Skip to main content
CVE-2026-22095 CRITICAL PATCH Act Now

Remote code execution in the evbee DC-80 EV charging station is possible through a command injection flaw in the network diagnosis endpoint exposed on the web server at TCP port 8090. Because the CVSS 4.0 vector specifies no privileges and no user interaction (AV:N/PR:N/UI:N), a remote unauthenticated attacker who can reach port 8090 can inject operating-system commands and fully compromise the device. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV, but the DIVD coordinated disclosure and 9.3 (Critical) score make it a high-priority defect.

Command Injection Dc 80
NVD
CVSS 4.0
9.3
EPSS
1.0%
CVE-2026-59515 CRITICAL Act Now

Blind SQL injection in the Sergey "AIWU" ai-copilot-content-generator WordPress plugin (all versions through 1.5.4) allows remote attackers to inject arbitrary SQL into backend database queries, per the CVSS:3.1 vector without requiring authentication or user interaction. Because the scope is changed and confidentiality impact is High, an attacker can exfiltrate sensitive database contents (WordPress user credentials, secrets, PII) via time- or boolean-based blind techniques. No public exploit identified at time of analysis and the issue is not on CISA KEV, but its high CVSS (9.3) and the fact that it was catalogued by Patchstack make it a credible risk for exposed WordPress sites.

SQLi Aiwu
NVD
CVSS 3.1
9.3
EPSS
0.4%
CVE-2026-57739 CRITICAL Act Now

Blind SQL injection in the AcyMailing SMTP Newsletter plugin for WordPress (all versions up to and including 10.11.0) lets remote attackers inject arbitrary SQL through unsanitized input and extract database contents inference-by-inference. The CVSS 3.1 base score is 9.3, elevated by a changed scope and confidentiality impact against the underlying WordPress database. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; the finding originates from Patchstack.

SQLi Acymailing Smtp Newsletter
NVD
CVSS 3.1
9.3
EPSS
0.4%
CVE-2026-57726 CRITICAL Act Now

Blind SQL injection in the Themeum Kirki WordPress customizer framework (all versions up to and including 6.0.12) lets remote attackers inject SQL through improperly neutralized special elements, per the CVSS PR:N vector without authentication, to infer and extract database contents. The scope-changed CVSS 3.1 score of 9.3 reflects impact reaching beyond the plugin's own security boundary into the wider WordPress database. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.

SQLi Kirki
NVD
CVSS 3.1
9.3
EPSS
0.4%
CVE-2026-57714 CRITICAL Act Now

Blind SQL injection in the LatePoint WordPress appointment-booking plugin (versions up to and including 5.6.3) lets remote unauthenticated attackers inject crafted SQL through improperly neutralized input (CWE-89), enabling extraction of database contents via boolean/time-based inference. Reported by Patchstack and rated CVSS 9.3 with a network vector requiring no privileges or user interaction; the changed scope reflects access to the shared WordPress/MySQL database beyond the plugin's own boundary. No public exploit is identified at time of analysis and it is not listed in CISA KEV.

SQLi Latepoint
NVD
CVSS 3.1
9.3
EPSS
0.4%
CVE-2026-57707 CRITICAL Act Now

SQL injection in QuantumCloud's Simple Business Directory Pro WordPress plugin (all versions through 15.9.4) allows remote attackers to inject crafted SQL into backend database queries, enabling extraction of sensitive data such as user credentials and stored directory records. Patchstack rates it critical (CVSS 9.3) with a network attack vector and no authentication indicated in the supplied vector; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. The high score and scope-change flag make it a priority for any site running this plugin.

SQLi Simple Business Directory Pro
NVD
CVSS 3.1
9.3
EPSS
0.4%
CVE-2026-57702 CRITICAL Act Now

Blind SQL injection in the Amelia booking plugin for WordPress (Melograno Venture Studio) affects all versions from unknown initial release through 2.4.2, allowing remote attackers to inject crafted SQL into database queries and extract sensitive data via boolean/time-based inference. The CVSS 9.3 vector (AV:N/PR:N) indicates network-reachable exploitation without authentication, though this is a Patchstack-reported issue with no public exploit and no CISA KEV listing at time of analysis. Because the injection is blind, exploitation typically requires automated tooling to reconstruct data one condition at a time.

SQLi Amelia
NVD VulDB
CVSS 3.1
9.3
EPSS
0.4%
CVE-2026-4769 CRITICAL PATCH Act Now

Full system compromise of WAGO System I/O-Field series controllers (0765-xxx families) is possible when an unauthenticated remote attacker reaches an undocumented internal diagnostic interface that is briefly exposed during the device's early boot phase. Because the diagnostic capability requires no authentication and grants access to internal system processes, a successful attacker obtains complete control over confidentiality, integrity, and availability. Reported by CERT@VDE (VDE-2026-031); no public exploit code has been identified and it is not listed in CISA KEV at time of analysis.

Information Disclosure 0765 110X 0100 0000 0765 120X 0100 0000 0765 150X 0100 0000 0765 2101 0100 0000 +4
NVD VulDB
CVSS 4.0
9.3
EPSS
0.4%
CVE-2026-61462 CRITICAL PATCH Act Now

GitLab API request redirection in zereight's mcp-gitlab (gitlab-mcp) MCP server lets attackers who control the job_id parameter escape the intended /jobs/ path prefix and reach arbitrary GitLab REST API endpoints under the operator's personal access token. Because the token is a bearer of the operator's full GitLab privileges, a crafted value such as '../../../user' resolves to /api/v4/user (or any other resource), turning a scoped job lookup into broad unauthorized data access. No public exploit was identified at time of analysis, and it is not listed in CISA KEV, but the flaw is trivially triggerable and was reported by VulnCheck with a vendor fix committed.

Gitlab Path Traversal Mcp Gitlab
NVD GitHub
CVSS 4.0
9.2
EPSS
0.4%
CVE-2026-13014 CRITICAL Act Now

Remote unauthenticated code execution in Thales CERT's "Suspicious" email-analysis application (versions 1.3.4 and earlier), dubbed "Matryoshka Mail," lets an attacker abuse path traversal in attachment handling to overwrite writable application files-Python modules, configuration, cron inputs, and runtime artifacts-yielding root-level execution inside the Django container. Because the affected code runs Python and processes attacker-supplied mail, overwriting an imported module effectively converts arbitrary file write into RCE, plus persistent denial of service and possible exposure of application secrets and integrations. No public exploit identified at time of analysis and the issue is not in CISA KEV, but it carries a CVSS 4.0 base score of 9.2 and vendor-credited discovery by Lucien Doustaly (wlayzz).

Denial Of Service Path Traversal RCE Python Suspicious
NVD GitHub
CVSS 4.0
9.2
EPSS
0.7%
CVE-2026-22098 CRITICAL PATCH Act Now

Sensitive-data logging in the Evbee DC-80 DC EV charger writes secrets such as user passwords and charging card (RFID) UIDs in cleartext to log files, per DIVD advisory DIVD-2026-00001. The supplied CVSS 4.0 base score of 9.2 reflects high confidentiality impact to both the vulnerable system and downstream systems that reuse those credentials, so anyone able to read the logs can harvest reusable authentication material. No public exploit identified at time of analysis.

Information Disclosure Dc 80
NVD
CVSS 4.0
9.2
EPSS
0.3%
CVE-2026-13221 CRITICAL PATCH Act Now

Silently incorrect regular-expression matching in the Perl interpreter (all versions through 5.43.9) lets an oversized alternation of more than 65,535 fixed-string branches overflow a 16-bit delta field when the branches are optimized into a trie, truncating the match-decision table. The result is both false-positive and false-negative matches, so any Perl program that uses such a pattern to gate access or filter input can make wrong security decisions. There is no public exploit identified at time of analysis, though the fixing commit ships a deterministic reproducer test, and the flaw is not listed in CISA KEV.

Buffer Overflow Integer Overflow Perl
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
0.2%
CVE-2026-58102 CRITICAL PATCH Act Now

Heap out-of-bounds read in the Crypt::OpenSSL::X509 Perl module (versions before 2.1.3) lets a crafted X.509 certificate leak adjacent heap memory to an application that enumerates certificate extensions. When code calls extensions(), extensions_by_long_name(), extensions_by_oid(), or has_extension_oid(), a certificate extension whose textual OID exceeds the fixed 129-byte buffer causes the returned hash key to include bytes read past the allocation, exposing process memory and risking a crash. No public exploit is identified at time of analysis and it is not in CISA KEV, but the fix is confirmed in release 2.1.3 and the flaw is trivially triggerable by any attacker who can supply a certificate.

OpenSSL Buffer Overflow Information Disclosure Crypt
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-58409 CRITICAL Act Now

Remote code execution in ChurchCRM before 7.4.0 lets an authenticated administrator run arbitrary PHP on the server by installing a plugin ZIP that contains a webshell. Because 'php' is explicitly whitelisted in ALLOWED_EXTENSIONS and the DENIED_EXTENSIONS denylist fails to catch standard .php files, any PHP file inside the archive is extracted directly under the web root and becomes immediately executable over HTTP without the plugin ever being enabled. The /plugins/install-url route additionally allows the archive to be sourced from any attacker-controlled HTTPS URL, validated only against an attacker-supplied SHA-256 hash. No public exploit identified at time of analysis and it is not on CISA KEV.

PHP File Upload RCE Crm
NVD GitHub
CVSS 3.1
9.1
EPSS
0.5%
CVE-2026-51537 CRITICAL Act Now

Out-of-bounds read in the EIPStackGroup OpENer EtherNet/IP stack (version 2.3.0, commit 76b95cf) lets a remote unauthenticated attacker send a crafted ENIP frame carrying a malformed CIP ForwardOpen/LargeForwardOpen request that drives the Connection Manager parser to read past the supplied request buffer, exposing adjacent memory or crashing the stack. Per the CVSS vector (AV:N/AC:L/PR:N/UI:N) it is reachable over the network with no authentication and low complexity, yielding high confidentiality and availability impact. No CISA KEV listing and no EPSS were supplied; no active exploitation is confirmed, though a referenced public gist appears to document the flaw and may contain proof-of-concept material.

Buffer Overflow Information Disclosure N A
NVD GitHub
CVSS 3.1
9.1
EPSS
0.2%
CVE-2026-51536 CRITICAL Act Now

Stack buffer overflow in the OpENer EtherNet/IP stack (version 2.3.0, commit 76b95cf) lets remote attackers corrupt memory by sending a crafted CIP network packet whose length field is truncated into a negative value, bypassing bounds checks in DecodePaddedEPath. The CVSS vector (AV:N/PR:N/UI:N) indicates unauthenticated remote reachability with high confidentiality and availability impact; no public exploit is identified at time of analysis (not in CISA KEV), though a referenced gist and GitHub issue suggest researcher analysis and possible proof-of-concept material exist. As an OT/ICS protocol stack, exploitation would most plausibly cause denial of service or memory disclosure on embedded industrial devices.

Buffer Overflow Integer Overflow N A
NVD GitHub
CVSS 3.1
9.1
EPSS
0.2%
CVE-2026-51541 CRITICAL Act Now

OpENer 2.3.0 (commit 76b95cf) has an out-of-bounds read issue in CIP message parsing when handling malformed explicit requests with a forged EPath size. An attacker can send a valid ENIP SendRRData frame carrying a very short CIP payload whose path_size field claims that many more path words are present than are actually available. Because the parser trusts the attacker-controlled path_size and continues decoding path segments without a remaining-length boundary, it reads beyond the end of the stack receive buffer.

Buffer Overflow N A Information Disclosure
NVD GitHub
CVSS 3.1
9.1
EPSS
0.2%
CVE-2026-51538 CRITICAL Act Now

Access-control bypass in EIPStackGroup OpENer 2.3.0 (commit 76b95cf) lets any unauthenticated network attacker hijack another client's EtherNet/IP encapsulation session by replaying a valid session_handle, because the stack validates the handle against a global session list but never binds it to the originating TCP socket. Affected industrial devices running this open-source stack can have their EtherNet/IP command channel abused for read/write operations under another client's authority. No CISA KEV listing exists, but a researcher gist referenced in the advisory appears to publish exploit details, and the CVSS 9.1 rating reflects high confidentiality and integrity impact.

Authentication Bypass N A
NVD GitHub
CVSS 3.1
9.1
EPSS
0.2%
CVE-2026-12081 MEDIUM POC PATCH This Month

PHP object injection in the 'Database for Contact Form 7, WPforms, Elementor forms' WordPress plugin (all versions before 1.5.2) permits unauthenticated attackers to embed malicious serialized PHP objects via the entry-editor file-field path, which are instantiated server-side when an administrator views the stored form entry. This is an incomplete remediation of two prior CVEs (CVE-2025-7384 and CVE-2026-2599) - earlier patches hardened other deserialization paths within the same plugin while this specific code route was overlooked. A publicly available exploit exists; no active exploitation is confirmed by CISA KEV at time of analysis.

PHP Deserialization WordPress Database For Contact Form 7 Wpforms Elementor Forms
NVD WPScan
CVSS 3.1
5.0
EPSS
0.2%
CVE-2026-49970 HIGH PATCH This Week

Arbitrary file write in the Plank Laravel-Mediable package (before 7.0.0) lets an attacker who influences the destination directory of MediaUploader::toDestination() plant uploaded files outside the intended storage path, culminating in remote code execution. The flaw stems from a weak File::sanitizePath() regex that permits both '.' and '/' characters plus an ineffective trailing trim(), so '../' traversal sequences survive sanitization and files can land in the document root, .env, or config directories. No public exploit has been identified at time of analysis, but a vendor patch (7.0.0) exists and the issue was reported by VulnCheck.

RCE Path Traversal Laravel Mediable
NVD GitHub
CVSS 4.0
8.7
EPSS
0.8%
CVE-2026-57830 HIGH This Week

Arbitrary file deletion in JoomShaper's Helix Ultimate template framework for Joomla allows unauthenticated remote attackers to delete files on the server due to a missing authorization check (CWE-862). Any anonymous user can reach the vulnerable functionality without credentials (PR:N/UI:N), enabling deletion of critical Joomla files to corrupt or take down the site. No public exploit has been identified at time of analysis, and the CVE is not listed in CISA KEV.

Authentication Bypass Helix Ultimate Extension For Joomla
NVD
CVSS 4.0
8.8
EPSS
0.2%
CVE-2026-55771 HIGH This Week

Incorrect equality comparison in CedarJava (cedar-java) versions before 4.9.0 causes EntityIdentifier.equals() to return true when comparing against null and false when comparing an object to itself, due to inverted null/self-reference branches. Cedar's actual authorization decisions are unaffected because they are computed in Rust from JSON, but integrators who call equals() on entity identifiers in their own Java logic may make incorrect trust or access decisions. No public exploit identified at time of analysis; the issue is fixed in 4.9.0.

RCE Code Injection Java Cedar Java
NVD GitHub
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-57786 HIGH This Week

Authentication bypass in the WorkScout Core WordPress plugin (versions up to and including 1.7.08) can be triggered through a Cross-Site Request Forgery flaw, letting an off-site attacker perform privileged authentication-related actions in the context of a logged-in victim who visits a malicious page. The issue was reported by Patchstack and carries a CVSS 8.8; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Because exploitation hinges on tricking an authenticated user into clicking (UI:R), it is high-impact but not point-and-click automatable.

Authentication Bypass CSRF Workscout Core
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-57713 HIGH This Week

PHP Object Injection in the WordPress Events Manager plugin (Marcus/@msykes) affects all versions up to and including 7.3.6, letting remote attackers deserialize untrusted data and instantiate arbitrary PHP objects. When paired with a suitable POP gadget chain present in the plugin, WordPress core, or another installed plugin, this can escalate to remote code execution, data theft, or site takeover. Reported by Patchstack with a CVSS of 8.8; there is no public exploit identified at time of analysis and it is not on CISA KEV, though the network vector combined with only requiring user interaction makes it a serious patch priority.

Deserialization Events Manager
NVD
CVSS 3.1
8.8
EPSS
0.5%
CVE-2026-57410 HIGH This Week

Privilege escalation in the MailerPress WordPress plugin (versions up to and including 2.0.2) lets an authenticated low-privilege user gain higher privileges through an incorrect privilege assignment flaw. The CVSS 3.1 vector (AV:N/AC:L/PR:L) indicates a network-reachable, low-complexity attack that any authenticated user can perform, yielding full confidentiality, integrity, and availability impact - effectively a takeover of the plugin's protected functionality or the WordPress site. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV; it was reported through Patchstack.

Privilege Escalation Mailerpress
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-57386 HIGH This Week

Privilege escalation in the aBlocks WordPress plugin (Kodezen LLC) through version 2.9.1 allows an authenticated low-privileged user to elevate their permissions due to incorrect privilege assignment. With a CVSS of 8.8 (AV:N/AC:L/PR:L), a subscriber- or contributor-level account can gain elevated capabilities remotely over the network. No public exploit identified at time of analysis; the issue was disclosed by Patchstack.

Privilege Escalation Ablocks
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-57371 HIGH This Week

PHP Object Injection in the WPJAM Basic WordPress plugin (denishua) affects all versions up to and including 7.0, allowing an authenticated attacker to inject crafted serialized objects that are deserialized by the plugin. Reported by Patchstack and rated CVSS 8.8, it can lead to high-impact compromise (confidentiality, integrity, and availability) of the WordPress site, though exploitation requires at least low-level authenticated access. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Deserialization Wpjam Basic
NVD
CVSS 3.1
8.8
EPSS
0.5%
CVE-2026-62184 HIGH PATCH This Week

Ban-list poisoning in OpenWrt's luci-app-banip (banIP) before 1.8.10 lets an unauthenticated remote attacker steer the automated IP-blocking engine at an arbitrary victim. Because the awk-based log monitor grabs the first IPv4 address it finds on a log line regardless of field position, an attacker can embed a spoofed IP inside an attacker-controlled field such as a login username; banIP then bans that injected address while the real attacker's source IP is never blocked. Reported by VulnCheck with a vendor patch available; no public exploit code or active exploitation is identified at time of analysis.

Code Injection Luci
NVD GitHub
CVSS 4.0
8.7
EPSS
0.4%
CVE-2026-62328 HIGH This Week

Unauthenticated information disclosure in 9Router (decolua/9router) through version 0.4.41 lets remote attackers read every user's AI request logs and full conversation histories by querying the /api/usage/request-logs and /api/usage/request-details endpoints, which ship without authentication middleware. Exposed data includes system prompts, user and assistant messages, tool calls, and user email addresses, and the linked GHSA advisory shows the same missing-auth flaw class also leaks plaintext provider API keys via /api/usage/stats and permits unauthenticated CRUD on /api/providers. This is a network-reachable, no-privilege flaw (CVSS 4.0 8.7) with no public exploit identified at time of analysis and no vendor-released patch identified at time of analysis.

Authentication Bypass Information Disclosure 9Router
NVD GitHub
CVSS 4.0
8.7
EPSS
0.4%
CVE-2026-61458 HIGH This Week

Passphrase brute-force in PasswordPusher before 2.9.2 lets remote attackers who possess a push token recover the passphrase protecting a shared secret by hammering the POST /p/:token/access endpoint. Because that route has no per-route rate limiting and no per-push lockout, an attacker can sustain roughly 120 guesses per minute, making short or dictionary-based passphrases recoverable within hours to days. Reported by VulnCheck; no public exploit identified at time of analysis and not listed in CISA KEV.

Information Disclosure Passwordpusher
NVD GitHub
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-62200 HIGH This Week

Authorization bypass in OpenClaw before 2026.6.1 lets a lower-trust authenticated caller abuse Git 'ext' transport through incomplete host-exec environment filtering to execute or persist actions beyond their intended privileges. VulnCheck reported and characterizes it as an authentication bypass via Git ext transport, and a GitHub Security Advisory (GHSA-9969-8g9h-rxwm) is published; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. The CVSS 4.0 base score of 8.7 reflects high confidentiality, integrity, and availability impact reachable over the network with only low privileges.

Information Disclosure Openclaw
NVD GitHub
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-62199 HIGH This Week

Authorization bypass in OpenClaw before 2026.6.6 lets a low-privileged caller inject crafted interpreter startup environment variables through the host exec feature, executing or persisting actions beyond their intended authorization. The flaw stems from incomplete environment-variable filtering (CWE-184) that overlooks interpreter startup variables, and per its CVSS 4.0 vector (VC:H/VI:H/VA:H) yields high confidentiality, integrity, and availability impact. No public exploit has been identified at time of analysis; the issue is reported by VulnCheck and fixed in 2026.6.6.

Information Disclosure Openclaw
NVD GitHub
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-62190 HIGH This Week

Authorization bypass in OpenClaw before 2026.6.9 lets a lower-trust caller escape the exec-approval trust boundary through the flock wrapper, executing or persisting privileged actions the caller was never authorized to perform. The CVSS 4.0 vector (PR:L) indicates an authenticated but low-privilege actor can achieve high confidentiality, integrity, and availability impact when the affected feature is enabled. Reported by VulnCheck with a vendor GitHub Security Advisory (GHSA-3fp5-v549-9v66); no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass Openclaw
NVD GitHub
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-57829 HIGH This Week

Stored cross-site scripting in JoomShaper's Helix Ultimate template framework for Joomla lets unauthenticated attackers persist malicious JavaScript that executes in a victim's browser when the affected page is viewed. Because injection requires no authentication (PR:N) but relies on a victim rendering the poisoned content (UI:P), an attacker can hijack sessions, steal credentials, or perform actions as high-privilege administrators who visit the page. No public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

XSS Helix Ultimate Extension For Joomla
NVD
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-62194 HIGH This Week

Privilege escalation in OpenClaw 2026.5.20 through 2026.6.8 lets an already-authenticated, lower-trust caller abuse the plugin install command path to execute or persist actions beyond their intended authorization. The root cause is an incorrect permission assignment (CWE-732) on plugin installation, and the CVSS 4.0 vector (PR:L, UI:N, AV:N) shows a low-privileged remote actor can achieve high confidentiality, integrity, and availability impact. No public exploit identified at time of analysis and the CVE is not in CISA KEV, but a GitHub Security Advisory (GHSA-7vrr-rp4x-4g76) and a VulnCheck advisory document it.

Privilege Escalation Openclaw
NVD GitHub
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-62196 HIGH This Week

Authorization bypass in OpenClaw (versions 2026.3.22 up to but not including 2026.6.6) lets a lower-trust WhatsApp sender satisfy elevated sender allowlists because WhatsApp group IDs are accepted as if they were privileged individual sender identities. An authenticated but low-privilege attacker can therefore invoke actions gated behind stronger authorization, effectively escalating privilege within the messaging integration. Reported by VulnCheck with a CVSS 4.0 base score of 8.7 (high); no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass Openclaw
NVD GitHub
CVSS 4.0
8.7
EPSS
0.2%
CVE-2026-62195 HIGH This Week

Authorization bypass in OpenClaw 2026.5.20 through 2026.6.5 lets a low-privilege caller invoke owner-only tools through the MCP loopback feature, escalating beyond intended permissions to execute or persist privileged actions. The flaw stems from incorrect permission enforcement (CWE-732) on configured input paths reachable over the network. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

Authentication Bypass Openclaw
NVD GitHub
CVSS 4.0
8.7
EPSS
0.2%
CVE-2026-57856 HIGH PATCH This Week

Path-traversal privilege escalation in Cockpit CMS Bucket file storage API (before 2.14.0) lets an authenticated low-privileged user bypass per-bucket isolation by supplying a '../' bucket name, granting cross-bucket read, upload, and delete over all files regardless of owner or role. The flaw stems from an incomplete sanitization regex that strips dangerous characters but preserves dot sequences, which Flysystem then normalizes down to the storage root. No public exploit is identified at time of analysis, though a proof-of-concept gist is referenced; the issue was reported by VulnCheck and a vendor patch is available.

PHP Path Traversal Cockpit Cms
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.4%
CVE-2026-57855 HIGH PATCH This Week

Broken access control in Cockpit CMS's Bucket file storage API (/system/buckets/api) lets any authenticated user, regardless of assigned role, execute all bucket file operations (list, upload, delete, rename, create folder) against any named bucket - including admin-only buckets. VulnCheck reported the flaw and publicly available exploit code exists (proof-of-concept gist), but there is no evidence of active exploitation. With a CVSS 4.0 score of 8.7 and full confidentiality/integrity/availability impact on stored files, it enables privilege escalation of file-storage capabilities across tenant boundaries within the CMS.

PHP Authentication Bypass Cockpit Cms
NVD GitHub
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-54065 HIGH PATCH GHSA This Week

Arbitrary file deletion in NukeViet CMS (versions before 4.6.00) allows an authenticated administrator to permanently delete any file within the web application root via a path-traversal payload in the comment Edit function. By padding the POST 'attach' parameter with exactly 26 filler characters followed by '../../<target>', an attacker survives the naive substr() prefix-stripping and stores a traversal path in the database; deleting the comment then removes the referenced file (e.g. config.php), forcing the site into the install wizard and causing a full outage. No public exploit identified at time of analysis, though the GitHub Security Advisory (GHSA-c9xg-64p9-f2jj) includes a full working reproduction.

PHP Path Traversal
NVD GitHub
CVSS 3.1
8.7
CVE-2026-54064 HIGH POC PATCH GHSA This Week

Stored cross-site scripting in the NukeViet CMS News module (versions before 4.6.00) lets any authenticated user with news-posting permission persist arbitrary JavaScript that runs in the browser of every visitor, including administrators. Two independent filter bypasses defeat the built-in anti-XSS routines in NukeViet\Core\Request: a Form Feed (\x0C) prefix slips event-handler attributes past the /^on/ check, and a decimal HTML-entity tab (&#9;) smuggles a javascript: URI past the keyword filter. Publicly available exploit payloads exist in the vendor advisory; there is no evidence of active exploitation and no EPSS figure was supplied.

PHP Privilege Escalation XSS
NVD GitHub
CVSS 3.1
8.7
CVE-2026-61463 HIGH PATCH This Week

Vertical privilege escalation in Shiori (go-shiori), the self-hosted Go bookmark manager, lets any authenticated low-privilege user promote themselves to administrator. By sending a crafted PATCH request to the /api/v1/auth/account update endpoint with owner: true - a field that lacked an authorization check - the user flips their own owner flag, then re-authenticates to receive an admin JWT granting full system access. Disclosed by VulnCheck with a vendor fix committed upstream; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Privilege Escalation Shiori
NVD GitHub
CVSS 4.0
8.7
EPSS
0.4%
CVE-2026-49259 HIGH POC PATCH GHSA This Week

Stored cross-site scripting in NukeViet CMS 4.x through 4.5.08 lets a low-privileged authenticated member embed a JavaScript payload in their profile display name (first_name/last_name), which then executes when any visitor - including administrators - clicks the Reply/Answer link on that member's comment. The flaw stems from HTML-entity encoding being applied where JavaScript-string escaping is required, so the payload runs in the victim's session context and can drive admin session actions, credential phishing, and data exfiltration. Publicly available exploit code exists (a working PoC is published in the GHSA advisory), though there is no public exploit identified as actively used in the wild.

PHP Privilege Escalation XSS
NVD GitHub
CVSS 3.1
8.7
CVE-2026-22099 HIGH PATCH This Week

Bluetooth authentication bypass in the Evbee DC-80 DC EV charging station lets an attacker within radio range issue privileged commands without any credentials, enabling sensitive information disclosure, forced reboots, and - most dangerously - the ability to push an arbitrary firmware update URL to the device. Reported by DIVD (DIVD-2026-00001), it carries CVSS 4.0 base 8.7 (High). No public exploit identified at time of analysis, and it is not listed in CISA KEV.

Authentication Bypass Dc 80
NVD
CVSS 4.0
8.7
EPSS
0.2%
CVE-2026-62185 HIGH This Week

Insecure-default configuration in the Argo CD (argoproj/argo-helm) Helm chart before 10.0.0 ships without any Kubernetes NetworkPolicy, so every pod sharing the cluster can reach the repo-server and other internal Argo CD APIs that are normally meant to be isolated. A low-privileged workload that an attacker already controls can chain this unrestricted intra-cluster access into full cluster compromise and remote code execution. Reported by VulnCheck; no public exploit identified at time of analysis and it is not listed in CISA KEV, but the vendor rates real-world impact high (CVSS 4.0 base 8.6).

RCE Argo Helm
NVD GitHub
CVSS 4.0
8.6
EPSS
0.3%
CVE-2026-62188 HIGH This Week

Privilege escalation via broken authorization in the OpenClaw @openclaw/feishu integration (versions 2026.6.6 and earlier) allows a lower-trust, already-authenticated caller to invoke Feishu permission tools that should have been blocked by per-account disablement settings. Because the enforcement gap lets a low-privilege actor perform actions requiring stronger authorization, the flaw carries high confidentiality and integrity impact (CVSS 4.0 base 8.6). No public exploit identified at time of analysis, and it is not listed in CISA KEV.

Authentication Bypass Feishu
NVD GitHub VulDB
CVSS 4.0
8.6
EPSS
0.2%
CVE-2026-62187 HIGH This Week

Authorization bypass in the @openclaw/feishu npm package (versions <= 2026.6.6) allows a lower-trust caller - or attacker-influenced input reaching a configured input path - to perform Feishu (Lark) actions that should have required stronger authorization, because per-account disablement can be ignored. Authenticated remote attackers can trigger unauthorized operations affecting confidentiality and integrity; no public exploit has been identified at time of analysis, and the flaw is fixed in version 2026.6.9. Real-world impact is gated by the operator's configuration and whether untrusted input can reach the affected feature.

Authentication Bypass Node.js Feishu
NVD GitHub
CVSS 4.0
8.6
EPSS
0.2%
CVE-2026-22100 HIGH PATCH This Week

OS command injection in the EVBEE DC-80 electric-vehicle DC charger lets an actor who can send OCPP messages execute arbitrary commands as root by tampering with the data value of the vendor-specific `ReserveLogin` DataTransfer message. The flaw was reported by DIVD (Dutch Institute for Vulnerability Disclosure) and affects the charger's OCPP handling; no public exploit identified at time of analysis and it is not listed in CISA KEV. Because execution occurs as root, successful exploitation results in full compromise of the charging station.

Command Injection Dc 80
NVD
CVSS 4.0
8.6
EPSS
1.0%
CVE-2026-57709 HIGH This Week

Arbitrary file deletion in WP Swings' Membership For WooCommerce WordPress plugin (all versions up to and including 3.1.0) lets remote attackers delete files outside the intended directory via unsanitized path input. The CVSS vector (PR:N) indicates the flaw is reachable without authentication, and the scope-changed rating reflects that deletion of critical files (e.g., wp-config.php) can break or reset the entire WordPress site. No public exploit has been identified at time of analysis; the issue was reported by Patchstack.

Path Traversal WordPress Membership For Woocommerce
NVD
CVSS 3.1
8.6
EPSS
0.5%
CVE-2026-57389 HIGH This Week

Path traversal in the Groundhogg WordPress CRM/marketing-automation plugin (versions up to and including 4.4.1) lets remote unauthenticated attackers delete arbitrary files on the server by supplying crafted pathnames that escape the intended directory. Patchstack classifies the concrete impact as arbitrary file deletion, and the CVSS vector (AV:N/PR:N with scope-change and high availability impact) reflects that deleting critical files such as wp-config.php can break or reset the WordPress site. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV.

Path Traversal Groundhogg
NVD
CVSS 3.1
8.6
EPSS
0.5%
Prev Page 2 of 8 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy