Skip to main content
2026-07-16

2026-07-17

CVE-2026-15380 MEDIUM This Month

Full SYSTEM-level code execution in Broadcom's Symantec IT Management Suite (ITMS) 8.7.3 is reachable by any non-administrator interactive user via a DCOM and Windows Task Scheduler logic chain, requiring no network access and no memory corruption. The attack is confined to the local host, meaning a standard user account with an interactive session on the ITMS server is sufficient to achieve unrestricted SYSTEM privileges. No public exploit has been identified at time of analysis, though Broadcom's advisory carries the highest urgency rating (U:Red) and the CVSS 4.0 supplemental metric AU:Y indicates the exploitation steps can be automated once understood.

RCE Buffer Overflow Symantec Management Suite
NVD VulDB
CVSS 4.0
5.1
EPSS
0.1%
CVE-2026-15379 MEDIUM This Month

Local privilege escalation via a misconfigured WMI provider in Broadcom's Symantec IT Management Suite (Altiris) exposes SYSTEM-readable files to any local standard user. The AltirisAgent_Stream WMI class fails to re-impersonate the calling user when servicing queries, reverting to the LocalSystem context instead - allowing unprivileged local users to bypass filesystem ACLs and read files that are restricted to SYSTEM or Administrator accounts, including configuration files, service logs, and stored secrets. No public exploit has been identified at time of analysis, though the technique is mechanically straightforward for any authenticated local user; the Broadcom advisory (SA 37995) is the authoritative disclosure source.

Authentication Bypass Symantec It Management Suite
NVD VulDB
CVSS 4.0
5.1
EPSS
0.1%
CVE-2026-15457 MEDIUM This Month

Directory traversal via the unsanitized 'family' parameter in the Kirki plugin for WordPress (all versions up to and including 6.0.13) enables authenticated users holding editor-level access or above to delete arbitrary directories on the server filesystem, risking data loss and site unavailability. Reported by Wordfence, the flaw originates in insufficient path validation within FontService.php and GlobalDataController.php, which process the 'family' parameter without canonicalization or boundary enforcement. No public exploit code exists and no CISA KEV listing is present at time of analysis, but the potential for irreversible filesystem destruction makes this a meaningful risk on any WordPress site granting editor access to untrusted accounts.

Path Traversal WordPress Kirki Freeform Page Builder Website Builder Customizer
NVD
CVSS 3.1
4.9
EPSS
0.8%
CVE-2026-62201 MEDIUM PATCH This Month

Network policy bypass via Server-Side Request Forgery (SSRF) in OpenClaw's sandbox exec-server allows lower-trust callers to route HTTP requests to internal network destinations that OpenClaw policy is explicitly configured to block. All OpenClaw installations before version 2026.6.6 are affected. The CVSS 4.0 vector scores subsequent-system confidentiality impact as High (SC:H), reflecting that successfully bypassed network policies expose internal infrastructure - not the OpenClaw host itself - to unauthorized access. No public exploit code has been identified and this CVE is not listed in the CISA KEV catalog at time of analysis.

SSRF Openclaw
NVD GitHub
CVSS 4.0
4.9
EPSS
0.3%
CVE-2026-62227 MEDIUM PATCH This Month

Server-side request forgery in OpenClaw's browser snapshot routes allows lower-privileged authenticated users to bypass the platform's network policy controls and reach internal destinations that should be blocked. Affected versions span 2026.4.14 through 2026.5.25; the fix shipped in 2026.5.26 per the vendor's GitHub security advisory. No public exploit code has been identified and this CVE is not listed in CISA KEV, though the CVSS 4.0 subsequent-system confidentiality rating of High reflects the real potential for lateral access to sensitive internal services.

SSRF Openclaw
NVD GitHub VulDB
CVSS 4.0
4.9
EPSS
0.2%
CVE-2026-16106 MEDIUM This Month

Unauthorized role removal in Keycloak's admin REST API allows a delegated administrator to strip privileged child roles from composite roles they are not authorized to manage, corrupting the role hierarchy and revoking access for users and administrators who depend on those composite roles. Affected products span Red Hat Build of Keycloak, Red Hat Single Sign-On 7, Red Hat Data Grid 8, and Red Hat JBoss EAP Expansion Pack. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog; however, in multi-tenant enterprise deployments where delegated administration is common, the integrity impact to IAM role structures is operationally significant.

Red Hat Build Of Keycloak Red Hat Data Grid 8 Red Hat Jboss Enterprise Application Platform Expansion Pack Red Hat Single Sign On 7 Authentication Bypass
NVD
CVSS 3.1
4.9
CVE-2026-16072 MEDIUM This Month

Broken access control in Keycloak's organization management component allows a delegated administrator holding only organization management permissions to exploit the invitation API to provision new user accounts and inject unauthorized members into organizations. The attacker generates an invitation for a fabricated email address, then retrieves the secret registration link directly via the API - bypassing the email delivery step entirely - and uses it to self-register accounts without possessing user management permissions. No public exploit has been identified at time of analysis; exploitation is gated by the PR:H requirement (delegated administrator credentials), limiting realistic threat actors to insider or compromised-admin scenarios.

Authentication Bypass Red Hat Build Of Keycloak Red Hat Data Grid 8 Red Hat Jboss Enterprise Application Platform Expansion Pack Red Hat Single Sign On 7
NVD
CVSS 3.1
4.9
CVE-2026-21760 MEDIUM This Month

Forced browsing vulnerability in HCL DevOps Loop allows authenticated low-privileged users to access restricted administrative endpoints by directly navigating to protected URLs without proper authorization enforcement. The application fails to validate that the requesting user holds sufficient privileges before serving administrative responses, enabling unauthorized access to admin functionality over the network. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog at time of analysis.

Authentication Bypass
NVD
CVSS 3.1
4.6
CVE-2026-15160 MEDIUM This Month

Directory traversal in the Ninja Forms - Excel Export WordPress plugin (versions ≤ 3.3.6) allows authenticated attackers with subscriber-level access to write .xls/.xlsx files to arbitrary server-side locations via the unsanitized 'spreadsheet_export_tmp_name' parameter. The vulnerability is a staging primitive: direct code execution is not possible through the traversal alone, but file placement in web-accessible or sensitive directories can enable follow-on attacks such as information disclosure or overwriting existing files. No public exploit has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog.

Path Traversal WordPress Ninja Forms Excel Export
NVD
CVSS 3.1
4.3
EPSS
0.5%
CVE-2026-15349 MEDIUM This Month

Authorization bypass in the WP ERP WordPress plugin (versions through 1.17.6) allows authenticated attackers with subscriber-level access to create arbitrary company locations in the ERP database. The flaw stems from a missing authorization check in the plugin's Admin AJAX handler, as identified by Wordfence and corroborated by source code references at includes/Admin/Ajax.php. No public exploit code or CISA KEV listing exists at time of analysis, but the low privilege bar (any registered WordPress user) on a network-accessible endpoint makes opportunistic abuse straightforward on sites with open user registration.

WordPress Authentication Bypass Erp
NVD
CVSS 3.1
4.3
EPSS
0.3%
CVE-2026-33434 MEDIUM This Month

Rate limit bypass in Wazuh's /events endpoint allows authenticated network users to inject events into analysisd beyond the administrator-configured global rate limit. A logic error in CheckRateLimitsMiddleware.dispatch() causes the endpoint-specific counter (hardcoded at 30 requests/min) to unconditionally overwrite the result of the global rate limit check, meaning the global max_request_per_minute threshold is silently ignored for this endpoint. Versions 4.6.0 through 4.14.4 are affected; no public exploit code has been identified and the issue is not listed in CISA KEV.

Wazuh Code Injection
NVD GitHub
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-15159 MEDIUM This Month

Subscriber-level WordPress users can exfiltrate complete PII datasets from all Ninja Forms submissions site-wide in Ninja Forms - Excel Export versions up to and including 3.3.6 by supplying arbitrary values to the `spreadsheet_export_form_id` parameter, which lacks authorization validation at the export endpoint. The missing access control enables horizontal privilege escalation across all form IDs on the installation, delivering names, email addresses, phone numbers, physical addresses, and any other collected PII as downloadable XLSX files to low-privileged users who should have no cross-form access. No public exploit code has been identified at time of analysis and CISA KEV listing is absent, but the low attack complexity (AC:L, no user interaction required beyond subscriber-level credentials) makes this a meaningful data privacy risk on WordPress sites with open user registration.

WordPress Authentication Bypass Ninja Forms Excel Export
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-9656 MEDIUM This Month

OAuth refresh token theft in HubSpot All-In-One Marketing - Forms, Popups, Live Chat (WordPress plugin 'leadin') exposes connected HubSpot tenants to unauthorized access. Authenticated WordPress users at contributor level or above can extract a plaintext HubSpot OAuth refresh token directly from the client-side window.leadinConfig JavaScript object, which is populated server-side via wp_localize_script() after the plugin decrypts the at-rest AES-256-CTR-encrypted token - rendering the encryption entirely ineffective against this attack path. A stolen token can be replayed against the HubSpot OAuth API to access or modify CRM contacts, marketing campaigns, and other tenant data in the connected HubSpot account. No public exploit has been identified at time of analysis, and this CVE is not listed in CISA KEV.

WordPress Information Disclosure Hubspot All In One Marketing Forms Popups Live Chat
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-16104 MEDIUM This Month

Sensitive credential exposure in the keycloak-services authentication configuration endpoint allows view-only administrators to retrieve unmasked third-party service secrets, such as reCAPTCHA secret keys, through the administrative API. Affected deployments include Red Hat Build of Keycloak, Red Hat Single Sign-On 7, Red Hat Data Grid 8, and the JBoss EAP Expansion Pack. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog; however, the confidential nature of the exposed values - functional API credentials for third-party services - elevates the practical impact beyond what the CVSS score of 4.3 might initially suggest.

Information Disclosure Red Hat Red Hat Build Of Keycloak Red Hat Data Grid 8 Red Hat Jboss Enterprise Application Platform Expansion Pack +1
NVD
CVSS 3.1
4.3
CVE-2026-16103 MEDIUM This Month

Brute-force lockout bypass in Keycloak's Client-Initiated Backchannel Authentication (CIBA) flow allows an attacker holding valid OAuth client credentials to redeem previously approved authentication requests and obtain access and refresh tokens for a user account that has since been locked. This is an incomplete fix for CVE-2026-9798: the brute-force protection check was applied to the CIBA initiation handler but was never added to the token redemption handler, creating a gap that persists after the earlier patch. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.

Information Disclosure Red Hat Build Of Keycloak Red Hat Data Grid 8 Red Hat Jboss Enterprise Application Platform Expansion Pack Red Hat Single Sign On 7
NVD
CVSS 3.1
4.3
CVE-2026-16108 MEDIUM This Month

Keycloak's default-groups REST endpoint and realm representation expose hidden group names and identifiers to delegated administrators who hold realm-viewing permissions but lack explicit group-viewing authorization. Affected products span Red Hat Build of Keycloak, Red Hat Single Sign-On 7, Red Hat Data Grid 8, and Red Hat JBoss EAP Expansion Pack. No public exploit code exists and CISA KEV listing is absent at time of analysis; the CVSS 4.3 Medium rating accurately reflects constrained impact limited to metadata disclosure.

Information Disclosure Red Hat Build Of Keycloak Red Hat Data Grid 8 Red Hat Jboss Enterprise Application Platform Expansion Pack Red Hat Single Sign On 7
NVD
CVSS 3.1
4.3
CVE-2026-21761 MEDIUM This Month

CORS misconfiguration in HCL DevOps Loop enables authenticated network-adjacent attackers to perform unauthorized cross-origin requests against the application. The improper CORS policy potentially allows untrusted domains to read application responses, exposing session-bound resources to attacker-controlled origins. No public exploit code and no CISA KEV listing have been identified at time of analysis, but the tag 'Authentication Bypass' suggests resource exposure can undermine access control assumptions.

Cors Misconfiguration Authentication Bypass
NVD
CVSS 3.1
4.2
CVE-2026-62211 MEDIUM PATCH This Month

Credential redaction bypass in OpenClaw before version 2026.6.1 allows lower-privileged local users to extract sensitive credentials through the trajectory export feature by exploiting misconfigured input paths or improperly accessible export functionality. The product's redaction controls fail to enforce trust boundaries, causing credentials that should remain opaque to lower-trust callers to surface in export output. No public exploit has been identified at time of analysis; exploitation requires local access, low privileges, and user interaction, which constrains realistic risk despite the high confidentiality impact when conditions are met.

Information Disclosure Openclaw
NVD GitHub
CVSS 4.0
4.1
EPSS
0.1%
Prev Page 2 of 2

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy