Skip to main content
CVE-2026-9492 HIGH This Week

Local privilege escalation in the MBStorage DRAM lighting control module of GIGABYTE's Gigabyte Control Center (GCC) lets an authenticated low-privileged local user reach kernel-level privileges by abusing the bundled MyPortIO_x64.sys driver. The driver exposes IOCTL handlers without adequate access control, permitting arbitrary read and write of physical memory. No public exploit identified at time of analysis; the issue was reported by Taiwan's TWCERT and carries a CVSS 4.0 base score of 8.5 (High).

Information Disclosure Mbstorage
NVD VulDB
CVSS 4.0
8.5
EPSS
0.1%
CVE-2026-45414 HIGH PATCH GHSA This Week

Cross-tenant authentication bypass in Decidim (the Ruby-on-Rails participatory-democracy platform) lets a JWT issued in one organization (tenant) be replayed against a second organization's GraphQL API by simply changing the HTTP Host header. An authenticated Org 1 principal (admin or API user) can then read Org 2's admin-only participantDetails field, harvest Org 2 participant personal data, and reach Org 2's proposal.answer mutation path. Rated CVSS 8.5 with a scope change; the vendor advisory publishes step-by-step reproduction, but no CISA KEV listing and no EPSS score were provided, so widespread active exploitation is not established.

Authentication Bypass
NVD GitHub
CVSS 3.1
8.5
CVE-2026-57810 HIGH This Week

Blind SQL injection in the APIExperts "Square for WooCommerce" (woosquare) WordPress plugin affects all versions up to and including 4.7.4, allowing an authenticated attacker to inject crafted SQL into a database query and infer or extract data via boolean/time-based blind techniques. The flaw was reported by Patchstack and carries a CVSS 3.1 score of 8.5; no public exploit identified at time of analysis and it is not listed in CISA KEV. Because the CVSS vector specifies PR:L, exploitation requires an existing low-privileged authenticated session rather than fully anonymous access.

SQLi WordPress Apiexperts Square For Woocommerce
NVD
CVSS 3.1
8.5
EPSS
0.4%
CVE-2026-57787 HIGH This Week

Authenticated blind SQL injection in the CreativeWS CWS SVGicons WordPress plugin (all versions up to and including 1.5.5) allows a low-privileged authenticated user to inject crafted SQL into a database query, per a Patchstack advisory. Because the CVSS vector reports a scope change with high confidentiality impact, a successful attack can read data beyond the plugin's own tables, exposing the broader WordPress database. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

SQLi Cws Svgicons
NVD
CVSS 3.1
8.5
EPSS
0.3%
CVE-2026-57772 HIGH This Week

Blind SQL injection in the WP Inventory Manager WordPress plugin (versions up to and including 2.4.0) lets an authenticated attacker with low privileges inject crafted SQL into database queries, enabling extraction of arbitrary database contents such as user credentials and secrets. Reported by Patchstack, the flaw carries a CVSS 8.5 (scope-changed) rating; no public exploit has been identified at time of analysis and it is not listed in CISA KEV, so risk is currently theoretical but high-impact.

SQLi Wp Inventory Manager
NVD
CVSS 3.1
8.5
EPSS
0.4%
CVE-2026-57771 HIGH This Week

Blind SQL injection in the GD Rating System WordPress plugin (versions up to and including 3.7) allows authenticated attackers to inject arbitrary SQL into backend database queries. Because the CVSS vector shows PR:L, a low-privileged authenticated user can extract sensitive database contents (CVSS 8.5, scope-changed). No public exploit identified at time of analysis; the flaw was reported by Patchstack via its coordinated disclosure database.

SQLi Gd Rating System
NVD
CVSS 3.1
8.5
EPSS
0.4%
CVE-2026-57385 HIGH This Week

Blind SQL injection in the appsbd Vitepos (vitepos-lite) WordPress point-of-sale plugin affects all versions up to and including 3.4.2, allowing an authenticated attacker with low privileges to inject crafted SQL into backend database queries and infer data via boolean/time-based responses. The CVSS 3.1 base score of 8.5 reflects a scope change (S:C) with high confidentiality impact, meaning the plugin's SQL context can reach database contents beyond its own security boundary. No public exploit was identified at time of analysis, and the CVE is not listed in CISA KEV.

SQLi Vitepos
NVD
CVSS 3.1
8.5
EPSS
0.4%
CVE-2026-57432 HIGH PATCH This Week

Out-of-bounds heap read in the Perl interpreter (through version 5.43.10) lets an attacker who controls a pack or unpack template disclose adjacent heap memory back to the calling program. An unchecked integer overflow in S_measure_struct wraps the running size total negative, defeating the signed-length guards on the @, X, and x position codes and walking the buffer pointer outside its bounds. No public exploit is identified at time of analysis; the flaw was reported by CPANSec with vendor patches already committed upstream.

Buffer Overflow Integer Overflow Perl
NVD GitHub VulDB
CVSS 3.1
8.4
EPSS
0.2%
CVE-2026-62143 HIGH PATCH This Week

Server-Side Request Forgery bypass in the html_to_markdown expansion module of misp-modules lets an authenticated attacker reach internal, loopback, and link-local services that the module's IP range filtering was meant to block. By supplying an IPv4-mapped IPv6 address such as http://[::ffff:169.254.169.254]/ (or a hostname resolving to one), the attacker defeats the blocked-range checks and can pull back internal content — including cloud instance metadata — rendered back to them as Markdown. No public exploit identified at time of analysis and it is not in CISA KEV, but the underlying IPv4-mapped-IPv6 filter bypass is a well-understood, easily reproduced technique.

SSRF Misp Modules
NVD GitHub
CVSS 4.0
8.3
EPSS
0.2%
CVE-2026-58486 HIGH This Week

Denial of service in HedgeDoc before 1.11.0 lets a user who can store a note crash the instance by embedding a YAML "alias bomb" in the note frontmatter. Because HedgeDoc parsed frontmatter with the unsafe js-yaml v3 load (via @hedgedoc/meta-marked) and resolved anchor aliases, a compact ten-level payload expands into a massive object that blocks the single Node.js event loop for roughly 235 seconds on every request to the publish view (/s/<shortid>) or, under the opengraph key, the editor view (/<noteId>). No public exploit has been identified at time of analysis and the flaw is not in CISA KEV, but the stored payload persists in the database and re-triggers after process restarts, making outages durable until the note is deleted.

Node.js Denial Of Service Hedgedoc
NVD GitHub
CVSS 4.0
8.3
EPSS
0.2%
CVE-2026-12397 MEDIUM POC PATCH This Month

The WP Job Portal WordPress plugin before 2.5.5 does not verify ownership when returning an employer's contact email for a given job, allowing authenticated users with a subscriber-level (self-registerable) account to read other employers' private account email addresses by enumerating job identifiers.

WordPress Information Disclosure Wp Job Portal
NVD WPScan VulDB
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-12273 MEDIUM POC PATCH This Month

Tutor LMS WordPress plugin (all versions before 3.9.13) allows authenticated users with subscriber-level access to post auto-approved comments containing arbitrary HTML and external links on any site content, bypassing the comment moderation queue entirely. The vulnerable comment handler performs no authorization check and no post-target validation before creating comments, making this exploitable by any registered user on sites with open registration - a common LMS deployment pattern. A publicly available POC from WPScan exists; no CISA KEV listing indicates confirmed mass exploitation, but the low privilege bar and POC availability make this a realistic content-integrity threat.

Authentication Bypass WordPress Tutor Lms
NVD WPScan
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-58500 HIGH PATCH This Week

Cross-site scripting in appium-mcp (the Appium MCP server) versions <= 1.85.9 lets an attacker who controls the mobile app under test inject arbitrary HTML/JavaScript into the MCP UI resource returned by the generate_locators tool, because createLocatorGeneratorUI interpolates element attributes (text, content-desc, resource-id, selector, strategy) into an HTML template without escaping. When a victim's MCP client renders the resource, the injected script runs and can call arbitrary registered MCP tools via window.parent.postMessage (screenshots, page-source reads, etc.). No public exploit identified at time of analysis, though the fix commit ships XSS test cases; fixed in 1.85.10.

Google XSS Appium Mcp
NVD GitHub
CVSS 3.1
8.2
EPSS
0.3%
CVE-2026-48363 HIGH This Week

Arbitrary code execution in Adobe ColdFusion 2025.9, 2023.20 and all earlier releases arises from an Uncontrolled Search Path Element weakness that lets attacker-controlled files or libraries be loaded when a victim opens a malicious file, running code in the context of the current user. The bug carries a scope change (S:C), meaning execution can affect resources beyond the initially vulnerable component. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, so real-world risk currently hinges on social-engineering a local user into opening a crafted file.

RCE Coldfusion
NVD
CVSS 3.1
8.2
EPSS
0.2%
CVE-2026-48364 HIGH This Week

Arbitrary code execution in Adobe ColdFusion 2025.9, 2023.20 and earlier arises from an uncontrolled search path element (library-hijacking-style) flaw that runs attacker code in the context of the current user when a victim opens a malicious file. The CVSS 3.1 base score is 8.2 with a changed scope, and exploitation is gated by user interaction and low-privilege local access. No public exploit has been identified at time of analysis and it is not listed in CISA KEV.

RCE Coldfusion
NVD
CVSS 3.1
8.2
EPSS
0.2%
CVE-2026-48118 HIGH PATCH GHSA This Week

Reflected cross-site scripting in the Comment module of NukeViet CMS (versions before 4.5.09) lets remote unauthenticated attackers execute arbitrary JavaScript in a victim's browser via a crafted URL. The status_comment parameter carries base64-encoded HTML that is decoded server-side and rendered unescaped, while a second flaw makes the checkss anti-forgery token static and site-wide, removing the only barrier to URL-based delivery. No public exploit identified at time of analysis, though the advisory documents a confirmed proof-of-concept credential-phishing overlay.

PHP XSS
NVD GitHub
CVSS 3.1
8.2
CVE-2026-57768 HIGH This Week

Privilege escalation in the Houzez Login Register WordPress plugin (versions up to and including 3.3.3) lets remote attackers obtain a higher-privileged role than intended due to incorrect privilege assignment (CWE-266). Reported by Patchstack with a CVSS 8.2 (high) score, the flaw carries a network vector with no privileges or user interaction required and a high integrity impact. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV.

Privilege Escalation Houzez Login Register
NVD
CVSS 3.1
8.2
EPSS
0.3%
CVE-2026-61668 HIGH PATCH GHSA This Week

Man-in-the-middle code injection in DIRAC's grid pilot bootstrap affects the DIRACGrid Python distributed-computing framework, where the PilotWrapper explicitly disables TLS certificate validation when fetching the second-stage pilot.tar. Because both the payload and its reference checksum traverse the same unverified HTTPS channel, an attacker positioned on the grid site's network can substitute arbitrary code that runs in the pilot context with access to its proxy/credentials. No public exploit identified at time of analysis; exploitation requires an active network intercept, which the vendor notes is non-trivial, but the CVSS is 8.1 due to full CIA impact.

RCE Python
NVD GitHub
CVSS 3.1
8.1
CVE-2026-59245 HIGH PATCH This Week

Privilege escalation in the Apache Airflow FAB auth manager (apache-airflow-providers-fab before 3.7.2) lets a low-privileged user who is granted per-DAG access to a DAG literally named 'DAGs' silently receive the global all-DAGs permission, gaining read and edit access to every DAG in the deployment. The flaw stems from a resource-name collision in resource_name(), where the reserved global resource string 'DAGs' is indistinguishable from a legitimate dag_id of the same value. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Privilege Escalation Apache Apache Airflow Fab Provider
NVD GitHub
CVSS 3.1
8.1
EPSS
0.4%
CVE-2026-58065 HIGH PATCH This Week

Man-in-the-middle interception of Apache Airflow's Git provider (apache-airflow-providers-git before 0.4.1) is possible because git-over-SSH operations run with StrictHostKeyChecking=no by default, so no SSH host-key verification occurs. An attacker positioned on the network path between an Airflow worker and its Git server can impersonate the server to steal the SSH deploy key or inject malicious DAG content, leading to code execution on workers. No public exploit identified at time of analysis, and it is not listed in CISA KEV; CVSS is 8.1 (High) driven by high attack complexity (AC:H) requiring an on-path position.

Code Injection Apache Apache Airflow Git Provider
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.5%
CVE-2026-57743 HIGH This Week

PHP Local File Inclusion in the WordPress RT-Theme 18 | Extensions plugin (rt18-extensions) by stmcan lets remote attackers coerce the plugin into including attacker-influenced local file paths in an include/require statement, exposing sensitive files and potentially achieving code execution if a suitable includable file exists. All versions from an unspecified start through 2.5 are affected. No public exploit identified at time of analysis and it is not on CISA KEV, but the CVSS 3.1 base score is 8.1 (high) and the flaw is reachable without authentication.

Information Disclosure LFI PHP Rt Theme 18 Extensions
NVD VulDB
CVSS 3.1
8.1
EPSS
0.6%
CVE-2026-49972 HIGH PATCH This Week

Remote code execution in the plank/laravel-mediable package before 7.0.0 lets attackers upload a double-extension file such as shell.php.jpg that passes all MIME, extension, and aggregate-type validation because of the trailing .jpg, yet retains an inner .php in its stored basename. On Apache/nginx servers misconfigured to execute any filename containing .php, the stored artifact runs as PHP. Reported by VulnCheck with a vendor patch in 7.0.0; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

PHP Nginx RCE File Upload Apache +1
NVD GitHub
CVSS 4.0
7.7
EPSS
0.8%
CVE-2026-7162 HIGH NEWS This Week

Local privilege escalation to SYSTEM in WinFsp (Windows File System Proxy) stems from an integer overflow (CWE-190) that a low-privileged local user can trigger to achieve system-level access on the host. The flaw crosses a privilege boundary (CVSS scope change) and is fixed in release v2.2B2. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, so exploitation is theoretical but the SYSTEM-level impact makes it a meaningful local escalation risk.

Integer Overflow Buffer Overflow Winfsp
NVD GitHub VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-62189 HIGH This Week

Authorization bypass via symlink following in OpenClaw's mirror sync feature (versions before 2026.6.9) lets a lower-privilege caller escalate into actions that should require stronger authorization. By planting or referencing symlink parents on a remote mirror target, an authenticated attacker can trick the sync logic into resolving links that cross policy and trust boundaries, yielding high confidentiality and integrity impact. There is no public exploit identified at time of analysis and no CISA KEV listing; no EPSS score was supplied.

Authentication Bypass Openclaw
NVD GitHub
CVSS 4.0
7.6
EPSS
0.3%
CVE-2026-61955 HIGH This Week

Blind SQL injection in the persian-gravity-forms WordPress plugin (گرویتی فرم فارسی) affects all versions up to and including 3.0.2, allowing a high-privilege authenticated attacker to inject arbitrary SQL through unsanitized input and blindly extract database contents. The flaw was reported by Patchstack and carries a CVSS 7.6 due to a changed scope and high confidentiality impact. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

SQLi
NVD
CVSS 3.1
7.6
EPSS
0.4%
CVE-2026-57773 HIGH This Week

Blind SQL injection in the Zorem "Advanced Shipment Tracking for WooCommerce" WordPress plugin (all versions through 4.0) lets an authenticated high-privileged user inject SQL into a backend query and extract database contents inference by inference. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV; it was disclosed via Patchstack. Because exploitation requires elevated WordPress privileges (CVSS PR:H), real-world risk is bounded to trusted-but-abusive or compromised admin/shop-manager accounts rather than anonymous internet attackers.

SQLi WordPress Advanced Shipment Tracking For Woocommerce
NVD
CVSS 3.1
7.6
EPSS
0.4%
CVE-2026-15685 HIGH This Week

Denial-of-service in Ollama's downloadBlob function lets remote, unauthenticated attackers crash affected installations by supplying malformed data that triggers an out-of-bounds array access. The flaw (ZDI-CAN-27277 / ZDI-26-403, CWE-129) carries a CVSS 7.5 with an availability-only impact and requires no authentication or user interaction. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV.

Information Disclosure Ollama
NVD VulDB
CVSS 3.0
7.5
EPSS
0.4%
CVE-2026-15548 HIGH This Week

Stack-based buffer overflow in Shibby Tomato router firmware (versions up to and including 1.28.0000) allows a remote, low-privileged attacker to corrupt the stack of the embedded web server (/usr/sbin/httpd) via the DNS List Rendering function sub_407220, potentially achieving arbitrary code execution on the router. The flaw is remotely reachable and, per the CVSS 4.0 vector, requires low-level authentication (PR:L) to the web administration interface. VulDB assigns an exploit maturity of Proof-of-Concept, meaning publicly available exploit code exists, though it is not listed in CISA KEV and no active exploitation is confirmed. Notably, the Tomato project by Shibby is discontinued and superseded by FreshTomato, so no first-party fix is expected.

Stack Overflow Buffer Overflow Tomato
NVD VulDB
CVSS 4.0
7.4
EPSS
0.7%
CVE-2026-39042 HIGH This Week

Denial of service in MikroTik RouterOS 7.21.x (before 7.21.4) and 7.22.x (before 7.22.2) allows a remote unauthenticated attacker to crash the core inter-process communication layer by triggering an integer overflow in the unflatten() function of the bundled libumsg.so library. Successfully exploiting it disrupts device availability without touching data confidentiality or integrity. There is no public exploit identified at time of analysis, though a third-party research blog documents the underlying integer overflow; EPSS is low at 0.20% (10th percentile).

Denial Of Service Mikrotik Integer Overflow N A
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-51539 HIGH This Week

A Denial of Service (DoS) vulnerability exists in the receive loop of libmodbus 3.1.12 when running on Windows. The issue stems from improper timeout management during network read operations.

Microsoft Denial Of Service N A
NVD GitHub
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-58101 HIGH PATCH This Week

Denial of service in the Crypt::OpenSSL::X509 Perl module before 2.1.3 lets a malformed X.509 certificate crash any Perl process that parses it. Four helper functions (basicC, ia5string, auth_att, keyid_data) dereference NULL pointers returned by OpenSSL's X509V3_EXT_d2i() on unparseable extensions - and keyid_data/auth_att additionally deref an akid->keyid field that is legitimately NULL for an empty Authority Key Identifier (DER 30 00). There is no public exploit identified at time of analysis, but the fix commit and a clear crash mechanism are published; CVSS is 7.5 (availability-only).

OpenSSL Denial Of Service Null Pointer Dereference Crypt
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-15680 HIGH This Week

Remote code execution in the Lorex 2K Indoor Wi-Fi Security Camera lets a network-adjacent, unauthenticated attacker run arbitrary code as root by abusing a CWE-134 format string flaw in the camera's 'sonia' binary. A user-supplied string within a JSON request is passed directly into a format specifier by the CDeviceOperator component, giving full device takeover. Discovered and reported through ZDI (ZDI-26-398 / ZDI-CAN-25884); no public exploit identified at time of analysis.

RCE 2K Indoor Wi Fi Security Camera
NVD
CVSS 3.0
7.5
EPSS
0.3%
CVE-2026-15683 HIGH This Week

Remote code execution affects the Lorex 2K Indoor Wi-Fi Security Camera through improper TLS certificate validation in its device management server, allowing a network-adjacent attacker to impersonate the management server and, when chained with additional flaws, run code as root without any user interaction. The issue was reported through Trend Micro's Zero Day Initiative (ZDI-26-399, formerly ZDI-CAN-26851). There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

RCE 2K Indoor Wi Fi Security Camera
NVD
CVSS 3.0
7.5
EPSS
0.1%
CVE-2026-59955 HIGH PATCH GHSA This Week

{appId}/{clusterName}/{namespace} endpoint as the literal string 'raw', so no matching secret is found and the signature check is skipped for the real target app. No public exploit identified at time of analysis; the flaw is fixed in Apollo 2.5.2.

Canonical Authentication Bypass
NVD GitHub
CVSS 3.1
7.5
CVE-2026-59954 HIGH PATCH GHSA This Week

Authentication bypass in Apollo (Ctrip apolloconfig) ConfigService allows an unauthenticated remote attacker to read protected configuration data from /configs and /configfiles endpoints even when AccessKey/management-key authentication is enabled. The flaw stems from ConfigService accepting a non-canonical appId variant (e.g. accented or trailing-space forms) that misses the AccessKey secret cache lookup - causing signature verification to be skipped - while the downstream release lookup still resolves the value to the real, protected app under equivalence-treating database collations. No public exploit identified at time of analysis, and it is not listed in CISA KEV; the confidentiality-only impact drives the CVSS 7.5 (High) rating.

Canonical Authentication Bypass
NVD GitHub
CVSS 3.1
7.5
CVE-2026-45378 HIGH PATCH GHSA This Week

Unauthenticated retrieval of scanned identity documents affects the Decidim participatory-democracy platform (decidim-verifications) when the "Identity documents" verification method is enabled. The admin review UI renders verification_attachment images via variant_url(...), emitting signed /rails/active_storage/disk/ links that bypass Decidim's authorization controllers; because Active Storage service URLs are configured to remain valid for seven days, anyone who obtains such a URL can download the underlying ID scan without any Decidim session. No public exploit identified at time of analysis, though the vendor advisory (GHSA-3mvf-82qp-8qh5) includes step-by-step reproduction; not listed in CISA KEV and EPSS was not provided.

Information Disclosure
NVD GitHub
CVSS 3.1
7.5
CVE-2026-15584 HIGH This Week

Privilege escalation in Red Hat OpenShift's incluster-checks diagnostic tool lets any authenticated user holding the standard 'edit' RBAC role escalate to root on the underlying cluster nodes. The tool provisions privileged debug pods with host-filesystem access inside the shared default namespace, so a low-privileged tenant can simply exec into an existing pod and break out to the host. No public exploit identified at time of analysis, and no CISA KEV listing; EPSS data was not provided in the source intelligence.

Privilege Escalation Pen Drive Powered By Red Hat Lightspeed
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-57815 HIGH This Week

Arbitrary file download via path traversal in the Forminator WordPress plugin (WPMU DEV) affects all versions up to and including 1.55.0.2, letting remote unauthenticated attackers read files outside the intended directory (CVSS 7.5, confidentiality-only). The Patchstack reference characterizes this as an arbitrary file download flaw, meaning sensitive server files such as wp-config.php could be exfiltrated. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

Path Traversal WordPress Forminator
NVD
CVSS 3.1
7.5
EPSS
0.5%
CVE-2026-57805 HIGH This Week

Local File Inclusion in the Select-Themes "Tonda" WordPress theme (all versions through 2.5) lets an authenticated attacker with low privileges coerce a PHP include/require statement into loading arbitrary local files on the server. Tracked as CVE-2026-57805 (CWE-98) and reported by Patchstack, it carries a CVSS 7.5 rating and enables disclosure of sensitive files such as wp-config.php, with potential escalation to code execution via log/session poisoning. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Information Disclosure LFI PHP Tonda
NVD
CVSS 3.1
7.5
EPSS
0.5%
CVE-2026-57804 HIGH This Week

Local File Inclusion in the CodexThemes TheGem Theme Elements (for Elementor) WordPress plugin (versions up to and including 5.11.1) lets an authenticated low-privileged attacker coerce the application into including arbitrary local PHP files, exposing sensitive files and potentially executing attacker-influenced code within the site context. Classified as CWE-98 (PHP Remote/Local File Inclusion) and reported by Patchstack, the flaw carries a CVSS 3.1 base score of 7.5 with high impact across confidentiality, integrity, and availability. There is no public exploit identified at time of analysis and no active exploitation on record.

Information Disclosure LFI PHP Thegem Theme Elements For Elementor
NVD
CVSS 3.1
7.5
EPSS
0.5%
CVE-2026-57803 HIGH This Week

Local File Inclusion in the Select-Themes Struktur Core WordPress plugin (all versions up to and including 2.5.1) lets an authenticated low-privileged user coerce a PHP include/require statement into loading arbitrary local files, exposing sensitive server-side content such as wp-config.php credentials. Reported by Patchstack and classified under CWE-98 (PHP Remote File Inclusion), the flaw carries a CVSS 3.1 score of 7.5; no public exploit identified at time of analysis and it is not listed in CISA KEV. Depending on server configuration, LFI of attacker-influenced content (e.g., poisoned logs or uploaded files) can escalate to PHP code execution.

Information Disclosure LFI PHP Struktur Core
NVD
CVSS 3.1
7.5
EPSS
0.5%
CVE-2026-57802 HIGH This Week

Local File Inclusion in the Select-Themes "Struktur" WordPress theme (all versions up to and including 2.5.1) lets an authenticated attacker coerce a PHP include/require statement into loading arbitrary local files on the server, exposing sensitive content such as wp-config.php credentials and, under the right conditions, escalating to code execution. Tracked as CVE-2026-57802 (CWE-98) and reported by Patchstack, it carries a CVSS 7.5 rating; there is no public exploit identified at time of analysis and it is not on CISA KEV. The CVSS vector's PR:L indicates authentication is required and AC:H reflects non-trivial exploitation preconditions.

Information Disclosure LFI PHP Struktur
NVD
CVSS 3.1
7.5
EPSS
0.5%
CVE-2026-57801 HIGH This Week

PHP Local File Inclusion in the Select-Themes SetSail WordPress theme (versions up to and including 2.1) allows an authenticated attacker to coerce the application into including local files via improper control of a filename in an include/require statement. Successful exploitation can disclose sensitive files (e.g., wp-config.php) and, depending on server conditions, escalate to code execution through log poisoning or PHP wrapper abuse. This is a Patchstack-reported issue with no public exploit identified at time of analysis and no CISA KEV listing.

Information Disclosure LFI PHP Setsail
NVD
CVSS 3.1
7.5
EPSS
0.5%
CVE-2026-57800 HIGH This Week

Local File Inclusion in the Edge-Themes 'Overworld' WordPress theme (versions up to and including 1.5) lets an authenticated attacker coerce a PHP include/require statement into loading arbitrary server-side files, disclosing sensitive data such as wp-config.php credentials and potentially escalating to code execution via log/session poisoning. The flaw was reported by Patchstack and is classified as CWE-98 (PHP Remote File Inclusion). No public exploit identified at time of analysis, and it is not listed in CISA KEV; EPSS was not provided.

Information Disclosure LFI PHP Overworld
NVD
CVSS 3.1
7.5
EPSS
0.5%
CVE-2026-57799 HIGH This Week

Local file inclusion in the uxper Nuss WordPress theme (versions up to and including 1.3.6) lets an authenticated attacker with low-privilege access coerce the theme into including arbitrary PHP-parsable files from the server via improperly controlled include/require paths (CWE-98). Successful exploitation can disclose sensitive files and, depending on what can be included, lead to code execution, with high confidentiality, integrity, and availability impact per the CVSS 7.5 rating. No public exploit identified at time of analysis; the flaw was reported through Patchstack.

Information Disclosure LFI PHP Nuss
NVD
CVSS 3.1
7.5
EPSS
0.5%
CVE-2026-57798 HIGH This Week

Local File Inclusion in the NewsPlus Shortcodes WordPress plugin (versions up to and including 4.2.0) allows an authenticated attacker to coerce the plugin into including arbitrary PHP-processable files from the server, enabling disclosure of sensitive files and potential code execution. The flaw stems from improper control of a filename passed to a PHP include/require statement (CWE-98). No public exploit was identified at the time of analysis, and it is not listed in CISA KEV; risk is moderated by high attack complexity and a required privilege level.

Information Disclosure LFI PHP Newsplus Shortcodes
NVD
CVSS 3.1
7.5
EPSS
0.5%
CVE-2026-57796 HIGH This Week

Local File Inclusion in the VLThemes Leedo WordPress theme (versions up to and including 3.0.0) allows authenticated attackers to include and execute arbitrary local files on the server via improper control of a filename passed to a PHP include/require statement. Although classified under PHP Remote File Inclusion (CWE-98), Patchstack characterizes the practical impact as Local File Inclusion, enabling disclosure of sensitive files and potential code execution from locally accessible content. No public exploit identified at time of analysis, and it is not listed in CISA KEV; the CVSS 3.1 base score is 7.5 with high attack complexity.

Information Disclosure LFI PHP Leedo
NVD
CVSS 3.1
7.5
EPSS
0.5%
CVE-2026-57795 HIGH This Week

Local File Inclusion in the Kitchor WordPress theme by themelexus (versions up to and including 1.4.3) allows an authenticated attacker to coerce a PHP include/require statement into loading arbitrary local files from the server. Because the theme fails to constrain the filename passed to an include path (CWE-98), an attacker with at least low-level authenticated access can read sensitive files such as wp-config.php and, under the right conditions, escalate to PHP code execution via log poisoning or inclusion of attacker-influenced content. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; the CVSS 3.1 base score is 7.5.

Information Disclosure LFI PHP Kitchor
NVD
CVSS 3.1
7.5
EPSS
0.5%
CVE-2026-57794 HIGH This Week

Local file inclusion in the uxper Golo Framework WordPress plugin (versions up to and including 1.7.3) lets an authenticated attacker abuse an improperly validated include/require path to read arbitrary server-side files and potentially execute embedded PHP. The CVSS 3.1 vector (AV:N/AC:H/PR:L/UI:N) indicates network-reachable exploitation requiring low-level authentication and elevated attack complexity, with high impact to confidentiality, integrity, and availability. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Information Disclosure LFI PHP Golo Framework
NVD
CVSS 3.1
7.5
EPSS
0.5%
CVE-2026-57793 HIGH This Week

Local File Inclusion in the Elated-Themes 'Flow' WordPress theme (all versions up to and including 1.8) lets an authenticated attacker abuse an improperly controlled include/require path to read local files and potentially execute PHP. The CVSS 3.1 vector (AV:N/AC:H/PR:L) indicates a network-reachable but low-privilege, high-complexity flaw. No public exploit identified at time of analysis, and it is not listed in CISA KEV; disclosure comes from Patchstack.

Information Disclosure LFI PHP Flow
NVD
CVSS 3.1
7.5
EPSS
0.5%
Prev Page 3 of 8 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy