Skip to main content
CVE-2026-57392 MEDIUM This Month

Tourfic, a WordPress travel booking plugin by Themefic, exposes unauthenticated access control bypass through missing authorization checks on one or more plugin endpoints, affecting all versions through 2.22.5. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms remote, unauthenticated exploitation with limited integrity and availability impact. No public exploit or CISA KEV listing has been identified at time of analysis, but the low attack complexity makes opportunistic exploitation straightforward against any WordPress site with the plugin installed.

Authentication Bypass Tourfic
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-57391 MEDIUM This Month

Stored cross-site scripting in the Tangible Loops & Logic WordPress plugin (versions through 4.2.3) allows a low-privileged authenticated user to inject persistent malicious scripts into web pages that execute in the browsers of site visitors or administrators. The scope change (S:C in CVSS) confirms the payload escapes the injection context and executes in a victim's browser session, enabling session hijacking, credential theft, or malicious redirects. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low attack complexity makes this straightforward to exploit once an attacker holds contributor-level access.

XSS Loops Logic
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-57390 MEDIUM This Month

Missing authorization in the Extra Product Options Builder for WooCommerce plugin (versions through 1.2.167) permits remote unauthenticated attackers to perform restricted actions without valid credentials, impacting both data integrity and service availability on affected WordPress storefronts. The flaw stems from CWE-862 - the plugin exposes endpoints or AJAX actions that fail to verify whether the caller holds the necessary capability or role before executing sensitive operations. No public exploit code has been identified at time of analysis, and the vulnerability has not been listed in the CISA KEV catalog.

Authentication Bypass WordPress Extra Product Options Builder For Woocommerce
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-57364 MEDIUM This Month

Unauthenticated remote exploitation of the Better Payment WordPress plugin (versions through 2.2.0) allows attackers to bypass access control restrictions by submitting improperly validated quantity inputs, enabling unauthorized access to functionality protected by ACLs. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms the plugin's payment and subscription handling endpoints are reachable without credentials, producing both integrity and availability impact. No active exploitation confirmed; no public exploit identified at time of analysis.

Information Disclosure Better Payment Instant Payments Donations Fundraising With Subscriptions Amp More
NVD
CVSS 3.1
6.5
EPSS
0.4%
CVE-2026-57375 MEDIUM This Month

Broken access control in FluxBuilder's MStore API WordPress plugin (versions through 4.18.4) allows unauthenticated remote attackers to bypass authorization checks on restricted API endpoints. Rooted in CWE-862 (Missing Authorization), the flaw enables callers to interact with functionality gated behind access control levels that are incorrectly enforced - resulting in limited unauthorized data read and write operations against affected WooCommerce-backed mobile API deployments. No public exploit code or CISA KEV listing has been identified at time of analysis, but the PR:N/AC:L CVSS vector confirms the attack requires no authentication or special conditions.

Authentication Bypass Mstore Api
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-57365 MEDIUM This Month

DOM-Based Cross-Site Scripting in the reCAPTCHA (v2 & v3) for Asgaros Forum WordPress plugin (all versions through 1.1.0) enables authenticated low-privilege forum users to inject client-side scripts that execute in victims' browsers. The CVSS Scope:Changed metric (S:C) indicates the injected scripts can affect browser contexts beyond the vulnerable plugin component itself - including the broader WordPress session. No public exploit code or active exploitation has been identified at time of analysis, though the vulnerability was disclosed by Patchstack.

XSS Recaptcha V2 Amp V3 For Asgaros Forum
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-57377 MEDIUM This Month

Missing authorization in WPXPO WowAddons WordPress plugin (versions through 1.6.8) enables unauthenticated remote attackers to invoke privileged plugin actions without proper access control checks. Exploitation produces limited integrity and availability impact - unauthorized modification or disruption of plugin-managed content - with no confidentiality exposure confirmed by the CVSS vector. No public exploit code and no CISA KEV listing have been identified at time of analysis, though the zero-privileges-required network vector makes this class of flaw attractive for opportunistic automated scanning once a proof-of-concept surfaces.

Authentication Bypass Wowaddons
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-6850 MEDIUM This Month

Catastrophic regex backtracking in Mattermost's client-side markdown parser can be triggered by an authenticated user posting a specially crafted message attachment, causing a denial-of-service condition for every user rendering that channel. Affected builds span versions 11.7.x through 11.7.2, 11.6.x through 11.6.4, and 10.11.x through 10.11.19. No public exploit has been identified at time of analysis and this vulnerability is not listed in CISA KEV, though the low exploitation complexity (AC:L, PR:L) lowers the bar for any authenticated insider or compromised account.

Denial Of Service Mattermost
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-10106 MEDIUM This Month

Incorrect authorization in Mattermost's interactive post action handler allows authenticated users to trigger post actions in private channels they are not members of. The flaw stems from action cookies failing to bind to the specific channel of the target post - a cookie obtained from any accessible channel can be reused against posts in restricted private channels. Affected are Mattermost versions 11.7.x through 11.7.2, 11.6.x through 11.6.4, and 10.11.x through 10.11.19; no public exploit has been identified and the vulnerability is not listed in CISA KEV.

Authentication Bypass Mattermost
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-49876 MEDIUM PATCH This Month

Authenticated SSRF in Apache Gravitino's JobManager component (versions 1.0.0 through 1.2.1) enables authenticated users to coerce the server into making arbitrary outbound HTTP requests to internal network hosts and cloud instance metadata services (e.g., AWS IMDS at 169.254.169.254, GCP metadata endpoints) by supplying unvalidated URIs within job templates. In cloud-hosted deployments this is a credential-theft primitive: metadata service access can yield IAM role credentials with blast radius extending well beyond the Gravitino service itself. No public exploit or CISA KEV listing has been identified at time of analysis; vendor labels severity as moderate, though cloud-metadata reachability elevates real-world impact above that rating in typical deployment contexts.

SSRF Apache Gravitino
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-12536 MEDIUM This Month

Stored Cross-Site Scripting in the Avada (Fusion) Builder WordPress plugin versions up to 3.15.5 allows authenticated contributors to inject persistent malicious scripts via the 'Module Title' parameter, executing in the browsers of any user who views the affected page. This grants attackers the ability to steal session tokens, perform unauthorized actions on behalf of victims, or redirect users to malicious sites. No public exploit or CISA KEV listing has been identified at time of analysis, though the Contributor-level entry bar makes this accessible to a broad attacker pool on sites with open registration.

XSS WordPress Avada Fusion Builder
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-45573 MEDIUM PATCH GHSA This Month

Stored Server-Side Request Forgery in Decidim's push notification subsystem allows any authenticated user to register an arbitrary HTTPS URL as a push subscription endpoint, causing the application server to issue outbound POST requests to that attacker-controlled destination whenever notifications are dispatched. The vulnerability exists in the decidim-core RubyGem across versions below 0.30.9, 0.31.0.rc1 through 0.31.4, and 0.32.0.rc1, and is only exploitable when VAPID push delivery is configured. No public exploit code has been identified and the vulnerability is not listed in the CISA KEV catalog, but a vendor-confirmed patch and source-code-level proof of the source-to-sink chain are available via the GHSA advisory.

SSRF
NVD GitHub
CVSS 3.1
6.4
CVE-2026-57413 MEDIUM This Month

Server-Side Request Forgery in bdthemes Instant Image Generator (WordPress plugin ai-image) through version 2.1.4 allows low-privileged authenticated users to coerce the WordPress server into issuing HTTP requests to arbitrary destinations. The scope-changed CVSS vector (S:C) confirms the server can be directed at internal infrastructure beyond the WordPress installation itself, enabling internal network probing or cloud metadata endpoint access. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

SSRF Instant Image Generator
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-62197 MEDIUM This Month

OpenClaw's browser CDP (Chrome DevTools Protocol) discovery component fails to enforce its own URL blocklist, allowing lower-trust authenticated users to reach network destinations that OpenClaw policy should have denied access to. The root cause is a Server-Side Request Forgery variant (CWE-918) where blocked WebSocket URLs submitted through CDP discovery are accepted and proxied without policy enforcement. The CVSS 4.0 vector (SC:H/SI:L) confirms the primary impact lands on downstream or segmented network resources - not OpenClaw itself - making this a network segmentation bypass rather than a direct system compromise. No public exploit code or CISA KEV listing has been identified at time of analysis.

SSRF Openclaw
NVD GitHub
CVSS 4.0
6.3
EPSS
0.2%
CVE-2024-27091 MEDIUM PATCH GHSA This Month

An issue exists within GEONODE where the current rich text editor is vulnerable to Stored XSS. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

CSRF XSS
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.4%
CVE-2026-45415 MEDIUM PATCH GHSA This Month

Improper authorization in Decidim's CSV census admin controller allows participant managers to read, create, update, and delete CSV census rows they are not permitted to access. The `/admin/csv_census/census_logs` endpoint family in `decidim-verifications` fails to call `enforce_permission_to` before rendering or mutating `Decidim::Verifications::CsvDatum`, granting participant managers the same data-mutation capability as full administrators. Exploitation corrupts the verification dataset that drives Decidim's authorization workflows, potentially invalidating or fabricating eligibility records for all participants. No public exploit code has been identified at time of analysis, but detailed reproduction steps are included in the public security advisory.

Authentication Bypass
NVD GitHub
CVSS 3.1
6.0
CVE-2026-57691 MEDIUM This Month

Reflected cross-site scripting in the Anti-Malware Security and Brute-Force Firewall WordPress plugin (versions through 4.23.89) enables remote unauthenticated attackers to inject and execute arbitrary JavaScript in a victim's browser by tricking them into clicking a specially crafted URL. The CVSS scope change (S:C) indicates the attack crosses security boundaries, allowing script execution in the browser context beyond the plugin itself - enabling session theft, credential harvesting, or unauthorized admin actions. No public exploit code or CISA KEV listing has been identified at time of analysis, and the AC:H vector component indicates exploitation requires non-trivial preconditions rather than simple mass exploitation.

XSS Anti Malware Security And Brute Force Firewall
NVD VulDB
CVSS 3.1
5.8
EPSS
0.2%
CVE-2026-15681 MEDIUM This Month

Denial-of-service in AnyDesk allows a local attacker with low-privileged code execution to crash or destabilize the application by abusing improper junction resolution during screen recording file operations. The AnyDesk service fails to validate symbolic link or NTFS junction targets before accessing screen recording files, enabling redirection of privileged file creation to arbitrary filesystem paths. No public exploit code exists and this vulnerability is not listed in CISA KEV; however, the low privilege requirement combined with AnyDesk's common deployment on multi-user systems warrants patching. Note: the provided tag 'RCE' appears to be a mislabeling - the CVE description and CVSS impact metrics consistently describe a DoS-only outcome with no code execution.

RCE Anydesk
NVD VulDB
CVSS 3.1
5.5
EPSS
0.1%
CVE-2026-15682 MEDIUM This Month

AnyDesk's 'Send Support Information' feature is exploitable by local low-privileged attackers via a Windows junction (directory reparse point) attack that forces the AnyDesk service to write files to an attacker-chosen path, producing a denial-of-service condition. Affected installations span all tracked AnyDesk versions per the NVD CPE wildcard, with no confirmed fixed version at time of analysis. No public exploit code has been identified and this vulnerability is not listed in CISA's KEV catalog; however, note that the source intelligence tags this as 'RCE,' which directly conflicts with the CVE description and CVSS vector (C:N/I:N/A:H) - the actual confirmed impact is availability-only denial-of-service.

RCE Anydesk
NVD VulDB
CVSS 3.1
5.5
EPSS
0.1%
CVE-2026-15514 MEDIUM This Month

SQL injection in Metasoft (美特软件) MetaCRM up to version 6.4.0 Beta06 enables unauthenticated remote attackers to manipulate the `phprpc_args` parameter passed to the `RPCService.query` function at the PHPRPC Remote Call Interface endpoint `/customizemt/xkq/rpc.jsp`, potentially reading, altering, or deleting database contents. The CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N) confirms exploitation requires no credentials and no user interaction from any network-reachable position. Publicly available exploit code exists (confirmed by E:P in the CVSS 4.0 supplemental metrics), though this CVE is not currently listed in CISA KEV; the vendor did not respond to disclosure, leaving no official patch available.

SQLi
NVD VulDB
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-15551 MEDIUM This Month

Integer overflow in Samsung's open-source rlottie animation rendering library leads to buffer overflow, with high availability impact including potential crash or memory corruption. Exploitation requires local access, low privileges, user interaction, and high attack complexity, making this a lower-urgency finding despite the buffer overflow class. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog. The upstream fix is available as a GitHub pull request (#595), though a formally tagged patched release version has not been independently confirmed.

Integer Overflow Samsung Buffer Overflow Rlottie
NVD GitHub VulDB
CVSS 3.1
5.5
EPSS
0.1%
CVE-2026-10085 MEDIUM This Month

Mattermost's channel patch API fails to enforce authorization on the group_constrained flag, permitting any authenticated low-privilege member of a group message or direct message channel to remove all participants from the conversation. All three supported release lines are affected: 11.7.x through 11.7.2, 11.6.x through 11.6.4, and 10.11.x through 10.11.19. No public exploit code has been identified at time of analysis; however, the low attack complexity and minimal privilege requirement make this straightforward to abuse on any reachable Mattermost deployment.

Authentication Bypass Mattermost
NVD
CVSS 3.1
5.4
EPSS
0.2%
CVE-2026-45086 MEDIUM PATCH GHSA This Month

Unauthorized access to the demographics questionnaire admin editor in Decidim's decidim-demographics module allows any authenticated participant to reach and interact with the `/admin/demographics/questions/edit_questions` route without admin privileges. Affected versions span 0.31.0-0.31.4 and 0.32.0.rc1, with fixes released in 0.31.5 and 0.32.0. The vulnerability is not listed in CISA KEV and no separate public exploit code has been identified; however, the advisory published by Decidim includes step-by-step reproduction instructions, lowering the barrier for exploitation by any registered platform user.

Authentication Bypass
NVD GitHub
CVSS 3.1
5.4
CVE-2026-61968 MEDIUM This Month

Missing Authorization in the myCred WordPress plugin (all versions through 3.1.2) allows authenticated low-privileged users to exploit incorrectly configured access control levels, resulting in unauthorized integrity and availability impacts against the plugin's loyalty points system. The root cause (CWE-862) indicates the plugin performs sensitive operations without verifying that the requesting user holds the requisite permission level. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog at time of analysis.

Authentication Bypass Mycred
NVD
CVSS 3.1
5.4
EPSS
0.3%
CVE-2026-61958 MEDIUM This Month

Missing authorization in the License Manager for WooCommerce WordPress plugin (versions through 3.0.17) allows authenticated low-privilege users to perform arbitrary content deletion without proper permission checks. The flaw stems from CWE-862, where sensitive plugin actions are accessible to any authenticated user regardless of their assigned role. No active exploitation has been confirmed by CISA KEV, and no public exploit code has been identified at time of analysis.

Authentication Bypass WordPress License Manager For Woocommerce
NVD
CVSS 3.1
5.4
EPSS
0.3%
CVE-2026-9597 MEDIUM This Month

Deactivated guest accounts in Mattermost 11.6.x through 11.6.4 and 11.7.x through 11.7.2 can regain platform access using magic-link tokens issued before deactivation, because the magic-link login path omits an account-status check during session creation. This directly undermines guest account revocation as an access control mechanism - administrators who deactivate a guest account expecting immediate exclusion will find the control is defeatable while any pre-issued token remains valid. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Information Disclosure Mattermost
NVD VulDB
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-61501 MEDIUM PATCH This Month

Stored cross-site scripting in Rejetto HTTP File Server 3.0.0-3.2.0 allows an unauthenticated remote attacker to inject persistent JavaScript into the server error log via a crafted username in a failed login attempt. When an administrator views the log panel, the payload executes in their browser session, granting the attacker the ability to create accounts or execute server-side code with full administrative privileges. No public exploit has been identified at time of analysis, but the attack chain is low-complexity and the vendor has confirmed a fix in v3.2.1.

XSS Hfs
NVD GitHub
CVSS 4.0
5.3
EPSS
0.3%
CVE-2026-15529 MEDIUM PATCH This Month

Unsafe deserialization in pyod 3.5.0-3.5.2 exposes the `pyod.utils.persistence.load` function to remote exploitation by authenticated low-privilege users who can manipulate the `path` argument. Rooted in CWE-502 (Deserialization of Untrusted Data), the flaw allows a crafted serialized payload supplied via the path parameter to be deserialized without adequate validation, potentially yielding code execution or data manipulation within the running process. No public exploit code has been identified at time of analysis, and no CISA KEV listing exists; an upstream fix is available as GitHub PR #698, though a formally versioned PyPI release incorporating the patch has not been independently confirmed.

Deserialization Pyod
NVD VulDB GitHub
CVSS 4.0
5.3
EPSS
0.3%
CVE-2026-49969 MEDIUM PATCH This Month

Server-side request forgery in Laravel-Mediable before 7.0.0 enables network-accessible, low-privilege attackers to issue arbitrary HTTP requests originating from the server by supplying unvalidated URLs to any application endpoint backed by MediaUploader::fromSource(). The RemoteUrlAdapter class accepts caller-controlled URLs without restricting schemes, IP ranges, or hostnames, allowing requests to RFC-1918 addresses, loopback interfaces, file:// URIs, and cloud instance metadata endpoints such as AWS IMDSv1 at 169.254.169.254. In cloud deployments, successful exploitation can yield IAM temporary credentials, enabling privilege escalation far beyond the base CVSS score of 5.3 would suggest. No public exploit or CISA KEV listing exists at time of analysis.

SSRF Laravel Mediable
NVD GitHub
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-15552 MEDIUM This Month

Stored XSS in Ragic Enterprise Cloud Database permits unauthenticated remote attackers to inject persistent JavaScript into application data, which then executes in the browsers of any user who loads the affected page. Because the payload is stored server-side, a single injection event affects all subsequent visitors without further attacker interaction. No active exploitation is confirmed in CISA KEV and no public proof-of-concept code has been identified at time of analysis, but the CVSS 4.0 PR:N rating confirms no authentication is needed to plant the payload.

XSS Enterprise Cloud Database
NVD VulDB
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-49971 MEDIUM PATCH This Month

Stored XSS in Laravel-Mediable before 7.0.0 allows network-accessible, unauthenticated attackers to persist malicious JavaScript payloads by uploading crafted SVG files containing embedded scripts in onload handlers, script tags, or foreignObject elements. When any authenticated user subsequently opens or previews a poisoned file in their browser, the payload executes with full DOM access, enabling session cookie theft, CSRF token capture, and complete account takeover. No public exploit has been identified at time of analysis, but the attack requires no special privileges and the technique is well-understood; the vendor has classified this as a security release and strongly recommends immediate upgrade to 7.0.0.

XSS CSRF Laravel Mediable
NVD GitHub
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-14906 MEDIUM This Month

PDF save functionality in Firefox for iOS allows maliciously crafted page titles to manipulate the output file path, enabling overwrites of existing PDF files or bundled application content within the Firefox iOS sandbox. All versions prior to 152.4 on Apple iOS devices are affected. An attacker operating a malicious website can lure a user into saving a page as PDF, causing the crafted title to resolve to an unintended file path within the app sandbox - potentially corrupting application state or stored documents. No public exploit has been identified at time of analysis, though SSVC classifies the vulnerability as automatable with partial technical impact.

Apple File Upload Mozilla Firefox For Ios
NVD VulDB
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-15598 MEDIUM This Month

Prototype pollution in antv layout 2.0.0 exposes JavaScript runtimes to object prototype manipulation via the `setNestedValue` function in `lib/util/object.js`, where a crafted `path` argument can inject arbitrary properties into the global Object prototype. The CVSS 4.0 vector (AV:N/AC:L/PR:L) indicates network-reachable exploitation requiring low-privilege authentication, with limited but real confidentiality, integrity, and availability impact depending on how downstream application code consumes polluted prototype properties. No public exploit code has been identified and the vulnerability is not listed in CISA KEV; however, the vendor has not responded to the responsible disclosure filed via GitHub issue #292, leaving no patch timeline available.

Information Disclosure Prototype Pollution Layout
NVD VulDB GitHub
CVSS 4.0
5.3
EPSS
0.3%
CVE-2026-62198 MEDIUM This Month

Authorization bypass in OpenClaw's native web search component allows authenticated lower-trust callers to invoke operations normally gated behind stronger policy checks. Versions 2026.5.28 through 2026.6.5 are affected, with exploitation requiring crafted input paths targeting misconfigured authorization logic - no special tooling needed given the low attack complexity. No public exploit code or CISA KEV listing exists at time of analysis, but the network-reachable attack surface and low complexity reduce the barrier for abuse by compromised or malicious low-privilege accounts.

Authentication Bypass Openclaw
NVD GitHub
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-61985 MEDIUM This Month

Missing authorization controls in the Car Rental Manager WordPress plugin (≤1.3.7) allow unauthenticated remote attackers to exploit incorrectly configured access control levels, resulting in limited integrity impact. The CVSS vector (PR:N/UI:N) confirms exploitation requires no credentials or user interaction against any publicly reachable WordPress site running the affected plugin. No public exploit code or CISA KEV listing has been identified at time of analysis, keeping real-world risk at a moderate level despite the trivial exploitation conditions.

Authentication Bypass Car Rental Manager
NVD
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-61977 MEDIUM This Month

Unauthenticated sensitive data exposure in Crocoblock JetSearch WordPress plugin (all versions through 3.6.1.2) permits remote attackers to retrieve embedded sensitive system information without any credentials or user interaction. The flaw is classified under CWE-497, indicating the plugin surfaces internal system data through an externally accessible vector. With a network-accessible, zero-privilege attack path confirmed by the CVSS:3.1/AV:N/AC:L/PR:N/UI:N vector, any internet-facing WordPress installation running a vulnerable JetSearch version is exposed. No public exploit code or CISA KEV listing has been identified at time of analysis.

Information Disclosure Jetsearch
NVD
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-61983 MEDIUM This Month

Missing authorization in the Church Admin WordPress plugin (versions through 5.0.30) allows unauthenticated remote attackers to invoke plugin endpoints and perform unauthorized write operations without authentication. The root cause is incorrectly configured access control security levels (CWE-862), where certain plugin actions omit the required capability or nonce checks. No public exploit code or active exploitation has been identified at time of analysis, though the zero-barrier CVSS vector (PR:N, AC:L, AV:N) means opportunistic abuse is technically straightforward for any attacker who can reach the WordPress instance.

Authentication Bypass Church Admin
NVD
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-61976 MEDIUM This Month

Sensitive system information exposure in Crocoblock JetBlocks For Elementor (versions through 1.5.0) allows remote unauthenticated attackers to retrieve embedded sensitive data from affected WordPress installations. The flaw, classified under CWE-497, results in unauthorized disclosure of system-level information that should remain restricted to privileged contexts. No public exploit code or active exploitation has been identified at time of analysis, but the absence of authentication requirements lowers the barrier for opportunistic reconnaissance against any site running the vulnerable plugin version.

Information Disclosure Jetblocks For Elementor
NVD VulDB
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-61975 MEDIUM This Month

JetReviews WordPress plugin by Crocoblock (versions through 3.0.1) exposes embedded sensitive system information to unauthenticated remote attackers, classified under CWE-497. The vulnerability permits retrieval of sensitive data that should remain internal to the application - likely API keys, configuration values, or credentials embedded in plugin output or REST endpoints - without requiring any authentication, user interaction, or elevated privileges. No public exploit code or CISA KEV listing exists at time of analysis, but the zero-friction CVSS vector (AV:N/AC:L/PR:N/UI:N) means any internet-facing WordPress site running this plugin version is passively exposed.

Information Disclosure Jetreviews
NVD
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-57782 MEDIUM This Month

Universal Clocks WordPress plugin (≤1.2.0) by PressTigers exposes unauthorized action endpoints due to missing authorization checks, enabling unauthenticated remote attackers to perform integrity-impacting operations without valid credentials. Reported by Patchstack under CWE-862, the flaw stems from incorrectly configured access control security levels that fail to validate caller permissions before executing plugin functionality. No public exploit code or active exploitation (CISA KEV listing) has been identified at time of analysis.

Authentication Bypass Universal Clocks
NVD
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-57781 MEDIUM This Month

Missing authorization in the MeetingHub WordPress plugin (versions through 1.25.10) allows unauthenticated remote attackers to exploit incorrectly configured access control and perform unauthorized integrity-affecting actions. The CVSS vector (PR:N/AV:N/AC:L/UI:N) confirms no authentication or user interaction is required, making any WordPress installation running an affected version directly exposed from the network. No active exploitation has been confirmed (no CISA KEV listing) and no public exploit has been identified at time of analysis.

Authentication Bypass Meetinghub
NVD
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-57779 MEDIUM This Month

Unauthenticated broken access control in the Fascinate WordPress theme by themebeez (versions through 1.1.5) permits remote attackers to exploit incorrectly configured capability checks, resulting in unauthorized write-level actions on affected WordPress installations. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms no authentication or user interaction is required, with impact limited to integrity (I:L). No active exploitation is confirmed in CISA KEV, and no public exploit code has been identified at time of analysis.

Authentication Bypass Fascinate
NVD
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-57778 MEDIUM This Month

Missing authorization in the wpdevart Booking Calendar, Appointment Booking System WordPress plugin (versions through 3.2.36) permits unauthenticated remote attackers to bypass access controls and perform restricted booking-related actions, resulting in unauthorized data modification. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms the flaw is trivially reachable over the network with no authentication, though impact is limited to integrity (I:L) with no confidentiality or availability consequence. No public exploit code or CISA KEV listing has been identified at time of analysis.

Authentication Bypass Booking Calendar Appointment Booking System
NVD
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-57776 MEDIUM This Month

Broken access control in the VW Wedding WordPress theme (vowelweb) allows unauthenticated remote attackers to exploit incorrectly configured authorization checks, resulting in limited availability impact against affected WordPress installations. All versions through 1.3.7 are affected per the CPE string cpe:2.3:a:vowelweb:vw_wedding. No public exploit code has been identified at time of analysis, and CISA KEV listing is absent, placing this in the lower-urgency tier despite network-level reachability.

Authentication Bypass Vw Wedding
NVD
CVSS 3.1
5.3
EPSS
0.4%
CVE-2026-57774 MEDIUM This Month

Missing authorization controls in the VW Food Corner WordPress theme (versions through 1.1.0) permit unauthenticated remote attackers to invoke restricted theme functionality without valid access credentials, resulting in availability impact. Reported by Patchstack and classified under CWE-862, the flaw stems from incorrectly configured access control levels that fail to verify caller identity or capability before executing protected actions. No active exploitation has been confirmed by CISA KEV, and no public exploit code has been identified at time of analysis.

Authentication Bypass Vw Food Corner
NVD
CVSS 3.1
5.3
EPSS
0.4%
CVE-2026-15538 MEDIUM Monitor

Prototype pollution in PrimeReact (all versions through 10.9.8) allows authenticated remote attackers to improperly modify JavaScript object prototype attributes via the ObjectUtils.mutateFieldData API function by crafting malicious Field argument values. Affected deployments face limited confidentiality and integrity exposure at the vulnerable system level. No patch has been issued - the maintainer has not responded to responsible disclosure, and the affected version range is officially end-of-life. No public exploit code or CISA KEV listing has been identified at time of analysis.

Information Disclosure Prototype Pollution Primereact
NVD VulDB GitHub
CVSS 4.0
5.3
EPSS
0.3%
CVE-2026-58487 MEDIUM This Month

Stored HTML injection in HedgeDoc prior to 1.11.0 allows low-privileged, registered attackers to inject arbitrary HTML into publish views, slide views, and the collaborative editor by registering an email address with an RFC 5321 quoted-string local-part, which is then rendered as the display name without output encoding. Victims who view affected pages are exposed to content manipulation and attacker-controlled cross-origin iframe embedding; direct JavaScript execution is mitigated by the deployed Content-Security-Policy, but phishing, UI redressing, and resource injection remain viable. No public exploit code has been identified at time of analysis, and no KEV listing exists; the fix is available in version 1.11.0.

XSS Hedgedoc
NVD GitHub
CVSS 4.0
5.1
EPSS
0.4%
CVE-2026-61502 MEDIUM PATCH This Month

Rejetto HTTP File Server (HFS) versions 3.0.0 through 3.2.0 performs state-changing administrative operations via HTTP GET requests while exempting GET from its anti-CSRF header validation, enabling two distinct attack paths: a classic CSRF attack requiring a logged-in administrator to visit a crafted URL, and a fully unauthenticated path exploitable from localhost against default installations. Successful exploitation allows account creation, configuration modification, and ultimately remote code execution on the HFS host. Patch version 3.2.1 is available; no public exploit or CISA KEV listing has been identified at time of analysis.

RCE CSRF Hfs
NVD GitHub
CVSS 4.0
5.1
EPSS
0.2%
CVE-2026-61504 MEDIUM PATCH This Month

Stored XSS in Rejetto HFS 3.0.0 through 3.2.0 allows attackers with upload access - or any user on servers configured with publicly writable folders - to inject persistent browser scripts via maliciously named files in the 'basic' web listing mode. Because the basic listing can be forced by any visitor using the ?get=basic URL parameter, the vulnerable rendering path is reachable regardless of whether the default interface is exposed. The vendor's own v3.2.1 release notes state that vulnerabilities addressed in this release collectively enable administrative account compromise; no public exploit or CISA KEV listing has been identified, but a vendor-released patch is available.

XSS Hfs
NVD GitHub
CVSS 4.0
5.1
EPSS
0.2%
CVE-2026-58228 MEDIUM PATCH This Month

URL scheme validation bypass in Phoenix LiveView 1.2.2–1.2.6 allows unauthenticated attackers to inject javascript: URLs that execute in a victim's browser session when clicked. The root cause is a first-byte ASCII letter guard in the internal uri_scheme/1 helper: inputs prefixed with whitespace or C0 control characters bypass scheme detection entirely and are treated as safe relative paths, while WHATWG-compliant browsers silently strip those leading bytes before parsing — converting what LiveView sees as a harmless string into an executable javascript: URL. Applications rendering user-supplied URLs (profile links, redirect targets, external references) via the <.link href={...}> component are directly affected; no public exploit code has been identified at time of analysis, and a patched release (1.2.7) is available.

XSS Phoenix Live View
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.4%
Prev Page 2 of 3 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy