Skip to main content
CVE-2026-12582 HIGH POC PATCH This Week

The Library Management System WordPress plugin before 3.5.8 does not sanitize and escape a user-supplied parameter before using it in a SQL statement, allowing unauthenticated attackers to perform SQL injection and extract arbitrary data from the database, including user password hashes.

WordPress SQLi Library Management System
NVD WPScan VulDB
CVSS 3.1
8.6
EPSS
0.2%
CVE-2026-62240 HIGH POC PATCH This Week

Server-side request forgery in CrewAI's scraping tools before version 1.15.1 lets remote attackers reach internal services and cloud metadata endpoints by abusing a flawed validate_url function. The filter performs a single DNS resolution and blocklist check, then returns the original URL unchanged, so attacker-supplied URLs that HTTP-redirect to internal addresses or exploit DNS rebinding slip past the guard. Publicly available exploit code exists (VulnCheck advisory and issue #6520), but there is no public exploit identified as being used in active attacks.

SSRF Crewai
NVD GitHub
CVSS 4.0
8.3
EPSS
0.3%
CVE-2026-11963 HIGH POC PATCH This Week

Privilege escalation in the User Registration & Membership WordPress plugin before 5.2.2 lets any authenticated low-privileged user (e.g. a subscriber) alter another account's WordPress role and membership tier. The membership-upgrade action performs no authorization check and trusts a caller-supplied user identifier instead of the current session, so an attacker can target an arbitrary account - including their own - to gain higher roles up to administrator. Publicly available exploit code exists and a vendor patch is available, but this is not listed in CISA KEV.

Information Disclosure WordPress User Registration Membership
NVD WPScan VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-62242 HIGH POC PATCH This Week

Server-side request forgery in codecentric Spring Boot Admin Server before 4.1.2 lets unauthenticated remote attackers register a monitored instance with attacker-controlled healthUrl and managementUrl values that are never validated against private IP ranges or cloud metadata endpoints. Because the server then fetches those URLs and exposes the response bodies through its actuator proxy, an attacker can pivot into internal networks and read back sensitive data such as cloud instance-metadata credentials. Publicly available exploit code exists and the flaw was reported by VulnCheck, though there is no public exploit identified as actively exploited (not in CISA KEV).

Java SSRF Spring Boot Admin
NVD GitHub
CVSS 4.0
7.7
EPSS
0.3%
CVE-2026-15545 HIGH POC This Week

Out-of-bounds write in the Shibby Tomato router firmware (versions up to and including 1.28.0000) lets authenticated remote users corrupt memory through the apcupsd web component. The flaw sits in the main() function of www/apcupsd/tomatodata.cgi, where crafted input reaches an out-of-bounds write (CWE-787) that can crash the CGI or potentially execute code on the router. Publicly available exploit code exists (via VulDB/Gitee), but there is no confirmed active exploitation; note that this project has been superseded by FreshTomato and is effectively end-of-life.

Memory Corruption Buffer Overflow Tomato
NVD VulDB
CVSS 4.0
7.4
EPSS
0.4%
CVE-2026-15544 HIGH POC This Week

Remote authenticated command execution is possible in Shibby Tomato router firmware through version 1.28.0000, where the getupsvar function in the apcupsd CGI handler (www/apcupsd/tomatodata.cgi) fails to bound the Field argument, producing a stack-based buffer overflow (CWE-121). A logged-in user can send a crafted request to corrupt the stack and hijack control flow with full confidentiality, integrity, and availability impact on the device. Publicly available exploit code exists (VulDB), though there is no evidence of active exploitation; the CVSS 4.0 score is 8.7 with an E:P (proof-of-concept) exploit-maturity flag.

Stack Overflow Buffer Overflow Tomato
NVD VulDB
CVSS 4.0
7.4
EPSS
0.4%
CVE-2026-15543 HIGH POC This Week

Buffer overflow in the Tenda CH22 router (firmware 1.0.0.1) allows a remote, authenticated attacker to corrupt memory by supplying an overlong 'Name' argument to the formCertListInfo function in the /goform/CertListInfo endpoint. The flaw was disclosed by VulDB with publicly available exploit code, and the CVSS 4.0 score of 8.7 reflects high confidentiality, integrity, and availability impact. No public exploit identified in CISA KEV, so this is a proof-of-concept-stage issue rather than confirmed in-the-wild abuse.

Tenda Buffer Overflow Ch22
NVD VulDB
CVSS 4.0
7.4
EPSS
0.5%
CVE-2026-12275 HIGH POC PATCH This Week

Broken authorization in the Tutor LMS WordPress plugin (before 3.9.13) lets authenticated subscriber-level users bypass paid/private-course access controls when the Droip or Kirki page-builder integration is active. Because these integration handlers omit the enrollment, purchase, and private-course capability checks enforced in the core course handler, low-privileged accounts can self-enroll in paid or private courses, read otherwise-restricted content, and mark arbitrary courses complete. Reported by WPScan with publicly available exploit detail and a vendor patch released; no active exploitation is currently listed in CISA KEV.

WordPress Information Disclosure Tutor Lms
NVD WPScan
CVSS 3.1
7.1
EPSS
0.1%
CVE-2026-49970 HIGH PATCH This Week

Arbitrary file write in the Plank Laravel-Mediable package (before 7.0.0) lets an attacker who influences the destination directory of MediaUploader::toDestination() plant uploaded files outside the intended storage path, culminating in remote code execution. The flaw stems from a weak File::sanitizePath() regex that permits both '.' and '/' characters plus an ineffective trailing trim(), so '../' traversal sequences survive sanitization and files can land in the document root, .env, or config directories. No public exploit has been identified at time of analysis, but a vendor patch (7.0.0) exists and the issue was reported by VulnCheck.

RCE Path Traversal Laravel Mediable
NVD GitHub
CVSS 4.0
8.7
EPSS
0.8%
CVE-2026-57830 HIGH This Week

Arbitrary file deletion in JoomShaper's Helix Ultimate template framework for Joomla allows unauthenticated remote attackers to delete files on the server due to a missing authorization check (CWE-862). Any anonymous user can reach the vulnerable functionality without credentials (PR:N/UI:N), enabling deletion of critical Joomla files to corrupt or take down the site. No public exploit has been identified at time of analysis, and the CVE is not listed in CISA KEV.

Authentication Bypass Helix Ultimate Extension For Joomla
NVD
CVSS 4.0
8.8
EPSS
0.2%
CVE-2026-55771 HIGH This Week

Incorrect equality comparison in CedarJava (cedar-java) versions before 4.9.0 causes EntityIdentifier.equals() to return true when comparing against null and false when comparing an object to itself, due to inverted null/self-reference branches. Cedar's actual authorization decisions are unaffected because they are computed in Rust from JSON, but integrators who call equals() on entity identifiers in their own Java logic may make incorrect trust or access decisions. No public exploit identified at time of analysis; the issue is fixed in 4.9.0.

RCE Code Injection Java Cedar Java
NVD GitHub
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-57786 HIGH This Week

Authentication bypass in the WorkScout Core WordPress plugin (versions up to and including 1.7.08) can be triggered through a Cross-Site Request Forgery flaw, letting an off-site attacker perform privileged authentication-related actions in the context of a logged-in victim who visits a malicious page. The issue was reported by Patchstack and carries a CVSS 8.8; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Because exploitation hinges on tricking an authenticated user into clicking (UI:R), it is high-impact but not point-and-click automatable.

Authentication Bypass CSRF Workscout Core
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-57713 HIGH This Week

PHP Object Injection in the WordPress Events Manager plugin (Marcus/@msykes) affects all versions up to and including 7.3.6, letting remote attackers deserialize untrusted data and instantiate arbitrary PHP objects. When paired with a suitable POP gadget chain present in the plugin, WordPress core, or another installed plugin, this can escalate to remote code execution, data theft, or site takeover. Reported by Patchstack with a CVSS of 8.8; there is no public exploit identified at time of analysis and it is not on CISA KEV, though the network vector combined with only requiring user interaction makes it a serious patch priority.

Deserialization Events Manager
NVD
CVSS 3.1
8.8
EPSS
0.5%
CVE-2026-57410 HIGH This Week

Privilege escalation in the MailerPress WordPress plugin (versions up to and including 2.0.2) lets an authenticated low-privilege user gain higher privileges through an incorrect privilege assignment flaw. The CVSS 3.1 vector (AV:N/AC:L/PR:L) indicates a network-reachable, low-complexity attack that any authenticated user can perform, yielding full confidentiality, integrity, and availability impact - effectively a takeover of the plugin's protected functionality or the WordPress site. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV; it was reported through Patchstack.

Privilege Escalation Mailerpress
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-57386 HIGH This Week

Privilege escalation in the aBlocks WordPress plugin (Kodezen LLC) through version 2.9.1 allows an authenticated low-privileged user to elevate their permissions due to incorrect privilege assignment. With a CVSS of 8.8 (AV:N/AC:L/PR:L), a subscriber- or contributor-level account can gain elevated capabilities remotely over the network. No public exploit identified at time of analysis; the issue was disclosed by Patchstack.

Privilege Escalation Ablocks
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-57371 HIGH This Week

PHP Object Injection in the WPJAM Basic WordPress plugin (denishua) affects all versions up to and including 7.0, allowing an authenticated attacker to inject crafted serialized objects that are deserialized by the plugin. Reported by Patchstack and rated CVSS 8.8, it can lead to high-impact compromise (confidentiality, integrity, and availability) of the WordPress site, though exploitation requires at least low-level authenticated access. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Deserialization Wpjam Basic
NVD
CVSS 3.1
8.8
EPSS
0.5%
CVE-2026-62184 HIGH PATCH This Week

Ban-list poisoning in OpenWrt's luci-app-banip (banIP) before 1.8.10 lets an unauthenticated remote attacker steer the automated IP-blocking engine at an arbitrary victim. Because the awk-based log monitor grabs the first IPv4 address it finds on a log line regardless of field position, an attacker can embed a spoofed IP inside an attacker-controlled field such as a login username; banIP then bans that injected address while the real attacker's source IP is never blocked. Reported by VulnCheck with a vendor patch available; no public exploit code or active exploitation is identified at time of analysis.

Code Injection Luci
NVD GitHub
CVSS 4.0
8.7
EPSS
0.4%
CVE-2026-62328 HIGH This Week

Unauthenticated information disclosure in 9Router (decolua/9router) through version 0.4.41 lets remote attackers read every user's AI request logs and full conversation histories by querying the /api/usage/request-logs and /api/usage/request-details endpoints, which ship without authentication middleware. Exposed data includes system prompts, user and assistant messages, tool calls, and user email addresses, and the linked GHSA advisory shows the same missing-auth flaw class also leaks plaintext provider API keys via /api/usage/stats and permits unauthenticated CRUD on /api/providers. This is a network-reachable, no-privilege flaw (CVSS 4.0 8.7) with no public exploit identified at time of analysis and no vendor-released patch identified at time of analysis.

Authentication Bypass Information Disclosure 9Router
NVD GitHub
CVSS 4.0
8.7
EPSS
0.4%
CVE-2026-61458 HIGH This Week

Passphrase brute-force in PasswordPusher before 2.9.2 lets remote attackers who possess a push token recover the passphrase protecting a shared secret by hammering the POST /p/:token/access endpoint. Because that route has no per-route rate limiting and no per-push lockout, an attacker can sustain roughly 120 guesses per minute, making short or dictionary-based passphrases recoverable within hours to days. Reported by VulnCheck; no public exploit identified at time of analysis and not listed in CISA KEV.

Information Disclosure Passwordpusher
NVD GitHub
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-62200 HIGH This Week

Authorization bypass in OpenClaw before 2026.6.1 lets a lower-trust authenticated caller abuse Git 'ext' transport through incomplete host-exec environment filtering to execute or persist actions beyond their intended privileges. VulnCheck reported and characterizes it as an authentication bypass via Git ext transport, and a GitHub Security Advisory (GHSA-9969-8g9h-rxwm) is published; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. The CVSS 4.0 base score of 8.7 reflects high confidentiality, integrity, and availability impact reachable over the network with only low privileges.

Information Disclosure Openclaw
NVD GitHub
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-62199 HIGH This Week

Authorization bypass in OpenClaw before 2026.6.6 lets a low-privileged caller inject crafted interpreter startup environment variables through the host exec feature, executing or persisting actions beyond their intended authorization. The flaw stems from incomplete environment-variable filtering (CWE-184) that overlooks interpreter startup variables, and per its CVSS 4.0 vector (VC:H/VI:H/VA:H) yields high confidentiality, integrity, and availability impact. No public exploit has been identified at time of analysis; the issue is reported by VulnCheck and fixed in 2026.6.6.

Information Disclosure Openclaw
NVD GitHub
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-62190 HIGH This Week

Authorization bypass in OpenClaw before 2026.6.9 lets a lower-trust caller escape the exec-approval trust boundary through the flock wrapper, executing or persisting privileged actions the caller was never authorized to perform. The CVSS 4.0 vector (PR:L) indicates an authenticated but low-privilege actor can achieve high confidentiality, integrity, and availability impact when the affected feature is enabled. Reported by VulnCheck with a vendor GitHub Security Advisory (GHSA-3fp5-v549-9v66); no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass Openclaw
NVD GitHub
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-57829 HIGH This Week

Stored cross-site scripting in JoomShaper's Helix Ultimate template framework for Joomla lets unauthenticated attackers persist malicious JavaScript that executes in a victim's browser when the affected page is viewed. Because injection requires no authentication (PR:N) but relies on a victim rendering the poisoned content (UI:P), an attacker can hijack sessions, steal credentials, or perform actions as high-privilege administrators who visit the page. No public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

XSS Helix Ultimate Extension For Joomla
NVD
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-62194 HIGH This Week

Privilege escalation in OpenClaw 2026.5.20 through 2026.6.8 lets an already-authenticated, lower-trust caller abuse the plugin install command path to execute or persist actions beyond their intended authorization. The root cause is an incorrect permission assignment (CWE-732) on plugin installation, and the CVSS 4.0 vector (PR:L, UI:N, AV:N) shows a low-privileged remote actor can achieve high confidentiality, integrity, and availability impact. No public exploit identified at time of analysis and the CVE is not in CISA KEV, but a GitHub Security Advisory (GHSA-7vrr-rp4x-4g76) and a VulnCheck advisory document it.

Privilege Escalation Openclaw
NVD GitHub
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-62196 HIGH This Week

Authorization bypass in OpenClaw (versions 2026.3.22 up to but not including 2026.6.6) lets a lower-trust WhatsApp sender satisfy elevated sender allowlists because WhatsApp group IDs are accepted as if they were privileged individual sender identities. An authenticated but low-privilege attacker can therefore invoke actions gated behind stronger authorization, effectively escalating privilege within the messaging integration. Reported by VulnCheck with a CVSS 4.0 base score of 8.7 (high); no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass Openclaw
NVD GitHub
CVSS 4.0
8.7
EPSS
0.2%
CVE-2026-62195 HIGH This Week

Authorization bypass in OpenClaw 2026.5.20 through 2026.6.5 lets a low-privilege caller invoke owner-only tools through the MCP loopback feature, escalating beyond intended permissions to execute or persist privileged actions. The flaw stems from incorrect permission enforcement (CWE-732) on configured input paths reachable over the network. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

Authentication Bypass Openclaw
NVD GitHub
CVSS 4.0
8.7
EPSS
0.2%
CVE-2026-57856 HIGH PATCH This Week

Path-traversal privilege escalation in Cockpit CMS Bucket file storage API (before 2.14.0) lets an authenticated low-privileged user bypass per-bucket isolation by supplying a '../' bucket name, granting cross-bucket read, upload, and delete over all files regardless of owner or role. The flaw stems from an incomplete sanitization regex that strips dangerous characters but preserves dot sequences, which Flysystem then normalizes down to the storage root. No public exploit is identified at time of analysis, though a proof-of-concept gist is referenced; the issue was reported by VulnCheck and a vendor patch is available.

PHP Path Traversal Cockpit Cms
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.4%
CVE-2026-57855 HIGH PATCH This Week

Broken access control in Cockpit CMS's Bucket file storage API (/system/buckets/api) lets any authenticated user, regardless of assigned role, execute all bucket file operations (list, upload, delete, rename, create folder) against any named bucket - including admin-only buckets. VulnCheck reported the flaw and publicly available exploit code exists (proof-of-concept gist), but there is no evidence of active exploitation. With a CVSS 4.0 score of 8.7 and full confidentiality/integrity/availability impact on stored files, it enables privilege escalation of file-storage capabilities across tenant boundaries within the CMS.

PHP Authentication Bypass Cockpit Cms
NVD GitHub
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-54065 HIGH PATCH GHSA This Week

Arbitrary file deletion in NukeViet CMS (versions before 4.6.00) allows an authenticated administrator to permanently delete any file within the web application root via a path-traversal payload in the comment Edit function. By padding the POST 'attach' parameter with exactly 26 filler characters followed by '../../<target>', an attacker survives the naive substr() prefix-stripping and stores a traversal path in the database; deleting the comment then removes the referenced file (e.g. config.php), forcing the site into the install wizard and causing a full outage. No public exploit identified at time of analysis, though the GitHub Security Advisory (GHSA-c9xg-64p9-f2jj) includes a full working reproduction.

PHP Path Traversal
NVD GitHub
CVSS 3.1
8.7
CVE-2026-54064 HIGH POC PATCH GHSA This Week

Stored cross-site scripting in the NukeViet CMS News module (versions before 4.6.00) lets any authenticated user with news-posting permission persist arbitrary JavaScript that runs in the browser of every visitor, including administrators. Two independent filter bypasses defeat the built-in anti-XSS routines in NukeViet\Core\Request: a Form Feed (\x0C) prefix slips event-handler attributes past the /^on/ check, and a decimal HTML-entity tab (&#9;) smuggles a javascript: URI past the keyword filter. Publicly available exploit payloads exist in the vendor advisory; there is no evidence of active exploitation and no EPSS figure was supplied.

PHP Privilege Escalation XSS
NVD GitHub
CVSS 3.1
8.7
CVE-2026-61463 HIGH PATCH This Week

Vertical privilege escalation in Shiori (go-shiori), the self-hosted Go bookmark manager, lets any authenticated low-privilege user promote themselves to administrator. By sending a crafted PATCH request to the /api/v1/auth/account update endpoint with owner: true - a field that lacked an authorization check - the user flips their own owner flag, then re-authenticates to receive an admin JWT granting full system access. Disclosed by VulnCheck with a vendor fix committed upstream; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Privilege Escalation Shiori
NVD GitHub
CVSS 4.0
8.7
EPSS
0.4%
CVE-2026-49259 HIGH POC PATCH GHSA This Week

Stored cross-site scripting in NukeViet CMS 4.x through 4.5.08 lets a low-privileged authenticated member embed a JavaScript payload in their profile display name (first_name/last_name), which then executes when any visitor - including administrators - clicks the Reply/Answer link on that member's comment. The flaw stems from HTML-entity encoding being applied where JavaScript-string escaping is required, so the payload runs in the victim's session context and can drive admin session actions, credential phishing, and data exfiltration. Publicly available exploit code exists (a working PoC is published in the GHSA advisory), though there is no public exploit identified as actively used in the wild.

PHP Privilege Escalation XSS
NVD GitHub
CVSS 3.1
8.7
CVE-2026-22099 HIGH PATCH This Week

Bluetooth authentication bypass in the Evbee DC-80 DC EV charging station lets an attacker within radio range issue privileged commands without any credentials, enabling sensitive information disclosure, forced reboots, and - most dangerously - the ability to push an arbitrary firmware update URL to the device. Reported by DIVD (DIVD-2026-00001), it carries CVSS 4.0 base 8.7 (High). No public exploit identified at time of analysis, and it is not listed in CISA KEV.

Authentication Bypass Dc 80
NVD
CVSS 4.0
8.7
EPSS
0.2%
CVE-2026-62185 HIGH This Week

Insecure-default configuration in the Argo CD (argoproj/argo-helm) Helm chart before 10.0.0 ships without any Kubernetes NetworkPolicy, so every pod sharing the cluster can reach the repo-server and other internal Argo CD APIs that are normally meant to be isolated. A low-privileged workload that an attacker already controls can chain this unrestricted intra-cluster access into full cluster compromise and remote code execution. Reported by VulnCheck; no public exploit identified at time of analysis and it is not listed in CISA KEV, but the vendor rates real-world impact high (CVSS 4.0 base 8.6).

RCE Argo Helm
NVD GitHub
CVSS 4.0
8.6
EPSS
0.3%
CVE-2026-62188 HIGH This Week

Privilege escalation via broken authorization in the OpenClaw @openclaw/feishu integration (versions 2026.6.6 and earlier) allows a lower-trust, already-authenticated caller to invoke Feishu permission tools that should have been blocked by per-account disablement settings. Because the enforcement gap lets a low-privilege actor perform actions requiring stronger authorization, the flaw carries high confidentiality and integrity impact (CVSS 4.0 base 8.6). No public exploit identified at time of analysis, and it is not listed in CISA KEV.

Authentication Bypass Feishu
NVD GitHub VulDB
CVSS 4.0
8.6
EPSS
0.2%
CVE-2026-62187 HIGH This Week

Authorization bypass in the @openclaw/feishu npm package (versions <= 2026.6.6) allows a lower-trust caller - or attacker-influenced input reaching a configured input path - to perform Feishu (Lark) actions that should have required stronger authorization, because per-account disablement can be ignored. Authenticated remote attackers can trigger unauthorized operations affecting confidentiality and integrity; no public exploit has been identified at time of analysis, and the flaw is fixed in version 2026.6.9. Real-world impact is gated by the operator's configuration and whether untrusted input can reach the affected feature.

Authentication Bypass Node.js Feishu
NVD GitHub
CVSS 4.0
8.6
EPSS
0.2%
CVE-2026-22100 HIGH PATCH This Week

OS command injection in the EVBEE DC-80 electric-vehicle DC charger lets an actor who can send OCPP messages execute arbitrary commands as root by tampering with the data value of the vendor-specific `ReserveLogin` DataTransfer message. The flaw was reported by DIVD (Dutch Institute for Vulnerability Disclosure) and affects the charger's OCPP handling; no public exploit identified at time of analysis and it is not listed in CISA KEV. Because execution occurs as root, successful exploitation results in full compromise of the charging station.

Command Injection Dc 80
NVD
CVSS 4.0
8.6
EPSS
1.0%
CVE-2026-57709 HIGH This Week

Arbitrary file deletion in WP Swings' Membership For WooCommerce WordPress plugin (all versions up to and including 3.1.0) lets remote attackers delete files outside the intended directory via unsanitized path input. The CVSS vector (PR:N) indicates the flaw is reachable without authentication, and the scope-changed rating reflects that deletion of critical files (e.g., wp-config.php) can break or reset the entire WordPress site. No public exploit has been identified at time of analysis; the issue was reported by Patchstack.

Path Traversal WordPress Membership For Woocommerce
NVD
CVSS 3.1
8.6
EPSS
0.5%
CVE-2026-57389 HIGH This Week

Path traversal in the Groundhogg WordPress CRM/marketing-automation plugin (versions up to and including 4.4.1) lets remote unauthenticated attackers delete arbitrary files on the server by supplying crafted pathnames that escape the intended directory. Patchstack classifies the concrete impact as arbitrary file deletion, and the CVSS vector (AV:N/PR:N with scope-change and high availability impact) reflects that deleting critical files such as wp-config.php can break or reset the WordPress site. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV.

Path Traversal Groundhogg
NVD
CVSS 3.1
8.6
EPSS
0.5%
CVE-2026-9492 HIGH This Week

Local privilege escalation in the MBStorage DRAM lighting control module of GIGABYTE's Gigabyte Control Center (GCC) lets an authenticated low-privileged local user reach kernel-level privileges by abusing the bundled MyPortIO_x64.sys driver. The driver exposes IOCTL handlers without adequate access control, permitting arbitrary read and write of physical memory. No public exploit identified at time of analysis; the issue was reported by Taiwan's TWCERT and carries a CVSS 4.0 base score of 8.5 (High).

Information Disclosure Mbstorage
NVD VulDB
CVSS 4.0
8.5
EPSS
0.1%
CVE-2026-45414 HIGH PATCH GHSA This Week

Cross-tenant authentication bypass in Decidim (the Ruby-on-Rails participatory-democracy platform) lets a JWT issued in one organization (tenant) be replayed against a second organization's GraphQL API by simply changing the HTTP Host header. An authenticated Org 1 principal (admin or API user) can then read Org 2's admin-only participantDetails field, harvest Org 2 participant personal data, and reach Org 2's proposal.answer mutation path. Rated CVSS 8.5 with a scope change; the vendor advisory publishes step-by-step reproduction, but no CISA KEV listing and no EPSS score were provided, so widespread active exploitation is not established.

Authentication Bypass
NVD GitHub
CVSS 3.1
8.5
CVE-2026-57810 HIGH This Week

Blind SQL injection in the APIExperts "Square for WooCommerce" (woosquare) WordPress plugin affects all versions up to and including 4.7.4, allowing an authenticated attacker to inject crafted SQL into a database query and infer or extract data via boolean/time-based blind techniques. The flaw was reported by Patchstack and carries a CVSS 3.1 score of 8.5; no public exploit identified at time of analysis and it is not listed in CISA KEV. Because the CVSS vector specifies PR:L, exploitation requires an existing low-privileged authenticated session rather than fully anonymous access.

SQLi WordPress Apiexperts Square For Woocommerce
NVD
CVSS 3.1
8.5
EPSS
0.4%
CVE-2026-57787 HIGH This Week

Authenticated blind SQL injection in the CreativeWS CWS SVGicons WordPress plugin (all versions up to and including 1.5.5) allows a low-privileged authenticated user to inject crafted SQL into a database query, per a Patchstack advisory. Because the CVSS vector reports a scope change with high confidentiality impact, a successful attack can read data beyond the plugin's own tables, exposing the broader WordPress database. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

SQLi Cws Svgicons
NVD
CVSS 3.1
8.5
EPSS
0.3%
CVE-2026-57772 HIGH This Week

Blind SQL injection in the WP Inventory Manager WordPress plugin (versions up to and including 2.4.0) lets an authenticated attacker with low privileges inject crafted SQL into database queries, enabling extraction of arbitrary database contents such as user credentials and secrets. Reported by Patchstack, the flaw carries a CVSS 8.5 (scope-changed) rating; no public exploit has been identified at time of analysis and it is not listed in CISA KEV, so risk is currently theoretical but high-impact.

SQLi Wp Inventory Manager
NVD
CVSS 3.1
8.5
EPSS
0.4%
CVE-2026-57771 HIGH This Week

Blind SQL injection in the GD Rating System WordPress plugin (versions up to and including 3.7) allows authenticated attackers to inject arbitrary SQL into backend database queries. Because the CVSS vector shows PR:L, a low-privileged authenticated user can extract sensitive database contents (CVSS 8.5, scope-changed). No public exploit identified at time of analysis; the flaw was reported by Patchstack via its coordinated disclosure database.

SQLi Gd Rating System
NVD
CVSS 3.1
8.5
EPSS
0.4%
CVE-2026-57385 HIGH This Week

Blind SQL injection in the appsbd Vitepos (vitepos-lite) WordPress point-of-sale plugin affects all versions up to and including 3.4.2, allowing an authenticated attacker with low privileges to inject crafted SQL into backend database queries and infer data via boolean/time-based responses. The CVSS 3.1 base score of 8.5 reflects a scope change (S:C) with high confidentiality impact, meaning the plugin's SQL context can reach database contents beyond its own security boundary. No public exploit was identified at time of analysis, and the CVE is not listed in CISA KEV.

SQLi Vitepos
NVD
CVSS 3.1
8.5
EPSS
0.4%
CVE-2026-57432 HIGH PATCH This Week

Out-of-bounds heap read in the Perl interpreter (through version 5.43.10) lets an attacker who controls a pack or unpack template disclose adjacent heap memory back to the calling program. An unchecked integer overflow in S_measure_struct wraps the running size total negative, defeating the signed-length guards on the @, X, and x position codes and walking the buffer pointer outside its bounds. No public exploit is identified at time of analysis; the flaw was reported by CPANSec with vendor patches already committed upstream.

Buffer Overflow Integer Overflow Perl
NVD GitHub VulDB
CVSS 3.1
8.4
EPSS
0.2%
CVE-2026-62143 HIGH PATCH This Week

Server-Side Request Forgery bypass in the html_to_markdown expansion module of misp-modules lets an authenticated attacker reach internal, loopback, and link-local services that the module's IP range filtering was meant to block. By supplying an IPv4-mapped IPv6 address such as http://[::ffff:169.254.169.254]/ (or a hostname resolving to one), the attacker defeats the blocked-range checks and can pull back internal content — including cloud instance metadata — rendered back to them as Markdown. No public exploit identified at time of analysis and it is not in CISA KEV, but the underlying IPv4-mapped-IPv6 filter bypass is a well-understood, easily reproduced technique.

SSRF Misp Modules
NVD GitHub
CVSS 4.0
8.3
EPSS
0.2%
CVE-2026-58486 HIGH This Week

Denial of service in HedgeDoc before 1.11.0 lets a user who can store a note crash the instance by embedding a YAML "alias bomb" in the note frontmatter. Because HedgeDoc parsed frontmatter with the unsafe js-yaml v3 load (via @hedgedoc/meta-marked) and resolved anchor aliases, a compact ten-level payload expands into a massive object that blocks the single Node.js event loop for roughly 235 seconds on every request to the publish view (/s/<shortid>) or, under the opengraph key, the editor view (/<noteId>). No public exploit has been identified at time of analysis and the flaw is not in CISA KEV, but the stored payload persists in the database and re-triggers after process restarts, making outages durable until the note is deleted.

Node.js Denial Of Service Hedgedoc
NVD GitHub
CVSS 4.0
8.3
EPSS
0.2%
CVE-2026-58500 HIGH PATCH This Week

Cross-site scripting in appium-mcp (the Appium MCP server) versions <= 1.85.9 lets an attacker who controls the mobile app under test inject arbitrary HTML/JavaScript into the MCP UI resource returned by the generate_locators tool, because createLocatorGeneratorUI interpolates element attributes (text, content-desc, resource-id, selector, strategy) into an HTML template without escaping. When a victim's MCP client renders the resource, the injected script runs and can call arbitrary registered MCP tools via window.parent.postMessage (screenshots, page-source reads, etc.). No public exploit identified at time of analysis, though the fix commit ships XSS test cases; fixed in 1.85.10.

Google XSS Appium Mcp
NVD GitHub
CVSS 3.1
8.2
EPSS
0.3%
Page 1 of 4 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy