Skip to main content
2026-07-16

2026-07-17

CVE-2026-9810 CRITICAL POC PATCH Act Now

Privilege escalation and full site takeover affects the AI Copilot WordPress plugin before 1.5.4, which fails to bind OAuth access tokens to a specific WordPress user and treats any valid token as an administrator session. An unauthenticated attacker who completes the plugin's public OAuth flow can invoke privileged MCP (Model Context Protocol) tools as an administrator, creating new users and escalating roles. Publicly available exploit code exists and the flaw carries a CVSS 9.8; no active exploitation has been confirmed (not in CISA KEV).

WordPress Privilege Escalation Ai Copilot
NVD WPScan VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-14956 CRITICAL Act Now

Unauthenticated privilege escalation in the Bricksforge WordPress plugin (versions ≤ 3.1.8.6) lets remote attackers create a new administrator account by abusing the Pro Forms User Registration action. The plugin fails to validate the fieldIds parameter, so attacker-supplied field IDs are injected into the trusted form-field whitelist, enabling mass-assignment of a privileged role. No public exploit has been identified at time of analysis, but the flaw is trivially exploitable (CVSS 9.8) on any site exposing a Pro Forms registration element.

Privilege Escalation WordPress Bricksforge
NVD VulDB
CVSS 3.1
9.8
EPSS
0.4%
CVE-2026-15982 CRITICAL Act Now

Privilege escalation in the Aimogen Pro (Aiomatic) all-in-one AI toolkit plugin for WordPress affects all versions through 2.8.4 and lets unauthenticated attackers create administrator accounts. The 'aiomatic_call_google_ai_function' AJAX handler lacks a capability check, allowing the 'aimogen_wp_god_mode' tool to clear function blacklists and invoke arbitrary PHP functions. No public exploit identified at time of analysis, but the pre-auth nature and 9.8 CVSS make this a full-site-takeover risk.

Privilege Escalation WordPress PHP Aimogen Pro All In One Ai Content Writer Editor Chatbot Automation Toolkit
NVD
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-12692 CRITICAL Act Now

Authentication bypass in Vimesoft Enterprise Video Platform (versions 3.11.0.0 up to but not including 3.25.0) lets a remote, unauthenticated attacker change a victim's password without verifying the existing credential (CWE-620), enabling full account takeover. Reported by Turkey's national CERT (TR-CERT/USOM) and rated CVSS 9.8, the flaw grants complete control over targeted accounts. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass Enterprise Video Platform
NVD
CVSS 3.1
9.8
CVE-2026-8297 CRITICAL Act Now

SQL injection in GisLab Laboratory Management System (versions 1.4.03 through 08072026) allows remote unauthenticated attackers to inject arbitrary SQL commands via improperly neutralized special elements, per a TR-CERT advisory (TR-26-0573). The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N, C:H/I:H/A:H, 9.8) indicates full compromise of the backend database with no authentication or user interaction. No public exploit identified at time of analysis and the flaw is not listed in CISA KEV.

SQLi Gislab Laboratory Management System
NVD
CVSS 3.1
9.8
CVE-2026-51080 CRITICAL Act Now

XML External Entity injection in the libpve-storage-perl library (the storage-management Perl backend of Proxmox VE) affects builds identified as libpvestorage-perl v9.1.1 and libpve-storage-perl v8.3.7, per MITRE. An attacker able to submit crafted XML to an affected storage-handling code path can force the parser to resolve external entities, enabling arbitrary local file disclosure and potential SSRF or denial of service. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV; EPSS was not provided.

XXE N A
NVD VulDB
CVSS 3.1
9.8
CVE-2026-12693 CRITICAL Act Now

Authorization bypass in Vimesoft Enterprise Video Platform (versions 3.11.0.0 up to but not including 3.25.0) lets remote unauthenticated attackers manipulate a user-controlled key (an IDOR-style reference) to reach functionality that should be restricted by access-control lists. Reported to Turkey's national CSIRT (USOM) with a CVSS 9.4, it enables reading and altering other tenants'/users' resources; no public exploit identified at time of analysis and the flaw is not in CISA KEV.

Authentication Bypass
NVD
CVSS 3.1
9.4
CVE-2026-9586 CRITICAL Act Now

Unauthenticated SQL injection in Sangoma Switchvox SMB Edition 8.3 (build 104997) lets remote attackers execute arbitrary SQL against the backend PostgreSQL database via the /pa endpoint, which concatenates the attacker-supplied PhoneIP value from a <PolycomIPPhone> XML body into queries without parameterization. Because SQL access on this PostgreSQL deployment can be escalated to command execution, a single crafted, unauthenticated request yields full database compromise and remote code execution on the VoIP appliance. There is no public exploit identified at time of analysis, though vendor SRA published a technical writeup, and the CVSS 4.0 base score is 9.3 (Critical).

RCE SQLi PostgreSQL Switchvox Smb Edition
NVD
CVSS 4.0
9.3
CVE-2026-62241 CRITICAL PATCH Act Now

Session forgery in the clawvet self-hosted API server (apps/api) before 0.7.5 lets a remote unauthenticated attacker fully impersonate any user and steal their secret apiKey. The server ships a hard-coded fallback JWT secret ('clawvet-dev-secret-change-me') in auth.ts and .env.example, while an unauthenticated GET /api/v1/scans endpoint leaks victim userId values; combining these, an attacker forges a valid HS256 cg_session cookie offline and calls GET /api/v1/auth/me to exfiltrate the victim's email, subscription plan, and API key. There is no public exploit identified at time of analysis and the flaw is not in CISA KEV, but the technique is fully described and trivially reproducible; only the self-hosted API is affected, not the published clawvet npm CLI package.

Authentication Bypass Node.js Clawvet
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.4%
CVE-2026-62232 CRITICAL PATCH Act Now

Two-factor authentication bypass in Grav CMS before 2.0.4 lets an attacker who already knows a victim's password overwrite that user's TOTP secret and log in with full 2FA protection stripped away. During the pending TOTP challenge window the login plugin's regenerate2FASecret task verifies only that the user exists — not that the caller is authorized — and requires no CSRF nonce, so the attacker sets an attacker-chosen secret, computes a valid code, and completes login. VulnCheck-reported and CVSS 4.0 scored 9.1; no public exploit identified at time of analysis.

CSRF Authentication Bypass Grav
NVD GitHub VulDB
CVSS 4.0
9.1
EPSS
0.3%
CVE-2026-12694 CRITICAL Act Now

Improper access control in Vimesoft Enterprise Video Platform (versions 3.11.0.0 up to but not including 3.25.0) allows remote unauthenticated attackers to invoke privileged functionality that is not properly constrained by access control lists. Because the missing authorization check exposes state-changing operations, an attacker can modify or disrupt platform data and availability without credentials. This was reported by Turkey's national CSIRT (USOM); no public exploit has been identified at time of analysis and no EPSS or CISA KEV data is available.

Authentication Bypass
NVD
CVSS 3.1
9.1

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy