Skip to main content
2026-07-15

2026-07-16

CVE-2026-46353 HIGH This Week

Authentication/access-control bypass in BigBlueButton's bbb-web component (versions prior to 3.0.21) lets remote attackers reach protected API endpoints without a valid checksum by supplying the presentationUploadExternalUrl parameter. BigBlueButton's API is normally guarded by a shared-secret checksum, so bypassing it undermines the core authorization mechanism for calls such as CreateMeeting. No public exploit identified at time of analysis, though the fixing commit is public; CVSS is 8.1 and there is no CISA KEV listing or EPSS signal in the provided data.

Authentication Bypass Java Bigbluebutton
NVD GitHub
CVSS 3.1
8.1
CVE-2026-46351 HIGH This Week

Session hijacking in BigBlueButton before 3.0.21 lets an authenticated conference participant predict and reuse other users' session tokens to impersonate them. The bbb-web component generated 16-character sessionToken values (and 12-character auth tokens and internal user IDs) using Apache Commons RandomStringUtils.randomAlphanumeric, a non-cryptographic PRNG, making the token space guessable to anyone who already holds a valid session. Rated CVSS 8.1 with high confidentiality and integrity impact; no public exploit identified at time of analysis.

Java Information Disclosure Bigbluebutton
NVD GitHub
CVSS 3.1
8.1
CVE-2026-15008 HIGH This Week

Arbitrary file deletion in the Uncanny Automator WordPress plugin (all versions through 7.3.1.4) lets unauthenticated attackers delete any file on the server via untrusted PHP object deserialization in the fr_token function, and deleting a critical file such as wp-config.php can pivute WordPress into an installation/setup state that yields remote code execution. Exploitation is gated by a specific setup: a Forminator form must be connected to an Uncanny Automator recipe whose trigger is configured for 'Everyone', which is what exposes the deserialization sink to anonymous form submissions. A self-contained gadget chain via Action_Helpers_Email::__destruct() ships inside the plugin, so no external gadget library is needed; reported by Wordfence with no public exploit identified at time of analysis and no CISA KEV listing.

PHP RCE WordPress Deserialization Uncanny Automator Easy Automation Integration Webhooks Workflow Builder Plugin
NVD
CVSS 3.1
8.1
EPSS
0.6%
CVE-2026-3842 HIGH PATCH This Week

Out-of-bounds heap write in QEMU lets a local attacker operating inside a guest virtual machine corrupt memory in the host emulator process, enabling information disclosure, data-integrity corruption, or denial of service. The flaw stems from cpu_physical_memory_map() returning a shorter buffer length than the caller assumes, so subsequent writes spill past the allocation. Rated CVSS 7.8 (CWE-787); no public exploit identified at time of analysis, but multiple distributions (Red Hat, Ubuntu, SUSE, Debian) have shipped fixes.

Denial Of Service Information Disclosure Buffer Overflow Authentication Bypass Memory Corruption +6
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-46687 HIGH This Week

Local file inclusion in Emlog 2.6.13 and earlier lets an authenticated author supply a path-traversal template value that is stored unvalidated by api_controller.php and later passed to View::getView() in log_controller.php, causing an arbitrary local .php file to be included when the article is viewed. Because included PHP is executed, an attacker who can place or influence a .php file on the host can escalate this to code execution. No public exploit has been identified at time of analysis, and no fixed version currently exists.

PHP Information Disclosure Emlog
NVD GitHub
CVSS 4.0
7.7
CVE-2026-63088 HIGH PATCH This Week

Server-side request forgery in Stoatchat before 0.14.0 lets unauthenticated, network-accessible attackers reach internal services that a DNS-based IP blocklist was meant to protect. The url_is_blacklisted function validates only the first resolved address, while the underlying HTTP client iterates over all cached DNS addresses, so a hostname resolving to both an allowed and an internal/blocked IP slips past the check. No public exploit identified at time of analysis; the issue is fixed in the v0.14.0 release and was reported by VulnCheck.

SSRF Stoatchat
NVD GitHub
CVSS 4.0
7.7
CVE-2026-23538 HIGH PATCH This Week

Denial of service in the Feast Feature Server (the Python feature-store serving component, also shipped within Red Hat OpenShift AI/RHOAI) lets remote unauthenticated attackers exhaust host resources through its `/ws/chat` WebSocket endpoint. Because the endpoint accepts unlimited concurrent connections and unbounded message traffic, opening many simultaneous sockets drains memory, CPU, and file descriptors until legitimate clients are locked out. There is no public exploit identified at time of analysis and this is not listed in CISA KEV; the upstream fix in PR #192 caps connections, message size, and message rate.

Denial Of Service Feast Feature Server Red Hat Openshift Ai Rhoai
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.7%
CVE-2025-71388 HIGH PATCH This Week

Webhook token disclosure in stoatchat (the Rust 'delta' backend of the Revolt/stoatchat platform) lets any channel member holding only ViewChannel (read) permission enumerate a channel's webhooks and read their secret tokens. Because a retrieved token authorizes posting, the attacker can then inject arbitrary messages while impersonating a bot or webhook, bypassing the channel's ManageWebhooks and posting permissions. Reported by VulnCheck and fixed in 20250210-1 (0.8.2); no public exploit identified at time of analysis.

Authentication Bypass Stoatchat
NVD GitHub
CVSS 4.0
7.6
CVE-2026-21729 HIGH This Week

Uncontrolled memory allocation in Grafana Loki lets remote unauthenticated users issue queries with excessively large limit values, forcing the service to allocate large amounts of memory and potentially exhausting host resources. The impact is denial of service (CVSS 7.5, A:H only) and varies by deployment topology - a single-binary or under-provisioned deployment is far more exposed than a horizontally scaled microservices setup. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; note the input 'Information Disclosure' tag conflicts with the CVSS impact (C:N/I:N/A:H), which indicates an availability-only issue.

Loki Denial Of Service
NVD VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-53598 HIGH PATCH This Week

{file:...} expansion resolved paths without confining them to the prompt directory or allowed roots, so absolute paths, ../ traversal, or symlinks could exfiltrate secrets, config, or credentials into the loaded prompt's fields. There is no public exploit identified at time of analysis and it is not in CISA KEV; NVD scores it 7.5 (High), reflecting confidentiality-only impact.

Path Traversal Prompty
NVD GitHub
CVSS 3.1
7.5
CVE-2026-59862 HIGH PATCH This Week

Code injection in Microsoft Kiota's Python client generator (versions prior to 1.32.0) allows an attacker who controls an OpenAPI description to embed arbitrary Python that executes when a developer generates and imports the resulting client. The flaw stems from unsanitized x-ms-enum.values[].description strings being emitted as inline comments; embedded newlines break out of the comment and run at module scope. No public exploit identified at time of analysis, and the issue is not in CISA KEV. The assigned CVSS 3.1 base score is 7.5, though its impact metrics (C:N/I:N/A:H) understate what is functionally full code execution.

Python RCE Code Injection Kiota
NVD GitHub VulDB
CVSS 3.1
7.5
CVE-2026-59861 HIGH PATCH This Week

{expr}, #$var, or #@var markers are treated as live Ruby interpolation inside generated model classes. There is no public exploit identified at time of analysis and it is not in CISA KEV, but a fix is confirmed in release v1.32.0.

RCE Code Injection Kiota
NVD GitHub VulDB
CVSS 3.1
7.5
CVE-2026-12753 HIGH This Week

SQL injection in ThemeHunk's Advance Product Search - Voice & Ajax Search for WooCommerce plugin (all versions ≤ 1.4.4) lets unauthenticated attackers inject arbitrary SQL through the 's' and 'match' search parameters, enabling extraction of sensitive database contents such as user credentials and order data. The flaw stems from unescaped, unprepared query construction in the plugin's AJAX search backend and is remotely exploitable without authentication or user interaction. Reported by Wordfence; no public exploit identified at time of analysis and not listed in CISA KEV.

SQLi WordPress Advance Product Search Voice Ajax Search For Woocommerce
NVD VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-48863 HIGH PATCH This Week

Denial of service in libsolv's PGP signature verification (solv_pgpvrfy) allows remote attackers to crash automated package and repository processing by supplying a crafted Ed25519 signature. The flaw is a stack-based buffer overflow (CWE-121) triggered when the EdDSA 's' MPI is copied into a fixed 64-byte stack buffer using an attacker-controlled mismatched length. It affects the libsolv dependency solver embedded in Red Hat Enterprise Linux 7/8/9/10, OpenShift, Satellite, RHUI, openSUSE/SUSE, Ubuntu and Debian; no public exploit identified at time of analysis and it is not in CISA KEV.

Buffer Overflow Stack Overflow Denial Of Service Libsolv Red Hat Enterprise Linux 10 +7
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.8%
CVE-2026-46513 HIGH This Week

Sensitive credential exposure in Frogman (an mwtcmi FreePBX module providing headless PBX control via MCP and an HTTP API) before 1.6.2 stores API tokens in cleartext, so any read of the oc_api_tokens database table yields fully reusable, active tokens at their assigned permission level - up to admin. Because Frogman.class.php authenticated the X-Frogman-Token header by directly comparing the presented value against the stored raw string, a leaked or read database directly hands an attacker working credentials. Rated CVSS 7.4 (high); no public exploit identified at time of analysis, and the issue is fixed in version 1.6.2.

PHP Information Disclosure Frogman
NVD GitHub
CVSS 3.1
7.4
CVE-2026-9046 HIGH PATCH This Week

Local code execution in Lenovo Legion Zone and the Lenovo App Store (China-market Windows builds) allows an authenticated local user to run arbitrary code when either application is installed on a non-system partition. The flaw stems from insecure directory/file permissions (CWE-277) that a low-privileged user can abuse to plant or modify executable content later run with higher privilege. No public exploit is identified at time of analysis and it is not listed in CISA KEV; impact is confined to systems where these Chinese-market Lenovo utilities are deployed to a non-default drive.

Lenovo Microsoft RCE Legion Zone App Store
NVD VulDB
CVSS 4.0
7.3
CVE-2026-7543 HIGH This Week

Stored cross-site scripting in the Breakdance WordPress page-builder plugin (versions through 2.7.1) lets unauthenticated attackers inject persistent JavaScript through the 'fields' parameter, which then runs in the browser of any user who views the affected page. The flaw carries a CVSS 3.1 score of 7.2, elevated by a scope change (S:C) because the payload executes in visitors' browser sessions rather than the server context. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; Wordfence discovered and reported it.

WordPress XSS Breakdance
NVD
CVSS 3.1
7.2
EPSS
0.2%
CVE-2026-13042 HIGH This Week

Stored cross-site scripting in the RPB Chessboard WordPress plugin (all versions through 8.1.2) lets unauthenticated attackers plant persistent JavaScript through comment content that executes in the browser of anyone who later views the affected page. The novel aspect, per Wordfence, is that WordPress's normal save-time kses sanitization is bypassed because the payload uses only kses-allowed tags/attributes (an <a> element with title and href) and the dangerous attribute-breaking markup is assembled entirely at render time by the plugin's own comment_text filter. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the unauthenticated, no-interaction entry point makes it a practical drive-by injection risk.

WordPress XSS Rpb Chessboard
NVD
CVSS 3.1
7.2
EPSS
0.2%
CVE-2026-46336 HIGH PATCH This Week

Path traversal in Manyfold's file-rename functionality (versions 0.96.0 through 0.139.x) lets an authenticated user move or write files outside the configured 3D-model library directory. The flaw stems from app/models/model_file.rb passing a user-controlled filename straight into File.join(model.path, filename) without stripping '..' sequences, giving low-privileged users write/overwrite primitives on the host filesystem. No public exploit identified at time of analysis, but the upstream fix commit and its test cases plainly demonstrate the traversal, and the issue is resolved in 0.140.0.

Path Traversal Manyfold
NVD GitHub
CVSS 3.1
7.1
CVE-2026-59867 HIGH PATCH This Week

Build-time SSRF, remote file inclusion, and local file inclusion in Microsoft Kiota before 1.32.5 lets an attacker-controlled OpenAPI description force the `kiota generate` command to fetch arbitrary remote http(s) URLs and read local absolute or out-of-tree file paths while resolving $ref values. Because Kiota inlined those external schemas into generated clients, an attacker could exfiltrate internal endpoints or leak local file contents (e.g. REMOTE_KIOTA_PROP-style properties) into produced code. No public exploit has been identified at time of analysis; the risk is developer/CI-toolchain oriented and requires a developer to run generation against a malicious or influenced description (CVSS 7.1).

SSRF Path Traversal Kiota
NVD GitHub
CVSS 3.1
7.1
CVE-2026-13104 HIGH PATCH This Week

Local privilege escalation to arbitrary code execution affects Lenovo App Store, a software-distribution client shipped exclusively on Lenovo devices in the Chinese market. A local authenticated user who can interact with the application can leverage its excessive privileges (CWE-250) to run arbitrary code at an elevated privilege level, with high confidentiality, integrity, and availability impact on the host. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, so no active exploitation is confirmed.

Lenovo Privilege Escalation RCE App Store
NVD VulDB
CVSS 4.0
7.0
CVE-2026-13103 HIGH PATCH This Week

Local code execution in Lenovo App Store (Chinese-market distribution only) lets an authenticated local user abuse a path traversal weakness to write or load files outside intended directories and run arbitrary code. The flaw was self-reported by Lenovo and carries a CVSS 4.0 base score of 7.0; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Impact is high to confidentiality, integrity, and availability of the local system, but exploitation requires existing low-privilege local access plus user interaction.

Lenovo Path Traversal RCE App Store
NVD VulDB
CVSS 4.0
7.0
CVE-2026-59863 HIGH PATCH This Week

Arbitrary file write via path traversal in Microsoft Kiota (OpenAPI HTTP client/plugin code generator) before 1.32.5 allows a malicious repository or pull request to place files outside the workspace root on a developer or CI host. The tool trusts the checked-in .kiota/workspace.json and honors attacker-controlled per-client and per-plugin outputPath values during 'kiota client generate' and 'kiota plugin generate' without validating them. No public exploit identified at time of analysis and the flaw is not in CISA KEV, but exploitation is realistic in CI/pull-request workflows since it only requires a developer to run generation against poisoned config.

Microsoft Path Traversal Kiota
NVD GitHub VulDB
CVSS 4.0
7.0
CVE-2026-59237 MEDIUM PATCH This Month

Cross-tenant IDOR in Roskus Prospero Flow CRM before 5.5.3 allows any authenticated user to read, modify, and delete order and order-item records belonging to other companies (tenants) by supplying sequential integer IDs to five REST API endpoints. The root cause is missing company_id scoping in Eloquent ORM queries across all Order and OrderItem controllers, making every tenant's order data globally accessible to any platform user. No public exploit code or CISA KEV entry exists at time of analysis, but exploitation requires only a valid account and standard HTTP iteration - no special tools or expertise needed.

Authentication Bypass Prospero Flow Crm
NVD GitHub VulDB
CVSS 4.0
6.9
CVE-2026-46404 MEDIUM This Month

Server-side request forgery in BigBlueButton's presentation URL handling allows privileged users to probe internal network resources before version 3.0.23. The presentation URL validation failed to block site-local (RFC 1918) and link-local (169.254.x.x) address ranges, and critically, the redirect-following logic did not pin resolved IP addresses, enabling DNS rebinding attacks that bypass initial validation. No public exploit has been identified at time of analysis, and the EPSS signal is absent from provided data, but the scope-change in the CVSS vector confirms the attack crosses from the BBB application tier into the broader internal network.

SSRF Bigbluebutton
NVD GitHub
CVSS 3.1
6.8
CVE-2026-10589 MEDIUM This Month

Out-of-bounds write in Lenovo BIOS firmware across dozens of consumer and gaming laptop models enables a local attacker with high OS-level privileges to execute arbitrary code in System Management Mode (SMM) - a CPU execution context operating below the operating system and hypervisor with access to all system memory. Successful exploitation allows persistent firmware-level implants that survive OS reinstallation and defeat Secure Boot and standard endpoint detection tools. No public exploit has been identified at time of analysis, and this vulnerability is not listed in CISA KEV; however, SMM code execution represents one of the highest-impact firmware attack primitives available to an advanced threat actor.

Buffer Overflow Yoga Pro 7 15Iph11 Bios Ideapad Pro 5 16Iph11 Bios Legion 7 16Agp11 Bios Ideapad Pro 5 16Agp11 Bios +54
NVD VulDB
CVSS 4.0
6.8
CVE-2026-10587 MEDIUM This Month

Out-of-bounds write in Lenovo BIOS firmware across dozens of consumer and gaming laptop models enables a local privileged attacker to corrupt power management settings within System Management Mode, a CPU execution context operating below the OS kernel at Ring -2. Successful exploitation could allow persistent firmware-level tampering that survives OS reinstalls and reboots. No public exploit has been identified at time of analysis, and exploitation requires pre-existing high OS-level privileges, substantially limiting real-world risk to post-compromise scenarios.

Buffer Overflow Yoga Pro 7 15Iph11 Bios Ideapad Pro 5 16Iph11 Bios Legion 7 16Agp11 Bios Ideapad Pro 5 16Agp11 Bios +54
NVD VulDB
CVSS 4.0
6.8
CVE-2026-6511 MEDIUM PATCH This Month

Lenovo Smart Connect for Windows exposes an improper access control flaw that permits a local authenticated user to read files belonging to other users on the same machine. Discovered through Lenovo's own internal security assessment and documented under advisory LEN-218281, the flaw carries a CVSS 4.0 score of 6.8 with a local, low-privilege attack vector and high confidentiality impact. No public exploit code and no CISA KEV listing exist at time of analysis, limiting immediate risk to multi-user Windows environments where Lenovo Smart Connect is installed.

Lenovo Authentication Bypass Microsoft Smart Connect
NVD VulDB
CVSS 4.0
6.8
CVE-2026-12379 MEDIUM This Month

Open redirect in Axivion Dashboard's OAuth/OIDC login flow allows an attacker to silently redirect an authenticated user to an arbitrary external URL after successful sign-in. All Axivion versions are affected per the wildcard CPE (cpe:2.3:a:qt:axivion:*). A threat actor can exploit this for phishing - credential harvesting or second-factor theft - by embedding a crafted login URL that terminates on a convincing look-alike site rather than the legitimate dashboard. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV.

Open Redirect Axivion
NVD
CVSS 4.0
6.8
CVE-2026-12907 LOW POC PATCH Monitor

The RTMKit WordPress plugin before 2.0.9 does not perform a proper capability check on one of its -builder AJAX actions, allowing users with at least the Author role to create and activate a site-wide template that overrides the header, footer or other global areas displayed to all visitors, which is normally restricted to administrators.

WordPress Rtmkit Authentication Bypass
NVD WPScan
CVSS 3.1
2.7
EPSS
0.1%
CVE-2026-12906 LOW POC PATCH Monitor

The RTMKit WordPress plugin before 2.0.9 does not perform a capability check in one of its AJAX actions and resolves a request-supplied post identifier directly, allowing users with at least the Contributor role to read the titles of other users' private, draft, pending, scheduled and trashed posts.

WordPress Rtmkit Authentication Bypass
NVD WPScan
CVSS 3.1
2.7
EPSS
0.1%
CVE-2026-10590 MEDIUM This Month

Lenovo BIOS firmware across dozens of consumer and gaming laptop models - Legion, IdeaPad, Yoga, ThinkBook, LOQ, and V-series - contains a missing authentication flaw in the WMI-to-SMI interface that permits a local privileged attacker to arbitrarily trigger System Management Interrupt handlers, enabling execution at the SMM firmware level below the operating system security boundary. No public exploit code has been identified at time of analysis, and CISA KEV listing is not confirmed. The practical threat is post-compromise firmware persistence: an attacker already holding OS-level administrative privileges could use this flaw to manipulate firmware behavior in ways invisible to endpoint security tools, bypassing Secure Boot or implanting persistent code in System Management Mode.

Authentication Bypass Yoga Pro 7 15Iph11 Bios Ideapad Pro 5 16Iph11 Bios Legion 7 16Agp11 Bios Ideapad Pro 5 16Agp11 Bios +53
NVD VulDB
CVSS 4.0
6.7
CVE-2026-10588 MEDIUM This Month

SMM memory address disclosure in Lenovo laptop BIOS firmware exposes the location of protected System Management Mode (SMRAM) regions to a local privileged attacker. Dozens of Lenovo consumer, gaming, and business laptop product lines are affected across IdeaPad, Legion, Yoga, ThinkBook, LOQ, and V-series models. While the direct impact is confidentiality-only, SMRAM address disclosure is a classic prerequisite step in firmware-level attack chains that seek to bypass address-space protections and ultimately plant persistent SMM rootkits. No public exploit has been identified at time of analysis, and exploitation is not confirmed in CISA KEV.

Information Disclosure Yoga Pro 7 15Iph11 Bios Ideapad Pro 5 16Iph11 Bios Legion 7 16Agp11 Bios Ideapad Pro 5 16Agp11 Bios +53
NVD VulDB
CVSS 4.0
6.7
CVE-2026-6424 MEDIUM This Month

Use-after-free in ESET's Linux security product kernel components enables a local high-privileged attacker to trigger a kernel panic, causing a complete system crash and denial of service. Both ESET Endpoint Antivirus for Linux and ESET Server Security for Linux are affected across unspecified versions, per ESET's own customer advisory. No public exploit code has been identified and CISA has not added this to the Known Exploited Vulnerabilities catalog; however, server-deployed AV with kernel-level hooks makes the DoS impact operationally significant in production environments.

Eset Use After Free Information Disclosure Linux Memory Corruption +2
NVD VulDB
CVSS 4.0
6.7
EPSS
0.1%
CVE-2026-12941 MEDIUM This Month

SQL injection in MultiVendorX (WooCommerce Multivendor Marketplace) plugin versions up to and including 5.0.9 allows any authenticated WordPress user to extract sensitive data from the database via the unparameterized 'order_by' argument in the transactions REST endpoint. Critically, the default plugin configuration automatically approves store owner registrations, meaning any subscriber-level WordPress account holder can self-elevate to store_owner role via the public Stores REST endpoint, then immediately exploit the injection - effectively lowering the real-world privilege bar to any authenticated user. No public exploit code or CISA KEV listing has been identified at time of analysis, but the default-on privilege escalation path substantially raises exploitability beyond the PR:L CVSS score suggests.

SQLi WordPress Multivendorx Woocommerce Multivendor Marketplace Ai Powered Solutions
NVD VulDB
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-13767 MEDIUM This Month

Second-order SQL injection in Quiz Master Next (QSM) for WordPress through version 11.2.0 allows authenticated attackers holding Author-level access to plant SQL payloads in quiz page data that execute whenever any user - including administrators - views the affected quiz's Questions tab. The root cause is a two-stage failure: the qsm_ajax_save_pages() AJAX handler sanitizes user-supplied 'pages' values only with sanitize_text_field() (which strips HTML/PHP tags but does not escape SQL-special characters), then qsm_options_questions_tab_content() at line 143 reconstructs those stored values into an IN() clause via implode() with no $wpdb->prepare() call and no integer casting. No public exploit code has been identified at time of analysis; however, the split-phase attack pattern - where payload planting and execution are decoupled - commonly evades first-order WAF detection and standard code scanning, elevating practical risk beyond the 6.5 CVSS score alone.

SQLi WordPress Quiz And Survey Master Qsm Quiz Maker Survey Maker
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-53717 MEDIUM This Month

Uncontrolled memory allocation in Envoy Gateway's OCI image fetcher allows a low-privileged tenant to crash-loop the shared controller cluster-wide. Versions before 1.7.4 and in the 1.8.x pre-release range before 1.8.1 are affected. By submitting an EnvoyExtensionPolicy referencing a malicious OCI registry serving a tar layer with a PAX/GNU-encoded multi-terabyte header size, an attacker triggers an unrecoverable Go runtime OOM in the controller - a single-request, non-volumetric, persistent denial of service that persists across restarts until the CRD is manually deleted. No public exploit identified at time of analysis.

Docker Denial Of Service
NVD GitHub
CVSS 3.1
6.5
CVE-2026-53719 MEDIUM This Month

Deterministic nil-pointer dereference in Envoy Gateway's gatewayapi runner allows a low-privileged tenant to permanently stall controller-wide xDS and Infrastructure IR publishing by submitting a single malformed CRD. Any tenant with namespace-scoped RBAC permission to create SecurityPolicy and TCPRoute resources can trigger a panic on every reconcile cycle by omitting the spec.authorization field, requiring administrator intervention to restore control-plane operations. No exploitation confirmed in the wild (not in CISA KEV); patches are available in versions 1.7.4 and 1.8.1.

Null Pointer Dereference Denial Of Service
NVD GitHub
CVSS 3.1
6.5
CVE-2026-53716 MEDIUM This Month

Unbounded gzip decompression in Envoy Gateway's Wasm HTTP fetch path allows a low-privileged tenant to exhaust memory in the shared controller process via a crafted gzip-bomb URL, causing persistent cross-tenant control-plane outages. Any tenant with RBAC permission to create EnvoyExtensionPolicy resources can trigger approximately 10 GiB of heap allocation from a 10 MiB compressed payload, OOM-killing the controller; because the controller restarts and immediately re-reconciles the malicious custom resource, the crash-loop is self-sustaining and affects all co-tenants until the offending policy is deleted or the controller is patched. No public exploit code has been identified at time of analysis; vendor-released patches are available in versions 1.7.4 and 1.8.1.

Denial Of Service
NVD GitHub
CVSS 3.1
6.5
CVE-2026-46514 MEDIUM This Month

Plaintext credential exposure in Frogman's audit logging pipeline allows any authenticated low-privilege user holding PERM_READ access to recover passwords and extension secrets set by administrative operations. Frogman versions prior to 1.6.2 encode full tool response payloads - including the plaintext password returned by fm_reset_password and the plaintext secret returned by fm_add_extension - directly into the oc_audit_log.detail column via auditOutcome in Frogman.class.php. Because fm_audit_search was gated only at PERM_READ rather than PERM_ADMIN, any read-tier caller could query historical audit entries and extract those credentials. No public exploit code or active exploitation has been identified at time of analysis; the CVSS score of 6.5 reflects the authenticated-but-low-privilege access requirement and high confidentiality impact.

PHP Information Disclosure Frogman
NVD GitHub
CVSS 3.1
6.5
CVE-2026-55440 MEDIUM PATCH This Month

Session-squatting and memory exhaustion in Microsoft UFO's WebSocket server allow any authenticated client to permanently deny legitimate task owners access to their sessions or flood the shared session store with phantom entries. The COMMAND_RESULTS handler in ufo/server/ws/handler.py invoked get_or_create_session with a caller-supplied session_id but omitted the owner_client_id binding, and the message type carried no role gate - meaning any authenticated peer could pre-register arbitrary session IDs before their intended owners. This issue is not in CISA KEV and no public exploit has been identified, though the fix commit's regression tests provide a near-complete exploitation blueprint.

Microsoft Denial Of Service Ufo
NVD GitHub
CVSS 3.1
6.5
CVE-2026-15022 MEDIUM This Month

{id} - complicates both detection and opportunistic exploitation, as the attacker cannot independently fire the injected SQL. No public exploit code or CISA KEV listing has been identified at time of analysis, and EPSS data was not provided.

SQLi WordPress Tutor Lms Elearning And Online Course Solution
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-13754 MEDIUM This Month

SQL Injection in the Tickera - Sell Tickets & Manage Events WordPress plugin (all versions through 3.6.0.0) permits authenticated attackers holding a custom-level role or above to append arbitrary SQL to existing queries via the unsanitized 's' search parameter, enabling full database read access. The vulnerability originates in the better-attendees-and-tickets addon (index.php lines 50, 485, and 502) and is confirmed by Wordfence with source code evidence. No active exploitation is confirmed (no CISA KEV listing) and no public exploit has been identified at time of analysis, keeping real-world urgency moderate despite the High confidentiality impact.

SQLi WordPress Tickera Sell Tickets Manage Events
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-47084 MEDIUM This Month

Unauthorized mailbox deletion in Cyrus IMAP through 3.12.2 allows any authenticated non-admin user to invoke the admin-only LOCALDELETE command, bypassing ACL enforcement entirely. Any user with a valid account on an affected server can permanently delete arbitrary mailboxes - including those they have no read, write, or administrative permissions over - simply by issuing the improperly guarded command. No public exploit has been identified at time of analysis, but the attack requires only authentication and knowledge of the command, making it low-complexity for any insider or account-compromised attacker.

Authentication Bypass Cyrus Imap
NVD
CVSS 3.1
6.5
CVE-2026-15021 MEDIUM This Month

Stored Cross-Site Scripting in the wpForo Forum WordPress plugin (all versions through 3.1.1) allows authenticated attackers with subscriber-level access to permanently inject malicious JavaScript via the 'location' profile field. The root failure is WordPress's native sanitize_text_field() function, which strips tags but leaves double quotes unencoded, enabling attribute breakout from an href context into injected event-handler attributes. With a CVSS scope change (S:C), successful exploitation can impact sessions of any user - including administrators - who views a poisoned profile page, enabling session hijacking or privilege escalation. No public exploit or CISA KEV listing has been identified at time of analysis.

WordPress XSS Wpforo Forum
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-14987 MEDIUM This Month

Stored XSS in GiveWP's Sequoia donation template allows authenticated attackers with give worker-level access to inject persistent JavaScript payloads via the 'twitter_message' template setting, affecting all WordPress installations running plugin versions through 4.16.3. The injected payload is not sanitized before being embedded inside a JavaScript template literal in the Sequoia confirmation view's social-sharing component, and executes in the donor's browser specifically when they click the 'Share on Twitter' button after completing a donation. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog; however, the Wordfence disclosure includes direct source code references confirming the unsanitized evaluation path.

WordPress XSS Givewp Donation Plugin And Fundraising Platform
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-15652 MEDIUM This Month

Stored Cross-Site Scripting in the Easy Accordion - AI-Powered FAQ & Accordion Blocks, Product FAQ plugin (all versions ≤ 3.1.6) enables authenticated attackers holding contributor-level WordPress roles to inject persistent JavaScript payloads via the unsanitized 'align' block attribute. The injected script executes in the browser of any user - including administrators - who views the affected page, making session hijacking and privilege escalation realistic follow-on impacts. No public exploit code or CISA KEV listing has been identified at time of analysis, but Wordfence source code references pinpoint the exact vulnerable lines, substantially lowering the barrier to exploitation.

WordPress XSS Easy Accordion Ai Powered Faq Accordion Blocks Product Faq
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-15099 MEDIUM This Month

Stored cross-site scripting in the WP Delicious (formerly Delicious Recipes) WordPress plugin versions up to and including 1.10.2 allows authenticated Contributor-level users to inject arbitrary JavaScript via unsanitized `javascript:` URIs embedded in recipe step link attributes. The `wrap_direction_text()` function interpolates attacker-controlled `href` values directly into anchor tags using `sprintf()` without invoking WordPress's `esc_url()`, enabling payload execution in the browser of any privileged user who clicks the poisoned link while previewing or viewing the affected recipe post. No CISA KEV listing or public exploit code has been identified at time of analysis, though Wordfence's source-level disclosure provides sufficient detail for independent reproduction.

WordPress XSS Wp Delicious Recipe Plugin For Food Bloggers Formerly Delicious Recipes
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-53718 MEDIUM This Month

Cross-namespace authorization bypass in Envoy Gateway allows an authenticated user with HTTPRoute creation rights to route traffic to backend resources in foreign namespaces without the required Gateway API ReferenceGrant consent from the target namespace owner. Affected versions span all releases before 1.7.4 and the 1.8.x line before 1.8.1. The flaw is specific to extension-managed custom backendRefs: standard Gateway API backendRefs are not affected, but when extensions introduce custom backend resource types, the ReferenceGrant enforcement gate is skipped entirely, violating the multi-tenant isolation guarantee the Gateway API cross-namespace model is designed to provide. No public exploit or CISA KEV listing exists at time of analysis.

Authentication Bypass
NVD GitHub
CVSS 3.1
6.4
CVE-2026-13755 MEDIUM This Month

Stored Cross-Site Scripting in the Tickera - Sell Tickets & Manage Events WordPress plugin (all versions through 3.6.0.0) allows authenticated contributors to inject persistent malicious scripts via the price_wrapper shortcode attribute, due to missing sanitization and output escaping in class.shortcodes.php. A compromised or malicious contributor account can plant the payload in any page or post, where it executes against visiting victims - but only those who carry the referenced ticket ID in their cart cookie, materially narrowing the realistic victim pool. No active exploitation has been confirmed in CISA KEV, and no EPSS data was provided in the intelligence feed.

WordPress XSS Tickera Sell Tickets Manage Events
NVD
CVSS 3.1
6.4
EPSS
0.2%
Prev Page 2 of 4 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy