handler. The flaw resides in the `_add_url` and `_add_package` functions within `agent/skills/service.py`, which fail to sanitize path components before constructing filesystem paths during skill installation. No public exploit or active exploitation confirmed (no CISA KEV listing); a vendor-released patch exists in version 2.1.2.

Path Traversal
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.4%
Prev Page 2 of 4 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy