Skip to main content
2026-07-15

2026-07-16

CVE-2026-12492 CRITICAL POC PATCH Act Now

Authentication bypass in the Happy Coders OTP Login for WooCommerce WordPress plugin (versions 1.5 through 2.7) lets unauthenticated remote attackers log in as any existing user, including administrators, and create arbitrary accounts. The plugin authenticates a user from a supplied identifier without confirming that the one-time password was ever validated. Publicly available exploit code exists (WPScan) and a vendor patch (2.8) is available; EPSS remains low at 0.15% despite the maximal 9.8 CVSS score.

Authentication Bypass WordPress Happy Coders Otp Login For Woocommerce
NVD WPScan
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-63087 CRITICAL POC Act Now

Authentication bypass in Grafana OnCall through 1.16.11 lets unauthenticated remote attackers mint a valid PluginAuthToken by POSTing to the internal plugin install endpoint with hardcoded default stack_id and org_id values exposed in the public source tree, then use that token to seize full control of the OnCall instance. With the token, an attacker can create arbitrary Admin users via the user-context header bootstrap path, revoke the legitimate plugin token to lock out operators, and redirect OnCall-to-Grafana API traffic to an attacker host by overwriting grafana_url and api_token. Publicly available exploit code exists (reported by VulnCheck), CVSS 4.0 base 9.3, though there is no public exploit identified as actively exploited - it is not on CISA KEV.

Grafana Authentication Bypass Oncall
NVD GitHub
CVSS 4.0
9.3
CVE-2026-12525 HIGH POC PATCH This Week

The Redux Framework WordPress plugin before 4.5.13 does not restrict which user meta keys can be written when saving custom profile fields, allowing users with at least the Subscriber role to escalate their privileges to Administrator by submitting a crafted value while updating their own profile, on sites where the Redux Framework WordPress plugin before 4.5.13's user-profile (Users extension) feature is enabled.

Privilege Escalation WordPress Redux Framework
NVD WPScan
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-63085 HIGH POC PATCH This Week

Privilege escalation in Axelor Open Platform 8.x before 8.2.2 lets an authenticated non-admin user grant themselves administrative roles and groups by writing to protected User fields through a nested relational save on a related entity, bypassing the USER_RESTRICTED_FIELDS control. The flaw (CWE-863, improper authorization) was reported by VulnCheck and has publicly available exploit code; it is not listed in CISA KEV. With a CVSS 4.0 base score of 8.7 and full compromise of confidentiality, integrity, and availability of the vulnerable system, any low-privileged account can effectively become an administrator.

Authentication Bypass Axelor Open Platform
NVD GitHub
CVSS 4.0
8.7
CVE-2026-12585 HIGH POC PATCH This Week

The Abandoned Cart Lite for WooCommerce WordPress plugin before 6.8.2 does not protect the integrity of its cart-recovery tokens or bind them to the requesting account, allowing unauthenticated attackers to forge a recovery link that logs them in as another user when the automatic-login option is enabled.

WordPress Abandoned Cart Lite For Woocommerce Authentication Bypass
NVD WPScan
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-12978 HIGH POC PATCH This Week

Reflected Cross-Site Scripting in the FunnelKit WordPress plugin before 3.15.0.6 lets unauthenticated attackers inject arbitrary JavaScript into a page-builder AJAX response, which executes in the browser of a logged-in user who opens an attacker-crafted link. The flaw is only reachable when the Divi builder integration is active, and publicly available exploit code exists though there is no public exploit identified as actively exploited at time of analysis. EPSS was not provided and the vulnerability is not on CISA KEV, so widespread exploitation is unconfirmed.

WordPress XSS Funnelkit
NVD WPScan
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-63086 MEDIUM POC This Month

Server-side request forgery in HuggingFace text-generation-inference through version 3.3.7 enables unauthenticated remote attackers to coerce the server into issuing arbitrary outbound HTTP GET requests via a crafted image_url value submitted to the OpenAI-compatible multimodal chat completions endpoint. The fetch_image function in router/src/validation.rs applies no destination validation, and the reqwest client's default redirect-following behavior allows attackers to chain redirects to bypass any scheme-level controls, reaching cloud instance-metadata services (e.g., AWS IMDSv1 at 169.254.169.254) to steal IAM credentials or enumerate internal port services. Publicly available exploit code exists (VulnCheck/geo-chen); no KEV listing at time of analysis, but the combination of unauthenticated access, cloud credential theft potential, and working POC makes this a genuine priority for any cloud-hosted TGI deployment.

SSRF Text Generation Inference
NVD GitHub
CVSS 4.0
6.9
CVE-2026-12395 MEDIUM POC PATCH This Month

SQL injection in WP Job Portal WordPress plugin before 2.5.5 enables authenticated subscriber-level users to exfiltrate data from the underlying WordPress database. Because subscriber accounts are explicitly self-registerable (no admin approval required), the practical authentication barrier is near-zero for any external attacker. A publicly available exploit exists per WPScan, though EPSS at 0.18% (7th percentile) indicates limited observed exploitation to date and no CISA KEV listing at time of analysis.

SQLi WordPress Wp Job Portal
NVD WPScan
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-11371 MEDIUM POC PATCH This Month

Stored cross-site scripting via prompt injection in the BetterDocs WordPress plugin (versions 4.0.0 through 4.5.5) allows unauthenticated attackers to permanently implant malicious JavaScript into documentation pages by manipulating the plugin's AI-generated summary feature. Because the AI output is stored unsanitized and the generation endpoint requires no authentication, an attacker can craft adversarial prompts that cause the AI to produce and persist executable script payloads - payloads that then fire in the browser of every subsequent visitor, including WordPress administrators. A publicly available exploit exists via WPScan; no active exploitation confirmed in CISA KEV at time of analysis.

WordPress XSS Betterdocs
NVD WPScan
CVSS 3.1
6.1
EPSS
0.2%
CVE-2026-12869 MEDIUM POC PATCH This Month

Stored cross-site scripting in the Header Footer Builder for Elementor WordPress plugin before 1.2.1 permits any Contributor-level user to inject persistent JavaScript into every page of the affected site by importing a crafted template through the plugin's dashboard action, which incorrectly requires only edit_posts capability rather than administrator access. Once the malicious Elementor HTML widget is imported with site-wide display scope, the payload executes in the browser of every visitor and administrator who loads the site - enabling session hijacking, credential theft, or admin account takeover. A publicly available exploit exists per WPScan (EUVD-2026-44878); no CISA KEV listing at time of analysis.

WordPress XSS Header Footer Builder For Elementor
NVD WPScan
CVSS 3.1
6.1
EPSS
0.2%
CVE-2026-45336 CRITICAL Act Now

Authentication bypass in HireFlow interview management system (versions 1.2 and earlier) lets unauthenticated remote attackers forge signed session cookies because app.py ships a hard-coded Flask secret_key. Since the key is present in the public source tree, any attacker can mint cookies asserting role=admin and arbitrary user_id values to gain full administrative access. Rated CVSS 10.0; no public exploit is identified at time of analysis, though the flaw is trivially reproducible from the disclosed source value.

Python Authentication Bypass Hireflow
NVD GitHub
CVSS 3.1
10.0
CVE-2026-12510 MEDIUM POC PATCH This Month

Unauthorized access to private chatbot conversations in the AI Engine WordPress plugin before 3.5.5 allows any authenticated subscriber-level user to both read and overwrite other users' chat records when the discussions feature is enabled. The plugin fails to verify that a client-supplied conversation identifier belongs to the requesting user (CWE-639 IDOR), enabling session data theft and record hijacking. Public exploit code is available via WPScan, though EPSS stands at only 0.13% (3rd percentile), suggesting no widespread automated exploitation; active exploitation is not confirmed in the CISA KEV at time of analysis.

Authentication Bypass WordPress Ai Engine
NVD WPScan
CVSS 3.1
5.9
EPSS
0.1%
CVE-2026-15013 CRITICAL Act Now

Authentication bypass in the miniOrange SAML Single Sign On - SSO Login plugin for WordPress (all versions through 5.4.3) lets unauthenticated attackers forge SAML assertions and seize any account, including administrator. The plugin trusts the SignatureMethod algorithm declared inside the attacker-supplied SAMLResponse, enabling an RSA-to-HMAC signature confusion attack that yields valid WordPress auth cookies and full admin takeover. Reported by Wordfence; no public exploit identified at time of analysis, but the flaw is trivially exploitable and carries a 9.8 CVSS.

Authentication Bypass WordPress Jwt Attack Saml Single Sign On Sso Login
NVD
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-22752 CRITICAL Act Now

Authentication bypass in VMware/Spring's Spring Authorization Server (versions 7.0.0-7.0.4, 1.5.0-1.5.6, 1.4.0-1.4.9, and 1.3.0-1.3.10) allows a low-privileged authenticated actor to circumvent authentication controls and access protected resources across a security boundary. The CVSS 9.6 (Critical) rating reflects a scope change with high confidentiality and integrity impact but no availability effect. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the near-maximum score in a widely deployed OAuth2/OIDC authorization component makes this a high-priority patch.

Authentication Bypass Java Spring Authorization Server
NVD VulDB
CVSS 3.1
9.6
EPSS
0.5%
CVE-2026-12979 MEDIUM POC PATCH This Month

Path traversal in FunnelKit WordPress plugin before 3.15.0.6 enables authenticated administrators to delete arbitrary .json files outside the plugin's intended directory during template-import operations. The root cause is CWE-73 (External Control of File Name or Path): the deletion handler accepts user-supplied paths without canonicalization or boundary enforcement. Leveraging CVSS scope change (S:C), a malicious admin can target configuration files belonging to other installed plugins, causing cascading denial-of-service across the WordPress installation. A publicly available exploit exists; the vulnerability is not in the CISA KEV catalog at time of analysis.

Path Traversal Denial Of Service WordPress Funnelkit
NVD WPScan
CVSS 3.1
5.5
EPSS
0.1%
CVE-2026-11866 MEDIUM POC PATCH This Month

Cross-Site Request Forgery in the Appointment Booking Plugin for WordPress (versions before 5.6.3) allows an unauthenticated attacker to perform privileged administrative actions - including overwriting the booking-form configuration and disconnecting the connected payment gateway - by tricking a logged-in administrator into clicking a malicious link or visiting an attacker-controlled page. The root cause is absent CSRF nonce validation across multiple state-changing actions handled by the plugin's central request dispatcher. A publicly available proof-of-concept exists per the WPScan advisory, though EPSS sits at 0.10% (1st percentile), indicating negligible observed exploitation activity and no CISA KEV listing at time of analysis.

CSRF WordPress Appointment Booking Plugin
NVD WPScan
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-63082 MEDIUM POC This Month

Broken access control in Perfect Support Ticketing & Document Management System through version 1.7 permits authenticated Agent-level users to manipulate the Support Agent assignment field on tickets beyond their authorized scope, including adding or removing Superadmin accounts. The vulnerability stems from missing server-side authorization checks (CWE-862), allowing role-based access controls to be circumvented entirely by any Agent assigned to a ticket. A publicly available exploit exists per VulnCheck and a GitHub PoC disclosure; no CISA KEV listing is present at time of analysis.

Authentication Bypass Perfect Support Ticketing Document Management System
NVD GitHub
CVSS 4.0
5.3
CVE-2026-54733 CRITICAL PATCH Act Now

Authentication bypass in the Microsoft 365 / Microsoft Entra ID (local_o365) plugin for Moodle allows an unauthenticated attacker to forge a JWT and log in as any Office 365-linked Moodle user before versions 4.5.6, 5.0.5, and 5.1.1. The Teams SSO endpoint sso_login.php base64-decodes the JWT payload and trusts the 'upn' claim without verifying the token signature, so a self-signed or hand-crafted token is accepted as valid. There is no public exploit identified at time of analysis and it is not in CISA KEV, but the flaw is trivially exploitable and confirmed by a Microsoft GitHub security advisory (GHSA-hqjh-93qv-47v5).

Microsoft PHP Jwt Attack Information Disclosure O365 Moodle
NVD GitHub
CVSS 4.0
9.3
CVE-2026-59866 CRITICAL PATCH Act Now

Path traversal and code injection in Microsoft Kiota before 1.32.5 lets an attacker-controlled OpenAPI description write generated source files outside the intended output directory and inject arbitrary text into class/namespace declarations. When a developer runs `kiota generate` without the -c/--class-name flag, Kiota consumes the clientClassName and clientNamespaceName values from the OpenAPI `x-ms-kiota-info` extension without identifier or path sanitization, using them both as code identifiers and as filesystem path components. There is no public exploit identified at time of analysis and no CISA KEV listing, though the fix (SanitizeClientClassName/SanitizeClientNamespaceName) is visible in the merged patch.

Path Traversal Kiota
NVD GitHub
CVSS 4.0
9.3
CVE-2026-59864 CRITICAL PATCH Act Now

Path traversal in Microsoft Kiota before 1.32.5 lets an attacker-controlled OpenAPI description inject unvalidated `static_template.file` values (via the x-ai-adaptive-card and x-ai-capabilities extensions) into generated Microsoft 365 Copilot and Teams plugin manifests, so a developer who runs `kiota plugin add` or `kiota plugin generate -t APIPlugin` against a malicious spec produces a manifest that resolves files outside its package when deployed. Rated CVSS 4.0 9.3 (Critical) with high confidentiality/integrity/availability impact and no privileges required. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; the upstream fix is confirmed in release v1.32.5.

Microsoft Path Traversal Kiota
NVD GitHub
CVSS 4.0
9.3
CVE-2026-59865 CRITICAL PATCH Act Now

Command injection in Microsoft Kiota before 1.32.5 lets a malicious or compromised OpenAPI description dictate the install command that Kiota presents to developers. When a developer runs `kiota info` (or the VS Code extension's `kiota info --json` dependency-install flow) against an attacker-controlled spec, Kiota reads the `x-ms-kiota-info.languagesInformation.<language>.dependencyInstallCommand` field plus attacker-chosen dependency name/version values and surfaces them as its trusted recommended install command, achieving arbitrary command execution when that command is run. No public exploit has been identified at time of analysis and it is not in CISA KEV, but the fix explicitly removes the untrusted extension field.

Command Injection RCE Code Injection Kiota
NVD GitHub
CVSS 4.0
9.3
CVE-2026-63306 CRITICAL PATCH Act Now

Server-side request forgery in stoatchat before 0.13.5 allows remote unauthenticated attackers to coerce the server into making arbitrary outbound requests through the /proxy and /embed endpoints, which accept attacker-supplied URLs without DNS resolution filtering or private-IP validation. Reported by VulnCheck and carrying a CVSS 4.0 score of 9.2, it lets attackers enumerate internal services, fingerprint applications, and reach cloud instance-metadata endpoints. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

SSRF Stoatchat
NVD GitHub VulDB
CVSS 4.0
9.2
CVE-2026-63305 CRITICAL Act Now

OS command injection in WWBN AVideo through version 29.0 allows attackers to execute arbitrary operating-system commands as the web-server user via the ffmpeg.json.php endpoint. The notifyCode and callback request parameters are concatenated into a shell command without escaping, so an attacker able to produce a valid encrypted payload can inject shell metacharacters and achieve remote code execution. No public exploit identified at time of analysis; the flaw carries a CVSS 4.0 base score of 9.2, though successful exploitation is gated by the requirement to forge a valid encrypted payload.

PHP Command Injection Avideo
NVD GitHub
CVSS 4.0
9.2
CVE-2026-63304 CRITICAL Act Now

OS command injection in AVideo (WWBN) through version 29.0 lets remote attackers who can forge a valid encrypted codeToExec payload run arbitrary shell commands as the web-server user via the listFFmpegProcesses() function in the standAlone plugin API. The flaw is unauthenticated (PR:N) but non-trivial to reach because it depends on producing an accepted encrypted parameter, and no public exploit or CISA KEV listing is identified at time of analysis.

PHP Command Injection Avideo
NVD GitHub
CVSS 4.0
9.2
CVE-2026-15925 CRITICAL PATCH Act Now

Improper TLS hostname verification in the Snowflake Connector for Python (versions before 4.7.1) lets an on-path attacker defeat HTTPS certificate validation, accepting any certificate signed by any trusted CA regardless of the requested hostname. An adversary who can intercept traffic can decrypt and tamper with connector sessions, exposing Snowflake credentials, query results, and staged file data, and can inject arbitrary SQL bounded by the victim role's privileges. There is no public exploit identified at time of analysis and it is not on CISA KEV, but the reporting vendor (Snowflake) rates it CVSS 4.0 9.2.

Python Authentication Bypass Snowflake Connector For Python
NVD GitHub VulDB
CVSS 4.0
9.2
EPSS
0.2%
CVE-2026-63081 MEDIUM POC This Month

Stored cross-site scripting in Perfect Support Ticketing & Document Management System through version 1.7 allows authenticated Agent-level users to inject persistent malicious scripts into ticket Notes fields. Any user who subsequently views the compromised ticket notes - including Superadmin users - executes the attacker's payload in their browser context, enabling session token theft and unauthorized actions performed on the victim's behalf. No public exploit identified at time of analysis for KEV listing, though a publicly available proof-of-concept exists per VulnCheck and the researcher's GitHub repository.

XSS Perfect Support Ticketing Document Management System
NVD GitHub
CVSS 4.0
5.1
CVE-2026-11386 CRITICAL PATCH Act Now

Root-level remote code execution in Canonical's ubuntu-pro-client (formerly ubuntu-advantage-tools) allows an attacker who can spoof or tamper with the Ubuntu Pro contract server response to inject arbitrary APT source lines and install malicious root-owned packages. The client builds /etc/apt/sources.list.d entries from the server's directives.suites[] and directives.aptURL fields via Python str.format() without escaping or newline filtering, and passes additionalPackages[] positionally into a root-run apt-get install. Because the component is preinstalled on supported Ubuntu Server releases and auto-attaches on cloud Ubuntu Pro images the exposure is broad; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Python Ubuntu Canonical RCE Ubuntu Pro Client Ubuntu Advantage Tools +7
NVD VulDB
CVSS 3.1
9.0
CVE-2026-15103 HIGH This Week

Privilege escalation in the WPFunnels (Funnel Builder for WooCommerce) plugin for WordPress lets authenticated users holding the wpf_manage_funnels capability — typically the plugin's Funnel Manager custom role — rewrite the global wp_user_roles option and grant their own role full administrator capabilities. All versions up to and including 3.12.8 are affected, and Wordfence rates it CVSS 8.8 (High). No public exploit has been identified at time of analysis, but the root cause is trivial (an unvalidated option name reaching update_option()), making reliable weaponization straightforward for a low-privileged insider.

Privilege Escalation WordPress Wpfunnels Funnel Builder For Woocommerce With Checkout One Click Upsell
NVD VulDB
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-13741 HIGH This Week

Privilege escalation in the Digits WordPress Mobile Number Signup and Login plugin (all versions through 9.1.0.5) lets authenticated Subscriber-level users promote themselves to Administrator by submitting a forged digits_reg_userrole value during a profile update. The flaw stems from the dig_update_wpwc_custom_fields() function failing to validate the caller's authorization or the requested role. There is no public exploit identified at time of analysis, but the low barrier (any registered user on an affected site with the DIGITS User Role field configured) and full-administrator outcome make this a high-priority patching item.

Privilege Escalation WordPress Digits
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-14371 HIGH This Week

PowerShell command injection in Lenovo XClarity Integrator for Microsoft Windows Admin Center (versions 5.1.1 and below) running on the WAC Gateway allows an authenticated low-privileged attacker to inject arbitrary PowerShell commands when the plugin establishes remote PowerShell sessions. Successful exploitation yields high-impact code execution that extends beyond the plugin into subsequent systems (managed hosts), with full confidentiality, integrity, and availability compromise. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Lenovo Microsoft Command Injection Xclarity Integrator For Microsoft Windows Admin Center
NVD
CVSS 4.0
8.8
CVE-2026-5674 HIGH This Week

Sandbox escape in PipeWire's PulseAudio compatibility layer lets a low-privileged process inside a confined environment such as Flatpak load an attacker-controlled library and execute arbitrary code on the host user's session. The flaw (CWE-427) is present in PipeWire as shipped in Red Hat Enterprise Linux 7, 8, 9 and 10 and carries a scope-changing CVSS 3.1 score of 8.8. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV.

RCE Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 8 Red Hat Enterprise Linux 9
NVD VulDB
CVSS 3.1
8.8
CVE-2026-15005 HIGH This Week

Remote code execution in the Loco Translate WordPress plugin (all versions up to and including 2.8.5) is reachable through a Cross-Site Request Forgery flaw in the execTemplate function, where missing nonce validation lets an unauthenticated attacker who tricks a logged-in administrator into clicking a crafted link supply a php://filter stream wrapper as the 'template' parameter, bypassing path validation and reaching a PHP include sink to execute arbitrary code. The chain converts a classic CSRF (CWE-352) into full server compromise, carrying CVSS 8.8 (C:H/I:H/A:H). There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

CSRF PHP WordPress Loco Translate
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-58078 HIGH This Week

SQL injection in the Quix Page Builder Pro extension for Joomla lets remote unauthenticated attackers inject arbitrary SQL through a crafted request, enabling database read and write against affected sites. The CVSS 4.0 base score is 8.7 (High), reflecting network vector, low complexity, no privileges, and high impact to confidentiality, integrity, and availability of the vulnerable database. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; a third-party disclosure write-up exists on mysites.guru.

SQLi Quix Page Builder Pro Extension For Joomla
NVD
CVSS 4.0
8.7
EPSS
0.2%
CVE-2026-53597 HIGH PATCH This Week

Arbitrary JavaScript execution in Microsoft's @prompty/core TypeScript loader (2.0.0-alpha.1 through 2.0.0-beta.2) allows an attacker who supplies a crafted .prompty file to run code during prompt loading. The loader passed .prompty markdown to gray-matter without disabling its executable 'js'/'javascript' frontmatter engines, so a '---js' frontmatter block is evaluated as Node.js at parse time. Exploitation requires the victim's application to load the malicious file (UI:P); no public exploit is identified at time of analysis and it is not on CISA KEV, but the fix commit ships a working proof-of-concept test.

RCE Code Injection Prompty
NVD GitHub
CVSS 4.0
8.7
CVE-2026-59859 HIGH PATCH This Week

{...}, $var, or {$obj->prop} are emitted verbatim inside PHP double-quoted literals and interpolated as code when the generated client runs. No public exploit identified at time of analysis, though the fix commit ships a test demonstrating the ${env('HOME')} injection primitive; EPSS and KEV data were not provided.

PHP RCE Code Injection Kiota
NVD GitHub VulDB
CVSS 4.0
8.7
CVE-2026-59860 HIGH PATCH This Week

{}//') demonstrating the break-out.

RCE Code Injection Kiota
NVD GitHub VulDB
CVSS 4.0
8.7
CVE-2025-71377 HIGH PATCH This Week

Denial of service in stoatchat (delta) versions before 20250210-1 (0.8.2) lets a remote unauthenticated attacker exhaust server resources by abusing the 'nearby' message query route. A logic error passes a message limit of zero to the database, which MongoDB interprets as 'no limit', so a single crafted request downloads an entire channel's history; parallelized requests amplify this into resource-exhaustion DoS. No public exploit identified at time of analysis and the flaw is not in CISA KEV, but the upstream fix and a VulnCheck advisory are published.

Denial Of Service Stoatchat
NVD GitHub
CVSS 4.0
8.7
CVE-2026-57206 HIGH PATCH This Week

Missing authentication in Microsoft SimpleChat (prior to 0.241.206) lets remote, unauthenticated clients invoke administrative plugin validation, health-check, and repair endpoints that were documented as protected but never enforced authentication at runtime. Any network-reachable attacker can trigger plugin instantiation, health probing, and repair actions without login or admin rights. No public exploit identified at time of analysis, and the CVE is not listed in CISA KEV.

Authentication Bypass Simplechat
NVD GitHub
CVSS 3.1
8.6
CVE-2026-46686 HIGH This Week

Reflected cross-site scripting in Emlog 2.6.13 and earlier lets a remote attacker execute arbitrary JavaScript in an authenticated administrator's backend session by luring the admin to open a crafted link that hits the user-search feature in admin/user.php. The keyword parameter is sanitized with addslashes but never HTML-escaped before it is echoed into a value attribute in admin/views/user.php, so injected markup breaks out of the attribute and runs in the admin's browser. No public exploit identified at time of analysis, and no fixed version currently exists.

PHP XSS Emlog
NVD GitHub
CVSS 4.0
8.5
CVE-2026-6423 HIGH This Week

Local privilege escalation in ESET Inspect Connector for Windows lets a low-privileged local user escalate to elevated (SYSTEM-level) privileges by abusing an improperly authenticated ALPC (Asynchronous Local Procedure Call) IPC channel. The affected component is the endpoint agent that links ESET Inspect (EDR) to protected Windows hosts; a non-privileged process can issue unauthenticated requests to a privileged service endpoint that fails to verify the caller. The issue was reported and fixed by ESET, is not listed in CISA KEV, and has no public exploit identified at time of analysis.

Eset Authentication Bypass Privilege Escalation Eset Inspect Connector
NVD
CVSS 4.0
8.5
EPSS
0.1%
CVE-2026-14254 HIGH This Week

Brute-force protection bypass in Perforce Delphix Continuous Data lets remote attackers defeat the account lockout mechanism by firing concurrent authentication requests that race the failed-login counter, allowing unlimited password guessing against a targeted account. The flaw is a time-of-check/time-of-use race (CWE-307) rather than a direct code-execution bug, and no public exploit identified at time of analysis. It matters because it silently neutralizes a control administrators rely on to stop credential-stuffing and password-spraying.

Authentication Bypass Delphix Continuous Data
NVD VulDB
CVSS 4.0
8.3
CVE-2026-1609 HIGH PATCH This Week

Access-control bypass in Keycloak (fixed in 26.5.3) lets a disabled user account still obtain valid tokens through the JWT authorization grant preview feature. When that feature is enabled, Keycloak omits the account-enabled check during JWT authorization grant processing, so a low-privileged remote attacker who can present a valid assertion token from an external identity provider can mint a JWT for an account an administrator has explicitly disabled, regaining access to protected resources. No public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass Keycloak Red Hat Jboss Enterprise Application Platform 8 Red Hat Jboss Enterprise Application Platform Expansion Pack
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.5%
CVE-2026-35147 HIGH This Week

Authentication bypass in HCL DFXServer allows remote unauthenticated attackers to reach specific API endpoints directly and perform unauthorized actions without valid credentials, because the application never verifies authentication status on those routes. The primary impact is high confidentiality exposure with limited integrity impact (CVSS 8.2), and the flaw was self-reported by HCL. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass Dfxserver
NVD VulDB
CVSS 3.1
8.2
CVE-2026-35149 HIGH This Week

Authentication bypass in HCL DFXServer lets an unauthenticated remote attacker intercept and tamper with the server's authentication responses to be granted access as a legitimate user without presenting valid credentials. Rated CVSS 8.2 (high) with CWE-294 (Authentication Bypass by Capture-replay), the flaw exposes confidential application data to any network-reachable attacker. No public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass Dfxserver
NVD VulDB
CVSS 3.1
8.2
CVE-2026-15008 HIGH This Week

Arbitrary file deletion in the Uncanny Automator WordPress plugin (all versions through 7.3.1.4) lets unauthenticated attackers delete any file on the server via untrusted PHP object deserialization in the fr_token function, and deleting a critical file such as wp-config.php can pivute WordPress into an installation/setup state that yields remote code execution. Exploitation is gated by a specific setup: a Forminator form must be connected to an Uncanny Automator recipe whose trigger is configured for 'Everyone', which is what exposes the deserialization sink to anonymous form submissions. A self-contained gadget chain via Action_Helpers_Email::__destruct() ships inside the plugin, so no external gadget library is needed; reported by Wordfence with no public exploit identified at time of analysis and no CISA KEV listing.

PHP RCE WordPress Deserialization Uncanny Automator Easy Automation Integration Webhooks Workflow Builder Plugin
NVD
CVSS 3.1
8.1
EPSS
0.6%
CVE-2026-3842 HIGH PATCH This Week

Out-of-bounds heap write in QEMU lets a local attacker operating inside a guest virtual machine corrupt memory in the host emulator process, enabling information disclosure, data-integrity corruption, or denial of service. The flaw stems from cpu_physical_memory_map() returning a shorter buffer length than the caller assumes, so subsequent writes spill past the allocation. Rated CVSS 7.8 (CWE-787); no public exploit identified at time of analysis, but multiple distributions (Red Hat, Ubuntu, SUSE, Debian) have shipped fixes.

Denial Of Service Information Disclosure Buffer Overflow Authentication Bypass Memory Corruption +6
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-46687 HIGH This Week

Local file inclusion in Emlog 2.6.13 and earlier lets an authenticated author supply a path-traversal template value that is stored unvalidated by api_controller.php and later passed to View::getView() in log_controller.php, causing an arbitrary local .php file to be included when the article is viewed. Because included PHP is executed, an attacker who can place or influence a .php file on the host can escalate this to code execution. No public exploit has been identified at time of analysis, and no fixed version currently exists.

PHP Information Disclosure Emlog
NVD GitHub
CVSS 4.0
7.7
CVE-2026-63088 HIGH PATCH This Week

Server-side request forgery in Stoatchat before 0.14.0 lets unauthenticated, network-accessible attackers reach internal services that a DNS-based IP blocklist was meant to protect. The url_is_blacklisted function validates only the first resolved address, while the underlying HTTP client iterates over all cached DNS addresses, so a hostname resolving to both an allowed and an internal/blocked IP slips past the check. No public exploit identified at time of analysis; the issue is fixed in the v0.14.0 release and was reported by VulnCheck.

SSRF Stoatchat
NVD GitHub
CVSS 4.0
7.7
CVE-2026-23538 HIGH PATCH This Week

Denial of service in the Feast Feature Server (the Python feature-store serving component, also shipped within Red Hat OpenShift AI/RHOAI) lets remote unauthenticated attackers exhaust host resources through its `/ws/chat` WebSocket endpoint. Because the endpoint accepts unlimited concurrent connections and unbounded message traffic, opening many simultaneous sockets drains memory, CPU, and file descriptors until legitimate clients are locked out. There is no public exploit identified at time of analysis and this is not listed in CISA KEV; the upstream fix in PR #192 caps connections, message size, and message rate.

Denial Of Service Feast Feature Server Red Hat Openshift Ai Rhoai
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.7%
CVE-2025-71388 HIGH PATCH This Week

Webhook token disclosure in stoatchat (the Rust 'delta' backend of the Revolt/stoatchat platform) lets any channel member holding only ViewChannel (read) permission enumerate a channel's webhooks and read their secret tokens. Because a retrieved token authorizes posting, the attacker can then inject arbitrary messages while impersonating a bot or webhook, bypassing the channel's ManageWebhooks and posting permissions. Reported by VulnCheck and fixed in 20250210-1 (0.8.2); no public exploit identified at time of analysis.

Authentication Bypass Stoatchat
NVD GitHub
CVSS 4.0
7.6
Page 1 of 3 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy