Skip to main content
2026-07-15

2026-07-16

CVE-2026-63086 MEDIUM POC This Month

Server-side request forgery in HuggingFace text-generation-inference through version 3.3.7 enables unauthenticated remote attackers to coerce the server into issuing arbitrary outbound HTTP GET requests via a crafted image_url value submitted to the OpenAI-compatible multimodal chat completions endpoint. The fetch_image function in router/src/validation.rs applies no destination validation, and the reqwest client's default redirect-following behavior allows attackers to chain redirects to bypass any scheme-level controls, reaching cloud instance-metadata services (e.g., AWS IMDSv1 at 169.254.169.254) to steal IAM credentials or enumerate internal port services. Publicly available exploit code exists (VulnCheck/geo-chen); no KEV listing at time of analysis, but the combination of unauthenticated access, cloud credential theft potential, and working POC makes this a genuine priority for any cloud-hosted TGI deployment.

SSRF Text Generation Inference
NVD GitHub
CVSS 4.0
6.9
CVE-2026-12684 MEDIUM POC PATCH This Month

The Customer Reviews for WooCommerce WordPress plugin before 5.113.0 does not perform authentication, capability, or nonce checks on one of its media upload AJAX actions when the review media attachment feature is enabled, allowing unauthenticated users to upload media files (bounded to an image and video allowlist) to the Media Library and create attachment posts, leading to media library pollution and disk space exhaustion.

WordPress Customer Reviews For Woocommerce File Upload
NVD WPScan
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-12395 MEDIUM POC PATCH This Month

SQL injection in WP Job Portal WordPress plugin before 2.5.5 enables authenticated subscriber-level users to exfiltrate data from the underlying WordPress database. Because subscriber accounts are explicitly self-registerable (no admin approval required), the practical authentication barrier is near-zero for any external attacker. A publicly available exploit exists per WPScan, though EPSS at 0.18% (7th percentile) indicates limited observed exploitation to date and no CISA KEV listing at time of analysis.

SQLi WordPress Wp Job Portal
NVD WPScan
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-11371 MEDIUM POC PATCH This Month

Stored cross-site scripting via prompt injection in the BetterDocs WordPress plugin (versions 4.0.0 through 4.5.5) allows unauthenticated attackers to permanently implant malicious JavaScript into documentation pages by manipulating the plugin's AI-generated summary feature. Because the AI output is stored unsanitized and the generation endpoint requires no authentication, an attacker can craft adversarial prompts that cause the AI to produce and persist executable script payloads - payloads that then fire in the browser of every subsequent visitor, including WordPress administrators. A publicly available exploit exists via WPScan; no active exploitation confirmed in CISA KEV at time of analysis.

WordPress XSS Betterdocs
NVD WPScan
CVSS 3.1
6.1
EPSS
0.2%
CVE-2026-12869 MEDIUM POC PATCH This Month

Stored cross-site scripting in the Header Footer Builder for Elementor WordPress plugin before 1.2.1 permits any Contributor-level user to inject persistent JavaScript into every page of the affected site by importing a crafted template through the plugin's dashboard action, which incorrectly requires only edit_posts capability rather than administrator access. Once the malicious Elementor HTML widget is imported with site-wide display scope, the payload executes in the browser of every visitor and administrator who loads the site - enabling session hijacking, credential theft, or admin account takeover. A publicly available exploit exists per WPScan (EUVD-2026-44878); no CISA KEV listing at time of analysis.

WordPress XSS Header Footer Builder For Elementor
NVD WPScan
CVSS 3.1
6.1
EPSS
0.2%
CVE-2026-12510 MEDIUM POC PATCH This Month

Unauthorized access to private chatbot conversations in the AI Engine WordPress plugin before 3.5.5 allows any authenticated subscriber-level user to both read and overwrite other users' chat records when the discussions feature is enabled. The plugin fails to verify that a client-supplied conversation identifier belongs to the requesting user (CWE-639 IDOR), enabling session data theft and record hijacking. Public exploit code is available via WPScan, though EPSS stands at only 0.13% (3rd percentile), suggesting no widespread automated exploitation; active exploitation is not confirmed in the CISA KEV at time of analysis.

Authentication Bypass WordPress Ai Engine
NVD WPScan
CVSS 3.1
5.9
EPSS
0.1%
CVE-2026-12979 MEDIUM POC PATCH This Month

Path traversal in FunnelKit WordPress plugin before 3.15.0.6 enables authenticated administrators to delete arbitrary .json files outside the plugin's intended directory during template-import operations. The root cause is CWE-73 (External Control of File Name or Path): the deletion handler accepts user-supplied paths without canonicalization or boundary enforcement. Leveraging CVSS scope change (S:C), a malicious admin can target configuration files belonging to other installed plugins, causing cascading denial-of-service across the WordPress installation. A publicly available exploit exists; the vulnerability is not in the CISA KEV catalog at time of analysis.

Path Traversal Denial Of Service WordPress Funnelkit
NVD WPScan
CVSS 3.1
5.5
EPSS
0.1%
CVE-2026-11866 MEDIUM POC PATCH This Month

Cross-Site Request Forgery in the Appointment Booking Plugin for WordPress (versions before 5.6.3) allows an unauthenticated attacker to perform privileged administrative actions - including overwriting the booking-form configuration and disconnecting the connected payment gateway - by tricking a logged-in administrator into clicking a malicious link or visiting an attacker-controlled page. The root cause is absent CSRF nonce validation across multiple state-changing actions handled by the plugin's central request dispatcher. A publicly available proof-of-concept exists per the WPScan advisory, though EPSS sits at 0.10% (1st percentile), indicating negligible observed exploitation activity and no CISA KEV listing at time of analysis.

CSRF WordPress Appointment Booking Plugin
NVD WPScan
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-63082 MEDIUM POC This Month

Broken access control in Perfect Support Ticketing & Document Management System through version 1.7 permits authenticated Agent-level users to manipulate the Support Agent assignment field on tickets beyond their authorized scope, including adding or removing Superadmin accounts. The vulnerability stems from missing server-side authorization checks (CWE-862), allowing role-based access controls to be circumvented entirely by any Agent assigned to a ticket. A publicly available exploit exists per VulnCheck and a GitHub PoC disclosure; no CISA KEV listing is present at time of analysis.

Authentication Bypass Perfect Support Ticketing Document Management System
NVD GitHub
CVSS 4.0
5.3
CVE-2026-63081 MEDIUM POC This Month

Stored cross-site scripting in Perfect Support Ticketing & Document Management System through version 1.7 allows authenticated Agent-level users to inject persistent malicious scripts into ticket Notes fields. Any user who subsequently views the compromised ticket notes - including Superadmin users - executes the attacker's payload in their browser context, enabling session token theft and unauthorized actions performed on the victim's behalf. No public exploit identified at time of analysis for KEV listing, though a publicly available proof-of-concept exists per VulnCheck and the researcher's GitHub repository.

XSS Perfect Support Ticketing Document Management System
NVD GitHub
CVSS 4.0
5.1
CVE-2026-59237 MEDIUM PATCH This Month

Cross-tenant IDOR in Roskus Prospero Flow CRM before 5.5.3 allows any authenticated user to read, modify, and delete order and order-item records belonging to other companies (tenants) by supplying sequential integer IDs to five REST API endpoints. The root cause is missing company_id scoping in Eloquent ORM queries across all Order and OrderItem controllers, making every tenant's order data globally accessible to any platform user. No public exploit code or CISA KEV entry exists at time of analysis, but exploitation requires only a valid account and standard HTTP iteration - no special tools or expertise needed.

Authentication Bypass Prospero Flow Crm
NVD GitHub VulDB
CVSS 4.0
6.9
CVE-2026-46404 MEDIUM This Month

Server-side request forgery in BigBlueButton's presentation URL handling allows privileged users to probe internal network resources before version 3.0.23. The presentation URL validation failed to block site-local (RFC 1918) and link-local (169.254.x.x) address ranges, and critically, the redirect-following logic did not pin resolved IP addresses, enabling DNS rebinding attacks that bypass initial validation. No public exploit has been identified at time of analysis, and the EPSS signal is absent from provided data, but the scope-change in the CVSS vector confirms the attack crosses from the BBB application tier into the broader internal network.

SSRF Bigbluebutton
NVD GitHub
CVSS 3.1
6.8
CVE-2026-10589 MEDIUM This Month

Out-of-bounds write in Lenovo BIOS firmware across dozens of consumer and gaming laptop models enables a local attacker with high OS-level privileges to execute arbitrary code in System Management Mode (SMM) - a CPU execution context operating below the operating system and hypervisor with access to all system memory. Successful exploitation allows persistent firmware-level implants that survive OS reinstallation and defeat Secure Boot and standard endpoint detection tools. No public exploit has been identified at time of analysis, and this vulnerability is not listed in CISA KEV; however, SMM code execution represents one of the highest-impact firmware attack primitives available to an advanced threat actor.

Buffer Overflow Yoga Pro 7 15Iph11 Bios Ideapad Pro 5 16Iph11 Bios Legion 7 16Agp11 Bios Ideapad Pro 5 16Agp11 Bios +54
NVD VulDB
CVSS 4.0
6.8
CVE-2026-10587 MEDIUM This Month

Out-of-bounds write in Lenovo BIOS firmware across dozens of consumer and gaming laptop models enables a local privileged attacker to corrupt power management settings within System Management Mode, a CPU execution context operating below the OS kernel at Ring -2. Successful exploitation could allow persistent firmware-level tampering that survives OS reinstalls and reboots. No public exploit has been identified at time of analysis, and exploitation requires pre-existing high OS-level privileges, substantially limiting real-world risk to post-compromise scenarios.

Buffer Overflow Yoga Pro 7 15Iph11 Bios Ideapad Pro 5 16Iph11 Bios Legion 7 16Agp11 Bios Ideapad Pro 5 16Agp11 Bios +54
NVD VulDB
CVSS 4.0
6.8
CVE-2026-6511 MEDIUM PATCH This Month

Lenovo Smart Connect for Windows exposes an improper access control flaw that permits a local authenticated user to read files belonging to other users on the same machine. Discovered through Lenovo's own internal security assessment and documented under advisory LEN-218281, the flaw carries a CVSS 4.0 score of 6.8 with a local, low-privilege attack vector and high confidentiality impact. No public exploit code and no CISA KEV listing exist at time of analysis, limiting immediate risk to multi-user Windows environments where Lenovo Smart Connect is installed.

Lenovo Authentication Bypass Microsoft Smart Connect
NVD VulDB
CVSS 4.0
6.8
CVE-2026-12379 MEDIUM This Month

Open redirect in Axivion Dashboard's OAuth/OIDC login flow allows an attacker to silently redirect an authenticated user to an arbitrary external URL after successful sign-in. All Axivion versions are affected per the wildcard CPE (cpe:2.3:a:qt:axivion:*). A threat actor can exploit this for phishing - credential harvesting or second-factor theft - by embedding a crafted login URL that terminates on a convincing look-alike site rather than the legitimate dashboard. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV.

Open Redirect Axivion
NVD
CVSS 4.0
6.8
CVE-2026-10590 MEDIUM This Month

Lenovo BIOS firmware across dozens of consumer and gaming laptop models - Legion, IdeaPad, Yoga, ThinkBook, LOQ, and V-series - contains a missing authentication flaw in the WMI-to-SMI interface that permits a local privileged attacker to arbitrarily trigger System Management Interrupt handlers, enabling execution at the SMM firmware level below the operating system security boundary. No public exploit code has been identified at time of analysis, and CISA KEV listing is not confirmed. The practical threat is post-compromise firmware persistence: an attacker already holding OS-level administrative privileges could use this flaw to manipulate firmware behavior in ways invisible to endpoint security tools, bypassing Secure Boot or implanting persistent code in System Management Mode.

Authentication Bypass Yoga Pro 7 15Iph11 Bios Ideapad Pro 5 16Iph11 Bios Legion 7 16Agp11 Bios Ideapad Pro 5 16Agp11 Bios +53
NVD VulDB
CVSS 4.0
6.7
CVE-2026-10588 MEDIUM This Month

SMM memory address disclosure in Lenovo laptop BIOS firmware exposes the location of protected System Management Mode (SMRAM) regions to a local privileged attacker. Dozens of Lenovo consumer, gaming, and business laptop product lines are affected across IdeaPad, Legion, Yoga, ThinkBook, LOQ, and V-series models. While the direct impact is confidentiality-only, SMRAM address disclosure is a classic prerequisite step in firmware-level attack chains that seek to bypass address-space protections and ultimately plant persistent SMM rootkits. No public exploit has been identified at time of analysis, and exploitation is not confirmed in CISA KEV.

Information Disclosure Yoga Pro 7 15Iph11 Bios Ideapad Pro 5 16Iph11 Bios Legion 7 16Agp11 Bios Ideapad Pro 5 16Agp11 Bios +53
NVD VulDB
CVSS 4.0
6.7
CVE-2026-6424 MEDIUM This Month

Use-after-free in ESET's Linux security product kernel components enables a local high-privileged attacker to trigger a kernel panic, causing a complete system crash and denial of service. Both ESET Endpoint Antivirus for Linux and ESET Server Security for Linux are affected across unspecified versions, per ESET's own customer advisory. No public exploit code has been identified and CISA has not added this to the Known Exploited Vulnerabilities catalog; however, server-deployed AV with kernel-level hooks makes the DoS impact operationally significant in production environments.

Eset Use After Free Information Disclosure Linux Memory Corruption +2
NVD VulDB
CVSS 4.0
6.7
EPSS
0.1%
CVE-2026-12941 MEDIUM This Month

SQL injection in MultiVendorX (WooCommerce Multivendor Marketplace) plugin versions up to and including 5.0.9 allows any authenticated WordPress user to extract sensitive data from the database via the unparameterized 'order_by' argument in the transactions REST endpoint. Critically, the default plugin configuration automatically approves store owner registrations, meaning any subscriber-level WordPress account holder can self-elevate to store_owner role via the public Stores REST endpoint, then immediately exploit the injection - effectively lowering the real-world privilege bar to any authenticated user. No public exploit code or CISA KEV listing has been identified at time of analysis, but the default-on privilege escalation path substantially raises exploitability beyond the PR:L CVSS score suggests.

SQLi WordPress Multivendorx Woocommerce Multivendor Marketplace Ai Powered Solutions
NVD VulDB
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-13767 MEDIUM This Month

Second-order SQL injection in Quiz Master Next (QSM) for WordPress through version 11.2.0 allows authenticated attackers holding Author-level access to plant SQL payloads in quiz page data that execute whenever any user - including administrators - views the affected quiz's Questions tab. The root cause is a two-stage failure: the qsm_ajax_save_pages() AJAX handler sanitizes user-supplied 'pages' values only with sanitize_text_field() (which strips HTML/PHP tags but does not escape SQL-special characters), then qsm_options_questions_tab_content() at line 143 reconstructs those stored values into an IN() clause via implode() with no $wpdb->prepare() call and no integer casting. No public exploit code has been identified at time of analysis; however, the split-phase attack pattern - where payload planting and execution are decoupled - commonly evades first-order WAF detection and standard code scanning, elevating practical risk beyond the 6.5 CVSS score alone.

SQLi WordPress Quiz And Survey Master Qsm Quiz Maker Survey Maker
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-53717 MEDIUM This Month

Uncontrolled memory allocation in Envoy Gateway's OCI image fetcher allows a low-privileged tenant to crash-loop the shared controller cluster-wide. Versions before 1.7.4 and in the 1.8.x pre-release range before 1.8.1 are affected. By submitting an EnvoyExtensionPolicy referencing a malicious OCI registry serving a tar layer with a PAX/GNU-encoded multi-terabyte header size, an attacker triggers an unrecoverable Go runtime OOM in the controller - a single-request, non-volumetric, persistent denial of service that persists across restarts until the CRD is manually deleted. No public exploit identified at time of analysis.

Docker Denial Of Service
NVD GitHub
CVSS 3.1
6.5
CVE-2026-53719 MEDIUM This Month

Deterministic nil-pointer dereference in Envoy Gateway's gatewayapi runner allows a low-privileged tenant to permanently stall controller-wide xDS and Infrastructure IR publishing by submitting a single malformed CRD. Any tenant with namespace-scoped RBAC permission to create SecurityPolicy and TCPRoute resources can trigger a panic on every reconcile cycle by omitting the spec.authorization field, requiring administrator intervention to restore control-plane operations. No exploitation confirmed in the wild (not in CISA KEV); patches are available in versions 1.7.4 and 1.8.1.

Null Pointer Dereference Denial Of Service
NVD GitHub
CVSS 3.1
6.5
CVE-2026-53716 MEDIUM This Month

Unbounded gzip decompression in Envoy Gateway's Wasm HTTP fetch path allows a low-privileged tenant to exhaust memory in the shared controller process via a crafted gzip-bomb URL, causing persistent cross-tenant control-plane outages. Any tenant with RBAC permission to create EnvoyExtensionPolicy resources can trigger approximately 10 GiB of heap allocation from a 10 MiB compressed payload, OOM-killing the controller; because the controller restarts and immediately re-reconciles the malicious custom resource, the crash-loop is self-sustaining and affects all co-tenants until the offending policy is deleted or the controller is patched. No public exploit code has been identified at time of analysis; vendor-released patches are available in versions 1.7.4 and 1.8.1.

Denial Of Service
NVD GitHub
CVSS 3.1
6.5
CVE-2026-46514 MEDIUM This Month

Plaintext credential exposure in Frogman's audit logging pipeline allows any authenticated low-privilege user holding PERM_READ access to recover passwords and extension secrets set by administrative operations. Frogman versions prior to 1.6.2 encode full tool response payloads - including the plaintext password returned by fm_reset_password and the plaintext secret returned by fm_add_extension - directly into the oc_audit_log.detail column via auditOutcome in Frogman.class.php. Because fm_audit_search was gated only at PERM_READ rather than PERM_ADMIN, any read-tier caller could query historical audit entries and extract those credentials. No public exploit code or active exploitation has been identified at time of analysis; the CVSS score of 6.5 reflects the authenticated-but-low-privilege access requirement and high confidentiality impact.

PHP Information Disclosure Frogman
NVD GitHub
CVSS 3.1
6.5
CVE-2026-55440 MEDIUM PATCH This Month

Session-squatting and memory exhaustion in Microsoft UFO's WebSocket server allow any authenticated client to permanently deny legitimate task owners access to their sessions or flood the shared session store with phantom entries. The COMMAND_RESULTS handler in ufo/server/ws/handler.py invoked get_or_create_session with a caller-supplied session_id but omitted the owner_client_id binding, and the message type carried no role gate - meaning any authenticated peer could pre-register arbitrary session IDs before their intended owners. This issue is not in CISA KEV and no public exploit has been identified, though the fix commit's regression tests provide a near-complete exploitation blueprint.

Microsoft Denial Of Service Ufo
NVD GitHub
CVSS 3.1
6.5
CVE-2026-15022 MEDIUM This Month

{id} - complicates both detection and opportunistic exploitation, as the attacker cannot independently fire the injected SQL. No public exploit code or CISA KEV listing has been identified at time of analysis, and EPSS data was not provided.

SQLi WordPress Tutor Lms Elearning And Online Course Solution
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-13754 MEDIUM This Month

SQL Injection in the Tickera - Sell Tickets & Manage Events WordPress plugin (all versions through 3.6.0.0) permits authenticated attackers holding a custom-level role or above to append arbitrary SQL to existing queries via the unsanitized 's' search parameter, enabling full database read access. The vulnerability originates in the better-attendees-and-tickets addon (index.php lines 50, 485, and 502) and is confirmed by Wordfence with source code evidence. No active exploitation is confirmed (no CISA KEV listing) and no public exploit has been identified at time of analysis, keeping real-world urgency moderate despite the High confidentiality impact.

SQLi WordPress Tickera Sell Tickets Manage Events
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-47084 MEDIUM This Month

Unauthorized mailbox deletion in Cyrus IMAP through 3.12.2 allows any authenticated non-admin user to invoke the admin-only LOCALDELETE command, bypassing ACL enforcement entirely. Any user with a valid account on an affected server can permanently delete arbitrary mailboxes - including those they have no read, write, or administrative permissions over - simply by issuing the improperly guarded command. No public exploit has been identified at time of analysis, but the attack requires only authentication and knowledge of the command, making it low-complexity for any insider or account-compromised attacker.

Authentication Bypass Cyrus Imap
NVD
CVSS 3.1
6.5
CVE-2026-15021 MEDIUM This Month

Stored Cross-Site Scripting in the wpForo Forum WordPress plugin (all versions through 3.1.1) allows authenticated attackers with subscriber-level access to permanently inject malicious JavaScript via the 'location' profile field. The root failure is WordPress's native sanitize_text_field() function, which strips tags but leaves double quotes unencoded, enabling attribute breakout from an href context into injected event-handler attributes. With a CVSS scope change (S:C), successful exploitation can impact sessions of any user - including administrators - who views a poisoned profile page, enabling session hijacking or privilege escalation. No public exploit or CISA KEV listing has been identified at time of analysis.

WordPress XSS Wpforo Forum
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-14987 MEDIUM This Month

Stored XSS in GiveWP's Sequoia donation template allows authenticated attackers with give worker-level access to inject persistent JavaScript payloads via the 'twitter_message' template setting, affecting all WordPress installations running plugin versions through 4.16.3. The injected payload is not sanitized before being embedded inside a JavaScript template literal in the Sequoia confirmation view's social-sharing component, and executes in the donor's browser specifically when they click the 'Share on Twitter' button after completing a donation. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog; however, the Wordfence disclosure includes direct source code references confirming the unsanitized evaluation path.

WordPress XSS Givewp Donation Plugin And Fundraising Platform
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-15652 MEDIUM This Month

Stored Cross-Site Scripting in the Easy Accordion - AI-Powered FAQ & Accordion Blocks, Product FAQ plugin (all versions ≤ 3.1.6) enables authenticated attackers holding contributor-level WordPress roles to inject persistent JavaScript payloads via the unsanitized 'align' block attribute. The injected script executes in the browser of any user - including administrators - who views the affected page, making session hijacking and privilege escalation realistic follow-on impacts. No public exploit code or CISA KEV listing has been identified at time of analysis, but Wordfence source code references pinpoint the exact vulnerable lines, substantially lowering the barrier to exploitation.

WordPress XSS Easy Accordion Ai Powered Faq Accordion Blocks Product Faq
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-15099 MEDIUM This Month

Stored cross-site scripting in the WP Delicious (formerly Delicious Recipes) WordPress plugin versions up to and including 1.10.2 allows authenticated Contributor-level users to inject arbitrary JavaScript via unsanitized `javascript:` URIs embedded in recipe step link attributes. The `wrap_direction_text()` function interpolates attacker-controlled `href` values directly into anchor tags using `sprintf()` without invoking WordPress's `esc_url()`, enabling payload execution in the browser of any privileged user who clicks the poisoned link while previewing or viewing the affected recipe post. No CISA KEV listing or public exploit code has been identified at time of analysis, though Wordfence's source-level disclosure provides sufficient detail for independent reproduction.

WordPress XSS Wp Delicious Recipe Plugin For Food Bloggers Formerly Delicious Recipes
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-53718 MEDIUM This Month

Cross-namespace authorization bypass in Envoy Gateway allows an authenticated user with HTTPRoute creation rights to route traffic to backend resources in foreign namespaces without the required Gateway API ReferenceGrant consent from the target namespace owner. Affected versions span all releases before 1.7.4 and the 1.8.x line before 1.8.1. The flaw is specific to extension-managed custom backendRefs: standard Gateway API backendRefs are not affected, but when extensions introduce custom backend resource types, the ReferenceGrant enforcement gate is skipped entirely, violating the multi-tenant isolation guarantee the Gateway API cross-namespace model is designed to provide. No public exploit or CISA KEV listing exists at time of analysis.

Authentication Bypass
NVD GitHub
CVSS 3.1
6.4
CVE-2026-13755 MEDIUM This Month

Stored Cross-Site Scripting in the Tickera - Sell Tickets & Manage Events WordPress plugin (all versions through 3.6.0.0) allows authenticated contributors to inject persistent malicious scripts via the price_wrapper shortcode attribute, due to missing sanitization and output escaping in class.shortcodes.php. A compromised or malicious contributor account can plant the payload in any page or post, where it executes against visiting victims - but only those who carry the referenced ticket ID in their cart cookie, materially narrowing the realistic victim pool. No active exploitation has been confirmed in CISA KEV, and no EPSS data was provided in the intelligence feed.

WordPress XSS Tickera Sell Tickets Manage Events
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-55407 MEDIUM PATCH This Month

Uncontrolled heap amplification in Buffa's protobuf decoder allows an unauthenticated remote attacker to crash any network-facing Rust service that decodes untrusted protobuf input under the default code-generation settings, with no exploit code required beyond a well-formed serialized message. The amplification mechanism - roughly 22× for nested StartGroup unknown fields - means a 64 MiB payload can force approximately 1.4 GiB of heap allocation, exhausting process memory and terminating the service. No active exploitation is confirmed (not in CISA KEV), and no public proof-of-concept has been identified at time of analysis, but the attack is trivially constructible from the public advisory.

Denial Of Service Buffa
NVD GitHub
CVSS 4.0
6.3
CVE-2026-59249 MEDIUM PATCH This Month

Response-queue poisoning in the elixir-mint Mint HTTP/1.1 client library (versions 0.1.0 through before 1.9.3) allows a malicious or attacker-influenced HTTP/1 origin server to desynchronize a strict RFC-compliant intermediary from the Mint client on shared keep-alive pooled connections. The root cause is `Mint.HTTP1.decode_body/5` using Elixir's `Integer.parse/2` for chunked transfer-encoding chunk-size parsing, which accepts RFC-forbidden leading `+` or `-` sign prefixes, causing both parties to disagree on where one HTTP response ends and the next begins. No public exploit has been identified at time of analysis, but a vendor-released patch is available in Mint 1.9.3.

Request Smuggling Code Injection Mint
NVD GitHub
CVSS 4.0
6.3
CVE-2026-35148 MEDIUM This Month

Unauthenticated API access in HCL DFXServer exposes application endpoints to any network-reachable user without identity verification. The missing access control allows interactions with protected functionality - including read and write operations - from a browser or client that holds no valid session or credentials. No public exploit code and no CISA KEV listing have been identified at time of analysis, though the CVSS 6.3 medium score and PR:N vector confirm that authentication is not required to reach the affected endpoints.

Authentication Bypass Dfxserver
NVD VulDB
CVSS 3.1
6.3
CVE-2026-35146 MEDIUM This Month

HCL DFXServer permits client connections over plaintext HTTP, exposing all transmitted data to interception by any attacker with a man-in-the-middle position on the network path. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L) confirms remote exploitation without authentication, contingent on a user initiating an HTTP session. No public exploit code exists and the vulnerability is not listed in CISA KEV, but the risk is structurally inherent to any deployment where HTTP remains permitted alongside or instead of HTTPS.

Information Disclosure Dfxserver
NVD VulDB
CVSS 3.1
6.3
CVE-2026-15306 MEDIUM This Month

Reflected Cross-Site Scripting in the Product Feed Manager For WooCommerce WordPress plugin (all versions through 7.6.1) allows unauthenticated remote attackers to inject arbitrary JavaScript via the unescaped 's' search parameter, which executes in a victim's browser upon interaction with a crafted link. The vulnerability is rooted in insufficient sanitization and output escaping within the plugin's admin-facing PHP classes, as confirmed by Wordfence with direct source code references to class-rex-product-feed-actions.php and class-rex-product-feed.php. No public exploit code has been identified at time of analysis, and this CVE is not currently listed in the CISA Known Exploited Vulnerabilities catalog.

WordPress XSS Product Feed Manager For Woocommerce Sell On 200 Online Marketplaces
NVD
CVSS 3.1
6.1
EPSS
0.2%
CVE-2026-53535 MEDIUM This Month

Path traversal in Activepieces Enterprise Edition git-sync prior to 0.82.0 allows an authenticated project administrator to overwrite arbitrary files on the host filesystem, with potential impact ranging from data tampering and denial of service to remote code execution. Two distinct weaknesses compound each other: Git's symbolic-link handling was not disabled during repository cloning, and user-supplied identifiers - repository slug and the externalId fields for flows, tables, and connections - were concatenated into filesystem paths without sanitization of directory-traversal sequences. No public exploit code has been identified and this CVE is not listed in the CISA KEV catalog, but the patch commit makes exploitation paths derivable by any skilled attacker reviewing the open-source diff.

Denial Of Service Path Traversal RCE
NVD GitHub
CVSS 4.0
5.9
CVE-2026-55406 MEDIUM PATCH This Month

Use-after-free in Buffa's OwnedView<V> type allows safe Rust calling code to hold field references that outlive the backing buffer, enabling read of freed heap memory and information disclosure. Affected are all Buffa releases prior to 0.7.0 (CPE: cpe:2.3:a:anthropics:buffa:*:*:*:*:*:*:*:*). The flaw is a soundness violation - no unsafe code in the caller is required - making it particularly insidious in a memory-safe language context. No public exploit identified at time of analysis and no CISA KEV listing; the CVSS 4.0 score of 5.9 reflects the high-complexity exploitation conditions acknowledged by the vendor.

Buffer Overflow Information Disclosure Buffa
NVD GitHub
CVSS 4.0
5.9
CVE-2026-56454 MEDIUM This Month

TLS protocol downgrade exposure in HCL DFXAnalytics allows network-positioned attackers to intercept and decrypt sensitive communications by exploiting continued support for deprecated TLS 1.0 and TLS 1.1 protocols. All versions of DFXAnalytics are affected per the wildcard CPE string, with high confidentiality impact and no integrity or availability degradation. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog; however, the CVSS AC:H rating reflects the prerequisite man-in-the-middle network position rather than any inherent technical barrier to exploitation once that position is achieved.

Information Disclosure Dfxanalytics
NVD VulDB
CVSS 3.1
5.9
CVE-2026-15737 MEDIUM PATCH This Month

Unintended sensitive data exposure in AWS Bedrock AgentCore Python SDK versions 1.4.8 and 1.5.0 allows any low-privileged IAM principal with CloudWatch Logs read access to retrieve verbatim user prompts and complete AI agent responses from the aws/spans log group. The SDK's OpenTelemetry instrumentation populates span attributes with raw conversational content on every invocation without filtering or masking, and these spans are automatically exported to CloudWatch, bypassing any application-layer data controls. No public exploit has been identified at time of analysis, but the exposure is systemic and requires no special tooling beyond standard AWS console or CLI access with logs read permissions; vendor-released patch version 1.5.1 is available.

Python Information Disclosure Bedrock Agentcore
NVD GitHub
CVSS 4.0
5.7
CVE-2026-45612 MEDIUM PATCH This Month

Out-of-bounds read in rz-libdemangle's Rust v0 demangler leaks process memory when a caller invokes the demangling routine before the internal rust_v0_t structure is properly initialized. All builds of the library prior to commit 6bf56d3 are affected, putting security analysts and reverse engineers who process untrusted Rust binaries through the Rizin framework at risk of memory disclosure. No confirmed active exploitation (not in CISA KEV) and no public exploit code has been identified at time of analysis; the fix is available as an upstream commit but a versioned release is not independently confirmed.

Buffer Overflow Information Disclosure Rz Libdemangle
NVD GitHub
CVSS 3.1
5.5
CVE-2026-56453 MEDIUM This Month

Account takeover through HTTP response manipulation in HCL DFXAnalytics enables a network-positioned attacker to intercept and alter server responses before they reach the client, subverting authentication and authorization decisions enforced client-side. The product, identified via CPE cpe:2.3:a:hcl_software:dfxanalytics:*:*:*:*:*:*:*:*, appears to trust server-provided authentication outcomes without cryptographic integrity protection, allowing a low-privileged adversary-in-the-middle to gain unauthorized access to arbitrary user accounts. No public exploit has been identified and no CISA KEV listing is present, but the CVSS scope change (S:C) signals that successful exploitation reaches beyond the attacker's own session to compromise targeted accounts.

Authentication Bypass Dfxanalytics
NVD VulDB
CVSS 3.1
5.5
CVE-2026-9494 MEDIUM PATCH This Month

ubuntu-pro-client (formerly ubuntu-advantage-tools) leaks Ubuntu Pro bearer tokens to unprivileged local users via the Linux /proc filesystem on all supported Ubuntu LTS releases from 14.04 through 26.04. When the client validates APT credentials, it spawns /usr/lib/apt/apt-helper with the secret token embedded in a cleartext URL argument (https://bearer:<token>@esm.ubuntu.com/), which any local low-privileged user can read from /proc/<pid>/cmdline on default-configured systems. The stolen token enables unauthorized access to the victim's Ubuntu Pro ESM repositories. No public exploit has been identified at time of analysis, and this is not listed in CISA KEV.

Ubuntu Canonical Authentication Bypass Information Disclosure Ubuntu Pro Client Ubuntu Advantage Tools +7
NVD
CVSS 3.1
5.5
CVE-2026-47082 MEDIUM This Month

Incorrect authorization in Cyrus IMAP through 3.12.2 allows authenticated users to bypass mailbox ACL enforcement via the vacation Sieve script `:fcc` (file carbon copy) feature, enabling unauthorized message injection into any mailbox nameable by the script regardless of insert permissions. The CVSS vector (PR:L, AV:N) confirms network-triggerable exploitation requiring only a valid authenticated account, with low integrity and availability impact (C:N/I:L/A:L). No public exploit code and no CISA KEV listing exist at time of analysis; vendor-released patch version 3.12.3 addresses the flaw.

Authentication Bypass Cyrus Imap
NVD
CVSS 3.1
5.4
CVE-2026-15909 MEDIUM This Month

Authorization bypass in RafyMrX TOKO-ONLINE-ROTI allows a low-privileged remote attacker to manipulate the `kd_cs` parameter in `proses/add.php` to access or modify data belonging to other customers, a classic CWE-639 Insecure Direct Object Reference pattern. The application up to commit ddfe1cd587be0a0b5135d8b6e85cce2ec3aece99 is confirmed affected, with no vendor patch available after the vendor failed to respond to responsible disclosure. No public exploit code or CISA KEV listing has been identified at time of analysis, though the low complexity of parameter manipulation makes this trivially reproducible with standard HTTP tooling.

Authentication Bypass PHP Toko Online Roti
NVD VulDB
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-53715 MEDIUM This Month

Envoy Gateway's Wasm extension cache HTTP server (port 18002) can be crashed by a tenant-level attacker, causing a cross-tenant control-plane denial of service. The race condition in httpserver.go causes Go's runtime to call runtime.throw upon detecting an unsynchronized concurrent map access - a fatal signal that net/http's per-connection recover cannot intercept - terminating the entire controller process. While Kubernetes restarts the pod, all tenants sharing the controller lose control-plane availability during the restart window. No public exploit has been identified at time of analysis, but the four-condition precondition set is largely within baseline tenant capabilities.

Information Disclosure Race Condition Kubernetes
NVD GitHub
CVSS 3.1
5.3
Page 1 of 2 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy