Skip to main content
CVE-2026-29519 MEDIUM POC This Month

Reflected XSS in Lucee CFML Server (versions 5.3.x, 6.1.x, 6.2.x, and 7.0.x) enables unauthenticated remote attackers to inject and execute arbitrary JavaScript in a victim's browser by embedding script payloads within the URL request path, which the server reflects in its response without output encoding. The primary high-impact scenario targets the Lucee administrative interface - if an administrator visits the crafted URL, the attacker can hijack the admin session or trigger unauthorized administrative actions. A public proof-of-concept exploit is available on GitHub, materially lowering the barrier to exploitation; no public exploit identified at time of analysis indicating widespread active exploitation, and the vulnerability is not listed in CISA KEV.

XSS Lucee
NVD GitHub
CVSS 4.0
6.2
EPSS
0.4%
CVE-2026-15319 MEDIUM POC PATCH This Month

Improper access control in Sipeed PicoClaw up to version 0.2.9 allows remote unauthenticated attackers to bypass the IP allowlist enforced by the Launcher's web backend middleware. The flaw resides in the IPAllowlist function within web/backend/middleware/access_control.go, which fails to correctly enforce source-address restrictions, permitting unauthorized network access to protected endpoints. A public proof-of-concept exploit exists (GitHub issue #3069), and an upstream patch (PR #3126) has been submitted but a formally released patched version has not been independently confirmed.

Authentication Bypass Picoclaw
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-12276 MEDIUM POC PATCH This Month

Unauthenticated account registration bypass in the LA-Studio Element Kit for Elementor WordPress plugin (all versions before 1.6.1) allows remote, unauthenticated attackers to create WordPress user accounts on sites where site-wide registration has been explicitly disabled by the administrator. The vulnerable component is an unauthenticated AJAX action handler that omits the standard WordPress registration-status check, effectively nullifying an administrative security control. A publicly available proof-of-concept exists via WPScan, and a vendor patch is available in version 1.6.1; no confirmed active exploitation (CISA KEV) has been recorded at time of analysis.

WordPress Information Disclosure La Studio Element Kit For Elementor
NVD WPScan
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-42219 MEDIUM PATCH This Month

Path traversal via the download_backups endpoint in Frappe framework exposes arbitrary server-side files to authenticated high-privilege users. Affected versions span the entire v15 branch prior to 15.109.0 and the v16 branch prior to 16.19.0 (CPE: cpe:2.3:a:frappe:frappe:*). An attacker holding administrator-level credentials can craft a traversal payload in the backup download request to read files outside the intended backup directory, achieving high confidentiality impact with no integrity or availability consequence. No public exploit identified at time of analysis and this vulnerability is not listed in the CISA KEV catalog.

Path Traversal Frappe
NVD GitHub
CVSS 4.0
6.9
EPSS
0.5%
CVE-2026-58503 MEDIUM PATCH This Month

User enumeration via the reset_password endpoint in Frappe framework exposes valid account usernames to unauthenticated remote attackers across all versions prior to 15.106.0 and 16.16.0. The flaw stems from observable response discrepancies (CWE-203) that allow systematic probing of registered accounts without any credentials. No public exploit has been identified at time of analysis and no CISA KEV listing exists, but the zero-barrier network access makes this a realistic reconnaissance primitive for credential stuffing or targeted phishing campaigns against Frappe-based deployments.

Information Disclosure Frappe
NVD GitHub
CVSS 4.0
6.9
EPSS
0.4%
CVE-2026-57575 MEDIUM PATCH This Month

Server-Side Request Forgery in Misskey's UrlPreviewService allows remote unauthenticated attackers to coerce the platform's backend into initiating outbound HTTP connections toward loopback addresses, RFC-1918 private ranges, and link-local networks. The root cause is that IP address validation is applied only after the TCP connection has already been established, meaning the outbound request reaches the internal target before the check rejects it. Per vendor disclosure, response data is not believed to be returned to the attacker, limiting the impact to blind SSRF with potential for triggering internal service side effects. No public exploit identified at time of analysis, and a fix is available in version 2026.6.0.

SSRF Misskey
NVD GitHub
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-59155 MEDIUM PATCH This Month

Nezha Monitoring versions prior to 2.2.5 expose stored third-party API credentials in plaintext through two listing API endpoints to any authenticated admin or PAT holder with read-scoped access. The GET /api/v1/ddns and GET /api/v1/notification handlers serialize full database objects - including Cloudflare API tokens, TencentCloud SecretKeys, and Slack, Discord, and Telegram webhook URLs with embedded bot tokens - without any field-level redaction, enabling a single API call to harvest all configured credentials. No public exploit has been identified at time of analysis, and a vendor-released patch is available in v2.2.5.

Information Disclosure Nezha
NVD GitHub
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-60086 MEDIUM PATCH This Month

Prompt injection defenses in PraisonAI before version 4.6.78 can be bypassed by crafting single or double-vector injections classified at the HIGH threat level, which the protection mechanism silently allows through to the underlying language model. The defense only blocks CRITICAL-classified injections - those matching three or more detector families simultaneously - meaning attackers who deliberately keep their payload below that threshold face no blocking at all. No active exploitation has been confirmed via CISA KEV and no public exploit code has been identified at time of analysis, though the bypass technique is conceptually straightforward given that the classification threshold logic is now publicly disclosed.

Authentication Bypass Praisonai
NVD GitHub
CVSS 4.0
6.9
EPSS
0.2%
CVE-2026-21054 MEDIUM This Month

Improper export of Android application components in Samsung's InputSharing app (prior to version 2.7.01.4) exposes internal sharing data to any co-resident application on the same device. The flaw allows a local attacker - via a malicious app installed on the same Samsung device - to silently access data transiting the InputSharing component without requiring any special Android permissions. No active exploitation has been confirmed (no CISA KEV listing), and a vendor-released patch at version 2.7.01.4 is available per the Samsung Mobile Security advisory.

Information Disclosure Google
NVD
CVSS 4.0
6.9
EPSS
0.1%
CVE-2026-21041 MEDIUM This Month

Improper access control in SamsungSEAgentService on Samsung Android 15 and 16 devices allows a local attacker to read sensitive information without requiring elevated privileges. The CVSS 4.0 vector (AV:L/PR:N/VC:H) confirms that any local process on the device can trigger the flaw with high confidentiality impact and no integrity or availability loss. No public exploit or CISA KEV listing exists at time of analysis; risk is bounded to the local attack surface of affected Samsung hardware.

Information Disclosure
NVD VulDB
CVSS 4.0
6.9
EPSS
0.1%
CVE-2026-21039 MEDIUM This Month

Improper access control in the Samsung Settings application on Android 15 and 16 allows a local attacker to modify Theft Protection configurations without requiring device credentials or elevated privileges. The vulnerability stems from missing or bypassable authorization checks in the Settings component, enabling an attacker with local access - such as someone in possession of a stolen device - to reconfigure the very security controls designed to prevent unauthorized use. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, but the local-no-privilege vector makes this particularly relevant to physical device theft scenarios.

Information Disclosure
NVD VulDB
CVSS 4.0
6.9
EPSS
0.1%
CVE-2026-21040 MEDIUM This Month

Improper access control in IAFDService on Samsung mobile devices (Android 14, 15, and 16) allows local attackers holding low-level privileges to invoke privileged system APIs that should be restricted to higher-trust callers. The flaw carries a CVSS 4.0 score of 6.9, reflecting high integrity and availability impact on the vulnerable system. No public exploit code or active exploitation confirmed in CISA KEV has been identified at time of analysis; Samsung has released the fix in SMR Jul-2026 Release 1.

Information Disclosure
NVD VulDB
CVSS 4.0
6.9
EPSS
0.1%
CVE-2026-57475 MEDIUM PATCH This Month

Deloitte AI Assist for Customer exposed public-facing REST API endpoints that accepted unauthenticated POST requests, enabling remote attackers to inject limited additions into the application's configuration store without credentials. The root cause is CWE-306 (Missing Authentication for Critical Function), and the CVSS 4.0 vector (PR:N/AV:N/AC:L) confirms zero-friction remote exploitation against default deployments. Critically, the vendor states that the injected configuration additions were not consumed or acted upon by the system, substantially constraining real-world operational impact. The vendor remediated the issue on 2026-03-25 by restricting network access and enforcing authentication; no public exploit has been identified at time of analysis.

Authentication Bypass Ai Assist For Customer
NVD
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-57474 MEDIUM PATCH This Month

Configuration information disclosure in Deloitte AI Assist for Customer exposed internal system details through unauthenticated, publicly accessible API endpoints, reducing attacker reconnaissance effort. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L) confirms remote, low-complexity, unauthenticated access, though impact is bounded to low confidentiality exposure with no integrity or availability consequence. Deloitte confirmed the fix on 2026-03-25 by restricting network access and enforcing authentication on the affected endpoints; no public exploit or CISA KEV listing has been identified at time of analysis.

Information Disclosure Ai Assist For Customer
NVD
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-59193 MEDIUM PATCH This Month

Disk exhaustion and crash vulnerability in Grav's Direct Install tool allows an authenticated admin.super user to upload a specially crafted ZIP archive that decompresses without bound, filling the server disk or crashing the process. Affecting all Grav releases prior to 2.0.0, the root cause is the Installer::unZip method invoking PHP's ZipArchive::extractTo with no enforced limits on uncompressed size, entry count, or directory depth - a classic zip bomb attack surface. No public exploit code or active exploitation has been identified at time of analysis; a vendor-released fix is available in version 2.0.0.

Denial Of Service Grav
NVD GitHub
CVSS 4.0
6.9
EPSS
0.4%
CVE-2026-59162 MEDIUM PATCH This Month

Panic-triggering denial of service in the Excelize Go library (all versions prior to 2.11.0) allows any actor who can supply a crafted XLSX file to crash the consuming application. The root cause is an integer bounds check that validates only the upper bound of shared-string indices, permitting a cell value of -1 to reach a slice-index operation as a negative integer and cause a Go runtime panic in `GetCellValue` or `GetRows`. No active exploitation has been identified at time of analysis, but the attack is trivially constructable and requires no privileges if the target application exposes XLSX processing to untrusted input.

Microsoft Information Disclosure Excelize
NVD GitHub
CVSS 4.0
6.9
EPSS
0.5%
CVE-2026-61432 MEDIUM PATCH This Month

Path traversal in PraisonAI's FastContext feature (praisonaiagents before 1.6.78) enables low-privileged network attackers to read arbitrary files outside the intended workspace sandbox. FastContextAgent.execute_tool() applies the workspace_path prefix only to relative paths, neither rejecting absolute path arguments nor canonicalizing joined paths before enforcing containment - meaning file-operation tools (grep_search, glob_search, read_file, list_directory) can be exploited with '../' sequences or direct absolute paths to exfiltrate host files. No public exploit has been identified at time of analysis, but the vulnerability is straightforward to trigger given the mechanics, and CVSS 4.0 rates the confidentiality impact on the vulnerable system as High.

Path Traversal Praisonai
NVD GitHub
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-60091 MEDIUM PATCH This Month

Unauthenticated blind SSRF via DNS rebinding in PraisonAI before 4.6.78 allows remote attackers to reach internal services through the Jobs API /api/v1/runs endpoint without credentials. The webhook_url parameter is validated at request intake but re-resolved at connection time, creating a TOCTOU window exploitable by an attacker who controls a malicious DNS server - flipping the resolved IP from a legitimate external address to an internal target after validation passes. No public exploit code or CISA KEV listing exists at time of analysis; the unauthenticated network vector (AV:N/PR:N) makes this a meaningful risk for any internet-exposed PraisonAI deployment, particularly in cloud environments where internal metadata APIs may be reachable.

SSRF Praisonai
NVD GitHub
CVSS 4.0
6.9
EPSS
0.2%
CVE-2026-60089 MEDIUM PATCH This Month

Path traversal in PraisonAI (pip package praisonaiagents) before version 1.6.78 allows an untrusted checked-out repository to overwrite arbitrary files on a developer's machine by embedding a malicious `.praisonai/config.toml` that sets `defaults.output.output_file` to an absolute or directory-traversal path. When the developer subsequently constructs an Agent and calls `agent.start()` without an explicit output parameter, PraisonAI resolves the attacker-supplied path - creating parent directories as needed - and writes agent output there with the privileges of the running user. No public exploit code or CISA KEV listing has been identified; a vendor patch at version 1.6.78 and an upstream fix commit are available per GitHub Security Advisory GHSA-qjw5-xwrp-xwpq.

Path Traversal Praisonai
NVD GitHub
CVSS 4.0
6.9
EPSS
0.1%
CVE-2026-57994 MEDIUM PATCH This Month

{categoryId}/{faqId}, and title-plus-preview content via the v3.1 and v4.0 tag-based endpoints - all without credentials. No public exploit has been identified and this vulnerability is not in CISA KEV, though the AV:N/PR:N vector makes exploitation trivially simple for anyone who can reach the API.

Information Disclosure Phpmyfaq
NVD GitHub
CVSS 4.0
6.9
EPSS
0.2%
CVE-2026-56312 MEDIUM PATCH This Month

Capgo's accept_invitation endpoint creates user accounts before captcha validation is enforced, allowing unauthenticated remote attackers to bypass captcha entirely by submitting POST requests with invalid captcha tokens. This logic-ordering flaw enables automated account creation and exhaustion of invite links against any Capgo instance running versions prior to 12.128.2. No public exploit has been identified at time of analysis, and this CVE does not appear in the CISA KEV catalog.

Authentication Bypass Capgo
NVD GitHub
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-56814 MEDIUM PATCH This Month

Denial of service in Elixir's Plug library (versions 1.4.0 through 1.20.2) allows unauthenticated remote attackers to exhaust filesystem inodes, disk space, and server memory via a single crafted multipart HTTP request. The Plug.Parsers.MULTIPART component charges its configurable :length limit only against part body bytes, meaning part headers are never counted and parts with empty bodies cost exactly zero - yet each such part with a filename triggers creation of a Plug.Upload struct and a real temporary file on disk. No public exploit has been identified at time of analysis, though the technique is trivially reproducible from the description alone against any application exposing a multipart endpoint.

Denial Of Service
NVD GitHub
CVSS 4.0
6.9
EPSS
0.6%
CVE-2026-21052 MEDIUM This Month

Path traversal in Samsung's SemClipboardService exposes arbitrary system-privileged files to local low-privileged attackers on Samsung Mobile Devices running Android 14, 15, and 16. The CVSS 4.0 vector (AV:L/AC:L/AT:N/PR:L/UI:N/VC:H) confirms that a local application with minimal privileges can exploit the service to read protected system files, bypassing Android's permission model. No public exploit code or active exploitation has been identified at time of analysis; a vendor patch is available via SMR Jul-2026 Release 1.

Path Traversal
NVD VulDB
CVSS 4.0
6.8
EPSS
0.1%
CVE-2026-21057 MEDIUM This Month

Out-of-bounds memory write in Samsung Pass prior to version 5.2.10.3 enables local privileged attackers to corrupt process memory, producing high integrity and availability impact with limited confidentiality exposure. The root cause is improper input validation - a buffer overflow class defect - confirmed by Samsung's mobile security team and catalogued under EUVD-2026-42827. No public exploit code or CISA KEV listing has been identified; Samsung has released version 5.2.10.3 as the remediation.

Samsung Buffer Overflow
NVD
CVSS 4.0
6.8
EPSS
0.1%
CVE-2026-61431 MEDIUM PATCH This Month

Path traversal in PraisonAI's ContextGatherer component (all versions before 4.6.78) allows an attacker who can supply or manipulate .praisoncontext or .praisoninclude files to read arbitrary files outside the intended workspace directory, including sensitive system files accessible to the user running PraisonAI. The vulnerability stems from a complete absence of path validation before file inclusion, permitting both absolute paths and relative traversal sequences. No active exploitation has been confirmed (not listed in CISA KEV), and no public exploit code has been identified at time of analysis; however, the attack is conceptually simple and requires no special tooling once an attacker can influence project workspace files.

Path Traversal Praisonai
NVD GitHub
CVSS 4.0
6.8
EPSS
0.3%
CVE-2026-21043 MEDIUM This Month

Path traversal in Samsung Mobile's Wallpaper service exposes arbitrary files readable under the system server privilege to local privileged attackers. Affected devices run Android 14, 15, and 16 with firmware prior to the SMR Jul-2026 Release 1. The CVSS 4.0 vector (AV:L/PR:H/VC:H) confirms a local, high-privilege attack path with confidentiality-only impact and no integrity or availability consequence. No public exploit code or CISA KEV listing has been identified at time of analysis.

Path Traversal
NVD VulDB
CVSS 4.0
6.7
EPSS
0.1%
CVE-2025-11977 MEDIUM This Month

Local File Inclusion in the Happyforms WordPress plugin (all versions through 1.26.12) allows authenticated administrators to include and execute arbitrary PHP files on the server via the happyforms_get_form_partial() function, enabling full remote code execution when the attacker can also upload PHP files. The vulnerability is rooted in unsanitized filename handling (CWE-98) within the form template rendering logic, as evidenced by the affected files class-wp-customize-form-manager.php and helper-form-templates.php. No public exploit code or CISA KEV listing has been identified at time of analysis, and the Administrator-level access prerequisite substantially limits the realistic attacker population.

WordPress LFI RCE PHP Information Disclosure +1
NVD VulDB
CVSS 3.1
6.6
EPSS
0.5%
CVE-2026-13010 MEDIUM This Month

Time-based SQL injection in the JoomSport WordPress plugin (all versions through 5.7.9) enables authenticated contributors to exfiltrate sensitive database contents via unsanitized 'event' shortcode attributes. The flaw exists in at least two code paths - joomsport-shortcodes.php and class-jsport-getplayers.php - where user-supplied shortcode parameters are interpolated into SQL queries without parameterization or adequate escaping. Because WordPress Contributor-level users can embed shortcodes in posts and pages, the effective attacker pool includes any registered user granted that role, broadening realistic exposure beyond typical authenticated-only flaws. No public exploit code or CISA KEV listing identified at time of analysis, but a patch commit (changeset 3594276) is referenced in the plugin repository.

WordPress SQLi
NVD
CVSS 3.1
6.5
EPSS
0.4%
CVE-2026-55469 MEDIUM PATCH This Month

Arbitrary file deletion in Snipe-IT prior to 8.6.2 allows an authenticated attacker holding both import and assets.update permissions to delete any file readable by the server process via a path traversal string injected into the asset image field during CSV import. The vulnerability is triggered in a two-stage pattern: first importing a crafted CSV, then invoking the image deletion action, which follows the unsanitized path without boundary checks. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog. The fix is confirmed in the v8.6.2 release.

Path Traversal Snipe It
NVD GitHub
CVSS 3.1
6.5
EPSS
0.4%
CVE-2026-15287 MEDIUM This Month

Time-based blind SQL injection in the rtMedia for WordPress, BuddyPress and bbPress plugin (versions up to and including 4.6.18) allows authenticated attackers with subscriber-level access or higher to exfiltrate sensitive data from the WordPress database via the `order_by` parameter. The low authentication bar - any registered user qualifies - combined with a network-accessible attack vector and high confidentiality impact makes this a meaningful risk for community or membership sites with open user registration enabled. No public exploit code or CISA KEV listing has been identified at time of analysis, but the technique (time-based blind SQLi) is well-understood and requires no specialized tooling.

WordPress SQLi
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-15104 MEDIUM This Month

SQL Injection in the BetterDocs WordPress plugin (versions up to and including 4.6.0) enables authenticated attackers holding at minimum a custom-level WordPress role to append arbitrary SQL to existing queries via the unsanitized `lang` parameter, extracting sensitive data from the underlying database. The attack surface is restricted to sites where one of five specific multilingual plugins (WPML, Polylang, qTranslate, Weglot, or TranslatePress) is active, as the vulnerable code path is guarded by `Helper::is_multilingual_active()`. No public exploit identified at time of analysis; EPSS data unavailable, and the CVE is not listed in CISA KEV.

WordPress SQLi Betterdocs Ai Documentation Knowledge Base Docs Wikis Faq With Chatbot
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-13242 MEDIUM PATCH This Month

SQL injection in the Drupal Geolocation Field contributed module exposes sites to unauthenticated database read and partial write access across all module versions prior to 3.15.0. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms the attack requires no authentication and no user interaction, making it remotely triggerable against any publicly reachable Drupal installation running the affected module. Impact is bounded by C:L/I:L/A:N - partial data disclosure and modification without availability disruption or full database takeover. No active exploitation has been confirmed (no CISA KEV listing), and EPSS sits at a low 0.16% (5th percentile), indicating minimal current attacker interest. A vendor patch is available.

SQLi Geolocation Field
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-13241 MEDIUM PATCH This Month

Missing authorization in the Drupal Paragraphs contributed module (all versions through 1.20.x) enables unauthenticated remote attackers to perform forceful browsing - directly accessing paragraph entity URLs or endpoints without passing any authorization check. The CVSS vector (PR:N/AC:L/AV:N) confirms exploitation requires no credentials against default-configured Drupal sites running the affected module. Despite an automatable attack surface, SSVC rates exploitation as none, EPSS sits at 0.13% (3rd percentile), and no active exploitation is confirmed; a vendor patch is available via Drupal SA-contrib-2026-061.

Authentication Bypass Paragraphs
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-13240 MEDIUM PATCH This Month

Forceful Browsing via missing authorization (CWE-862) in the Drupal Paragraphs contributed module allows remote unauthenticated users to access paragraph entities they are not authorized to view or modify, bypassing the CMS access control layer entirely. All Paragraphs releases from 0.0.0 up to but not including 1.21.0 are affected, per vendor advisory SA-CONTRIB-2026-060. Despite being automatable per SSVC analysis and network-exploitable with no privileges required, real-world exploitation risk is low: EPSS sits at 0.13% (3rd percentile), no public exploit code has been identified, and CISA has not added this to KEV.

Authentication Bypass Paragraphs
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-13239 MEDIUM PATCH This Month

Missing authorization controls in Drupal WissKI versions prior to 4.2.0 enable unauthenticated remote attackers to perform forceful browsing - directly accessing restricted resources by guessing or enumerating URLs without undergoing proper authorization checks. The affected versions span the entire release history from 0.0.0 through 4.2.0, making all prior deployments vulnerable. SSVC assessment confirms no active exploitation at time of analysis, and the EPSS score of 0.13% (3rd percentile) suggests very low real-world exploitation probability despite the automatable nature of the attack.

Authentication Bypass Wisski
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-40009 MEDIUM PATCH This Month

Privilege escalation in Apache IoTDB 2.0.8 through 2.0.9 allows any authenticated low-privilege user to rename their own account to the reserved '__internal_auditor' identity and thereby inherit full tree-path access across all stored time-series data. The flaw stems from the system trusting a reserved auditor username without protecting it from ordinary user-driven renames, so a normal database user can self-promote to auditor-level authority. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; it was reported and fixed by the Apache project in 2.0.10.

Privilege Escalation Apache Apache Iotdb
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-54171 MEDIUM PATCH GHSA This Month

Sensitive HTTP header leakage in the excon Ruby gem's RedirectFollower middleware exposes credentials and tokens to unintended redirect destinations. Applications using the RedirectFollower middleware that include headers such as Authorization or API keys in outbound requests will inadvertently forward those headers to the redirect target - which may be attacker-controlled or a third-party service. No public exploit code has been identified and this vulnerability is not listed in CISA KEV; however, the CVSS 3.1 score of 6.5 reflects high confidentiality impact, and a vendor-released patch is available in v1.5.0.

Information Disclosure
NVD GitHub
CVSS 3.1
6.5
CVE-2026-54468 MEDIUM PATCH This Month

Path traversal in Dell Unisphere for PowerMax 10.3.0.5 and prior exposes arbitrary files on the underlying server to remote attackers holding low-privileged credentials. The CVSS vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) confirms high confidentiality impact with no integrity or availability consequence, consistent with a read-only directory traversal flaw. No public exploit code has been identified and this vulnerability is not listed in CISA KEV at time of analysis, though the low attack complexity raises concern for rapid weaponization if credentials are compromised.

Dell Path Traversal
NVD VulDB
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-13710 MEDIUM This Month

Stored Cross-Site Scripting in Jeg Elementor Kit for WordPress versions through 3.2.6 enables authenticated Contributors to inject persistent malicious scripts via the Image Box widget's description field. The root cause is a deliberate inconsistency in the render_body() method of Image_Box_View: every other attribute is sanitized with esc_attr(), but sg_body_description is concatenated raw into HTML body context. Any user who visits a page containing the injected widget executes the payload, enabling session hijacking and potential escalation to Administrator. No public exploit code or CISA KEV listing has been identified at time of analysis.

WordPress XSS
NVD VulDB
CVSS 3.1
6.4
EPSS
0.4%
CVE-2026-13247 MEDIUM This Month

Stored Cross-Site Scripting in the Logo Slider WordPress plugin (all versions through 5.5) allows authenticated contributors to inject persistent JavaScript payloads via the 'lgx_tooltip_position' parameter, executing in the browser of any user who subsequently visits an affected page. The CVSS scope change (S:C) reflects that injected scripts execute in victim browser contexts - enabling session hijacking or privilege escalation against higher-privileged users including site administrators. No public exploit or CISA KEV listing has been identified at time of analysis, though the low attack complexity and the breadth of contributor-level accounts on WordPress sites make this a realistic risk for multi-author installations.

WordPress XSS
NVD VulDB
CVSS 3.1
6.4
EPSS
0.3%
CVE-2026-15284 MEDIUM This Month

Stored Cross-Site Scripting in King Addons for Elementor (WordPress plugin, versions ≤51.1.62) allows authenticated attackers with subscriber-level access to inject persistent JavaScript into the WordPress admin submissions panel. The flaw stems from a two-stage sanitization failure: `sanitize_text_field()` applied during form submission storage preserves double-quote characters in `form_page_id`, and the downstream `king_addons_submissions_custom_column_content()` function then concatenates that stored value into an HTML `href` attribute via `admin_url()` without wrapping the result in `esc_url()`. No public exploit or CISA KEV listing exists at time of analysis; EPSS data was not provided in the input.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.3%
CVE-2026-49844 MEDIUM PATCH This Month

Malformed JSON output in Apache Log4j API versions 2.13.1-2.25.4 and 2.26.0 allows a remote attacker who can inject non-finite floating-point values (NaN, Infinity, -Infinity) into a logged MapMessage to corrupt downstream log records and disrupt log ingestion pipelines. This is an incomplete fix follow-on to CVE-2026-34481: the prior patch left code paths in MapMessage.asJson() and MapMessage.getFormattedMessage(["JSON"]) that still emit bare IEEE 754 non-finite tokens prohibited by RFC 8259. No public exploit or active exploitation (CISA KEV) has been identified; the CVSS 4.0 score of 6.3 reflects limited subsequent-system integrity impact rather than direct host compromise.

Information Disclosure Apache Apache Log4J Api
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.8%
CVE-2026-15296 MEDIUM This Month

Stored Cross-Site Scripting in the affiliate-toolkit WP Affiliate Plugin with Amazon (versions through 3.7.0) allows authenticated contributors to inject persistent malicious scripts via the 'atkp_product' shortcode due to unsanitized user-supplied attributes. This represents a bypass of the previously patched CVE-2024-10227, indicating the prior fix was incomplete. Any WordPress user - including administrators - who loads a page containing the injected shortcode will execute the attacker's script in their browser, enabling session theft, credential harvesting, or unauthorized admin actions. No public exploit or CISA KEV listing is identified at time of analysis.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.3%
CVE-2026-15285 MEDIUM This Month

Stored Cross-Site Scripting in The Plus Addons for Elementor WordPress plugin (versions through 6.4.11) allows authenticated contributors to inject persistent malicious scripts into pages via the Button widget's `custom_attributes` parameter. The root cause is a bypassable sanitization filter (`tp_senitize_js_input()`) in `modules/widgets/tp_button.php` that fails to properly neutralize HTML/JS content before rendering. When an administrator or other privileged user subsequently views an affected page, the stored payload executes in their browser context, enabling session hijacking or unauthorized administrative actions. No public exploit identified at time of analysis; patch is available in version 6.4.12.

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.3%
CVE-2026-12123 MEDIUM This Month

Server-Side Request Forgery in the All-in-One Video Gallery WordPress plugin (all versions through 4.8.5) enables a two-stage attack where a subscriber-level authenticated user plants an internal or loopback URL into a video post's mp4 meta field via the XML-RPC wp.newPost method, then any unauthenticated party can trigger the ?vdl=<post_id> endpoint to force the server to fetch that URL and stream the full response body - enabling reconnaissance of internal services including cloud metadata endpoints. The CVSS scope change (S:C) captures the critical decoupling: subscriber-level credentials are needed only for setup, while the actual SSRF trigger requires no authentication at all. No public exploit identified at time of analysis, though the Wordfence advisory documents the complete attack chain with specific code line references.

WordPress SSRF All In One Video Gallery
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-15292 MEDIUM This Month

Stored Cross-Site Scripting in the Sudoku Shortcode WordPress plugin (all versions through 1.0.0) allows authenticated Contributors to inject persistent malicious scripts via the unsanitized 'background' parameter of the 'sudoku-sc' shortcode. Once injected into a page or post, the payload executes in the browser of every subsequent visitor, including administrators, enabling session hijacking, credential theft, or unauthorized administrative actions. No public exploit code or CISA KEV listing has been identified at time of analysis, though Wordfence has catalogued the vulnerability in their threat intelligence database.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-12924 MEDIUM This Month

Stored cross-site scripting in the Eventin WordPress event management plugin (all versions through 4.1.15) lets any contributor-level user permanently embed malicious JavaScript in event FAQ sections via the unescaped `etn_faq_content` parameter. The CVSS scope change (S:C) confirms the impact crosses the attacker's security context - injected scripts execute in any visitor's browser who loads the affected event page, enabling session hijacking or credential harvesting of higher-privileged users including site administrators. No public exploit has been identified and the vulnerability is not listed in CISA KEV, but the low attack complexity and commonly granted contributor role make this a credible insider-threat risk on multi-user WordPress installations.

WordPress XSS Eventin Event Calendar Event Registration Tickets Booking Ai Powered
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-3907 MEDIUM This Month

Stored Cross-Site Scripting in the Hostel WordPress plugin (all versions through 1.1.7) permits authenticated Contributor-level users to permanently inject arbitrary JavaScript into WordPress pages via the second attribute of the `wphostel-book` shortcode, which is passed unsanitized to the `$text` variable and rendered raw into an HTML `value` attribute without `esc_attr()` escaping. Any user who subsequently views an injected page will execute the attacker's payload in their browser, enabling session hijacking or privilege escalation against higher-privileged site users. No public exploit has been identified at time of analysis and this vulnerability is not listed in CISA KEV; the primary risk is to WordPress sites that grant Contributor access to untrusted or semi-trusted users.

WordPress XSS Hostel
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-55370 MEDIUM PATCH This Month

TOTP replay vulnerability in Logto prior to 1.41.0 allows an attacker who holds a victim's first-factor credentials and captures a live TOTP code to replay that code within the same RFC 6238 acceptance window, bypassing multi-factor authentication entirely. The root cause is otplib's stateless verification call with window=1, which validates the time-based OTP cryptographically but does not persist the last-accepted time-step counter - leaving used codes valid for replay until the 30-second window expires. No public exploit or CISA KEV listing exists at time of analysis, but successful exploitation yields full account compromise (C:H, I:H) because MFA is the terminal authentication barrier.

Information Disclosure
NVD GitHub
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-15299 MEDIUM This Month

Stored Cross-Site Scripting in the Animation Addons for Elementor WordPress plugin (all versions through 2.6.3) enables authenticated attackers with Contributor-level access to permanently inject arbitrary JavaScript into pages using the Weather widget. The payload renders unescaped for every subsequent visitor, enabling session hijacking, credential theft, or admin-context privilege escalation without further attacker interaction. No CISA KEV listing and no public exploit code have been identified at time of analysis, but the low attack complexity combined with scope change to victims' browsers makes this a credible risk for multi-author WordPress deployments running this plugin with the Weather widget actively configured.

WordPress XSS PHP
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
Page 1 of 4 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy