Skip to main content
CVE-2026-15286 MEDIUM This Month

Unauthorized post publication in Kadence Blocks (Gutenberg Blocks with AI by Kadence WP) versions up to and including 3.5.32 allows authenticated WordPress contributors to immediately publish posts, pages, and custom post types - entirely bypassing the platform's standard contributor review workflow. The flaw stems from a misconfigured capability check in the `get_items_permission_check` permission callback on the `process_pattern` REST API endpoint (CWE-863: Incorrect Authorization). No active exploitation is confirmed via CISA KEV, no public POC has been identified, and the CVSS score of 4.3 reflects a limited integrity-only impact with no confidentiality or availability consequences.

Authentication Bypass WordPress
NVD
CVSS 3.1
4.3
EPSS
0.3%
CVE-2026-55462 MEDIUM PATCH This Month

Incorrect authorization in Snipe-IT's UsersController before version 8.6.2 allows any authenticated user holding only the users.view permission to access restricted inventory and procurement metadata - including assigned licenses, accessories, consumables, and associated cost and order data - from modules their direct permissions would otherwise deny. The flaw exists in both the show() and printInventory() controller methods, which enforce authorization only for the user-viewing scope before eagerly loading and rendering related asset relationships without further permission checks. No public exploit exists and this vulnerability is not listed in the CISA KEV catalog, but the low attack complexity and common assignment of users.view to helpdesk staff makes this a realistic insider access-control bypass in enterprise deployments.

Authentication Bypass Snipe It
NVD GitHub
CVSS 3.1
4.3
EPSS
0.3%
CVE-2026-55664 MEDIUM PATCH This Month

Unauthorized schema disclosure in Grist Core prior to 1.7.15 allows any user with partial read access - explicitly including anonymous public users on publicly viewable documents - to retrieve table and column metadata for any widget by querying the GET /forms endpoint. The endpoint failed both to validate that the requested section was a form widget and to apply the document's configured access rules before returning metadata, meaning hidden schema structure (table names, column names, types) is fully exposed regardless of the restrictions in place. No public exploit has been identified and the vulnerability is not in CISA KEV; a vendor-released patch exists in version 1.7.15.

Python Information Disclosure Grist Core
NVD GitHub
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-12400 MEDIUM This Month

Insecure Direct Object Reference in the FlowForms - Conversational Form Builder WordPress plugin (all versions through 1.1.1) allows authenticated contributors to modify, publish, or revert any form on the site - including forms owned by administrators - by supplying an arbitrary form ID to the unvalidated REST API update_form endpoint. Wordfence reported this flaw, and a fix changeset exists in the WordPress plugin SVN repository, though an explicit patched release version is not independently confirmed. No public exploit or active exploitation (CISA KEV) has been identified at time of analysis.

Authentication Bypass WordPress Flowforms Conversational Form Builder
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-15026 MEDIUM This Month

Sensitive information exposure in the Import and Export Users and Customers WordPress plugin (all versions ≤ 2.4.0) allows any authenticated subscriber-level user to enumerate and extract the post_title and raw post_content of arbitrary posts regardless of visibility status or post type. Affected content includes drafts, private posts, password-protected entries, future-scheduled posts, trashed items, and non-public custom post types such as WooCommerce orders and internal CRM records. The exploit barrier is exceptionally low: the required security nonce is leaked as inline JavaScript on any wp-admin page reachable by subscribers. No public exploit code has been identified and this vulnerability does not appear in the CISA KEV catalog at time of analysis.

Authentication Bypass WordPress Information Disclosure Import And Export Users And Customers
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-1946 MEDIUM This Month

Unauthorized GravityWrite disconnection in the GW AI Website Builder WordPress plugin (versions ≤ 1.0.1) is achievable by any authenticated subscriber-level user due to a missing capability check on the gwaiwebu_gravitywrite_disconnect_handler() AJAX function. The flaw allows low-privilege WordPress accounts to sever the plugin's integration with the GravityWrite AI service, degrading AI-powered site-building functionality for all users. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; impact is confined to service integrity disruption rather than data exfiltration or code execution.

Authentication Bypass WordPress Gw Ai Website Builder
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-55472 MEDIUM PATCH This Month

Incorrect authorization enforcement in Snipe-IT's API location creation endpoint allows an authenticated low-privilege user to create a child location under a parent location belonging to a different company, bypassing the intended multi-tenant isolation boundary. The vulnerability affects all Snipe-IT versions prior to 8.6.2 when both Full Multiple Companies Support and the scope_locations_fmcs option are simultaneously enabled. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog; real-world risk is constrained by the non-default configuration prerequisites and the requirement for authenticated access.

Authentication Bypass Snipe It
NVD GitHub
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-12955 MEDIUM This Month

Unauthorized modification of cookie scan schedule configuration in the GDPR Cookie Consent WordPress plugin (versions up to 4.3.6) is achievable by any authenticated subscriber-level user. The vulnerability stems from a dual failure - absent capability check and absent nonce verification - on the wp_ajax_gcc_save_schedule_scan AJAX action, allowing low-privileged users to overwrite the gdpr_scan_schedule_data option that is administratively intended to require manage_options capability. No public exploit has been identified and the flaw is not listed in CISA KEV; a patched version (4.3.7) is available via the plugin's SVN repository.

Authentication Bypass WordPress Cookie Banner For Gdpr Ccpa Wplp Cookie Consent
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-6440 MEDIUM This Month

Cross-Site Request Forgery in the GoodMeet WordPress plugin (versions up to and including 1.1.8) enables unauthenticated remote attackers to wipe a site's stored Google Meet API credentials and OAuth tokens by deceiving a logged-in administrator into triggering a crafted request. The vulnerable reset_credential() function handling the wp_ajax_goodmeet_reset_google_meet_credential AJAX action checks the manage_options capability but omits mandatory WordPress nonce validation, allowing any cross-origin request to be processed as legitimate. The practical outcome is complete disabling of the site's Google Meet integration with no data disclosure; no public exploit code has been identified and the vulnerability is not listed in the CISA KEV catalog.

WordPress CSRF Google Goodmeet Google Meet Integration For Webinar Meeting Video Conference
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-15080 MEDIUM PATCH This Month

Cross-Site Request Forgery in the Drupal Ray Enterprise Translation contrib module lets a remote attacker forge state-changing requests that are executed with the privileges of an authenticated victim (typically a site administrator), potentially altering translation configuration and integrations. It affects module versions below 4.0.4, below 4.1.4, and below 11.0.4, and carries a vendor CVSS of 8.8. No public exploit has been identified at time of analysis and the EPSS score is very low (0.12%, 2nd percentile), indicating no observed exploitation activity.

CSRF Ray Enterprise Translation
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-49977 MEDIUM POC PATCH GHSA This Month

Cookie deletion via unauthorized class-based invocation in tarteaucitron.js allows an attacker with HTML injection capability to silently delete browser cookies by placing arbitrary elements bearing the purgeBtn CSS class in a page that loads the library. The tarteaucitron.cookie.purge() function responds to any matching DOM element without verifying whether it was created by the library itself or whether the specified cookie belongs to a tarteaucitron-managed service, enabling targeted cookie removal against visitors who interact with the crafted element. No public exploit identified at time of analysis beyond the researcher-published PoC; this vulnerability is not listed in CISA KEV and EPSS data is unavailable.

Authentication Bypass
NVD GitHub
CVSS 3.1
4.3
CVE-2026-59154 MEDIUM PATCH This Month

Cross-board authorization bypass in Wekan prior to version 9.64 allows a low-privileged authenticated user to inject checklist data into private boards where they hold no membership. The flaw resides in Meteor's collection allow rules for Checklists and ChecklistItems, which validate write access against the source card's context but ignore the destination cardId or boardId embedded in the update modifier - enabling an attacker with write access to any one board to redirect checklist mutations into boards they are not permitted to access. No active exploitation has been identified and no public exploit code exists; a vendor-confirmed fix is available in version 9.64.

Authentication Bypass Wekan
NVD GitHub
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-15083 MEDIUM PATCH This Month

Object injection in the Drupal ECA (Event - Condition - Action) contributed module exposes sites running affected versions to limited confidentiality and integrity compromise by authenticated low-privileged users. The vulnerability stems from improperly controlled modification of dynamically-determined object attributes (CWE-915, a mass-assignment class of flaw), allowing a crafted request to inject object properties and influence internal application logic within ECA's event-driven workflow engine. No confirmed active exploitation exists, and EPSS at 0.20% (10th percentile) reflects low observed threat pressure across the landscape, though a vendor patch has been issued per the Drupal security advisory.

Code Injection Eca
NVD VulDB
CVSS 3.1
4.2
EPSS
0.2%
CVE-2026-13236 MEDIUM PATCH This Month

Missing authorization controls in the Drupal AI Agents contrib module expose protected resources to forceful browsing by authenticated low-privilege users. Affected installations span three version branches - 0.0.0 through 1.1.3, 1.2.0 through 1.2.4, and 1.3.0 - across the Drupal ecosystem. No public exploit has been identified and CISA has not added this to KEV; EPSS at 0.14% (4th percentile) and SSVC's 'none' exploitation status confirm minimal real-world threat at time of analysis.

Authentication Bypass Ai Agents
NVD
CVSS 3.1
4.2
EPSS
0.1%
CVE-2026-56665 MEDIUM PATCH This Month

Insufficient JWT expiration enforcement in ZITADEL's external JWT Identity Provider integration allows tokens lacking the `exp` claim to be treated as indefinitely valid, bypassing intended session lifetime controls. Versions 3.0.0-rc.1 through 3.4.11 and 4.0.0-rc.1 through 4.15.1 are affected, with the flaw residing in `internal/idp/providers/jwt/session.go`. An attacker who can obtain or craft a JWT from a configured trusted external issuer that omits the `exp` claim can maintain persistent authenticated access without re-authentication. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Information Disclosure Zitadel
NVD GitHub VulDB
CVSS 3.1
4.2
EPSS
0.2%
CVE-2026-56664 MEDIUM PATCH This Month

Insufficient session expiration in ZITADEL's external JWT Identity Provider allows arbitrarily old tokens from trusted issuers to pass authentication when the token omits the iat (issued-at) claim. ZITADEL versions prior to 3.4.12 (v3 branch) and 4.15.2 (v4 branch) are affected. An attacker holding a previously issued JWT from a trusted external IdP - specifically one lacking the iat claim - can reuse that token indefinitely, bypassing intended session expiry controls and maintaining unauthorized access. No public exploit identified at time of analysis.

Information Disclosure Zitadel
NVD GitHub
CVSS 3.1
4.2
EPSS
0.2%
CVE-2026-15028 LOW Monitor

Heap overflow in libarchive's PAX extended header parser allows exploitation via a maliciously crafted tar archive containing a malformed SUN.holesdata sparse-file attribute. Successful exploitation of the affected system could result in a denial of service condition or, in more serious cases, arbitrary code execution under the privileges of the process invoking libarchive. No public exploit code or active exploitation has been confirmed at time of analysis, though a GitHub pull request (#3253) indicating an upstream fix is available suggests the issue is reproducible and patch-ready. The official CVSS score of 3.9 (Low) conflicts materially with the vendor-applied RCE tag, a discrepancy that warrants independent validation.

Denial Of Service RCE Heap Overflow Buffer Overflow
NVD GitHub VulDB
CVSS 3.1
3.9
EPSS
0.3%
CVE-2026-59791 LOW PATCH Monitor

CSS injection via Mermaid diagram rendering in JetBrains YouTrack before version 2026.2.17012 permits authenticated low-privilege users to embed malicious CSS into diagram content that executes in the browsers of other users who view the affected page. The CVSS score of 3.5 (Low) reflects the dual gating conditions of required authentication and victim interaction, substantially constraining real-world impact to UI manipulation rather than data exfiltration or code execution. No public exploit code or active exploitation has been identified at time of analysis.

XSS Youtrack
NVD
CVSS 3.1
3.5
EPSS
0.1%
CVE-2026-13235 LOW PATCH Monitor

Forceful browsing exposure in Drupal's AI (Artificial Intelligence) contributed module permits high-privileged authenticated users to access protected resources without proper authorization checks, affecting versions 0.0.0-1.2.17, 1.3.0-1.3.8, and 1.4.0-1.4.3. The vulnerability stems from CWE-862 (Missing Authorization), where path-level access controls are not enforced on certain AI module endpoints, allowing an authenticated user with high privileges to traverse to unauthorized resources. No public exploit code exists, EPSS sits at 0.14% (4th percentile), and CISA SSVC confirms no active exploitation, placing this firmly in the low-urgency tier despite its network-accessible attack vector.

Authentication Bypass Ai Artificial Intelligence
NVD VulDB
CVSS 3.1
3.3
EPSS
0.1%
CVE-2026-13233 LOW PATCH Monitor

Server-Side Request Forgery in the Drupal OpenAI Provider module enables authenticated administrators to force the server to issue HTTP requests to attacker-controlled destinations, potentially reaching internal network resources beyond the intended API boundary. Affected versions span 0.0.0 through 1.1.1 and 1.2.0 through 1.2.2; a vendor patch is available via Drupal security advisory SA-CONTRIB-2026-053. No public exploit code exists, EPSS sits at 0.14% (4th percentile), and SSVC confirms exploitation status as none - all signals converge on a low operational priority despite the network-accessible attack vector.

SSRF Openai Provider
NVD
CVSS 3.1
3.3
EPSS
0.1%
CVE-2026-11909 LOW PATCH Monitor

Missing Authorization in Drupal's Examples for Developers module (versions 0.0.0 through 4.0.5) permits forceful browsing by an already highly-privileged authenticated attacker, exposing restricted paths with limited confidentiality and integrity impact. All available signals converge on minimal real-world risk: CVSS scores 3.3 (Low), EPSS sits at 0.14% (4th percentile), SSVC reports no known exploitation and non-automatable attack conditions, and neither active exploitation nor public proof-of-concept code has been identified. A vendor patch is available at version 4.0.6.

Authentication Bypass Examples For Developers
NVD
CVSS 3.1
3.3
EPSS
0.1%
CVE-2026-13232 LOW PATCH Monitor

Incorrect authorization in the Drupal Advanced Content Feedback (admin_feedback) contributed module allows authenticated low-privilege users to perform forceful browsing, accessing restricted feedback resources without proper authorization checks. All module releases from 0.0.0 up to (but not including) 2.8.0 are affected. No public exploit code exists and no active exploitation has been identified; EPSS sits at the 4th percentile, consistent with the SSVC assessment of zero current exploitation.

Authentication Bypass Advanced Content Feedback Aka Admin Feedback
NVD
CVSS 3.1
3.1
EPSS
0.1%
CVE-2026-55807 LOW PATCH Monitor

Server-Side Request Forgery in Drupal Core allows authenticated low-privilege users to coerce the application server into issuing unauthorized HTTP requests to internal or restricted network destinations. All active 10.6.x and 11.x release branches are affected, along with end-of-life 11.0.x and 11.1.x branches, covering a broad swath of production Drupal deployments. No public exploit code has been identified and EPSS sits at the 3rd percentile, but the large Drupal deployment footprint elevates aggregate exposure even at low per-instance exploitation probability.

SSRF Drupal Core
NVD
CVSS 3.1
3.1
EPSS
0.1%
CVE-2026-59180 LOW PATCH Monitor

HTTP redirect handling in Apprise prior to 1.11.0 leaks user-configured secrets - including Authorization headers, bearer tokens, custom headers, and service API keys - by blindly resending them on redirected requests to attacker-controlled endpoints. Any deployment using Apprise's HTTP-based notification plugins or its HTTP attachment and config loaders (apprise/attachment/http.py, apprise/config/http.py) is affected. An on-path attacker or a compromised notification destination can silently harvest these credentials. No public exploit has been identified at time of analysis, and EPSS data is not present in the source intel, but the credential-theft impact on third-party service integrations elevates real-world risk above the Low CVSS score suggests.

Information Disclosure Apprise
NVD GitHub VulDB
CVSS 3.1
3.1
EPSS
0.2%
CVE-2026-55782 LOW PATCH Monitor

Memory exhaustion in NanaZip's WebAssembly archive handler (prior to 6.5.1749.0) allows a crafted .wasm file to trigger multi-gigabyte heap allocations by supplying oversized 32-bit NameSize or Information.Size fields that are consumed without bounds validation in NanaZip.Codecs.Archive.WebAssembly.cpp. When a user opens or lists such an archive, NanaZip attempts to satisfy the inflated allocations via std::string or std::vector paths, exhausting process memory and causing a crash. No active exploitation or public exploit code has been identified at time of analysis; the impact is strictly limited to NanaZip process availability with no confidentiality or integrity consequence.

Denial Of Service Microsoft Nanazip
NVD GitHub VulDB
CVSS 4.0
2.4
EPSS
0.1%
CVE-2026-55780 LOW PATCH Monitor

Process crash via uncaught C++ exception in NanaZip's .NET single-file bundle handler affects all versions prior to 6.5.1749.0 on Windows. The extraction buffer is sized from the bundle entry's Size field, which is validated only for sign - not against the actual file content - allowing a crafted archive to trigger an attacker-controlled allocation whose resulting std::bad_alloc or std::length_error propagates across the COM STDMETHODCALLTYPE ABI boundary and terminates the NanaZip process. Impact is limited to denial of service; no public exploit has been identified at time of analysis, and the vendor has released a fix in version 6.5.1749.0.

Denial Of Service Microsoft Nanazip
NVD GitHub
CVSS 4.0
2.4
EPSS
0.1%
CVE-2026-55781 LOW PATCH Monitor

Memory exhaustion in NanaZip's UFS/FFS archive handler (all versions prior to 6.5.1749.0) allows a local low-privilege attacker to terminate the NanaZip process by delivering a crafted disk image that a user opens. The root cause is missing upper-bound validation of the `fs_fsize` fragment size field in the UFS superblock - unlike `fs_bsize`, which is checked against MINBSIZE, `fs_fsize` flows unchecked into indirect-block, directory, and extraction buffer allocation calculations, enabling a tiny image file to trigger multi-gigabyte heap allocation requests. No public exploit has been identified and this vulnerability is not listed in CISA KEV; the CVSS 4.0 score of 2.4 (Low) reflects the constrained local, user-interaction-required attack path with availability-only impact.

Denial Of Service Microsoft Nanazip
NVD GitHub
CVSS 4.0
2.4
EPSS
0.1%
CVE-2026-55783 LOW PATCH Monitor

NULL pointer dereference in NanaZip's custom archive handlers crashes the application when a user tests or extracts archives of seven specific formats. All NanaZip versions prior to 6.5.1749.0 are affected; the seven vulnerable handlers cover WebAssembly, ElectronAsar, Zealfs, Romfs, Ufs, Littlefs, and DotNetSingleFile archive types. Impact is limited to a process crash (denial of service) with no confidentiality or integrity consequence; no public exploit or active exploitation has been identified at time of analysis.

Denial Of Service Microsoft Null Pointer Dereference Nanazip
NVD GitHub
CVSS 4.0
2.4
EPSS
0.1%
CVE-2026-47199 LOW PATCH Monitor

Frappe framework's check_safe_sql_query function fails to block SELECT INTO OUTFILE statements, allowing authenticated low-privileged users to write arbitrary files to the server filesystem on self-hosted MySQL deployments where the database user holds the MySQL FILE privilege. Affected branches are v15 prior to 15.108.0 and v16 prior to 16.18.3; fixes are released at both version targets. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog, with a CVSS 4.0 base score of 2.3 reflecting the narrow, non-default exploitation conditions captured by AT:P.

SQLi Frappe
NVD GitHub
CVSS 4.0
2.3
EPSS
0.4%
CVE-2026-15332 LOW Monitor

Missing authorization in zhayujie CowAgent up to version 2.1.0 allows remote attackers with low-privilege accounts to bypass access controls at the Message Endpoint defined in channel/channel.py, potentially enabling unauthorized access to or manipulation of messaging data. The CVSS 4.0 vector confirms network-accessible exploitation requiring only low privileges, with low-level confidentiality, integrity, and availability impacts on the vulnerable system. A public proof-of-concept exploit has been released per VulDB, and the project maintainer has not yet responded to the coordinated disclosure filed via GitHub issue #2874.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-56813 LOW PATCH Monitor

Cookie attribute injection in elixir-plug's Plug library allows a remote attacker who can supply values reflected into `Set-Cookie` headers to inject the `;` delimiter and override attributes such as `Domain`, `Path`, `Secure`, and `HttpOnly`. Applications calling `Plug.Conn.put_resp_cookie/4` with user-controlled data - for example, reflecting a username or preference value - are exposed to session fixation and cookie tossing across five supported release lines (0.1.0 through 1.20.2). No public exploit code or CISA KEV listing is present at time of analysis, but the attack is mechanically straightforward wherever the vulnerable code pattern exists.

Code Injection
NVD GitHub
CVSS 4.0
2.1
EPSS
0.1%
CVE-2026-58225 LOW PATCH Monitor

SQL injection in Postgrex.Notifications' reconnect replay path allows an attacker who can supply untrusted input as a PostgreSQL LISTEN channel name to corrupt the shared notification connection, silently dropping all channel subscriptions and causing persistent denial of service of the notification subsystem. Affected versions are postgrex 0.16.0 through 0.22.2 in the Elixir ecosystem. No arbitrary SQL execution is possible due to double-quote escaping, and no public exploit or CISA KEV listing exists; the CVSS 4.0 base score of 2.1 reflects the constrained, precondition-heavy impact.

PostgreSQL SQLi Denial Of Service
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-54136 MEDIUM PATCH GHSA This Month

{workspace}/scripts/list_search` handler validates the token's domain and action (`scripts:read`) at the route level but omits per-row filtering against the token's resource/path segment (e.g., `scripts:read:f/allowed/*`), causing the underlying SQL query to return all non-archived workspace scripts regardless of path restrictions. Affects all Windmill deployments up to version 1.714.1; no public exploit or CISA KEV listing at time of analysis, but full reproduction steps are published in the GitHub security advisory.

Authentication Bypass
NVD GitHub
CVE-2026-49865 MEDIUM PATCH GHSA This Month

Server-side request forgery in Kimai 2.56.0 allows authenticated users with write access to Markdown-rendered invoice fields to force the application server to issue outbound HTTP requests to attacker-controlled or internal network destinations. The vulnerability surfaces during invoice PDF preview and generation, where user-controlled Markdown is processed through an md2html filter and handed to mPDF, which fetches embedded image URLs server-side even with safe mode enabled. A proof-of-concept was developed and responsibly disclosed to the vendor - it is not publicly available - and no active exploitation has been confirmed; however, the attack path is mechanically simple for any user with access to customer invoice text fields such as Customer.invoiceText.

SSRF
NVD GitHub
CVE-2026-53363 Awaiting Data

In the Linux kernel, the following vulnerability has been resolved: xfrm: iptfs: preserve shared-frag marker in iptfs_consume_frags() iptfs_consume_frags() transfers paged fragments from one socket buffer to another but fails to propagate the SKBFL_SHARED_FRAG flag. This is the same class of bug that was fixed in skb_try_coalesce() for CVE-2026-46300: when fragments backed by read-only page-cache pages are merged, the marker indicating their shared nature must be preserved so that ESP can decide correctly whether in-place encryption is safe. Apply the same two-line fix used in skb_try_coalesce() to iptfs_consume_frags().

Linux Information Disclosure
NVD VulDB
EPSS
0.1%
Prev Page 7 of 7

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy