CVE Intelligence Hub

Find the CVEs that matter to your stack

Ping7 turns new vulnerability reports into owner-facing checks: affected versions, exposed services, log signals, patch notes, and the point where repair help is safer than guessing. Paste your domain -> Am I Affected?

965 Tracked CVEs
27 CVSS 10.0
278 Critical (9.0+)
4 CISA KEV
8 Actively Exploited
352 Public PoC
248 This Week
Step 1

Search the CVE or product

Use lookup or product groups to find whether the advisory touches your CMS, plugin, server, package, or appliance.

Open CVE Lookup
Step 2

Run the defensive self-check

Check version, exposure, enabled modules, logs, users, files, and vendor patch notes. The guides avoid payloads and unauthorized testing.

See latest guides
Step 3

Escalate only when evidence says so

Request help when production is affected, patching is blocked, or compromise signs appear in files, accounts, redirects, cron, or logs.

Request repair

Updated coverage

Latest covered CVEs

Newest Ping7 coverage from the current CVE feed. Open a card to check affected versions, exposure, patch status, and signs of compromise.

Latest CVE drops

Sorted by disclosure date, freshest first. Most attackers move within 72 hours of disclosure.

2026-06-29 CVSS 5.6

CVE-2026-13529

YzmCMS - installer SQL injection risk

CVE-2026-13529 affects YzmCMS through 7.5 where installer exposure can create SQL injection risk. Owners should remove or restrict installer paths, review install access logs, and check configuration or database changes before returning the site to service.

YzmCMS Public PoC
2026-06-28 CVSS 9.9

CVE-2026-58053

Gitea act_runner - Docker backend container hardening bypass

CVE-2026-58053 affects Gitea act_runner deployments that use the Docker backend through act 0.262.0. Owners should restrict who can run workflows, review Docker runner configuration, isolate runners from production hosts, and apply vendor hardening guidance.

Gitea act_runner Public PoC
2026-06-28 CVSS 8.1

CVE-2026-8095

Frontend File Manager Plugin - authenticated arbitrary file deletion

CVE-2026-8095 affects the Frontend File Manager Plugin for WordPress through 23.6. Sites should patch the plugin, preserve file timestamps, review failed file operations, and check whether critical WordPress files changed during the exposure window.

Frontend File Manager Plugin
2026-06-28 CVSS 7.5

CVE-2026-13498

restaurent-management-system - forgot-password SQL injection risk

CVE-2026-13498 affects the yashpokharna2555 restaurent-management-system project, which does not publish fixed version metadata. Owners should remove public exposure, review forgot-password activity, preserve database logs, and migrate away from the unsupported code path.

yashpokharna2555 restaurent-management-system Public PoC
2026-06-27 CVSS 9.8

CVE-2026-12415

Invoice Generator - unauthenticated privilege escalation

CVE-2026-12415 affects the Invoice Generator plugin for WordPress through 1.0.0. Site owners should patch or disable the plugin, review administrator email changes, password reset events, and new sessions before closing the incident.

Invoice Generator
2026-06-27 CVSS 6.4

CVE-2026-11783

Dokan - stored XSS via product SKU rendering

CVE-2026-11783 affects Dokan for WordPress through 5.0.4. Marketplace owners should patch Dokan, review vendor product SKU changes, storefront search output, cached product fragments, and administrator sessions opened during the exposure window.

Dokan
2026-06-26 CVSS 10.0

CVE-2026-53576

Kestra - authentication boundary risk

CVE-2026-53576 affects Kestra. Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, the authentication filter for the REST API (@Filter("/api/v1/**")) treats any request whose path ends in /configs as the public i... Patch the affected deployment and review workflow and admin logs.

Kestra
2026-06-26 CVSS 10.0

CVE-2026-54350

Budibase - authentication boundary risk

CVE-2026-54350 affects Budibase. Budibase is an open-source low-code platform. Prior to 3.39.12, an unauthenticated visitor of any published Budibase app reads every document of the backing MongoDB, CouchDB, Elasticsearch, DynamoDB-PartiQL, or REST-with... Patch the affected deployment and review workflow and admin logs.

Budibase
2026-06-26 CVSS 9.9

CVE-2026-46386

OpenProject - security boundary risk

CVE-2026-46386 affects OpenProject Docker deployments that inherited an unsafe default application secret configuration. Patch the affected deployment and review workflow and admin logs.

OpenProject
2026-06-26 CVSS 9.9

CVE-2026-56027

Booster for WooCommerce - Customer Arbitrary File Upload

CVE-2026-56027 affects Booster for WooCommerce <= 8.0.1. Site owners should patch the component, preserve logs, and review files and uploads before closing the issue.

Booster for WooCommerce
2026-06-26 CVSS 9.9

CVE-2026-56059

Travel Booking - Subscriber Arbitrary File Upload

CVE-2026-56059 affects Travel Booking <= 2.2.5. Site owners should patch the component, preserve logs, and review files and uploads before closing the issue.

Travel Booking
2026-06-26 CVSS 9.8

CVE-2026-0685

Genshi Template Engine - remote code execution risk

CVE-2026-0685 affects Genshi Template Engine. Server-side template injection (SSTI) in the expression evaluation component of Genshi Template Engine version 0.7.9 allows a remote attacker to achieve remote code execution (RCE) via crafted template expressions. Patch the affected deployment and review web and app logs.

Genshi Template Engine
2026-06-26 CVSS 9.8

CVE-2026-48930

Node.js - authentication boundary risk

CVE-2026-48930 affects Node.js. A flaw in Node.js TLS hostname handling: embedded-NUL hostnames can lead to silent authority rebinding due to C-string truncation in resolver bindings. Patch the affected deployment and review runtime logs.

Node.js
2026-06-26 CVSS 9.8

CVE-2026-56028

Easy Elements for Elementor - Addons and Website Templates - Unauthenticated Privilege Escalation

CVE-2026-56028 affects Easy Elements for Elementor - Addons and Website Templates <= 1.4.9. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Easy Elements for Elementor - Addons and Website Templates
2026-06-26 CVSS 9.8

CVE-2026-56030

Paytium - Unauthenticated Privilege Escalation

CVE-2026-56030 affects Paytium <= 5.0.2. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Paytium
2026-06-26 CVSS 9.8

CVE-2026-56032

Buddyboss Platform - Subscriber PHP Object Injection

CVE-2026-56032 affects Buddyboss Platform <= 3.0.4. Site owners should patch the component, preserve logs, and review logs and users before closing the issue.

Buddyboss Platform
2026-06-26 CVSS 9.8

CVE-2026-56033

Dokan Pro - Unauthenticated Privilege Escalation

CVE-2026-56033 affects Dokan Pro <= 5.0.4. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Dokan Pro
2026-06-26 CVSS 9.8

CVE-2026-56057

Uncanny Automator Pro - Subscriber PHP Object Injection

CVE-2026-56057 affects Uncanny Automator Pro <= 7.3.0.6. Site owners should patch the component, preserve logs, and review logs and users before closing the issue.

Uncanny Automator Pro
2026-06-26 CVSS 9.3

CVE-2026-54820

JetBooking - Unauthenticated SQL Injection

CVE-2026-54820 affects JetBooking <= 4.0.4.1. Site owners should patch the component, preserve logs, and review database logs before closing the issue.

JetBooking
2026-06-26 CVSS 9.3

CVE-2026-54825

wpDataTables - Unauthenticated SQL Injection

CVE-2026-54825 affects wpDataTables <= 7.4. Site owners should patch the component, preserve logs, and review database logs before closing the issue.

wpDataTables
2026-06-26 CVSS 9.3

CVE-2026-54827

Real Estate 7 - Unauthenticated SQL Injection

CVE-2026-54827 affects Real Estate 7 <= 3.5.9. Site owners should patch the component, preserve logs, and review database logs before closing the issue.

Real Estate 7
2026-06-26 CVSS 9.3

CVE-2026-54831

GeoDirectory - Unauthenticated SQL Injection

CVE-2026-54831 affects GeoDirectory <= 2.8.162. Site owners should patch the component, preserve logs, and review database logs before closing the issue.

GeoDirectory
2026-06-26 CVSS 9.3

CVE-2026-56034

Library Management System - Unauthenticated SQL Injection

CVE-2026-56034 affects Library Management System <= 3.5.7. Site owners should patch the component, preserve logs, and review database logs before closing the issue.

Library Management System
2026-06-26 CVSS 9.3

CVE-2026-56036

Korean SimplePay WooCommerce plugin - Unauthenticated SQL Injection

CVE-2026-56036 affects Korean SimplePay WooCommerce plugin <= 5.5.6. Site owners should patch the component, preserve logs, and review database logs before closing the issue.

Korean SimplePay WooCommerce plugin
2026-06-26 CVSS 9.3

CVE-2026-56062

Quotes llama - Unauthenticated SQL Injection

CVE-2026-56062 affects Quotes llama <= 3.1.5. Site owners should patch the component, preserve logs, and review database logs before closing the issue.

Quotes llama
2026-06-26 CVSS 9.3

CVE-2026-56067

JetSmartFilters - Unauthenticated SQL Injection

CVE-2026-56067 affects JetSmartFilters <= 3.8.3. Site owners should patch the component, preserve logs, and review database logs before closing the issue.

JetSmartFilters
2026-06-26 CVSS 9.3

CVE-2026-56070

Advance Product Search - Unauthenticated SQL Injection

CVE-2026-56070 affects Advance Product Search <= 1.4.4. Site owners should patch the component, preserve logs, and review database logs before closing the issue.

Advance Product Search
2026-06-26 CVSS 9.1

CVE-2025-55017

Apache IoTDB - path traversal risk

CVE-2025-55017 affects Apache IoTDB. Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache IoTDB. Patch the affected deployment and review trust and service logs.

Apache IoTDB
2026-06-26 CVSS 9.1

CVE-2025-64152

Apache IoTDB - path traversal risk

CVE-2025-64152 affects Apache IoTDB. Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache IoTDB. Patch the affected deployment and review trust and service logs.

Apache IoTDB
2026-06-26 CVSS 9.1

CVE-2026-57658

TemplateSpare - Administrator Arbitrary File Upload

CVE-2026-57658 affects TemplateSpare <= 4.2.0. Site owners should patch the component, preserve logs, and review files and uploads before closing the issue.

TemplateSpare
2026-06-26 CVSS 9.0

CVE-2026-45405

Dokku - authentication boundary risk

CVE-2026-45405 affects Dokku. Dokku is a docker-powered PaaS. Prior to 0.38.2, the git:from-archive and certs:add commands extract user-supplied tar/zip archives into temporary directories without sanitizing member paths or preventing symlink travers... Patch the affected deployment and review workflow and admin logs.

Dokku
2026-06-26 CVSS 9.0

CVE-2026-45406

Dokku - security boundary risk

CVE-2026-45406 affects Dokku. Dokku is a docker-powered PaaS. Prior to 0.38.2, the openresty-vhosts plugin copies files from an app's openresty/http-includes/ git repository directory to the host and then interpolates their filenames, unescaped, into... Patch the affected deployment and review workflow and admin logs.

Dokku
2026-06-26 CVSS 9.0

CVE-2026-45408

Dokku - authentication boundary risk

CVE-2026-45408 affects Dokku. Dokku is a docker-powered PaaS. Prior to 0.38.2, the app name validation regex (^[a-z0-9][^/:_A-Z]*$) permits shell metacharacters. When an authenticated user pushes to a git remote with a crafted app name, the name is e... Patch the affected deployment and review workflow and admin logs.

Dokku
2026-06-26 CVSS 9.0

CVE-2026-54636

Dokku - security boundary risk

CVE-2026-54636 affects Dokku. Dokku is a docker-powered PaaS. Prior to 0.38.7, the cron plugin utilizes commands in the app.json file to manage system cron running as the Dokku user. An app.json cron command utilizing special shell characters - inclu... Patch the affected deployment and review workflow and admin logs.

Dokku
2026-06-26 CVSS 8.8

CVE-2025-68052

Eagle Booking - Unauthenticated Cross Site Request Forgery (CSRF)

CVE-2025-68052 affects Eagle Booking <= 1.3.4.3. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Eagle Booking
2026-06-26 CVSS 8.8

CVE-2026-56008

Fusion Builder - Contributor Privilege Escalation

CVE-2026-56008 affects Fusion Builder <= 3.15.4. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Fusion Builder
2026-06-26 CVSS 8.8

CVE-2026-56010

Abandoned Cart Pro for WooCommerce - Subscriber Privilege Escalation

CVE-2026-56010 affects Abandoned Cart Pro for WooCommerce <= 10.4.0. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Abandoned Cart Pro for WooCommerce
2026-06-26 CVSS 8.8

CVE-2026-56038

Frisbii Pay - Contributor Privilege Escalation

CVE-2026-56038 affects Frisbii Pay <= 1.8.2. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Frisbii Pay
2026-06-26 CVSS 8.8

CVE-2026-57518

Pagekit CMS - privilege escalation risk

CVE-2026-57518 affects Pagekit CMS. Pagekit CMS 1.0.18 contains a privilege escalation vulnerability that allows authenticated users with the 'user: manage users' permission to escalate privileges by assigning arbitrary custom roles to themselves due to mi... Patch the affected deployment and review web and app logs.

Pagekit CMS
2026-06-26 CVSS 8.8

CVE-2026-57659

Paid Memberships Pro - Add Member From Admin - Unauthenticated Cross Site Request Forgery (CSRF)

CVE-2026-57659 affects Paid Memberships Pro - Add Member From Admin <= 0.7.2. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Paid Memberships Pro - Add Member From Admin
2026-06-26 CVSS 8.7

CVE-2026-55069

Kestra - privilege escalation risk

CVE-2026-55069 affects Kestra. Kestra is an open-source, event-driven orchestration platform. Prior to 1.3.24, this vulnerability exists in the BasicAuth authentication component of the Kestra OSS workflow orchestration platform. An attacker who gains... Patch the affected deployment and review workflow and admin logs.

Kestra
2026-06-26 CVSS 8.6

CVE-2026-56035

BitFire Security - Unauthenticated Multiple Vulnerabilities

CVE-2026-56035 affects BitFire Security <= 5.0.3. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

BitFire Security
2026-06-26 CVSS 8.5

CVE-2026-57315

Blocksy Companion Pro - Contributor Remote Code Execution (RCE)

CVE-2026-57315 affects Blocksy Companion Pro <= 2.1.45. Site owners should patch the component, preserve logs, and review logs and users before closing the issue.

Blocksy Companion Pro
2026-06-26 CVSS 8.5

CVE-2026-57636

wpForo Forum - Contributor SQL Injection

CVE-2026-57636 affects wpForo Forum <= 3.0.9. Site owners should patch the component, preserve logs, and review database logs before closing the issue.

wpForo Forum
2026-06-26 CVSS 8.5

CVE-2026-57643

WP Post Author - Contributor SQL Injection

CVE-2026-57643 affects WP Post Author <= 3.9.1. Site owners should patch the component, preserve logs, and review database logs before closing the issue.

WP Post Author
2026-06-26 CVSS 8.5

CVE-2026-57644

Restaurant Menu by MotoPress - Contributor SQL Injection

CVE-2026-57644 affects Restaurant Menu by MotoPress <= 2.4.10. Site owners should patch the component, preserve logs, and review database logs before closing the issue.

Restaurant Menu by MotoPress
2026-06-26 CVSS 8.5

CVE-2026-57653

WP Job Portal - Contributor SQL Injection

CVE-2026-57653 affects WP Job Portal <= 2.5.2. Site owners should patch the component, preserve logs, and review database logs before closing the issue.

WP Job Portal
2026-06-26 CVSS 8.5

CVE-2026-57662

Contest Gallery - Contributor SQL Injection

CVE-2026-57662 affects Contest Gallery <= 30.0.0. Site owners should patch the component, preserve logs, and review database logs before closing the issue.

Contest Gallery
2026-06-26 CVSS 8.5

CVE-2026-57663

Recipe Maker For Your Food Blog from Zip Recipes - Contributor SQL Injection

CVE-2026-57663 affects Recipe Maker For Your Food Blog from Zip Recipes <= 8.2.7. Site owners should patch the component, preserve logs, and review database logs before closing the issue.

Recipe Maker For Your Food Blog from Zip Recipes
2026-06-26 CVSS 8.5

CVE-2026-57667

Groundhogg - Sales Representative SQL Injection

CVE-2026-57667 affects Groundhogg <= 4.5. Site owners should patch the component, preserve logs, and review database logs before closing the issue.

Groundhogg
2026-06-26 CVSS 8.5

CVE-2026-8797

ExpressUpdate Agent - security boundary risk

CVE-2026-8797 affects ExpressUpdate Agent. An access control deficiency vulnerability exists in ExpressUpdate Agent for Windows. If a malicious user gains access to the product, arbitrary code could be executed with SYSTEM privileges. Patch the affected deployment and review component presence.

ExpressUpdate Agent
2026-06-26 CVSS 8.3

CVE-2026-56063

MailChimp Block - Unauthenticated Broken Access Control

CVE-2026-56063 affects MailChimp Block <= 1.1.15. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

MailChimp Block
2026-06-26 CVSS 8.2

CVE-2026-52783

OpenProject - authentication boundary risk

CVE-2026-52783 affects OpenProject. OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, OpenProject's Storages module writes the OneDrive/SharePoint userless OAuth access_token plaintext to Rails.cache under the d... Patch the affected deployment and review workflow and admin logs.

OpenProject
2026-06-26 CVSS 8.2

CVE-2026-57655

Child Theme Wizard - Unauthenticated Cross Site Request Forgery (CSRF)

CVE-2026-57655 affects Child Theme Wizard <= 1.4. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Child Theme Wizard
2026-06-26 CVSS 8.1

CVE-2026-56031

Uncanny Automator - Unauthenticated PHP Object Injection

CVE-2026-56031 affects Uncanny Automator <= 7.3.1.2. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Uncanny Automator
2026-06-26 CVSS 8.1

CVE-2026-57645

Newsletters - newsletters_subscribers Broken Access Control

CVE-2026-57645 affects Newsletters <= 4.13. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Newsletters
2026-06-26 CVSS 7.7

CVE-2026-48618

Node.js - authentication boundary risk

CVE-2026-48618 affects Node.js. A flaw in Node.js TLS hostname handling: Unicode dot separator handling can lead to a TLS wildcard-depth authentication bypass due to a hostname normalization mismatch between the resolver and the verifier. Patch the affected deployment and review runtime logs.

Node.js
2026-06-26 CVSS 7.6

CVE-2026-54826

SupportCandy - Subscriber Insecure Direct Object References (IDOR)

CVE-2026-54826 affects SupportCandy <= 3.4.6. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

SupportCandy
2026-06-26 CVSS 7.6

CVE-2026-57628

WP All Import - Administrator SQL Injection

CVE-2026-57628 affects WP All Import <= 4.0.1. Site owners should patch the component, preserve logs, and review database logs before closing the issue.

WP All Import
2026-06-26 CVSS 7.5

CVE-2025-68063

Splash - Sport Club WordPress Theme for Basketball, Football, Hockey - Contributor Local File Inclusion

CVE-2025-68063 affects Splash - Sport Club WordPress Theme for Basketball, Football, Hockey <= 4.4.3. Site owners should patch the component, preserve logs, and review files and uploads before closing the issue.

Splash - Sport Club WordPress Theme for Basketball, Football, Hockey
2026-06-26 CVSS 7.5

CVE-2025-68064

Goya Core - Contributor Local File Inclusion

CVE-2025-68064 affects Goya Core < 1.0.9.4. Site owners should patch the component, preserve logs, and review files and uploads before closing the issue.

Goya Core
2026-06-26 CVSS 7.5

CVE-2026-48615

Node.js - sensitive data exposure risk

CVE-2026-48615 affects Node.js. A flaw in Node.js proxy tunnel error handling could expose proxy credentials in `ERR_PROXY_TUNNEL` error messages. Patch the affected deployment and review runtime logs.

Node.js
2026-06-26 CVSS 7.5

CVE-2026-48619

Node.js - availability risk

CVE-2026-48619 affects Node.js. A flaw in Node.js HTTP/2 client allows a server to send an unlimited number of ORIGIN frames, which could lead to an Out of Memory error on the client. Patch the affected deployment and review runtime logs.

Node.js
2026-06-26 CVSS 7.5

CVE-2026-48933

Node.js - security boundary risk

CVE-2026-48933 affects Node.js. A flaw in Node.js WebCrypto implementation can crash the process if the input of `subtle.encrypt()` is a multiple of 2GiB. Patch the affected deployment and review runtime logs.

Node.js
2026-06-26 CVSS 7.5

CVE-2026-49486

Apache Airflow FTP provider - sensitive data exposure risk

CVE-2026-49486 affects Apache Airflow FTP provider. The Apache Airflow FTP provider's `FTPSHook.get_conn()` created an `ftplib.FTP_TLS` connection but never called `prot_p()`, so although the control channel was TLS-protected the data channel was transmitted in cleartext.... Patch the affected deployment and review workflow and admin logs.

Apache Airflow FTP provider
2026-06-26 CVSS 7.5

CVE-2026-54824

Ads by WPQuads - Unauthenticated Sensitive Data Exposure

CVE-2026-54824 affects Ads by WPQuads <= 3.0.3. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Ads by WPQuads
2026-06-26 CVSS 7.5

CVE-2026-54832

Gutenverse Companion - Unauthenticated Broken Access Control

CVE-2026-54832 affects Gutenverse Companion <= 2.5.0. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Gutenverse Companion
2026-06-26 CVSS 7.5

CVE-2026-54834

Object Cache 4 everyone - Unauthenticated Sensitive Data Exposure

CVE-2026-54834 affects Object Cache 4 everyone <= 2.3.2. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Object Cache 4 everyone
2026-06-26 CVSS 7.5

CVE-2026-54835

Five Star Restaurant Menu - Unauthenticated Broken Access Control

CVE-2026-54835 affects Five Star Restaurant Menu <= 2.5.2. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Five Star Restaurant Menu
2026-06-26 CVSS 7.5

CVE-2026-54837

Intranet and Private Site - All-In-One Intranet - Unauthenticated Broken Access Control

CVE-2026-54837 affects Intranet and Private Site - All-In-One Intranet <= 1.8.1. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Intranet and Private Site - All-In-One Intranet
2026-06-26 CVSS 7.5

CVE-2026-54839

Trinity Backup - Backup, Migrate, Restore, Clone and Schedule Backups - Unauthenticated Sensitive Data Exposure

CVE-2026-54839 affects Trinity Backup - Backup, Migrate, Restore, Clone and Schedule Backups <= 2.0.9. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Trinity Backup - Backup, Migrate, Restore, Clone and Schedule Backups
2026-06-26 CVSS 7.5

CVE-2026-54846

Syncee Premium Dropshipping and Wholesale - Unauthenticated Broken Access Control

CVE-2026-54846 affects Syncee Premium Dropshipping and Wholesale <= 1.0.27. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Syncee Premium Dropshipping and Wholesale
2026-06-26 CVSS 7.5

CVE-2026-54847

Stylish Cost Calculator - Unauthenticated Broken Access Control

CVE-2026-54847 affects Stylish Cost Calculator <= 8.3.9. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Stylish Cost Calculator
2026-06-26 CVSS 7.5

CVE-2026-56025

Paymob for WooCommerce - Unauthenticated Broken Access Control

CVE-2026-56025 affects Paymob for WooCommerce <= 4.1.2. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Paymob for WooCommerce
2026-06-26 CVSS 7.5

CVE-2026-56029

CorvusPay WooCommerce Payment Gateway - Unauthenticated Broken Authentication

CVE-2026-56029 affects CorvusPay WooCommerce Payment Gateway <= 2.7.4. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

CorvusPay WooCommerce Payment Gateway
2026-06-26 CVSS 7.5

CVE-2026-56060

Print Invoice & Delivery Notes for WooCommerce - Unauthenticated Sensitive Data Exposure

CVE-2026-56060 affects Print Invoice & Delivery Notes for WooCommerce <= 7.1.1. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Print Invoice & Delivery Notes for WooCommerce
2026-06-26 CVSS 7.5

CVE-2026-56061

Subscriptions for WooCommerce - Unauthenticated Broken Access Control

CVE-2026-56061 affects Subscriptions for WooCommerce <= 1.9.5. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Subscriptions for WooCommerce
2026-06-26 CVSS 7.5

CVE-2026-56069

Toolset Forms - Unauthenticated Insecure Direct Object References (IDOR)

CVE-2026-56069 affects Toolset Forms <= 2.6.24. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Toolset Forms
2026-06-26 CVSS 7.5

CVE-2026-57647

Panorama Viewer 360 Degree Image + Video Viewer - Contributor Local File Inclusion

CVE-2026-57647 affects Panorama Viewer 360 Degree Image + Video Viewer <= 1.6.1. Site owners should patch the component, preserve logs, and review files and uploads before closing the issue.

Panorama Viewer 360 Degree Image + Video Viewer
2026-06-26 CVSS 7.4

CVE-2026-54833

Enable CORS - Unauthenticated Backdoor

CVE-2026-54833 affects Enable CORS <= 2.0.3. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Enable CORS
2026-06-26 CVSS 7.3

CVE-2026-54840

Newsletters - Unauthenticated Broken Access Control

CVE-2026-54840 affects Newsletters <= 4.13. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Newsletters
2026-06-26 CVSS 7.3

CVE-2026-57915

Apache Kerby - authentication boundary risk

CVE-2026-57915 affects Apache Kerby. It is possible to bypass the Kerberos pre-authentication check in Apache Kerby by sending a PA-DATA with an unrecognized or unsupported type. Users are recommended to upgrade to version 2.1.2, which fixes this issue. Patch the affected deployment and review trust and service logs.

Apache Kerby
2026-06-26 CVSS 7.1

CVE-2026-56011

MapPress Maps for WordPress - Unauthenticated Cross Site Scripting (XSS)

CVE-2026-56011 affects MapPress Maps for WordPress <= 2.97.3. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

MapPress Maps for WordPress
2026-06-26 CVSS 7.1

CVE-2026-56039

Quick Interest Slider - Unauthenticated Cross Site Scripting (XSS)

CVE-2026-56039 affects Quick Interest Slider <= 3.1.6. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Quick Interest Slider
2026-06-26 CVSS 7.1

CVE-2026-56040

Gutenverse Form - Unauthenticated Cross Site Scripting (XSS)

CVE-2026-56040 affects Gutenverse Form <= 2.4.7. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Gutenverse Form
2026-06-26 CVSS 7.1

CVE-2026-56041

Responsive Lightbox - Unauthenticated Cross Site Scripting (XSS)

CVE-2026-56041 affects Responsive Lightbox <= 2.7.6. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Responsive Lightbox
2026-06-26 CVSS 7.1

CVE-2026-56043

Customer Reviews for WooCommerce - Unauthenticated Cross Site Scripting (XSS)

CVE-2026-56043 affects Customer Reviews for WooCommerce <= 5.110.1. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Customer Reviews for WooCommerce
2026-06-26 CVSS 7.1

CVE-2026-56044

Blog2Social - Unauthenticated Cross Site Scripting (XSS)

CVE-2026-56044 affects Blog2Social <= 8.9.2. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Blog2Social
2026-06-26 CVSS 7.1

CVE-2026-56045

Automatic - Unauthenticated Cross Site Scripting (XSS)

CVE-2026-56045 affects Automatic < 3.135.1. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Automatic
2026-06-26 CVSS 7.1

CVE-2026-56047

perfmatters - Unauthenticated Cross Site Scripting (XSS)

CVE-2026-56047 affects perfmatters <= 2.6.3. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

perfmatters
2026-06-26 CVSS 7.1

CVE-2026-56072

WoodMart - Unauthenticated Cross Site Scripting (XSS)

CVE-2026-56072 affects WoodMart <= 8.5.3. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

WoodMart
2026-06-26 CVSS 7.1

CVE-2026-57312

Everest Forms - Unauthenticated Cross Site Scripting (XSS)

CVE-2026-57312 affects Everest Forms <= 3.4.8. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Everest Forms
2026-06-26 CVSS 7.1

CVE-2026-57314

SureCart - Unauthenticated Cross Site Scripting (XSS)

CVE-2026-57314 affects SureCart <= 4.3.2. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

SureCart
2026-06-26 CVSS 7.1

CVE-2026-57317

Simply Schedule Appointments - Unauthenticated Cross Site Scripting (XSS)

CVE-2026-57317 affects Simply Schedule Appointments <= 1.6.12.2. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Simply Schedule Appointments
2026-06-26 CVSS 7.1

CVE-2026-57322

weMail - Unauthenticated Cross Site Scripting (XSS)

CVE-2026-57322 affects weMail <= 2.1.2. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

weMail
2026-06-26 CVSS 7.1

CVE-2026-57325

NanoMag - Unauthenticated Cross Site Scripting (XSS)

CVE-2026-57325 affects NanoMag <= 1.8. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

NanoMag
2026-06-26 CVSS 6.5

CVE-2026-1869

User Registration & Membership Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder - unauthorized modification of data due to missing validation checks in the confirm_payment() function in all versions up to, and including, 5

CVE-2026-1869 affects User Registration & Membership Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder vendor-fixed release. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

User Registration & Membership Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder
2026-06-26 CVSS 6.5

CVE-2026-52701

User Registration - Unauthenticated Broken Access Control

CVE-2026-52701 affects User Registration <= 5.2.2. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

User Registration
2026-06-26 CVSS 6.5

CVE-2026-56048

Payment Gateway Based Fees and Discounts for WooCommerce - Unauthenticated Insecure Direct Object References (IDOR)

CVE-2026-56048 affects Payment Gateway Based Fees and Discounts for WooCommerce <= 3.0.0. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Payment Gateway Based Fees and Discounts for WooCommerce
2026-06-26 CVSS 6.5

CVE-2026-57635

FunnelKit Payment Gateway for Stripe WooCommerce - Unauthenticated Cross Site Request Forgery (CSRF)

CVE-2026-57635 affects FunnelKit Payment Gateway for Stripe WooCommerce <= 1.14.0.3. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

FunnelKit Payment Gateway for Stripe WooCommerce
2026-06-25 CVSS 10.0

CVE-2026-46752

Apache Kvrocks - security boundary risk

CVE-2026-46752 affects Apache Kvrocks. Redis Lua HEAP overflow in cjson library vulnerability in Apache Kvrocks. Patch the affected deployment and review component presence.

Apache Kvrocks
2026-06-25 CVSS 10.0

CVE-2026-57700

Daan.Dev OMGF Pro - Unrestricted Upload of File with Dangerous Type vulnerability

CVE-2026-57700 affects Daan.Dev OMGF Pro vendor-fixed release. Site owners should patch the component, preserve logs, and review files and uploads before closing the issue.

Daan.Dev OMGF Pro
2026-06-25 CVSS 9.9

CVE-2026-54823

Widget Options - Contributor Remote Code Execution (RCE)

CVE-2026-54823 affects Widget Options <= 4.2.3. Site owners should patch the component, preserve logs, and review logs and users before closing the issue.

Widget Options
2026-06-25 CVSS 9.4

CVE-2026-41566

Apache Kvrocks - security boundary risk

CVE-2026-41566 affects Apache Kvrocks. Improper Handling of Insufficient Permissions or Privileges vulnerability in Apache Kvrocks. Patch the affected deployment and review component presence.

Apache Kvrocks
2026-06-25 CVSS 9.4

CVE-2026-55413

ToolJet - remote code execution risk

CVE-2026-55413 affects ToolJet. ToolJet is the open-source foundation of an AI-native platform for building and deploying internal tools, workflows and AI agents. Prior to 3.20.178-lts, any authenticated user with builder role (free tier) can overwrite a ... Patch the affected deployment and review workflow and admin logs.

ToolJet
2026-06-25 CVSS 9.3

CVE-2026-54836

YMC Filter - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability

CVE-2026-54836 affects YMC Filter vendor-fixed release. Site owners should patch the component, preserve logs, and review database logs before closing the issue.

YMC Filter
2026-06-25 CVSS 9.3

CVE-2026-54849

Premmerce Wishlist for WooCommerce - Unauthenticated SQL Injection

CVE-2026-54849 affects Premmerce Wishlist for WooCommerce <= 1.1.11. Site owners should patch the component, preserve logs, and review database logs before closing the issue.

Premmerce Wishlist for WooCommerce
2026-06-25 CVSS 8.8

CVE-2026-56053

EventPrime - Subscriber PHP Object Injection

CVE-2026-56053 affects EventPrime <= 4.3.4.1. Site owners should patch the component, preserve logs, and review logs and users before closing the issue.

EventPrime
2026-06-25 CVSS 8.7

CVE-2026-11310

wolfSSL - trust validation risk

CVE-2026-11310 affects wolfSSL. X.509 trust-chain bypass in the OpenSSL compatibility certificate verifier (wolfSSL_X509_verify_cert()). This affects only builds with --enable-opensslextra (OPENSSL_EXTRA) and whose application validates certificates by... Patch the affected deployment and review trust and service logs.

wolfSSL
2026-06-25 CVSS 8.5

CVE-2026-54822

SALESmanago & Leadoo - Subscriber SQL Injection

CVE-2026-54822 affects SALESmanago & Leadoo <= 3.11.2. Site owners should patch the component, preserve logs, and review database logs before closing the issue.

SALESmanago & Leadoo
2026-06-25 CVSS 8.5

CVE-2026-54838

WC Vendors Marketplace - Subscriber SQL Injection

CVE-2026-54838 affects WC Vendors Marketplace <= 2.6.8. Site owners should patch the component, preserve logs, and review database logs before closing the issue.

WC Vendors Marketplace
2026-06-25 CVSS 8.5

CVE-2026-56049

Post Snippets - Contributor Remote Code Execution (RCE)

CVE-2026-56049 affects Post Snippets <= 4.0.19. Site owners should patch the component, preserve logs, and review logs and users before closing the issue.

Post Snippets
2026-06-25 CVSS 8.3

CVE-2026-54848

Saad Iqbal APIExperts Square for WooCommerce - Insertion of Sensitive Information Into Sent Data vulnerability

CVE-2026-54848 affects Saad Iqbal APIExperts Square for WooCommerce vendor-fixed release. Site owners should patch the component, preserve logs, and review data exposure before closing the issue.

Saad Iqbal APIExperts Square for WooCommerce
2026-06-25 CVSS 8.2

CVE-2026-11999

wolfSSL - trust validation risk

CVE-2026-11999 affects wolfSSL. X.509 trust-chain bypass (path-depth exhaustion) in the OpenSSL compatibility certificate verifier (wolfSSL_X509_verify_cert()). This affects only builds with --enable-opensslextra whose application calls X509_verify_cer... Patch the affected deployment and review trust and service logs.

wolfSSL
2026-06-25 CVSS 8.2

CVE-2026-55961

wolfSSL - trust validation risk

CVE-2026-55961 affects wolfSSL. wolfSSL_PKCS7_verify() returning success for a degenerate (certs-only) PKCS#7 object that contains no signer. Such an object has empty signerInfos, so the underlying signed-data verification succeeds without authenticati... Patch the affected deployment and review trust and service logs.

wolfSSL
2026-06-25 CVSS 8.2

CVE-2026-56091

Apache Shiro Guice - authentication boundary risk

CVE-2026-56091 affects Apache Shiro Guice. When using Apache Shiro with the shiro-guice module in a web servlet context, a specially crafted HTTP request may cause an authentication bypass. Patch the affected deployment and review component presence.

Apache Shiro Guice
2026-06-25 CVSS 8.1

CVE-2026-45233

HTMLy CMS - path traversal risk

CVE-2026-45233 affects HTMLy CMS. HTMLy CMS through 3.1.1 contains a path traversal vulnerability that allows low-privileged authenticated attackers to relocate arbitrary files by supplying directory traversal sequences in the oldfile parameter at the ad... Patch the affected deployment and review web and app logs.

HTMLy CMS
2026-06-25 CVSS 8.1

CVE-2026-54842

Royal Plugins Royal MCP - Missing Authorization vulnerability

CVE-2026-54842 affects Royal Plugins Royal MCP vendor-fixed release. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Royal Plugins Royal MCP
2026-06-25 CVSS 7.7

CVE-2026-37149

Grocery Store Management System - SQL injection risk

CVE-2026-37149 affects Grocery Store Management System. GROCERY-STORE-MANAGEMENT-SYSTEM-USING-PHP-AND-MYSQL-PHPMYADMIN v1.0 was discovered to contain a SQL injection vulnerability in the scost parameter in /grocery/search_products.php. This vulnerability allows attackers to a... Patch the affected deployment and review web and app logs.

Grocery Store Management System
2026-06-25 CVSS 7.7

CVE-2026-56054

JS Help Desk - Subscriber Arbitrary File Deletion

CVE-2026-56054 affects JS Help Desk <= 3.1.1. Site owners should patch the component, preserve logs, and review files and uploads before closing the issue.

JS Help Desk
2026-06-25 CVSS 7.5

CVE-2026-12937

Tourfic AI Powered Travel Booking, Hotel Booking & Car Rental WordPress - generic SQL Injection

CVE-2026-12937 affects Tourfic AI Powered Travel Booking, Hotel Booking & Car Rental WordPress vendor-fixed release. Site owners should patch the component, preserve logs, and review database logs before closing the issue.

Tourfic AI Powered Travel Booking, Hotel Booking & Car Rental WordPress
2026-06-25 CVSS 7.5

CVE-2026-27366

MainWP Child - Unauthenticated Broken Access Control

CVE-2026-27366 affects MainWP Child <= 6.1.1. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

MainWP Child
2026-06-25 CVSS 7.5

CVE-2026-38637

relibc - availability risk

CVE-2026-38637 affects relibc. An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of Service (DoS) via a crafted input. Patch the affected deployment and review component presence.

relibc
2026-06-25 CVSS 7.5

CVE-2026-38640

relibc - availability risk

CVE-2026-38640 affects relibc. A reachable unwrap in the __assert_fail function (/assert/mod.rs) of relibc commit 61f42d allows attackers to cause a Denial of Service (DoS) via a crafted string. Patch the affected deployment and review component presence.

relibc
2026-06-25 CVSS 7.5

CVE-2026-54828

Motors - Unauthenticated Broken Access Control

CVE-2026-54828 affects Motors <= 1.4.109. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Motors
2026-06-25 CVSS 7.5

CVE-2026-54829

Jacob N. Breetvelt WP Photo Album Plus - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability

CVE-2026-54829 affects Jacob N. Breetvelt WP Photo Album Plus vendor-fixed release. Site owners should patch the component, preserve logs, and review database logs before closing the issue.

Jacob N. Breetvelt WP Photo Album Plus
2026-06-25 CVSS 7.5

CVE-2026-54830

Five Star Restaurant Reservations - Unauthenticated Broken Access Control

CVE-2026-54830 affects Five Star Restaurant Reservations <= 2.7.19. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Five Star Restaurant Reservations
2026-06-25 CVSS 7.5

CVE-2026-54841

Vitepos - Unauthenticated Sensitive Data Exposure

CVE-2026-54841 affects Vitepos <= 3.4.2. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Vitepos
2026-06-25 CVSS 7.5

CVE-2026-54844

CheckView Automated Testing - Unauthenticated Broken Access Control

CVE-2026-54844 affects CheckView Automated Testing <= 2.1.0. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

CheckView Automated Testing
2026-06-25 CVSS 7.5

CVE-2026-9702

InPost PL - WordPress plugin vulnerability

CVE-2026-9702 affects InPost PL before 1.9.1. Site owners should patch the component, preserve logs, and review logs and users before closing the issue.

InPost PL
2026-06-25 CVSS 7.4

CVE-2026-54821

Visual Link Preview - Subscriber Sensitive Data Exposure

CVE-2026-54821 affects Visual Link Preview <= 2.3.1. Site owners should patch the component, preserve logs, and review data exposure before closing the issue.

Visual Link Preview
2026-06-25 CVSS 7.2

CVE-2026-40083

Cacti - SQL injection risk

CVE-2026-40083 affects Cacti. Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have SQL Injection through unsanitized unserialize+implode in managers.php. At line 756 of managers.php, the application assig... Patch the affected deployment and review Cacti and web logs.

Cacti
2026-06-25 CVSS 7.2

CVE-2026-55477

3X-UI - authentication boundary risk

CVE-2026-55477 affects 3X-UI. 3X-UI is a web control panel for managing Xray-core servers. Prior to 3.3.1, an authenticated administrator can abuse the database import functionality to achieve arbitrary file write on the host by modifying Xray config... Patch the affected deployment and review workflow and admin logs.

3X-UI
2026-06-25 CVSS 7.1

CVE-2026-56005

WP Activity Log - Subscriber Cross Site Scripting (XSS)

CVE-2026-56005 affects WP Activity Log <= 5.6.3.1. Site owners should patch the component, preserve logs, and review content and widgets before closing the issue.

WP Activity Log
2026-06-25 CVSS 7.1

CVE-2026-56014

Master Slider - Unauthenticated Cross Site Scripting (XSS)

CVE-2026-56014 affects Master Slider <= 3.11.2. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Master Slider
2026-06-25 CVSS 7.1

CVE-2026-56042

Advanced Order Export For WooCommerce - Customer Cross Site Scripting (XSS)

CVE-2026-56042 affects Advanced Order Export For WooCommerce <= 4.0.9. Site owners should patch the component, preserve logs, and review content and widgets before closing the issue.

Advanced Order Export For WooCommerce
2026-06-25 CVSS 7.1

CVE-2026-56051

TablePress - Unauthenticated Cross Site Scripting (XSS)

CVE-2026-56051 affects TablePress <= 3.3.1. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

TablePress
2026-06-25 CVSS 7.1

CVE-2026-56071

Forminator - Unauthenticated Cross Site Scripting (XSS)

CVE-2026-56071 affects Forminator <= 1.53.1. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Forminator
2026-06-25 CVSS 6.5

CVE-2026-40084

Cacti - path traversal risk

CVE-2026-40084 affects Cacti. Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior are vulnerable to Path Traversal through the Report format_file Parameter, causing arbitrary file read. This vulnerability occ... Patch the affected deployment and review Cacti and web logs.

Cacti
2026-06-25 CVSS 6.5

CVE-2026-56013

License Manager for WooCommerce - Unauthenticated Insecure Direct Object References (IDOR)

CVE-2026-56013 affects License Manager for WooCommerce <= 3.0.15. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

License Manager for WooCommerce
2026-06-25 CVSS 6.5

CVE-2026-56050

Themeisle PPOM for WooCommerce - Improper Access Control vulnerability

CVE-2026-56050 affects Themeisle PPOM for WooCommerce vendor-fixed release. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Themeisle PPOM for WooCommerce
2026-06-25 CVSS 6.3

CVE-2026-55964

wolfSSL - trust validation risk

CVE-2026-55964 affects wolfSSL. Chain intermediate CA:TRUE without keyCertSign accepted as a signing CA. Intermediate CA certificates are required to have the keyCertSign key usage when a Key Usage extension is present, but chain-supplied temporary CAs... Patch the affected deployment and review trust and service logs.

wolfSSL
2026-06-25 CVSS 6.1

CVE-2026-40080

Cacti - authentication boundary risk

CVE-2026-40080 affects Cacti. Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior are vulnerable to Open Redirect through a substring check rather than a host check at str_contains($referer, CACTI_PATH_URL). ... Patch the affected deployment and review Cacti and web logs.

Cacti
2026-06-25 CVSS 8.7

CVE-2026-13311

shell-quote - parse() event-loop denial of service risk

CVE-2026-13311 affects shell-quote before 1.8.5. Node.js services that pass untrusted text into parse() should update dependency locks and review request timeout or event-loop stall evidence.

shell-quote Public PoC
2026-06-25 CVSS 7.5

CVE-2026-12077

Dokan Pro - unauthenticated SQL injection data exposure risk

CVE-2026-12077 affects Dokan Pro for WordPress through 5.0.4. Marketplace owners should patch, review vendor/store pages, database errors, and unusual requests around location-based filtering.

Dokan Pro
2026-06-25 CVSS 8.8

CVE-2026-9155

Rapid7 InsightConnect Sed Plugin - command execution risk in Linux workflow action

CVE-2026-9155 affects the Rapid7 InsightConnect Sed Plugin on Linux. Review workflow runs, connector permissions, input sources, generated artifacts, and runner logs before re-enabling affected automation.

Rapid7 InsightConnect Sed Plugin
2026-06-25 CVSS 7.1

CVE-2026-9154

Rapid7 InsightConnect Sed Plugin - file write risk in Linux workflow action

CVE-2026-9154 affects the Rapid7 InsightConnect Sed Plugin on Linux. Review workflow runs, connector permissions, input sources, generated artifacts, and runner logs before re-enabling affected automation.

Rapid7 InsightConnect Sed Plugin
2026-06-25 CVSS 7.7

CVE-2026-8592

Rapid7 InsightConnect AWK Plugin - command execution risk in Linux workflow action

CVE-2026-8592 affects the Rapid7 InsightConnect AWK Plugin on Linux. Review workflow runs, connector permissions, input sources, generated artifacts, and runner logs before re-enabling affected automation.

Rapid7 InsightConnect AWK Plugin
2026-06-25 CVSS 7.7

CVE-2026-8665

Rapid7 InsightConnect Translate Plugin - command execution risk in Linux workflow action

CVE-2026-8665 affects the Rapid7 InsightConnect Translate Plugin on Linux. Review workflow runs, connector permissions, input sources, generated artifacts, and runner logs before re-enabling affected automation.

Rapid7 InsightConnect Translate Plugin
2026-06-25 CVSS 8.0

CVE-2026-10712

GitLab CE/EE - path validation cross-site scripting risk

CVE-2026-10712 is covered by GitLab's 2026-06-25 patch release. Check the deployed branch, apply the fixed release, and review project activity, user sessions, and sensitive output exposure where relevant.

GitLab
2026-06-25 CVSS 8.6

CVE-2026-12053

GitLab EE - Duo Workflows output filtering information exposure

CVE-2026-12053 is covered by GitLab's 2026-06-25 patch release. Check the deployed branch, apply the fixed release, and review project activity, user sessions, and sensitive output exposure where relevant.

GitLab
2026-06-25 CVSS 8.7

CVE-2026-10086

GitLab EE - developer-role stored client-side code risk

CVE-2026-10086 is covered by GitLab's 2026-06-25 patch release. Check the deployed branch, apply the fixed release, and review project activity, user sessions, and sensitive output exposure where relevant.

GitLab
2026-06-24 CVSS 6.1

CVE-2026-39900

Cacti - authentication boundary risk

CVE-2026-39900 affects Cacti. Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior are vulnerable to Reflected XSS via tab parameter in the auth_profile.php JavaScript context. This issue has been fixed in ver... Patch the affected deployment and review Cacti and web logs.

Cacti
2026-06-24 CVSS 9.8

CVE-2026-39955

Cacti - pre-authentication graph view SQL injection risk

CVE-2026-39955 affects Cacti 1.2.30 and earlier. Upgrade to 1.2.31, review guest graph viewing exposure, database errors, and graph_view.php access logs.

Cacti Public PoC
2026-06-24 CVSS 9.3

CVE-2026-39948

Cacti - guest graph SQL injection risk

CVE-2026-39948 affects Cacti 1.2.30 and earlier where guest graph viewing can expose SQL injection risk. Patch to 1.2.31 and review database and web logs.

Cacti Public PoC
2026-06-24 CVSS 8.6

CVE-2026-40079

Cacti - graph template command injection risk

CVE-2026-40079 affects Cacti 1.2.30 and earlier. Review graph templates, RRD activity, web-server process activity, and patch to 1.2.31.

Cacti Public PoC
2026-06-24 CVSS 6.9

CVE-2026-39899

Cacti - package import path traversal risk

CVE-2026-39899 affects Cacti 1.2.30 and earlier. Review package import access, uploaded files, and filesystem changes before closing the issue.

Cacti Public PoC
2026-06-24 CVSS 9.1

CVE-2026-45688

Rocket.Chat - CAS login NoSQL authorization bypass risk

CVE-2026-45688 affects Rocket.Chat before 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11. Review SSO login events and active sessions after patching.

Rocket.Chat Public PoC
2026-06-24 CVSS 9.1

CVE-2026-45689

Rocket.Chat - OAuth token NoSQL authorization bypass risk

CVE-2026-45689 affects Rocket.Chat before 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11. Review OAuth tokens, app installs, and administrator activity.

Rocket.Chat Public PoC
2026-06-24 CVSS 8.5

CVE-2026-45687

Rocket.Chat - file upload record authorization bypass risk

CVE-2026-45687 affects Rocket.Chat before 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11. Review upload records, DDP events, and file storage changes.

Rocket.Chat Public PoC
2026-06-24 CVSS 8.2

CVE-2026-56351

n8n - SQL node identifier injection risk

CVE-2026-56351 affects n8n before 2.4.0 in MySQL, PostgreSQL, and Microsoft SQL nodes. Review workflow editors, SQL node configuration, database logs, and connected credentials.

n8n Public PoC
2026-06-24 CVSS 6.9

CVE-2026-56262

Crawl4AI - unauthenticated monitor endpoint access

CVE-2026-56262 affects Crawl4AI before 0.8.7. Operators should patch, require authentication, review monitor endpoint access, and preserve crawl service logs.

Crawl4AI Public PoC
2026-06-24 CVSS 9.9

CVE-2026-55454

Appsmith - bundled Caddy admin API takeover risk

CVE-2026-55454 affects Appsmith before 2.1. Review Caddy configuration changes, SSRF exposure, and low-privilege user activity after upgrading.

Appsmith Public PoC
2026-06-24 CVSS 8.9

CVE-2026-50189

Appsmith - bundled supervisord XML-RPC exposure

CVE-2026-50189 affects Appsmith before 2.1. Review supervisord exposure, administrator activity, container process history, and environment access.

Appsmith Public PoC
2026-06-24 CVSS 7.7

CVE-2026-33235

AutoGPT - Fill Text Template denial of service risk

CVE-2026-33235 affects AutoGPT before 0.6.52. Review Fill Text Template blocks, tenant activity, worker CPU pressure, and failed runs.

AutoGPT Public PoC
2026-06-24 CVSS 9.6

CVE-2026-53943

Ghost CMS - shared cache preview poisoning risk

CVE-2026-53943 affects Ghost before 6.37.0 in shared-cache deployments. Review cache rules, preview headers, staff sessions, and frontend/admin domain separation.

Ghost CMS Public PoC
2026-06-24 CVSS 5.3

CVE-2026-53949

Ghost CMS - public API filter validation data exposure

CVE-2026-53949 affects Ghost from 5.46.1 until 6.21.2. Review public API filters, database type, member data exposure, and access logs.

Ghost CMS Public PoC
2026-06-24 CVSS 8.8

CVE-2026-9772

Unraid - FileUpload command execution risk

CVE-2026-9772 affects Unraid web administration paths where authenticated access can reach command execution risk. Restrict admin access, patch, and review plugin, upload, and process activity.

Unraid Public PoC
2026-06-24 CVSS 8.8

CVE-2026-9773

Unraid - ToggleState command execution risk

CVE-2026-9773 affects Unraid web administration paths where authenticated access can reach command execution risk. Restrict admin access, patch, and review plugin, upload, and process activity.

Unraid Public PoC
2026-06-24 CVSS 8.8

CVE-2026-57280

Jenkins Script Security Plugin - sandbox constructor bypass

CVE-2026-57280 affects a Jenkins plugin covered by the 2026-06-24 advisory. Patch the plugin, review permissions, and preserve controller logs before cleanup.

Jenkins
2026-06-24 CVSS 7.5

CVE-2026-57281

Jenkins Script Security Plugin - Groovy AST sandbox bypass

CVE-2026-57281 affects a Jenkins plugin covered by the 2026-06-24 advisory. Patch the plugin, review permissions, and preserve controller logs before cleanup.

Jenkins
2026-06-24 CVSS 8.8

CVE-2026-57296

Jenkins External Workspace Manager - controller file read to RCE risk

CVE-2026-57296 affects a Jenkins plugin covered by the 2026-06-24 advisory. Patch the plugin, review permissions, and preserve controller logs before cleanup.

Jenkins
2026-06-24 CVSS 8.8

CVE-2026-57301

Jenkins OWASP ZAP Plugin - controller build execution risk

CVE-2026-57301 affects a Jenkins plugin covered by the 2026-06-24 advisory. Patch the plugin, review permissions, and preserve controller logs before cleanup.

Jenkins
2026-06-24 CVSS 7.1

CVE-2026-57303

Jenkins Assembla Plugin - XXE and SSRF risk

CVE-2026-57303 affects a Jenkins plugin covered by the 2026-06-24 advisory. Patch the plugin, review permissions, and preserve controller logs before cleanup.

Jenkins
2026-06-24 CVSS 8.8

CVE-2026-12242

AdRotate Banner Manager - shortcode PHP code injection risk

CVE-2026-12242 affects AdRotate Banner Manager through 5.17.7 when certain cache support settings are enabled. Review shortcode content, cache settings, and contributor activity.

AdRotate Banner Manager
2026-06-24 CVSS 7.5

CVE-2026-10735

ShapedPlugin - compromised update supply-chain risk

CVE-2026-10735 affects Shapedsmart-post-show-pro before 4.0.2, Real Testimonials Pro before 3.2.5, and Product Slider for WooCommerce Pro before 3.5.3. Review updates, files, users, and credentials.

ShapedPlugin plugin bundle
2026-06-24 CVSS 7.8

CVE-2026-2050

GIMP / GEGL - HDR file parsing heap overflow risk

CVE-2026-2050 affects GIMP HDR file parsing through the GEGL image processing path. Desktop fleets should update packages and review workflows that open untrusted HDR files.

GIMP / GEGL Public PoC
2026-06-24 CVSS 7.6

CVE-2026-11998

AngularJS - SCE resource URL bypass risk

CVE-2026-11998 affects AngularJS 1.2.0-rc.3 and later in Strict Contextual Escaping resource URL policy handling. Review legacy AngularJS apps, trusted resource URL rules, and migration plans.

AngularJS
2026-06-24 CVSS 7.1

CVE-2026-47110

Tiptap for PHP - malformed link attribute denial of service

CVE-2026-47110 affects Tiptap for PHP before 2.1.1. Review stored editor JSON records, rendering errors, and authenticated editor activity after upgrading.

Tiptap for PHP Public PoC
2026-06-24 CVSS 9.8

CVE-2026-12416

Invoice Generator - password reset account takeover risk

CVE-2026-12416 affects the WordPress Invoice Generator plugin through 1.0.0. Site owners should patch or remove the plugin, review administrator password reset activity, and rotate credentials if account changes look suspicious.

Invoice Generator
2026-06-24 CVSS 9.8

CVE-2026-12417

SignUp & SignIn - weak password reset account takeover risk

CVE-2026-12417 affects the WordPress SignUp & SignIn plugin through 1.0.0. Site owners should patch or remove the plugin, review password reset events, and check for unexpected administrator access.

SignUp & SignIn Public PoC
2026-06-24 CVSS 8.8

CVE-2026-4297

Welcome Software Publishing - arbitrary option update privilege escalation

CVE-2026-4297 affects the Welcome Software Publishing plugin through 0.0.31. Review XML-RPC exposure, changed site options, default role settings, and newly registered users.

Welcome Software Publishing
2026-06-24 CVSS 8.8

CVE-2026-7761

Ultimate Member - password reset link exposure risk

CVE-2026-7761 affects Ultimate Member through 2.11.4. Review contributor accounts, member directory configuration, password reset events, and administrator sessions before closing the issue.

Ultimate Member
2026-06-24 CVSS 7.5

CVE-2026-8705

ClearSale Total - unauthenticated SQL injection risk

CVE-2026-8705 affects ClearSale Total through 3.4.2. Stores should patch or remove the plugin, confirm the PHP runtime state, and review WooCommerce payment and plugin logs.

ClearSale Total Public PoC
2026-06-24 CVSS 7.6

CVE-2026-56052

FunnelKit Funnel Builder - blind SQL injection risk

CVE-2026-56052 affects FunnelKit Funnel Builder through 3.15.0.5. Review funnel changes, administrator activity, and database errors before reopening checkout or marketing flows.

FunnelKit Funnel Builder
2026-06-24 CVSS 7.5

CVE-2026-9178

WP Forms Connector - user data exposure risk

CVE-2026-9178 affects WP Forms Connector through 1.8. Site owners should disable the plugin until patched, review REST access logs, and treat exposed user data as sensitive.

WP Forms Connector
2026-06-24 CVSS 7.5

CVE-2026-9179

WP Forms Connector - REST route SQL injection risk

CVE-2026-9179 affects WP Forms Connector through 1.8. Review REST route access, database errors, and user data exposure before returning the plugin to production.

WP Forms Connector
2026-06-24 CVSS 5.3

CVE-2026-9612

WhatsOrder Instant Checkout - WooCommerce invoice data exposure

CVE-2026-9612 affects WhatsOrder Instant Checkout for WooCommerce through 1.0.1. Review generated invoice files, customer data exposure, and web server access before closing the incident.

WhatsOrder Instant Checkout for WooCommerce
2026-06-24 CVSS 7.2

CVE-2026-10091

Email JavaScript Cloak - shortcode stored XSS risk

CVE-2026-10091 affects Email JavaScript Cloak through 1.03. Review contributor posts, shortcode usage, administrator visits, and changed pages after patching.

Email JavaScript Cloak
2026-06-24 CVSS 7.2

CVE-2026-10092

Cincopa video and media plugin - comment shortcode stored XSS risk

CVE-2026-10092 affects the Cincopa video and media plugin through 1.163. Review recent comments, moderation queues, administrator visits, and changed posts after patching.

Cincopa video and media plugin Public PoC
2026-06-24 CVSS 7.2

CVE-2026-12095

Kargo Takip - unauthenticated SSRF risk

CVE-2026-12095 affects Kargo Takip through 1.2. Review outbound request logs, hosting metadata exposure controls, and plugin access before returning it to service.

Kargo Takip
2026-06-24 CVSS 7.2

CVE-2026-12100

URL Preview - unauthenticated SSRF risk

CVE-2026-12100 affects URL Preview through 1.0. Review outbound request logs, allow-lists, and internal service exposure before enabling preview features again.

URL Preview
2026-06-24 CVSS 7.2

CVE-2026-9643

WP Meta SEO - unauthenticated stored XSS through 404 records

CVE-2026-9643 affects WP Meta SEO through 4.5.18. Review 404 records, redirect tables, administrator visits, and changed SEO settings after patching.

WP Meta SEO
2026-06-24 CVSS 7.2

CVE-2026-3652

ARForms - incomplete form data stored XSS risk

CVE-2026-3652 affects ARForms through 7.1.3. Review partial form entries, form submissions, administrator visits, and changed pages after patching.

ARForms
2026-06-24 CVSS 10.0

CVE-2026-12485

GeoVision GV-I/O Box 4E - DVRSearch stack overflow risk

CVE-2026-12485 affects GeoVision GV-I/O Box 4E devices covered by the June 2026 Talos advisories. Device owners should isolate management access, apply vendor firmware guidance, and review network or relay configuration changes.

GeoVision GV-I/O Box 4E
2026-06-24 CVSS 10.0

CVE-2026-12846

GeoVision GV-I/O Box 4E - network configuration stack overflow risk

CVE-2026-12846 affects GeoVision GV-I/O Box 4E devices covered by the June 2026 Talos advisories. Device owners should isolate management access, apply vendor firmware guidance, and review network or relay configuration changes.

GeoVision GV-I/O Box 4E
2026-06-24 CVSS 10.0

CVE-2026-12847

GeoVision GV-I/O Box 4E - gateway field stack overflow risk

CVE-2026-12847 affects GeoVision GV-I/O Box 4E devices covered by the June 2026 Talos advisories. Device owners should isolate management access, apply vendor firmware guidance, and review network or relay configuration changes.

GeoVision GV-I/O Box 4E
2026-06-24 CVSS 10.0

CVE-2026-12848

GeoVision GV-I/O Box 4E - DNS field stack overflow risk

CVE-2026-12848 affects GeoVision GV-I/O Box 4E devices covered by the June 2026 Talos advisories. Device owners should isolate management access, apply vendor firmware guidance, and review network or relay configuration changes.

GeoVision GV-I/O Box 4E
2026-06-24 CVSS 9.1

CVE-2026-12486

GeoVision GV-I/O Box 4E - network-setting command execution risk

CVE-2026-12486 affects GeoVision GV-I/O Box 4E devices covered by the June 2026 Talos advisories. Device owners should isolate management access, apply vendor firmware guidance, and review network or relay configuration changes.

GeoVision GV-I/O Box 4E
2026-06-24 CVSS 9.1

CVE-2026-12849

GeoVision GV-I/O Box 4E - netmask command execution risk

CVE-2026-12849 affects GeoVision GV-I/O Box 4E devices covered by the June 2026 Talos advisories. Device owners should isolate management access, apply vendor firmware guidance, and review network or relay configuration changes.

GeoVision GV-I/O Box 4E
2026-06-24 CVSS 9.1

CVE-2026-12850

GeoVision GV-I/O Box 4E - gateway command execution risk

CVE-2026-12850 affects GeoVision GV-I/O Box 4E devices covered by the June 2026 Talos advisories. Device owners should isolate management access, apply vendor firmware guidance, and review network or relay configuration changes.

GeoVision GV-I/O Box 4E
2026-06-24 CVSS 9.1

CVE-2026-12851

GeoVision GV-I/O Box 4E - DNS command execution risk

CVE-2026-12851 affects GeoVision GV-I/O Box 4E devices covered by the June 2026 Talos advisories. Device owners should isolate management access, apply vendor firmware guidance, and review network or relay configuration changes.

GeoVision GV-I/O Box 4E
2026-06-23 CVSS 9.8

CVE-2026-53753

Crawl4AI - computed field sandbox escape RCE risk

CVE-2026-53753 affects Crawl4AI before 0.8.7 when computed field expression handling can escape the intended sandbox. Patch, enable authentication, and review crawl jobs and container logs.

Crawl4AI Public PoC
2026-06-23 CVSS 7.5

CVE-2026-53754

Crawl4AI - Docker API SSRF filter bypass

CVE-2026-53754 affects Crawl4AI before 0.8.8 when Docker API SSRF protection misses several internal address forms. Patch, enable authentication, and review outbound access from the container.

Crawl4AI Public PoC
2026-06-23 CVSS 9.9

CVE-2026-56274

Flowise - Custom MCP Server command injection risk

CVE-2026-56274 affects Flowise before 3.1.2 through Custom MCP Server validation bypasses. Patch, restrict Flowise accounts and API keys, and review chatflow and MCP tool changes.

Flowise Public PoC
2026-06-23 CVSS 9.4

CVE-2026-28496

FOSSBilling - Twig template SSTI and RCE risk

CVE-2026-28496 affects FOSSBilling through 0.7.2 when Twig templates are rendered without the intended sandbox. Patch and review email templates, payment adapters, admin actions, and tokens.

FOSSBilling Public PoC
2026-06-23 CVSS 8.1

CVE-2026-45135

Caddy FastCGI - unsafe split path handling for non-PHP files

CVE-2026-45135 affects Caddy 2.7.0 through 2.10.2 when FastCGI split path handling can treat attacker-controlled non-PHP files as scripts. Patch and review upload directories behind FastCGI.

Caddy Public PoC
2026-06-23 CVSS 8.1

CVE-2026-52845

Caddy FastCGI - forward_auth header normalization bypass

CVE-2026-52845 affects Caddy before 2.11.4 when forward_auth copied headers can collide with FastCGI header normalization. Patch and review PHP applications that trust upstream identity headers.

Caddy Public PoC
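
The Caddy forward_auth card above turns on one mechanism worth seeing end to end: FastCGI maps every request header onto an HTTP_* meta-variable by upper-casing it and turning hyphens into underscores, so two differently spelled wire headers can land in the same $_SERVER key, and a PHP application reading that key cannot tell which side set it. The block below is an added illustration of that collision class and of the filter a gateway needs; it is not Caddy's code, the page does not say which header forms collide in CVE-2026-52845, and the identity header name "Remote-User", the request and the auth-upstream results are constructed assumptions.

```python
# Constructed model of CGI/FastCGI header normalization; not Caddy's code.
# The identity header name "Remote-User" is an assumption for illustration.


def cgi_name(header):
    """Header name -> the HTTP_* meta-variable a PHP app reads from $_SERVER."""
    return "HTTP_" + header.upper().replace("-", "_")


def to_fastcgi_params(headers):
    """Flatten (name, value) pairs into CGI params.

    Two wire names that normalize to the same key collapse into one
    variable and the later one wins: "Remote-User" and "Remote_User"
    both become HTTP_REMOTE_USER.
    """
    params = {}
    for name, value in headers:
        params[cgi_name(name)] = value
    return params


def strip_exact(client_headers, identity_headers):
    """Weak filter: drops only the exact spelling the gateway itself sets."""
    protected = {h.lower() for h in identity_headers}
    return [(n, v) for n, v in client_headers if n.lower() not in protected]


def strip_colliding(client_headers, identity_headers):
    """Hardened filter: drops every client header whose CGI name collides
    with an identity header, whatever spelling the client used."""
    protected = {cgi_name(h) for h in identity_headers}
    return [(n, v) for n, v in client_headers if cgi_name(n) not in protected]


def gateway(client_headers, auth_result, identity_headers, filter_fn):
    """Model of a forward_auth gateway: filter client headers, then copy the
    identity headers the auth upstream returned (none for an anonymous
    request that is allowed through), then hand everything to FastCGI."""
    headers = filter_fn(client_headers, identity_headers)
    headers += list(auth_result.items())
    return to_fastcgi_params(headers)


IDENTITY = ["Remote-User"]
# Constructed request: the client supplies the underscore spelling itself.
FORGED = [("Host", "app.example"), ("Remote_User", "admin")]


def forged_identity_seen(filter_fn, auth_result=None):
    """The HTTP_REMOTE_USER value the PHP app would see, or None."""
    params = gateway(FORGED, auth_result or {}, IDENTITY, filter_fn)
    return params.get("HTTP_REMOTE_USER")


if __name__ == "__main__":
    print("exact-name strip, anonymous request:", forged_identity_seen(strip_exact))
    print("collision-aware strip, anonymous request:", forged_identity_seen(strip_colliding))
    print("collision-aware strip, upstream says alice:",
          forged_identity_seen(strip_colliding, {"Remote-User": "alice"}))
```

The useful owner check is the second case: on a route the auth upstream lets through without an identity, a client-supplied underscore spelling survives an exact-name strip and reaches PHP as HTTP_REMOTE_USER. A filter keyed on the normalized CGI name closes that gap regardless of spelling.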
2026-06-23 CVSS 8.3

CVE-2026-34914

Revive Adserver - Blind SQL injection in zone-include.php clientid handling

CVE-2026-34914 affects Revive Adserver 6.0.6 and earlier. Patch to 6.0.7 or newer, restrict low-privilege account access during review, and check zone-include.php clientid requests, database errors, and delivery logs.

Revive Adserver Public PoC
2026-06-23 CVSS 6.1

CVE-2026-34915

Revive Adserver - Reflected XSS in zone-include.php clientid handling

CVE-2026-34915 affects Revive Adserver 6.0.6 and earlier. Patch to 6.0.7 or newer, restrict low-privilege account access during review, and check admin browser exposure, zone-include.php access logs, and unusual links.

Revive Adserver Public PoC
2026-06-23 CVSS 8.8

CVE-2026-34916

Revive Adserver - PHP code injection through delivery limitation logical parameter

CVE-2026-34916 affects Revive Adserver 6.0.6 and earlier. Patch to 6.0.7 or newer, restrict low-privilege account access during review, and check delivery limitation changes, compiledlimitations records, and banner delivery logs.

Revive Adserver Public PoC
2026-06-23 CVSS 8.8

CVE-2026-44959

Revive Adserver - PHP code injection through unexpected delivery limitation component

CVE-2026-44959 affects Revive Adserver 6.0.6 and earlier. Patch to 6.0.7 or newer, restrict low-privilege account access during review, and check unexpected limitation parameters, compiledlimitations records, and PHP error logs.

Revive Adserver Public PoC
2026-06-23 CVSS 6.5

CVE-2026-54313

n8n MongoDB node - Find And Replace NoSQL injection

CVE-2026-54313 affects n8n before 2.24.0 when MongoDB node Find And Replace filters can be shaped by a workflow editor. Patch and review workflows that use MongoDB operations.

n8n Public PoC
2026-06-23 CVSS 7.7

CVE-2026-54018

Open WebUI - Playwright URL loader SSRF redirect bypass

CVE-2026-54018 affects Open WebUI before 0.9.6 when the Playwright web loader can follow redirects after initial URL validation. Patch and review RAG web fetch settings and outbound access.

Open WebUI Public PoC
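
The Crawl4AI card (CVE-2026-53754, internal address forms the filter misses) and the Open WebUI card (CVE-2026-54018, redirects followed after the initial check) are two halves of one SSRF lesson: the filter has to reason about resolved addresses rather than strings, and it has to run again on the target of every redirect hop. The block below is an added example of such a check, not code from either project; the DNS table, the HTTP responses and the transport function are constructed stand-ins so it runs offline, and the host names and addresses in them are made up.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit

ALLOWED_SCHEMES = {"http", "https"}
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def host_to_ips(host, resolver):
    """Every IP address a URL host can stand for.

    Catches literal spellings a plain string filter misses: decimal
    (2130706433), octal (0177.0.0.1), hex (0x7f.1), short dotted (127.1),
    bracketed IPv6 and IPv4-mapped IPv6 (::ffff:127.0.0.1). Anything else
    is a name and goes through `resolver`, which must return all records.
    """
    try:
        # inet_aton accepts every IPv4 spelling, legacy forms included.
        return [ipaddress.IPv4Address(socket.inet_aton(host))]
    except OSError:
        pass
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return [ipaddress.ip_address(a) for a in resolver(host)]
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped
    return [ip]


def is_internal(ip):
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_url(url, resolver):
    """(allowed, reason) for one URL; never follows anything."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme %r not allowed" % parts.scheme
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        ips = host_to_ips(host, resolver)
    except OSError:
        return False, "cannot resolve %r" % host
    for ip in ips:
        if is_internal(ip):
            return False, "%r is internal address %s" % (host, ip)
    return True, "ok"


def fetch(url, transport, resolver, max_hops=5):
    """Follow redirects, re-checking the target of every hop.

    `transport(url)` is assumed to return (status, location, body).
    Checking only the first URL and letting the HTTP client follow
    redirects on its own is the bypass; the check must run per hop.
    """
    for _ in range(max_hops + 1):
        allowed, reason = check_url(url, resolver)
        if not allowed:
            raise PermissionError("blocked %s: %s" % (url, reason))
        status, location, body = transport(url)
        if status in REDIRECT_STATUSES and location:
            url = urljoin(url, location)
            continue
        return body
    raise PermissionError("too many redirects")


# Constructed DNS table and HTTP responses so the example runs offline.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "metadata.internal": ["169.254.169.254"],
}
FAKE_HTTP = {
    "http://example.com/": (200, None, b"public page"),
    "http://example.com/hop": (302, "/go", b""),
    "http://example.com/go": (302, "http://127.0.0.1:8000/admin", b""),
}


def fake_resolver(host):
    if host not in FAKE_DNS:
        raise socket.gaierror("unknown host %r" % host)
    return FAKE_DNS[host]


def fake_transport(url):
    return FAKE_HTTP.get(url, (404, None, b"not found"))


if __name__ == "__main__":
    for u in ("http://example.com/", "http://2130706433/", "http://0x7f.1/",
              "http://[::ffff:127.0.0.1]/", "http://metadata.internal/"):
        print(u, check_url(u, fake_resolver))
    try:
        fetch("http://example.com/hop", fake_transport, fake_resolver)
    except PermissionError as e:
        print(e)
```

Two design points carry over to any real crawler or RAG loader: resolve with socket.getaddrinfo and check every returned record, not just the first, and disable the HTTP client's own redirect following so that the per-hop loop above is the only thing that follows a Location header. DNS rebinding between check and connect is a separate problem this block does not address.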
2026-06-23 CVSS 6.5

CVE-2026-54019

Open WebUI - Milvus multitenancy RAG ACL bypass

CVE-2026-54019 affects Open WebUI before 0.9.6 when Milvus multitenancy mode can bypass RAG collection access checks. Patch and review knowledge-base access logs.

Open WebUI Public PoC
2026-06-23 CVSS 8.8

CVE-2026-41862

Spring Statemachine - Kryo persisted context deserialization

CVE-2026-41862 affects Spring Statemachine Kryo persistence backends when persisted contexts deserialize without an allowlist. Patch and plan the persisted-state migration before restart.

Spring Statemachine
2026-06-23 CVSS 9.3

CVE-2026-54257

Electron - Node Buffer byte length calculation issue

CVE-2026-54257 affects Electron 42.3.1 and 42.3.2 through incorrect Node Buffer byte length calculations. Patch Electron and rebuild distributed desktop packages.

Electron Public PoC
2026-06-23 CVSS 7.4

CVE-2026-44726

Deno Node TLS compatibility - plaintext retry risk

CVE-2026-44726 affects Deno 2.0.0 through 2.7.7 when Node TLS compatibility retry handling can leave application data unprotected. Patch and review outbound TLS clients.

Deno Public PoC
2026-06-23 CVSS 6.9

CVE-2026-56762

Hono - cookie name validation robustness issue

CVE-2026-56762 affects Hono before 4.12.12 when cookie names on the write path are not validated. Patch and review setCookie, serialize, and serializeSigned call sites.

Hono Public PoC
2026-06-23 CVSS 8.7

CVE-2026-56248

Capgo - audit_logs RLS unauthenticated DoS risk

CVE-2026-56248 affects Capgo backend before 12.128.12 through costly audit_logs RLS behavior exposed via Supabase PostgREST. Patch and review database timeouts and public anon-key access.

Capgo Public PoC
2026-06-23 CVSS 9.8

CVE-2026-12866

expr-eval - toJSFunction code execution risk

CVE-2026-12866 affects expr-eval when untrusted expressions reach toJSFunction. Review Node services that compile user-controlled expressions, remove that path, and isolate affected workers.

expr-eval Public PoC
2026-06-22 CVSS 8.7

CVE-2026-54281

NestJS Fastify adapter - middleware route bypass risk

CVE-2026-54281 affects @nestjs/platform-fastify before 11.1.24 when route middleware coverage can differ from intended Fastify routing. Patch and review middleware-protected routes.

@nestjs/platform-fastify Public PoC
2026-06-22 CVSS 7.5

CVE-2026-55603

http-proxy-middleware - multipart request body desync risk

CVE-2026-55603 affects http-proxy-middleware deployments that rebuild multipart request bodies with fixRequestBody. Patch and verify gateway validation still matches what upstream services receive.

http-proxy-middleware Public PoC
2026-06-22 CVSS 9.2

CVE-2026-45034

PhpSpreadsheet - stream wrapper patch bypass

CVE-2026-45034 affects PhpSpreadsheet before 1.30.5 when unsafe file paths can bypass wrapper blocking. Review spreadsheet import features, uploaded files, and PHP 7.x exposure.

PhpSpreadsheet Public PoC
2026-06-22 CVSS 7.6

CVE-2026-55409

Filament Forms - disabled RichEditor XSS risk

CVE-2026-55409 affects Filament Forms 3.x before 3.3.53 when disabled RichEditor field state can render unsanitized HTML. Patch and review fields that display stored rich text.

Filament Public PoC
2026-06-22 CVSS 7.4

CVE-2026-48505

Filament MFA - recovery code reuse under concurrent submission

CVE-2026-48505 affects Filament app-based MFA recovery codes before 4.11.5 and 5.6.5. Patch and review recovery-code use, login sessions, and MFA reset activity.

Filament Public PoC
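
The Filament MFA card above describes a race, not a logic error: each recovery code is checked and then marked used, and two submissions that arrive together can both pass the check before either mark lands. The block below is an added example of the check-then-mark race and of the atomic consume that closes it; it is not Filament's code, the store is a constructed in-memory stand-in, and the pause hook exists only to widen the race window so the demonstration is repeatable.

```python
import hashlib
import secrets
import threading
import time


def generate_codes(count=8):
    """Fresh recovery codes; shown to the user once, stored only as hashes."""
    return [secrets.token_hex(5) for _ in range(count)]


def code_hash(code):
    """Lookup key for a submitted code after light normalization."""
    return hashlib.sha256(code.strip().lower().encode()).hexdigest()


class RecoveryCodes:
    """Constructed in-memory store of one account's codes (hash -> used flag).

    A database-backed version puts the same check-and-mark into one
    conditional UPDATE (... WHERE code_hash = ? AND used_at IS NULL) and
    treats rowcount == 1 as the only success. The lock below is the
    in-process form of the same rule: check and mark are not separable.
    """

    def __init__(self, codes):
        self._used = {code_hash(c): False for c in codes}
        self._lock = threading.Lock()
        self.pause = 0.0  # test hook: widens the check-then-mark window

    def consume_racy(self, code):
        """Check, then mark: concurrent submissions can all pass the check."""
        key = code_hash(code)
        if self._used.get(key, True):  # unknown codes count as used
            return False
        time.sleep(self.pause)
        self._used[key] = True
        return True

    def consume_atomic(self, code):
        """Check and mark under one lock: exactly one submission can win."""
        key = code_hash(code)
        with self._lock:
            if self._used.get(key, True):
                return False
            time.sleep(self.pause)
            self._used[key] = True
            return True

    def remaining(self):
        return sum(1 for used in self._used.values() if not used)


def hammer(consume, code, attempts=8):
    """Submit the same code from `attempts` threads released together;
    return how many submissions were accepted."""
    wins = []
    barrier = threading.Barrier(attempts)

    def worker():
        barrier.wait()  # release every thread at the same instant
        if consume(code):
            wins.append(1)

    threads = [threading.Thread(target=worker) for _ in range(attempts)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return len(wins)


if __name__ == "__main__":
    codes = generate_codes()
    racy = RecoveryCodes(codes)
    racy.pause = 0.05
    print("racy consume accepted", hammer(racy.consume_racy, codes[0]), "of 8")
    safe = RecoveryCodes(codes)
    safe.pause = 0.05
    print("atomic consume accepted", hammer(safe.consume_atomic, codes[0]), "of 8")
```

When reviewing recovery-code use after patching, the signal to look for in the application's auth log is the same one the racy path produces here: more than one successful recovery login for the same account inside a window of a few seconds.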
2026-06-22 CVSS 6.5

CVE-2026-48500

Filament auth pages - unauthenticated temporary file upload exposure

CVE-2026-48500 affects Filament auth-page schemas that unintentionally expose Livewire temporary upload handling. Patch and review temporary upload directories, disk growth, and auth-page access logs.

Filament Public PoC
2026-06-22 CVSS 5.8

CVE-2026-55599

phpseclib - X.509 AIA outbound request SSRF risk

CVE-2026-55599 affects phpseclib certificate validation when untrusted certificates can trigger outbound AIA fetches. Patch and review services that validate uploaded or partner-supplied certificates.

phpseclib Public PoC
2026-06-22 CVSS 8.8

CVE-2026-54232

vLLM Dockerfile - dependency confusion build risk

CVE-2026-54232 affects vLLM Docker builds before 0.22.1 through a dependency-confusion risk in a Dockerfile package install path. Rebuild images with fixed vLLM, verify package sources, and rotate secrets if affected images reached production.

vLLM Public PoC
2026-06-22 CVSS 7.1

CVE-2026-56221

Capgo - Cloudflare Analytics Engine SQL injection

CVE-2026-56221 affects Capgo before 12.128.2 where API-supplied analytics filters can reach Cloudflare Analytics Engine SQL query construction. Patch and review API keys, analytics access, and tenant data exposure.

Capgo Public PoC
2026-06-22 CVSS 9.4

CVE-2026-56422

MISP - mass assignment and object re-ownership

CVE-2026-56422 affects MISP through 2.5.41. An authenticated user may be able to save changes to objects other than the row the authorization check inspected. Patch and review ownership, sharing scope, event, proposal, and organisation changes.

MISP Public PoC
2026-06-22 CVSS 9.3

CVE-2026-56425

MISP AAD auth - OAuth state and session hardening issue

CVE-2026-56425 affects the MISP Azure Active Directory authentication plugin. Operators should patch the AAD auth fix, enforce HTTPS redirect URIs, rotate exposed sessions if needed, and review OAuth callback logs.

MISP Public PoC
2026-06-22 CVSS 8.7

CVE-2026-56446

MISP JsonLogTool - arbitrary NDJSON log path RCE risk

CVE-2026-56446 affects MISP JsonLogTool log destination handling. Site administrators should patch, verify log files stay under approved log directories, and review recent webroot writes before closing the incident.

MISP Public PoC
2026-06-22 CVSS 7.5

CVE-2026-44914

Apache NiFi - restricted component authorization gap

CVE-2026-44914 affects Apache NiFi 1.12.0 through 2.9.0 when replacing process groups that include components requiring restricted permissions. Review users with write access, restricted component policy, and flow replacement activity.

Apache NiFi
2026-06-22 CVSS 8.7

CVE-2026-49241

Angular Language Service VS Code extension - workspace trust bypass RCE risk

CVE-2026-49241 affects Angular Language Service VS Code extension versions before 21.2.4. Developer workstations should update the extension, review Workspace Trust settings, and inspect recent untrusted repository opens.

Angular Language Service Public PoC
2026-06-22 CVSS 8.2

CVE-2026-54268

Angular common - date formatting denial-of-service risk

CVE-2026-54268 affects @angular/common date formatting when untrusted date format strings reach formatDate or DatePipe. Patch Angular and review SSR routes, user preferences, and API data that can influence date formats.

@angular/common Public PoC
2026-06-22 CVSS 8.1

CVE-2026-55388

piscina - inherited filename option worker execution risk

CVE-2026-55388 affects piscina when polluted prototype properties can influence worker options. Node services should upgrade piscina, audit prototype-pollution sources, and review worker process activity.

piscina Public PoC
2026-06-22 CVSS 6.9

CVE-2026-55602

http-proxy-middleware - host and path router match bypass

CVE-2026-55602 affects http-proxy-middleware router configurations that use host plus path matching. Operators should patch, review proxy-table rules, and confirm requests cannot route to unintended backends.

http-proxy-middleware Public PoC
2026-06-22 CVSS 8.1

CVE-2025-66336

Apache Doris MCP Server - metadata query SQL injection

CVE-2025-66336 affects Apache Doris MCP Server metadata queries when database names reach SQL construction without the intended authorization context. Patch to 0.6.1 or newer and review MCP and Doris audit logs.

Apache Doris MCP Server
2026-06-22 CVSS 7.0

CVE-2026-6653

libxml2 - xmlParseInternalSubset use-after-free denial-of-service risk

CVE-2026-6653 affects libxml2 2.9.11 through 2.11.0 in XML internal subset parsing. Patch operating system packages and review services that parse untrusted XML for crashes or parser errors.

libxml2
2026-06-22 CVSS 7.1

CVE-2026-4259

Ultimate WooCommerce Auction Pro - reflected XSS against admins

CVE-2026-4259 affects Ultimate WooCommerce Auction Pro through 2.4.5. Store owners should patch or disable the plugin, review auction pages, and preserve admin activity logs if suspicious links were opened.

Ultimate WooCommerce Auction Pro
2026-06-21 CVSS 8.6

CVE-2026-56382

Craft CMS - authenticated admin remote code execution risk

CVE-2026-56382 affects Craft CMS 5.5.0 through 5.9.13. Patch or remove public exposure, preserve logs, and review Composer lock files, admin field-layout changes, and environment access.

Craft CMS Public PoC
2026-06-21 CVSS 8.8

CVE-2026-56396

phpMyFAQ - administrator privilege escalation

CVE-2026-56396 affects phpMyFAQ before 4.1.4. Patch or remove public exposure, preserve logs, and review admin user changes, rights changes, and FAQ admin logs.

phpMyFAQ Public PoC
2026-06-21 CVSS 7.5

CVE-2026-12775

Montodel House-Rental-Management - SQL injection

CVE-2026-12775 affects the Montodel House-Rental-Management rolling release before the reported fix. Patch or remove public exposure, preserve logs, and review login logs, rental records, database errors, and changed users.

Montodel House-Rental-Management Public PoC
2026-06-21 CVSS 9.8

CVE-2026-56265

Crawl4AI - Docker API authentication bypass

CVE-2026-56265 affects Crawl4AI before 0.8.7 when the Docker API server uses a default JWT signing key. Patch, rotate secrets, and review API access logs before re-exposing the service.

Crawl4AI Public PoC
2026-06-20 CVSS 9.2

CVE-2026-56345

AVideo - Meet plugin authorization bypass and account takeover risk

CVE-2026-56345 affects AVideo through 29.0. Check the installed version, restrict exposed plugins during patching, and review Meet plugin settings, recorded-video uploads, user sessions, and admin logins.

AVideo Public PoC
2026-06-20 CVSS 8.7

CVE-2026-56341

AVideo - payment plugin information disclosure

CVE-2026-56341 affects AVideo through 26.0. Check the installed version, restrict exposed plugins during patching, and review payment plugin logs, PayPal or Authorize.Net records, and Bitcoin transaction records.

AVideo Public PoC
2026-06-20 CVSS 6.9

CVE-2026-56346

AVideo - message decryption authorization gap

CVE-2026-56346 affects AVideo through 25.0. Check the installed version, restrict exposed plugins during patching, and review message plugin usage, server logs, and unusual resource spikes.

AVideo Public PoC
2026-06-20 CVSS 6.8

CVE-2026-56342

AVideo - Live plugin server-side request forgery risk

CVE-2026-56342 affects AVideo through 27.0. Check the installed version, restrict exposed plugins during patching, and review Live plugin settings, outbound requests, and admin activity.

AVideo Public PoC
2026-06-20 CVSS 6.9

CVE-2026-56282

Capgo - unauthenticated PostgreSQL replication telemetry disclosure

CVE-2026-56282 affects Capgo before 12.128.2. Patch or remove public exposure, preserve logs, and review replication endpoint exposure, PostgreSQL logs, and deployment telemetry.

Capgo Public PoC
2026-06-20 CVSS 9.8

CVE-2026-11551

Branda - account takeover / privilege escalation

CVE-2026-11551 affects Branda through 3.4.29. Confirm the installed version, patch or disable the component, and review password reset events, administrators, and login sessions before closing the issue.

Branda
2026-06-20 CVSS 8.1

CVE-2026-9843

Database for Contact Form 7, WPForms, Elementor Forms - arbitrary file deletion

CVE-2026-9843 affects Database for Contact Form 7, WPForms, Elementor Forms through 1.5.1. Confirm the installed version, patch or disable the component, and review form entries, deleted files, and recent admin views before closing the issue.

Database for Contact Form 7, WPForms, Elementor Forms Public PoC
2026-06-20 CVSS 7.5

CVE-2026-11911

Simple File List - arbitrary file deletion

CVE-2026-11911 affects Simple File List through 6.3.7. Confirm the installed version, patch or disable the component, and review file list activity, missing files, and recent PHP changes before closing the issue.

Simple File List
2026-06-20 CVSS 7.5

CVE-2026-11912

Simple File List - arbitrary file modification

CVE-2026-11912 affects Simple File List through 6.3.7. Confirm the installed version, patch or disable the component, and review file list activity, changed files, and recent PHP changes before closing the issue.

Simple File List Public PoC
2026-06-20 CVSS 9.8

CVE-2022-50972

WooCommerce - remote code execution risk

CVE-2022-50972 affects WooCommerce 7.1.0. Confirm the installed version, patch or disable the component, and review WooCommerce product edits, changed PHP files, and web root file timestamps before closing the issue.

WooCommerce Public PoC
2026-06-19 CVSS 5.3

CVE-2026-12238

WP Go Maps - authorization bypass

CVE-2026-12238 affects WP Go Maps through 10.1.01. Confirm the installed version, patch or disable the component, and review map records, REST activity, and plugin settings before closing the issue.

WP Go Maps
2026-06-19 CVSS 10.0

CVE-2026-48772

ProxySQL - MySQL frontend memory corruption risk

CVE-2026-48772 affects ProxySQL 2.0.0 through 3.0.8. Patch to 3.0.9 or newer, restrict exposed listeners, and review ProxySQL listeners, crashes, restarts, and frontend access.

ProxySQL
2026-06-19 CVSS 9.8

CVE-2026-48773

ProxySQL - pre-authentication memory corruption risk

CVE-2026-48773 affects ProxySQL 2.0.18 through 3.0.8. Patch to 3.0.9 or newer, restrict exposed listeners, and review ProxySQL process crashes, listener exposure, and connection spikes.

ProxySQL
2026-06-19 CVSS 7.5

CVE-2026-48774

ProxySQL - GenAI/MCP read-only contract violation

CVE-2026-48774 affects ProxySQL 3.0.0 through 3.0.8. Patch to 3.0.9 or newer, restrict exposed listeners, and review MCP/GenAI settings, tool logs, and database write activity.

ProxySQL
2026-06-19 CVSS 10.0

CVE-2026-48908

Joomla SP Page Builder - unauthenticated file upload

CVE-2026-48908 affects Joomla SP Page Builder; the affected versions are listed in the vendor advisory. Check whether the extension is installed, remove abandoned copies, and review uploads, executable files, and public builder routes.

Joomla SP Page Builder Public PoC
2026-06-19 CVSS 10.0

CVE-2026-48939

Joomla iCagenda - file attachment upload risk

CVE-2026-48939 affects Joomla iCagenda; the affected versions are listed in the vendor advisory. Check whether the extension is installed, remove abandoned copies, and review event attachments, uploads, and executable files.

Joomla iCagenda Public PoC
2026-06-19 CVSS 8.8

CVE-2017-20252

Joomla NextGen Editor - SQL injection

CVE-2017-20252 affects Joomla NextGen Editor 2.1.0. Check whether the extension is installed, remove abandoned copies, and review database errors, extension settings, and user activity.

Joomla NextGen Editor Public PoC
2026-06-19 CVSS 8.8

CVE-2017-20253

Joomla My Projects - SQL injection

CVE-2017-20253 affects Joomla My Projects 2.0. Check whether the extension is installed, remove abandoned copies, and review project records, database errors, and user activity.

Joomla My Projects Public PoC
2026-06-19 CVSS 8.8

CVE-2017-20254

Joomla User Bench - SQL injection

CVE-2017-20254 affects Joomla User Bench 1.0. Check whether the extension is installed, remove abandoned copies, and review user records, database errors, and access logs.

Joomla User Bench Public PoC
2026-06-19 CVSS 8.8

CVE-2017-20255

Joomla JB Visa - SQL injection

CVE-2017-20255 affects Joomla JB Visa 1.0. Check whether the extension is installed, remove abandoned copies, and review booking records, database errors, and access logs.

Joomla JB Visa Public PoC
2026-06-19 CVSS 8.8

CVE-2017-20256

Joomla Survey Force Deluxe - SQL injection

CVE-2017-20256 affects Joomla Survey Force Deluxe 3.2.4. Check whether the extension is installed, remove abandoned copies, and review survey records, database errors, and access logs.

Joomla Survey Force Deluxe Public PoC
2026-06-19 CVSS 8.8

CVE-2017-20257

Joomla Quiz Deluxe - SQL injection

CVE-2017-20257 affects Joomla Quiz Deluxe 3.7.4. Check whether the extension is installed, remove abandoned copies, and review quiz records, database errors, and access logs.

Joomla Quiz Deluxe Public PoC
2026-06-19 CVSS 8.8

CVE-2017-20258

Joomla RPC Responsive Portfolio - SQL injection

CVE-2017-20258 affects Joomla RPC Responsive Portfolio 1.6.1. Check whether the extension is installed, remove abandoned copies, and review portfolio records, database errors, and access logs.

Joomla RPC Responsive Portfolio Public PoC
2026-06-19 CVSS 8.8

CVE-2017-20259

Joomla OSDownloads - SQL injection

CVE-2017-20259 affects Joomla OSDownloads 1.7.4. Check whether the extension is installed, remove abandoned copies, and review download records, database errors, and access logs.

Joomla OSDownloads Public PoC
2026-06-19 CVSS 8.8

CVE-2017-20260

Joomla Price Alert - SQL injection

CVE-2017-20260 affects Joomla Price Alert 3.0.2. Check whether the extension is installed, remove abandoned copies, and review price alert records, database errors, and access logs.

Joomla Price Alert Public PoC
2026-06-19 CVSS 8.8

CVE-2017-20261

Joomla Bargain Product VM3 - SQL injection

CVE-2017-20261 affects Joomla Bargain Product VM3 1.0. Check whether the extension is installed, remove abandoned copies, and review VirtueMart product records, database errors, and access logs.

Joomla Bargain Product VM3 Public PoC
2026-06-19 CVSS 8.8

CVE-2017-20262

Joomla Ajax Quiz - SQL injection

CVE-2017-20262 affects Joomla Ajax Quiz 1.8. Check whether the extension is installed, remove abandoned copies, and review quiz records, database errors, and access logs.

Joomla Ajax Quiz Public PoC
2026-06-19 CVSS 8.8

CVE-2017-20263

Joomla FocalPoint Pro/Free - SQL injection

CVE-2017-20263 affects Joomla FocalPoint Pro/Free 1.2.3. Check whether the extension is installed, remove abandoned copies, and review content records, database errors, and access logs.

Joomla FocalPoint Pro/Free Public PoC
2026-06-19 CVSS 7.1

CVE-2017-20264

Joomla Sponsor Wall - SQL injection

CVE-2017-20264 affects Joomla Sponsor Wall 8.0. Check whether the extension is installed, remove abandoned copies, and review sponsor records, database errors, and authenticated user activity.

Joomla Sponsor Wall Public PoC
2026-06-19 CVSS 7.1

CVE-2017-20265

Joomla Flip Wall - SQL injection

CVE-2017-20265 affects Joomla Flip Wall 8.0. Check whether the extension is installed, remove abandoned copies, and review wall records, database errors, and authenticated user activity.

Joomla Flip Wall Public PoC
2026-06-19 CVSS 8.8

CVE-2017-20266

Joomla SP Movie Database - SQL injection

CVE-2017-20266 affects Joomla SP Movie Database 1.3. Check whether the extension is installed, remove abandoned copies, and review movie records, database errors, and access logs.

Joomla SP Movie Database Public PoC
2026-06-19 CVSS 8.8

CVE-2017-20267

Joomla Calendar Planner - SQL injection

CVE-2017-20267 affects Joomla Calendar Planner 1.0.1. Check whether the extension is installed, remove abandoned copies, and review calendar records, database errors, and access logs.

Joomla Calendar Planner Public PoC
2026-06-19 CVSS 8.8

CVE-2017-20268

Joomla Zap Calendar Lite - SQL injection

CVE-2017-20268 affects Joomla Zap Calendar Lite 4.3.4. Check whether the extension is installed, remove abandoned copies, and review calendar records, database errors, and access logs.

Joomla Zap Calendar Lite Public PoC
2026-06-19 CVSS 8.8

CVE-2017-20269

Joomla KissGallery - SQL injection

CVE-2017-20269 affects Joomla KissGallery 1.0.0. Check whether the extension is installed, remove abandoned copies, and review gallery records, database errors, and access logs.

Joomla KissGallery Public PoC
2026-06-19 CVSS 8.8

CVE-2017-20270

Joomla Twitch Tv - SQL injection

CVE-2017-20270 affects Joomla Twitch Tv 1.1. Check whether the extension is installed, remove abandoned copies, and review video records, database errors, and access logs.

Joomla Twitch Tv Public PoC
2026-06-19 CVSS 8.8

CVE-2017-20271

Joomla StreetGuessr Game - SQL injection

CVE-2017-20271 affects Joomla StreetGuessr Game 1.1.8. Check whether the extension is installed, remove abandoned copies, and review game records, database errors, and access logs.

Joomla StreetGuessr Game Public PoC
2026-06-19 CVSS 8.8

CVE-2017-20272

Joomla Ultimate Property Listing - SQL injection

CVE-2017-20272 affects Joomla Ultimate Property Listing 1.0.2. Check whether the extension is installed, remove abandoned copies, and review property records, database errors, and access logs.

Joomla Ultimate Property Listing Public PoC
2026-06-19 CVSS 8.8

CVE-2017-20273

Joomla Event Registration Pro Calendar - SQL injection

CVE-2017-20273 affects Joomla Event Registration Pro Calendar 4.1.3. Check whether the extension is installed, remove abandoned copies, and review event records, database errors, and access logs.

Joomla Event Registration Pro Calendar Public PoC
2026-06-19 CVSS 8.8

CVE-2017-20274

Joomla LMS King Professional - SQL injection

CVE-2017-20274 affects Joomla LMS King Professional 3.2.4.0. Check whether the extension is installed, remove abandoned copies, and review course records, database errors, and access logs.

Joomla LMS King Professional Public PoC
2026-06-19 CVSS 8.8

CVE-2017-20275

Joomla PHP-Bridge - SQL injection

CVE-2017-20275 affects Joomla PHP-Bridge 1.2.3. Check whether the extension is installed, remove abandoned copies, and review bridge records, database errors, and access logs.

Joomla PHP-Bridge Public PoC
2026-06-19 CVSS 8.8

CVE-2017-20276

Joomla SIMGenealogy - SQL injection

CVE-2017-20276 affects Joomla SIMGenealogy 2.1.5. Check whether the extension is installed, remove abandoned copies, and review genealogy records, database errors, and access logs.

Joomla SIMGenealogy Public PoC
2026-06-19 CVSS 8.8

CVE-2017-20277

Joomla JoomRecipe - blind SQL injection

CVE-2017-20277 affects Joomla JoomRecipe 1.0.4. Check whether the extension is installed, remove abandoned copies, and review recipe records, database errors, and access logs.

Joomla JoomRecipe Public PoC
2026-06-19 CVSS 8.8

CVE-2017-20278

Joomla JoomRecipe - SQL injection

CVE-2017-20278 affects Joomla JoomRecipe 1.0.3. Check whether the extension is installed, remove abandoned copies, and review recipe records, database errors, and access logs.

Joomla JoomRecipe Public PoC
2026-06-19 CVSS 8.8

CVE-2017-20279

Joomla Payage - SQL injection

CVE-2017-20279 affects Joomla Payage 2.05. Check whether the extension is installed, remove abandoned copies, and review payment records, database errors, and access logs.

Joomla Payage Public PoC
2026-06-19 CVSS 8.8

CVE-2017-20280

Joomla Myportfolio - SQL injection

CVE-2017-20280 affects Joomla Myportfolio 3.0.2. Check whether the extension is installed, remove abandoned copies, and review portfolio records, database errors, and access logs.

Joomla Myportfolio Public PoC
2026-06-19 CVSS 8.8

CVE-2017-20281

Joomla Extra Search - SQL injection

CVE-2017-20281 affects Joomla Extra Search 2.2.8. Check whether the extension is installed, remove abandoned copies, and review search records, database errors, and access logs.

Joomla Extra Search Public PoC
2026-06-19 CVSS 8.8

CVE-2017-20282

Joomla jCart for OpenCart - SQL injection

CVE-2017-20282 affects Joomla jCart for OpenCart 2.0. Check whether the extension is installed, remove abandoned copies, and review cart records, database errors, and access logs.

Joomla jCart for OpenCart Public PoC
2026-06-19 CVSS 8.8

CVE-2019-25748

Joomla JHotelReservation - SQL injection

CVE-2019-25748 affects Joomla JHotelReservation 6.0.7. Check whether the extension is installed, remove abandoned copies, and review reservation records, database errors, and access logs.

Joomla JHotelReservation Public PoC
2026-06-19 CVSS 7.1

CVE-2019-25749

Joomla J-CruisePortal - SQL injection

CVE-2019-25749 affects Joomla J-CruisePortal 6.0.4. Check whether the extension is installed, remove abandoned copies, and review cruise records, database errors, and authenticated user activity.

Joomla J-CruisePortal Public PoC
2026-06-19 CVSS 8.8

CVE-2019-25750

Joomla J-MultipleHotelReservation - SQL injection

CVE-2019-25750 affects Joomla J-MultipleHotelReservation 6.0.7. Check whether the extension is installed, remove abandoned copies, and review reservation records, database errors, and access logs.

Joomla J-MultipleHotelReservation Public PoC
2026-06-19 CVSS 8.8

CVE-2019-25751

Joomla J-ClassifiedsManager - SQL injection

CVE-2019-25751 affects Joomla J-ClassifiedsManager 3.0.5. Check whether the extension is installed, remove abandoned copies, and review classified records, database errors, and access logs.

Joomla J-ClassifiedsManager Public PoC
2026-06-19 CVSS 8.8

CVE-2019-25752

Joomla J-BusinessDirectory - SQL injection

CVE-2019-25752 affects Joomla J-BusinessDirectory 4.9.7. Check whether the extension is installed, remove abandoned copies, and review directory records, database errors, and access logs.

Joomla J-BusinessDirectory Public PoC
2026-06-19 CVSS 8.8

CVE-2019-25753

Joomla VMap - SQL injection

CVE-2019-25753 affects Joomla VMap 1.9.6. Check whether the extension is installed, remove abandoned copies, and review map records, database errors, and access logs.

Joomla VMap Public PoC
2026-06-19 CVSS 8.8

CVE-2019-25754

Joomla vRestaurant - SQL injection

CVE-2019-25754 affects Joomla vRestaurant 1.9.4. Check whether the extension is installed, remove abandoned copies, and review restaurant records, database errors, and access logs.

Joomla vRestaurant Public PoC
2026-06-19 CVSS 8.8

CVE-2019-25755

Joomla vReview - SQL injection

CVE-2019-25755 affects Joomla vReview 1.9.11. Check whether the extension is installed, remove abandoned copies, and review review records, database errors, and access logs.

Joomla vReview Public PoC
2026-06-19 CVSS 8.8

CVE-2019-25756

Joomla vAccount - SQL injection

CVE-2019-25756 affects Joomla vAccount 2.0.2. Check whether the extension is installed, remove abandoned copies, and review account records, database errors, and access logs.

Joomla vAccount Public PoC
2026-06-19 CVSS 7.1

CVE-2019-25757

Joomla vWishlist - SQL injection

CVE-2019-25757 affects Joomla vWishlist 1.0.1. Check whether the extension is installed, remove abandoned copies, and review wishlist records, database errors, and authenticated user activity.

Joomla vWishlist Public PoC
2026-06-19 CVSS 8.8

CVE-2019-25758

Joomla vBizz - unrestricted file upload

CVE-2019-25758 affects Joomla vBizz 1.0.7. Check whether the extension is installed, remove abandoned copies, and review uploads, executable files, and authenticated user activity.

Joomla vBizz Public PoC
2026-06-19 CVSS 7.1

CVE-2019-25759

Joomla vBizz - SQL injection

CVE-2019-25759 affects Joomla vBizz 1.0.7. Check whether the extension is installed, remove abandoned copies, and review business records, database errors, and authenticated user activity.

Joomla vBizz Public PoC
2026-06-19 CVSS 6.9

CVE-2019-25760

Joomla Easy Shop - local file inclusion

CVE-2019-25760 affects Joomla Easy Shop 1.2.3. Check whether the extension is installed, remove abandoned copies, and review file access logs, configuration reads, and old public routes.

Joomla Easy Shop Public PoC
2026-06-19 CVSS 7.1

CVE-2019-25761

Joomla JoomCRM - SQL injection

CVE-2019-25761 affects Joomla JoomCRM 1.1.1. Check whether the extension is installed, remove abandoned copies, and review CRM records, database errors, and authenticated user activity.

Joomla JoomCRM Public PoC
2026-06-19 CVSS 8.7

CVE-2019-25762

Joomla JoomProject - information disclosure

CVE-2019-25762 affects Joomla JoomProject 1.1.3.2. Check whether the extension is installed, remove abandoned copies, and review project data, user exports, and access logs.

Joomla JoomProject Public PoC
2026-06-19 CVSS 8.7

CVE-2023-54357

Joomla com_booking - information disclosure

CVE-2023-54357 affects Joomla com_booking 2.4.9. Check whether the extension is installed, remove abandoned copies, and review booking users, account enumeration signs, and access logs.

Joomla com_booking Public PoC
2026-06-19 CVSS 8.2

CVE-2026-49260

PhpWeasyPrint - PDF command construction risk

CVE-2026-49260 affects pontedilana/php-weasyprint before 2.5.1. Patch the Composer dependency, check which routes generate PDFs, and review composer.lock, PDF generation jobs, and web-server logs.

pontedilana/php-weasyprint Public PoC
2026-06-19 CVSS 8.1

CVE-2026-49286

PhpWeasyPrint - output filename handling risk

CVE-2026-49286 affects pontedilana/php-weasyprint before 2.6.0. Patch the Composer dependency, check which routes generate PDFs, and review composer.lock, PDF output folders, and generated files.

pontedilana/php-weasyprint Public PoC
2026-06-19 CVSS 8.5

CVE-2016-20088

Comodo Chromodo Browser - local service privilege escalation

CVE-2016-20088 affects Comodo Chromodo Browser through 52.15.25.664. Confirm exposure, apply the vendor fix or remove the component, and review Windows services, old browser installs, and updater paths.

Comodo Chromodo Browser Public PoC
2026-06-19 CVSS 8.5

CVE-2016-20090

Comodo Dragon Browser - local service privilege escalation

CVE-2016-20090 affects Comodo Dragon Browser through 52.15.25.663. Confirm exposure, apply the vendor fix or remove the component, and review Windows services, old browser installs, and updater paths.

Comodo Dragon Browser Public PoC
2026-06-19 CVSS 7.0

CVE-2026-39999

Apache APISIX - authentication bypass by spoofing

CVE-2026-39999 affects Apache APISIX; the affected versions are listed in the vendor advisory. Confirm exposure, apply the vendor fix or remove the component, and review gateway routes, authentication plugins, and unusual upstream access.

Apache APISIX Public PoC
2026-06-19 CVSS 7.6

CVE-2026-49290

Slopsmith - path traversal file read risk

CVE-2026-49290 affects Slopsmith before 0.2.9-alpha.5. Confirm exposure, apply the vendor fix or remove the component, and review media library paths, container mounts, and access logs.

Slopsmith Public PoC
2026-06-19 CVSS 5.3

CVE-2026-49345

Mercator - server-side request forgery

CVE-2026-49345 affects Mercator before 2025.05.19. Confirm exposure, apply the vendor fix or remove the component, and review outbound requests, Redis/internal access, and web logs.

Mercator Public PoC
2026-06-19 CVSS 9.8

CVE-2026-7515

BetterDocs Pro - Local file inclusion

CVE-2026-7515 affects BetterDocs Pro through 3.8.0. Confirm the installed version, patch or disable the component, and review PHP files and uploads before closing the issue.

BetterDocs Pro
2026-06-19 CVSS 9.1

CVE-2026-8713

Avada / Fusion Builder - File deletion risk

CVE-2026-8713 affects Avada / Fusion Builder through 3.15.3. Confirm the installed version, patch or disable the component, and review Avada forms, deleted files, and wp-config state before closing the issue.

Avada / Fusion Builder
2026-06-19 CVSS 6.5

CVE-2026-11989

Bit Integrations - SSRF risk

CVE-2026-11989 affects Bit Integrations through 2.8.7. Confirm the installed version, patch or disable the component, and review WooCommerce and attachment integrations before closing the issue.

Bit Integrations Public PoC
2026-06-19 CVSS 6.4

CVE-2026-4328

Advanced Import - SSRF risk

CVE-2026-4328 affects Advanced Import through 1.4.6. Confirm the installed version, patch or disable the component, and review import URLs and outbound requests before closing the issue.

Advanced Import
2026-06-19 CVSS 5.3

CVE-2026-3640

STRABL checkout solution - Missing authentication

CVE-2026-3640 affects STRABL checkout solution through 4.5. Confirm the installed version, patch or disable the component, and review WooCommerce orders, refunds, and user creation before closing the issue.

STRABL checkout solution
2026-06-19 CVSS 9.4

CVE-2026-12045

pgAdmin 4 - AI Assistant SQL safety bypass

CVE-2026-12045 affects pgAdmin 4 9.13 before 9.16. Upgrade to pgAdmin 4 9.16 or newer, then review AI Assistant use, database role privileges, and pgAdmin logs.

pgAdmin 4 Public PoC
2026-06-19 CVSS 9.3

CVE-2026-12048

pgAdmin 4 - stored XSS in error and plan rendering

CVE-2026-12048 affects pgAdmin 4 6.0 before 9.16. Upgrade to pgAdmin 4 9.16 or newer, then review connected server names, object names, and user browser sessions.

pgAdmin 4 Public PoC
2026-06-19 CVSS 8.8

CVE-2026-12044

pgAdmin 4 - SQL injection in dialog template rendering

CVE-2026-12044 affects pgAdmin 4 1.0 before 9.16. Upgrade to pgAdmin 4 9.16 or newer, then review object descriptions, database role permissions, and pgAdmin activity.

pgAdmin 4 Public PoC
2026-06-19 CVSS 9.8

CVE-2026-54414

FileRise - shared-folder upload file-write risk

CVE-2026-54414 affects FileRise before 3.16.0. Patch or remove public exposure, preserve logs, and review shared links, users.txt, upload folders, and new admin users.

FileRise Public PoC
2026-06-19 CVSS 7.5

CVE-2026-11576

Eclipse ThreadX NetX Duo - HTTP server cleanup handling

CVE-2026-11576 affects Eclipse ThreadX NetX Duo HTTP server PUT handling. Review embedded HTTP server firmware, PUT support, and vendor update state, then apply the vendor fix or remove the risky exposure until patched.

Eclipse ThreadX NetX Duo Public PoC
2026-06-18 CVSS 8.5

CVE-2026-56012

Media Library Assistant - Blind SQL injection

CVE-2026-56012 affects Media Library Assistant through 3.35. Confirm the installed version, patch or disable the component, and review database errors and media records before closing the issue.

Media Library Assistant
2026-06-18 CVSS 7.2

CVE-2026-11395

CF7 to Webhook - SSRF risk

CVE-2026-11395 affects CF7 to Webhook through 5.0.0. Confirm the installed version, patch or disable the component, and review Contact Form 7 webhook settings before closing the issue.

CF7 to Webhook Public PoC
2026-06-18 CVSS 6.1

CVE-2026-12137

Customize My Account for WooCommerce - Reflected XSS

CVE-2026-12137 affects Customize My Account for WooCommerce through 4.3.6. Confirm the installed version, patch or disable the component, and review shop manager sessions and admin visits before closing the issue.

Customize My Account for WooCommerce Public PoC
2026-06-18 CVSS 5.3

CVE-2026-12093

Simple Membership - Webhook authorization bypass

CVE-2026-12093 affects Simple Membership through 4.7.5. Confirm the installed version, patch or disable the component, and review member status and Stripe webhook settings before closing the issue.

Simple Membership Public PoC
2026-06-18 CVSS 8.3

CVE-2024-32949

Integrate Google Drive - Missing authorization

CVE-2024-32949 affects Integrate Google Drive through 1.3.8. Confirm the installed version, patch or disable the component, and review Google Drive file access and plugin permissions before closing the issue.

Integrate Google Drive
2026-06-18 CVSS 8.1

CVE-2025-58924

Geya theme - Local file inclusion

CVE-2025-58924 affects Geya theme through 1.15. Confirm the installed version, patch or disable the component, and review theme files and recent PHP changes before closing the issue.

Geya theme
2026-06-18 CVSS 8.1

CVE-2025-58952

Neuronet theme - Local file inclusion

CVE-2025-58952 affects Neuronet theme before 1.14.0. Confirm the installed version, patch or disable the component, and review theme files and recent PHP changes before closing the issue.

Neuronet theme
2026-06-18 CVSS 8.1

CVE-2025-58953

Joly theme - Local file inclusion

CVE-2025-58953 affects Joly theme through 1.22.0. Confirm the installed version, patch or disable the component, and review theme files and recent PHP changes before closing the issue.

Joly theme
2026-06-18 CVSS 8.1

CVE-2025-58954

HomeRoofer theme - Local file inclusion

CVE-2025-58954 affects HomeRoofer theme through 2.11.0. Confirm the installed version, patch or disable the component, and review theme files and recent PHP changes before closing the issue.

HomeRoofer theme
2026-06-18 CVSS 8.1

CVE-2025-60085

Learnify theme - Local file inclusion

CVE-2025-60085 affects Learnify theme through 1.15.0. Confirm the installed version, patch or disable the component, and review theme files and recent PHP changes before closing the issue.

Learnify theme
2026-06-18 CVSS 8.1

CVE-2025-69105

Modernee theme - Local file inclusion

CVE-2025-69105 affects Modernee theme through 1.6.0. Confirm the installed version, patch or disable the component, and review theme files and recent PHP changes before closing the issue.

Modernee theme
2026-06-18 CVSS 8.1

CVE-2025-69107

Rosaleen theme - Local file inclusion

CVE-2025-69107 affects Rosaleen theme through 2.8. Confirm the installed version, patch or disable the component, and review theme files and recent PHP changes before closing the issue.

Rosaleen theme
2026-06-18 CVSS 8.1

CVE-2025-69109

Raider Spirit theme - Local file inclusion

CVE-2025-69109 affects Raider Spirit theme through 1.1.2. Confirm the installed version, patch or disable the component, and review theme files and recent PHP changes before closing the issue.

Raider Spirit theme
2026-06-18 CVSS 8.1

CVE-2025-69110

AirSupply theme - Local file inclusion

CVE-2025-69110 affects AirSupply theme through 2.0.0. Confirm the installed version, patch or disable the component, and review theme files and recent PHP changes before closing the issue.

AirSupply theme
2026-06-18 CVSS 8.1

CVE-2025-69112

Planty theme - Local file inclusion

CVE-2025-69112 affects Planty theme through 1.14.0. Confirm the installed version, patch or disable the component, and review theme files and recent PHP changes before closing the issue.

Planty theme
2026-06-18 CVSS 8.2

CVE-2026-40726

User Registration Stripe - Broken access control

CVE-2026-40726 affects User Registration Stripe through 1.3.14. Confirm the installed version, patch or disable the component, and review registration payments and user records before closing the issue.

User Registration Stripe
2026-06-18 CVSS 8.2

CVE-2026-49081

User Registration Stripe - Broken access control

CVE-2026-49081 affects User Registration Stripe through 1.3.12. Confirm the installed version, patch or disable the component, and review registration payments and user records before closing the issue.

User Registration Stripe
2026-06-18 CVSS 8.5

CVE-2026-54813

SureDash - Blind SQL injection

CVE-2026-54813 affects SureDash through 1.8.0. Confirm the installed version, patch or disable the component, and review database errors and dashboard records before closing the issue.

SureDash
2026-06-18 CVSS 8.5

CVE-2026-54818

Slimstat Analytics - Blind SQL injection

CVE-2026-54818 affects Slimstat Analytics through 5.4.11. Confirm the installed version, patch or disable the component, and review analytics tables and database errors before closing the issue.

Slimstat Analytics
2026-06-18 CVSS 9.2

CVE-2026-56020

Webmin - SSL client certificate impersonation risk

CVE-2026-56020 affects Webmin before 2.641. Patch to 2.641 or newer, restrict the Webmin listener, and review login history, miniserv configuration, and certificate-auth users.

Webmin Public PoC
2026-06-18 CVSS 6.9

CVE-2026-56021

Webmin - module configuration file read risk

CVE-2026-56021 affects Webmin before 2.641. Patch to 2.641 or newer, restrict the Webmin listener, and review module access, unexpected reads, and exposed configuration.

Webmin Public PoC
2026-06-18 CVSS 6.9

CVE-2026-56022

Webmin - MFA/session bypass risk

CVE-2026-56022 affects Webmin before 2.641. Patch to 2.641 or newer, restrict the Webmin listener, and review MFA settings, session logs, and authentication sources.

Webmin Public PoC
2026-06-18 CVSS 9.8

CVE-2026-54419

PIAF-HMS - unauthenticated SQL injection

CVE-2026-54419 affects the current public PIAF-HMS code. Patch or remove public exposure, preserve logs, and review hotel records, PBX-HMS database users, and web logs.

PIAF-HMS Public PoC
2026-06-18 CVSS 8.6

CVE-2026-40455

LMS - SQL injection

CVE-2026-40455 affects LMS before commit 4cb30a7. Patch or remove public exposure, preserve logs, and review tariff changes, database errors, and authenticated admin activity.

LMS Public PoC
2026-06-18 CVSS 8.6

CVE-2026-54222

UBB.threads - control-panel SQL injection

CVE-2026-54222 affects UBB.threads (confirmed in 7.7.5). Patch or remove public exposure, preserve logs, and review control panel member activity and database access.

UBB.threads
2026-06-18 CVSS 7.6

CVE-2026-55746

Cotonti - stored XSS in personal file storage

CVE-2026-55746 affects Cotonti 1.0.0 master branch. Patch or remove public exposure, preserve logs, and review PFS folder titles and user-uploaded content.

Cotonti Public PoC
2026-06-18 CVSS 8.8

CVE-2026-55741

Cotonti - administration configuration CSRF

CVE-2026-55741 affects Cotonti 1.0.0 master branch. Patch or remove public exposure, preserve logs, and review configuration changes and admin sessions.

Cotonti Public PoC
2026-06-18 CVSS 9.6

CVE-2026-55742

Cotonti - administration rights CSRF

CVE-2026-55742 affects Cotonti 1.0.0 master branch. Patch or remove public exposure, preserve logs, and review rights changes, group permissions, and admin sessions.

Cotonti Public PoC
2026-06-18 CVSS 8.6

CVE-2026-55744

Cotonti - personal file storage CSRF

CVE-2026-55744 affects Cotonti 1.0.0 master branch. Patch or remove public exposure, preserve logs, and review PFS uploads, changed files, and user sessions.

Cotonti Public PoC
2026-06-18 CVSS 8.2

CVE-2026-48788

Remark42 - stored XSS in comments

CVE-2026-48788 affects Remark42 1.6.0 through 1.15.0. Patch or remove public exposure, preserve logs, and review comment content, moderator sessions, and site embeds.

Remark42 Public PoC
2026-06-18 CVSS 6.5

CVE-2026-49205

phpMyFAQ - API authorization gap

CVE-2026-49205 affects phpMyFAQ before 4.1.4. Patch or remove public exposure, preserve logs, and review API keys, content writes, and user permissions.

phpMyFAQ Public PoC
2026-06-18 CVSS 10.0

CVE-2026-49257

mcp-pinot - unauthenticated MCP server exposure

CVE-2026-49257 affects mcp-pinot through 3.0.1. Review Pinot credentials, MCP access logs, and table/config changes, then apply the vendor fix or remove the risky exposure until patched.

mcp-pinot Public PoC
2026-06-18 CVSS 7.5

CVE-2026-45617

LiquidJS - strip_html ReDoS

CVE-2026-45617 affects LiquidJS through 10.25.7. Review template inputs, Node.js worker CPU, and dependency locks, then apply the vendor fix or remove the risky exposure until patched.

LiquidJS Public PoC
2026-06-18 CVSS 6.5

CVE-2026-44645

LiquidJS - render limit bypass

CVE-2026-44645 affects LiquidJS through 10.25.7. Review template-authoring users and renderLimit assumptions, then apply the vendor fix or remove the risky exposure until patched.

LiquidJS Public PoC
2026-06-18 CVSS 8.7

CVE-2026-48716

nanobot - WhatsApp document filename file-write risk

CVE-2026-48716 affects nanobot through 0.1.5.post3. Review media folders, bridge logs, and document ingestion settings, then apply the vendor fix or remove the risky exposure until patched.

nanobot Public PoC
2026-06-18 CVSS 8.4

CVE-2026-44688

Eclipse Theia - AI chat workspace prompt-context risk

CVE-2026-44688 affects Eclipse Theia before 1.71.0. Review workspace trust, AI agent settings, and opened repositories, then apply the vendor fix or remove the risky exposure until patched.

Eclipse Theia Public PoC
2026-06-18 CVSS 8.4

CVE-2026-44691

Eclipse Theia - workspace task execution risk

CVE-2026-44691 affects Eclipse Theia before 1.69.0. Review workspace trust, task definitions, and AI tool confirmation, then apply the vendor fix or remove the risky exposure until patched.

Eclipse Theia Public PoC
2026-06-18 CVSS 8.4

CVE-2026-46580

Eclipse Theia - workspace prompt template risk

CVE-2026-46580 affects Eclipse Theia before 1.71.0. Review prompt template folders, workspace trust, and AI agent settings, then apply the vendor fix or remove the risky exposure until patched.

Eclipse Theia Public PoC
2026-06-18 CVSS 5.3

CVE-2026-12565

BBOT - archive extraction path handling

CVE-2026-12565 affects the BBOT unarchive module when it runs on older tar stacks. Review container base images, GNU tar versions, and extraction jobs, then apply the vendor fix or remove the risky exposure until patched.

BBOT Public PoC
2026-06-18 CVSS 8.8

CVE-2026-12407

E2Pdf - Export PDF Tool for WordPress - Missing authorization / privilege escalation

CVE-2026-12407 affects E2Pdf - Export PDF Tool for WordPress through 1.32.26. Confirm the installed version, patch or disable the component, and review new users, role changes, and administrator sessions before closing the incident.

E2Pdf - Export PDF Tool for WordPress
2026-06-18 CVSS 8.8

CVE-2026-9860

Offload, AI & Optimize with Cloudflare Images - Remote code execution

CVE-2026-9860 affects Offload, AI & Optimize with Cloudflare Images through 1.10.2. Confirm the installed version, patch or disable the component, and review changed files, cron jobs, users, and web server logs before closing the incident.

Offload, AI & Optimize with Cloudflare Images Public PoC
2026-06-18 CVSS 9.8

CVE-2026-55740

bus-ticket - unauthenticated SQL injection

CVE-2026-55740 affects the Nur-Alam39 bus-ticket PHP application. Public deployments should be taken out of exposure until SQL handling and database credentials are fixed, then database access and records should be reviewed.

bus-ticket Public PoC
2026-06-18 CVSS 9.1

CVE-2026-32967

Apache DolphinScheduler - v2 experimental interface authorization gap

CVE-2026-32967 affects the Apache DolphinScheduler v2 experimental interface. Patch, restrict exposed API routes, and review scheduler user activity.

Apache DolphinScheduler
2026-06-18 CVSS 9.1

CVE-2026-36418

JimuReport - Aviator expression remote code execution risk

CVE-2026-36418 affects JimuReport 2.3.4 and below through unsafe expression handling. Patch, restrict report execution APIs, and review report templates and server logs.

JimuReport Public PoC
2026-06-18 CVSS 9.3

CVE-2026-48768

TypeBot - unauthenticated file upload URL generation issue

CVE-2026-48768 affects TypeBot 3.16.1 and earlier through unauthenticated file upload URL generation. Patch, review storage buckets, and rotate exposed upload credentials if needed.

TypeBot Public PoC
2026-06-18 CVSS 9.1

CVE-2026-48814

Network-AI - unauthenticated cross-origin MCP tool invocation

CVE-2026-48814 affects Network-AI 5.7.1 and earlier when MCP SSE endpoints allow unauthenticated cross-origin tool invocation. Patch and review tool invocation logs.

Network-AI Public PoC
2026-06-18 CVSS 9.1

CVE-2026-20266

Splunk AI Toolkit - admin OS command execution risk

CVE-2026-20266 affects Splunk AI Toolkit versions below 5.7.4. Splunk admins should patch and review AI Toolkit actions, app changes, and host-level process activity.

Splunk AI Toolkit
2026-06-17 CVSS 8.6

CVE-2025-69128

JobCareer - Path traversal / file deletion

CVE-2025-69128 affects JobCareer through 7.3. Confirm the installed version, patch or disable the component, and review file access logs and unexpected downloads before closing the incident.

JobCareer
2026-06-17 CVSS 8.8

CVE-2025-69130

Entrepreneur - Booking for Small Businesses - PHP object injection

CVE-2025-69130 affects Entrepreneur - Booking for Small Businesses through 3.1.3. Confirm the installed version, patch or disable the component, and review PHP errors, changed files, and unexpected plugin settings before closing the incident.

Entrepreneur - Booking for Small Businesses
2026-06-17 CVSS 8.5

CVE-2025-69135

Events Schedule - SQL injection

CVE-2025-69135 affects Events Schedule through 2.7.2. Confirm the installed version, patch or disable the component, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

Events Schedule
2026-06-17 CVSS 8.6

CVE-2025-69139

Car Zone - Arbitrary file deletion

CVE-2025-69139 affects Car Zone through 3.7. Confirm the installed version, patch or disable the component, and review missing plugin files, media files, and backups before closing the incident.

Car Zone
2026-06-17 CVSS 8.5

CVE-2026-22335

WooCommerce Frontend Manager - Ultimate - SQL injection

CVE-2026-22335 affects WooCommerce Frontend Manager - Ultimate before 6.7.7. Confirm the installed version, patch or disable the component, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

WooCommerce Frontend Manager - Ultimate
2026-06-17 CVSS 8.6

CVE-2026-22343

WordPress Dating Theme - Broken access control

CVE-2026-22343 affects WordPress Dating Theme through 11.2.0. Confirm the installed version, patch or disable the component, and review new sessions, booking records, order changes, and account history before closing the incident.

WordPress Dating Theme
2026-06-17 CVSS 8.6

CVE-2026-27400

BookPro - Arbitrary file deletion

CVE-2026-27400 affects BookPro through 1.1.0. Confirm the installed version, patch or disable the component, and review missing plugin files, media files, and backups before closing the incident.

BookPro
2026-06-17 CVSS 8.5

CVE-2026-48967

Geo Mashup - SQL injection

CVE-2026-48967 affects Geo Mashup through 1.13.19. Confirm the installed version, patch or disable the component, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

Geo Mashup
2026-06-17 CVSS 8.5

CVE-2026-49073

Directorist Booking - Blind SQL injection

CVE-2026-49073 affects Directorist Booking through 3.0.3. Confirm the installed version, patch or disable the component, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

Directorist Booking
2026-06-17 CVSS 8.5

CVE-2026-49113

Cornerstone - Arbitrary code execution

CVE-2026-49113 affects Cornerstone before 7.8.8. Confirm the installed version, patch or disable the component, and review users, files, logs, and plugin settings before closing the incident.

Cornerstone
2026-06-17 CVSS 8.5

CVE-2026-54185

Cornerstone - SQL injection

CVE-2026-54185 affects Cornerstone before 7.8.8. Confirm the installed version, patch or disable the component, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

Cornerstone
2026-06-17 CVSS 8.6

CVE-2026-54415

Azuriom CMS - server management authorization gap

CVE-2026-54415 affects Azuriom before 1.2.11 in server management authorization. Site owners should upgrade and review server tokens, account email changes, and password changes during the exposure window.

Azuriom CMS Public PoC
2026-06-17 CVSS 8.6

CVE-2026-11407

Pimcore CMS/DXP - Twig sandbox bypass

CVE-2026-11407 affects Pimcore CMS/DXP 12.3.8 through a Twig sandbox bypass reachable by authenticated administrators. Review class definitions, template changes, file reads, and database access after patching.

Pimcore CMS/DXP Public PoC
2026-06-17 CVSS 8.5

CVE-2026-46870

MySQL Shell for VS Code - Oracle June 2026 CPU issue

CVE-2026-46870 affects MySQL Shell for VS Code 2026.2.0+9.6.1. Database teams should patch developer tooling and review saved connections, extension access, and unusual database activity.

MySQL Shell for VS Code Public PoC
2026-06-17 CVSS 8.6

CVE-2026-11311

NGINX Gateway Fabric - CRD field configuration injection

CVE-2026-11311 affects NGINX Gateway Fabric configuration generation when NGINX Plus is used as the data plane. Review who can create or modify NginxProxy and AuthenticationFilter resources, patch, and audit recent CRD changes.

NGINX Gateway Fabric
2026-06-17 CVSS 8.6

CVE-2026-50107

NGINX Gateway Fabric - access log format configuration injection

CVE-2026-50107 affects NGINX Gateway Fabric configuration generation for NGINX Plus or NGINX Open Source data planes. Patch and review recent NginxProxy access log format changes and related Kubernetes RBAC.

NGINX Gateway Fabric
2026-06-17 CVSS 8.8

CVE-2026-49268

Apache Shiro - DefaultLdapRealm DN construction issue

CVE-2026-49268 affects Apache Shiro through 2.2.0 and 3.0.0-alpha-1 when DefaultLdapRealm builds LDAP Distinguished Names from user input. Upgrade and review LDAP realm templates, authentication logs, and account mappings.

Apache Shiro
2026-06-17 CVSS 8.8

CVE-2025-59563

Sonaar - subscriber privilege escalation

CVE-2025-59563 affects Sonaar through 4.27.4. Confirm the installed version, patch or disable the component, and review new users, role changes, and administrator sessions before closing the incident.

Sonaar
2026-06-17 CVSS 8.8

CVE-2025-69138

Genemy - subscriber privilege escalation

CVE-2025-69138 affects Genemy through 1.6.6. Confirm the installed version, patch or disable the component, and review new users, role changes, and administrator sessions before closing the incident.

Genemy
2026-06-17 CVSS 8.8

CVE-2026-12165

Contest Gallery - privilege escalation

CVE-2026-12165 affects Contest Gallery through 30.0.2. Confirm the installed version, patch or disable the component, and review new users, role changes, and administrator sessions before closing the incident.

Contest Gallery Public PoC
2026-06-17 CVSS 8.8

CVE-2026-12256

Avada - contributor PHP object injection

CVE-2026-12256 affects Avada through 3.15.3. Confirm the installed version, patch or disable the component, and review PHP errors, changed files, and unexpected plugin settings before closing the incident.

Avada
2026-06-17 CVSS 8.8

CVE-2026-22342

WordPress Dating Theme - CSRF account takeover risk

CVE-2026-22342 affects WordPress Dating Theme through 11.2.0. Confirm the installed version, patch or disable the component, and review users, files, logs, and plugin settings before closing the incident.

WordPress Dating Theme
2026-06-17 CVSS 9.1

CVE-2026-24611

MetForm Pro - unauthenticated broken access control

CVE-2026-24611 affects MetForm Pro through 3.9.1. Confirm the installed version, patch or disable the component, and review new sessions, booking records, order changes, and account history before closing the incident.

MetForm Pro
2026-06-17 CVSS 8.8

CVE-2026-42629

PowerPack Pro for Elementor - broken authentication

CVE-2026-42629 affects PowerPack Pro for Elementor before 2.13.0. Confirm the installed version, patch or disable the component, and review new sessions, password changes, and account history before closing the incident.

PowerPack Pro for Elementor
2026-06-17 CVSS 9.0

CVE-2026-52705

SigmaForms Pro - unauthenticated arbitrary file upload

CVE-2026-52705 affects SigmaForms Pro - AI Generated Forms through 1.4.5. Confirm the installed version, patch or disable the component, and review upload directories, new PHP files, and web access logs before closing the incident.

SigmaForms Pro - AI Generated Forms
2026-06-17 CVSS 8.8

CVE-2026-54805

Falang multilanguage - subscriber privilege escalation

CVE-2026-54805 affects Falang multilanguage through 1.4.2. Confirm the installed version, patch or disable the component, and review new users, role changes, and administrator sessions before closing the incident.

Falang multilanguage
2026-06-17 CVSS 9.3

CVE-2026-54812

Motors - SQL injection

CVE-2026-54812 affects Motors through 1.4.109. Confirm the installed version, patch or disable the component, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

Motors
2026-06-17 CVSS 9.3

CVE-2026-54815

Cargo Shipping Location for WooCommerce - SQL injection

CVE-2026-54815 affects Cargo Shipping Location for WooCommerce through 5.6. Confirm the installed version, patch or disable the component, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

Cargo Shipping Location for WooCommerce
2026-06-17 CVSS 9.3

CVE-2026-54819

Listdom - SQL injection

CVE-2026-54819 affects Listdom through 5.4.0. Confirm the installed version, patch or disable the component, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

Listdom
2026-06-17 CVSS 9.3

CVE-2025-59554

Advanced Ads Tracking - unauthenticated SQL injection

CVE-2025-59554 affects Advanced Ads - Tracking before 3.0.7. Confirm the installed version, patch or disable the component, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

Advanced Ads - Tracking
2026-06-17 CVSS 9.8

CVE-2025-69127

Plumbing theme - unauthenticated PHP object injection

CVE-2025-69127 affects Plumbing through 1.6. Confirm the installed version, patch or disable the component, and review PHP errors, changed files, and unexpected plugin settings before closing the incident.

Plumbing
2026-06-17 CVSS 9.3

CVE-2026-22332

Tutor LMS Pro - unauthenticated SQL injection

CVE-2026-22332 affects Tutor LMS Pro through 3.9.6. Confirm the installed version, patch or disable the component, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

Tutor LMS Pro
2026-06-17 CVSS 9.3

CVE-2026-22340

WPJobster - unauthenticated SQL injection

CVE-2026-22340 affects WPJobster through 6.3.5. Confirm the installed version, patch or disable the component, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

WPJobster
2026-06-17 CVSS 9.3

CVE-2026-39438

ListingPro - unauthenticated SQL injection

CVE-2026-39438 affects ListingPro through 2.9.10. Confirm the installed version, patch or disable the component, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

ListingPro
2026-06-17 CVSS 9.3

CVE-2026-39596

Blocksy Companion Pro - unauthenticated SQL injection

CVE-2026-39596 affects Blocksy Companion Pro before 2.1.29. Confirm the installed version, patch or disable the component, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

Blocksy Companion Pro
2026-06-17 CVSS 9.3

CVE-2026-48875

JetSmartFilters - unauthenticated SQL injection

CVE-2026-48875 affects JetSmartFilters through 3.8.1. Confirm the installed version, patch or disable the component, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

JetSmartFilters
2026-06-17 CVSS 9.3

CVE-2026-49076

JetEngine - unauthenticated SQL injection

CVE-2026-49076 affects JetEngine through 3.8.9.1. Confirm the installed version, patch or disable the component, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

JetEngine
2026-06-17 CVSS 9.3

CVE-2026-49079

JetSearch - unauthenticated SQL injection

CVE-2026-49079 affects JetSearch through 3.5.17. Confirm the installed version, patch or disable the component, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

JetSearch
2026-06-17 CVSS 9.3

CVE-2026-49080

wpDataTables - unauthenticated SQL injection

CVE-2026-49080 affects wpDataTables through 7.3.6. Confirm the installed version, patch or disable the component, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

wpDataTables
2026-06-17 CVSS 9.3

CVE-2026-49084

JetEngine - unauthenticated SQL injection

CVE-2026-49084 affects JetEngine before 3.8.9.1. Confirm the installed version, patch or disable the component, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

JetEngine
2026-06-17 CVSS 9.8

CVE-2026-49108

Moderno theme - unauthenticated PHP object injection

CVE-2026-49108 affects Moderno before 1.43. Confirm the installed version, patch or disable the component, and review PHP errors, changed files, and unexpected plugin settings before closing the incident.

Moderno
2026-06-17 CVSS 9.3

CVE-2026-54186

JobSearch - unauthenticated SQL injection

CVE-2026-54186 affects JobSearch through 3.2.9. Confirm the installed version, patch or disable the component, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

JobSearch
2026-06-17 CVSS 9.3

CVE-2026-54187

JetEngine - unauthenticated SQL injection

CVE-2026-54187 affects JetEngine through 3.8.10.1. Confirm the installed version, patch or disable the component, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

JetEngine
2026-06-17 CVSS 9.3

CVE-2026-54808

WP Travel Gutenberg Blocks - SQL injection

CVE-2026-54808 affects WP Travel Gutenberg Blocks through 3.9.4. Confirm the installed version, patch or disable the component, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

WP Travel Gutenberg Blocks
2026-06-17 CVSS 9.3

CVE-2026-54809

GIFT4U - SQL injection

CVE-2026-54809 affects GIFT4U through 1.0.10. Confirm the installed version, patch or disable the component, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

GIFT4U
2026-06-17 CVSS 9.3

CVE-2026-54811

WP eMember - unauthenticated SQL injection

CVE-2026-54811 affects WP eMember before 10.9.4. Confirm the installed version, patch or disable the component, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

WP eMember
2026-06-17 CVSS 9.8

CVE-2025-60229

Lagom theme - PHP object injection

CVE-2025-60229 affects Lagom through 2.0. Confirm the installed version, patch or disable the component, and review PHP errors, changed files, and unexpected plugin settings before closing the incident.

Lagom
2026-06-17 CVSS 9.8

CVE-2025-60230

The Barber Shop theme - PHP object injection

CVE-2025-60230 affects The Barber Shop through 1.9. Confirm the installed version, patch or disable the component, and review PHP errors, changed files, and unexpected plugin settings before closing the incident.

The Barber Shop
2026-06-17 CVSS 9.8

CVE-2025-60231

The Hospital theme - PHP object injection

CVE-2025-60231 affects The Hospital through 1.8.1. Confirm the installed version, patch or disable the component, and review PHP errors, changed files, and unexpected plugin settings before closing the incident.

The Hospital
2026-06-17 CVSS 9.8

CVE-2025-60236

Creatify theme - PHP object injection

CVE-2025-60236 affects Creatify through 1.5. Confirm the installed version, patch or disable the component, and review PHP errors, changed files, and unexpected plugin settings before closing the incident.

Creatify
2026-06-17 CVSS 9.8

CVE-2025-69111

Reisen theme - unauthenticated PHP object injection

CVE-2025-69111 affects Reisen through 1.4.1. Confirm the installed version, patch or disable the component, and review PHP errors, changed files, and unexpected plugin settings before closing the incident.

Reisen
2026-06-17 CVSS 9.8

CVE-2026-27395

Support Board - unauthenticated privilege escalation

CVE-2026-27395 affects Support Board before 3.8.9. Confirm the installed version, patch or disable the component, and review new users, role changes, and administrator sessions before closing the incident.

Support Board
2026-06-17 CVSS 9.8

CVE-2026-27429

Nifty theme - unauthenticated PHP object injection

CVE-2026-27429 affects Nifty through 1.4.1. Confirm the installed version, patch or disable the component, and review PHP errors, changed files, and unexpected plugin settings before closing the incident.

Nifty
2026-06-17 CVSS 9.8

CVE-2026-39529

Elementra theme - unauthenticated PHP object injection

CVE-2026-39529 affects Elementra through 1.0.9. Confirm the installed version, patch or disable the component, and review PHP errors, changed files, and unexpected plugin settings before closing the incident.

Elementra
2026-06-17 CVSS 9.8

CVE-2026-40725

WooCommerce Product Filters - unauthenticated PHP object injection

CVE-2026-40725 affects WooCommerce Product Filters before 2.0.6. Confirm the installed version, patch or disable the component, and review PHP errors, changed files, and unexpected plugin settings before closing the incident.

WooCommerce Product Filters
2026-06-17 CVSS 9.8

CVE-2026-42380

AI Lab theme - unauthenticated PHP object injection

CVE-2026-42380 affects AI Lab before 5.4.2. Confirm the installed version, patch or disable the component, and review PHP errors, changed files, and unexpected plugin settings before closing the incident.

AI Lab
2026-06-17 CVSS 9.8

CVE-2026-49058

LoginPress Pro - unauthenticated privilege escalation

CVE-2026-49058 affects LoginPress Pro through 6.2.2. Confirm the installed version, patch or disable the component, and review new users, role changes, and administrator sessions before closing the incident.

LoginPress Pro
2026-06-17 CVSS 9.8

CVE-2026-49075

JetEngine - contributor PHP object injection

CVE-2026-49075 affects JetEngine through 3.8.9.1. Confirm the installed version, patch or disable the component, and review PHP errors, changed files, and unexpected plugin settings before closing the incident.

JetEngine
2026-06-17 CVSS 9.8

CVE-2026-49107

Thrive Apprentice - unauthenticated PHP object injection

CVE-2026-49107 affects Thrive Apprentice before 10.8.10.2. Confirm the installed version, patch or disable the component, and review PHP errors, changed files, and unexpected plugin settings before closing the incident.

Thrive Apprentice
2026-06-17 CVSS 9.8

CVE-2026-49767

wpForo Forum - unauthenticated broken authentication

CVE-2026-49767 affects wpForo Forum through 3.1.0. Confirm the installed version, patch or disable the component, and review new sessions, password changes, and account history before closing the incident.

wpForo Forum
2026-06-17 CVSS 9.8

CVE-2026-52706

JetEngine - unauthenticated PHP object injection

CVE-2026-52706 affects JetEngine through 3.8.10. Confirm the installed version, patch or disable the component, and review PHP errors, changed files, and unexpected plugin settings before closing the incident.

JetEngine
2026-06-17 CVSS 9.8

CVE-2026-54194

Fusion Builder - contributor PHP object injection

CVE-2026-54194 affects Fusion Builder through 3.15.4. Confirm the installed version, patch or disable the component, and review PHP errors, changed files, and unexpected plugin settings before closing the incident.

Fusion Builder
2026-06-17 CVSS 9.8

CVE-2026-54803

SMS Alert Order Notifications - subscriber privilege escalation

CVE-2026-54803 affects SMS Alert Order Notifications through 3.9.4. Confirm the installed version, patch or disable the component, and review new users, role changes, and administrator sessions before closing the incident.

SMS Alert Order Notifications
2026-06-17 CVSS 9.8

CVE-2026-54806

WP Activity Log - unauthenticated PHP object injection

CVE-2026-54806 affects WP Activity Log through 5.6.3.1. Confirm the installed version, patch or disable the component, and review PHP errors, changed files, and unexpected plugin settings before closing the incident.

WP Activity Log
2026-06-17 CVSS 9.8

CVE-2026-54807

Registration Form for WooCommerce - unauthenticated privilege escalation

CVE-2026-54807 affects Registration Form for WooCommerce through 1.0.9. Confirm the installed version, patch or disable the component, and review new users, role changes, and administrator sessions before closing the incident.

Registration Form for WooCommerce
2026-06-17 CVSS 9.9

CVE-2024-52488

Grip theme - subscriber arbitrary file upload

CVE-2024-52488 affects Grip through 1.0.9. Confirm the installed version, patch or disable the component, and review upload directories, new PHP files, and web access logs before closing the incident.

Grip
2026-06-17 CVSS 9.8

CVE-2025-60205

ThemeREX Addons - unauthenticated PHP object injection

CVE-2025-60205 affects ThemeREX Addons through 2.36.1.1. Confirm the installed version, patch or disable the component, and review PHP errors, changed files, and unexpected plugin settings before closing the incident.

ThemeREX Addons
2026-06-17 CVSS 9.9

CVE-2025-60218

PT Luxa Addons - subscriber arbitrary file upload

CVE-2025-60218 affects PT Luxa Addons through 1.2.2. Confirm the installed version, patch or disable the component, and review upload directories, new PHP files, and web access logs before closing the incident.

PT Luxa Addons
2026-06-17 CVSS 9.8

CVE-2025-69108

Hot Coffee theme - unauthenticated PHP object injection

CVE-2025-69108 affects Hot Coffee through 1.7. Confirm the installed version, patch or disable the component, and review PHP errors, changed files, and unexpected plugin settings before closing the incident.

Hot Coffee
2026-06-17 CVSS 9.8

CVE-2025-69122

SeaFood Company theme - unauthenticated PHP object injection

CVE-2025-69122 affects SeaFood Company through 1.4. Confirm the installed version, patch or disable the component, and review PHP errors, changed files, and unexpected plugin settings before closing the incident.

SeaFood Company
2026-06-17 CVSS 10.0

CVE-2025-69129

WordPress and WooCommerce Scraper - unauthenticated arbitrary file upload

CVE-2025-69129 affects WordPress & WooCommerce Scraper Plugin, Import Data from Any Site through 1.0.7. Confirm the installed version, patch or disable the component, and review upload directories, new PHP files, and web access logs before closing the incident.

WordPress & WooCommerce Scraper Plugin, Import Data from Any Site
2026-06-17 CVSS 9.8

CVE-2025-69179

Support Ticket Management System - unauthenticated privilege escalation

CVE-2025-69179 affects Support Ticket Management System through 1.9. Confirm the installed version, patch or disable the component, and review new users, role changes, and administrator sessions before closing the incident.

Support Ticket Management System
2026-06-17 CVSS 9.9

CVE-2026-22327

Restaurt theme - subscriber arbitrary file upload

CVE-2026-22327 affects Restaurt through 1.0.4. Confirm the installed version, patch or disable the component, and review upload directories, new PHP files, and web access logs before closing the incident.

Restaurt
2026-06-17 CVSS 9.9

CVE-2026-25446

WishList Member X - subscriber arbitrary file upload

CVE-2026-25446 affects WishList Member X through 3.29.0. Confirm the installed version, patch or disable the component, and review upload directories, new PHP files, and web access logs before closing the incident.

WishList Member X
2026-06-17 CVSS 10.0

CVE-2026-25470

ACPT Pro - remote code execution

CVE-2026-25470 affects ACPT Pro - Custom Post Types Plugin for WordPress through 2.0.47. Confirm the installed version, patch or disable the component, and review changed files, cron jobs, users, and web server logs before closing the incident.

ACPT Pro - Custom Post Types Plugin for WordPress Public PoC
2026-06-17 CVSS 9.9

CVE-2026-27041

Unlimited Elements for Elementor Premium - contributor arbitrary file upload

CVE-2026-27041 affects Unlimited Elements for Elementor (Premium) through 2.0.6. Confirm the installed version, patch or disable the component, and review upload directories, new PHP files, and web access logs before closing the incident.

Unlimited Elements for Elementor (Premium)
2026-06-17 CVSS 9.9

CVE-2026-39589

Webenvo theme - subscriber arbitrary file upload

CVE-2026-39589 affects Webenvo through 0.0.6. Confirm the installed version, patch or disable the component, and review upload directories, new PHP files, and web access logs before closing the incident.

Webenvo
2026-06-17 CVSS 9.9

CVE-2026-40746

Restaurant Zone theme - subscriber arbitrary file upload

CVE-2026-40746 affects Restaurant Zone through 0.7.8. Confirm the installed version, patch or disable the component, and review upload directories, new PHP files, and web access logs before closing the incident.

Restaurant Zone
2026-06-17 CVSS 9.9

CVE-2026-40747

Ecommerce Zone theme - subscriber arbitrary file upload

CVE-2026-40747 affects Ecommerce Zone through 0.9.7. Confirm the installed version, patch or disable the component, and review upload directories, new PHP files, and web access logs before closing the incident.

Ecommerce Zone
2026-06-17 CVSS 9.9

CVE-2026-40748

Kids Gift Shop theme - subscriber arbitrary file upload

CVE-2026-40748 affects Kids Gift Shop through 0.5.4. Confirm the installed version, patch or disable the component, and review upload directories, new PHP files, and web access logs before closing the incident.

Kids Gift Shop
2026-06-17 CVSS 9.9

CVE-2026-40749

Charity Zone theme - subscriber arbitrary file upload

CVE-2026-40749 affects Charity Zone through 1.1.1. Confirm the installed version, patch or disable the component, and review upload directories, new PHP files, and web access logs before closing the incident.

Charity Zone
2026-06-17 CVSS 9.9

CVE-2026-40783

Blocksy Companion Pro - contributor remote code execution

CVE-2026-40783 affects Blocksy Companion Pro through 2.1.37. Confirm the installed version, patch or disable the component, and review changed files, cron jobs, users, and web server logs before closing the incident.

Blocksy Companion Pro Public PoC
2026-06-17 CVSS 9.2

CVE-2026-42055

NGINX - HTTP/2 proxy and gRPC module request handling risk

CVE-2026-42055 affects NGINX proxy and gRPC module configurations covered in the June 2026 F5 advisory. Review HTTP/2 proxying, gRPC exposure, and edge logs before closing the incident.

NGINX
2026-06-17 CVSS 9.2

CVE-2026-42530

NGINX - HTTP/3 QUIC module request handling risk

CVE-2026-42530 affects NGINX HTTP/3 QUIC module deployments. Operators should confirm whether HTTP/3 is enabled, patch, and review edge stability and request logs before closing the incident.

NGINX
2026-06-17 CVSS 9.9

CVE-2026-46850

MySQL Shell for VS Code - June 2026 Oracle CPU critical issue

CVE-2026-46850 affects MySQL Shell for VS Code 2026.2.0+9.6.1. Database teams should patch developer tooling and review saved connection profiles and extension access.

MySQL Shell for VS Code
2026-06-17 CVSS 9.8

CVE-2026-46860

MySQL Router - June 2026 Oracle CPU critical issue

CVE-2026-46860 affects MySQL Router 9.0.0 through 9.7.0. Patch public or internal routers and review routing logs, crashes, and unexpected client activity.

MySQL Router
2026-06-17 CVSS 9.6

CVE-2026-46861

MySQL NDB Cluster Operator - June 2026 Oracle CPU critical issue

CVE-2026-46861 affects MySQL NDB Cluster Operator versions in the 8.0, 8.4, and 9.x lines listed by Oracle. Patch the operator and review cluster control-plane access.

MySQL NDB Cluster
2026-06-17 CVSS 9.1

CVE-2026-50203

Apache Airflow SFTP provider - path traversal write risk

CVE-2026-50203 affects Apache Airflow SFTP provider workflows where a malicious or compromised SFTP server can influence retrieved paths. Patch the provider and review DAG output directories.

Apache Airflow Public PoC
2026-06-17 CVSS 9.8

CVE-2026-32966

Apache DolphinScheduler - DataSource API authorization gap

CVE-2026-32966 affects Apache DolphinScheduler DataSource API authorization. Operators should patch, restrict API exposure, and review datasource metadata access.

Apache DolphinScheduler
2026-06-17 CVSS 9.8

CVE-2026-47103

Python StateMachine - SCXML document code execution risk

CVE-2026-47103 affects Python StateMachine 3.0.0 before 3.2.0 when untrusted SCXML documents are processed. Upgrade and review services that import state machine definitions.

Python StateMachine
2026-06-17 CVSS 9.3

CVE-2026-48616

Rocket.Chat - Livechat protected file access control issue

CVE-2026-48616 affects Rocket.Chat Livechat file download authorization in multiple branches before the fixed releases. Patch and review protected file download logs.

Rocket.Chat
2026-06-17 CVSS 10.0

CVE-2026-28587

Android MmsSmsProvider - permission check information disclosure

CVE-2026-28587 affects Android MmsSmsProvider permission handling. Managed fleets should apply the Android security bulletin update and review devices that process sensitive messaging data.

Android
2026-06-16 CVSS 8.1

CVE-2026-53864

OpenClaw - Node.js control variable sanitizer bypass

CVE-2026-53864 affects OpenClaw before 2026.5.26. Review workspace .env files, tool environment overrides, and skill environment blocks for unexpected Node.js control variables before re-enabling shared workspaces.

OpenClaw Public PoC
2026-06-16 CVSS 9.9

CVE-2026-40750

WordPress Kids Online Store theme - dangerous file upload

CVE-2026-40750 affects the WordPress Kids Online Store theme through 0.8.9. Site owners should patch or replace the theme, block script execution from uploads, and review recent files and admin users.

Kids Online Store theme
2026-06-16 CVSS 8.8

CVE-2026-6933

Premmerce Dev Tools - Remote code execution

CVE-2026-6933 affects Premmerce Dev Tools through 2.0. Confirm the installed version, patch or disable the plugin, and review changed files, cron jobs, users, and web server logs before closing the incident.

Premmerce Dev Tools
2026-06-16 CVSS 8.8

CVE-2026-8443

WP Review Slider Pro - SQL injection

CVE-2026-8443 affects WP Review Slider Pro through 12.6.8. Confirm the installed version, patch or disable the plugin, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

WP Review Slider Pro Public PoC
2026-06-16 CVSS 8.8

CVE-2026-8444

WP Review Slider Pro - SQL injection

CVE-2026-8444 affects WP Review Slider Pro through 12.6.8. Confirm the installed version, patch or disable the plugin, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

WP Review Slider Pro
2026-06-16 CVSS 8.2

CVE-2026-49065

Hippoo Mobile App for WooCommerce - Broken access control

CVE-2026-49065 affects Hippoo Mobile App for WooCommerce through 1.9.5. Confirm the installed version, patch or disable the plugin, and review new sessions, booking records, order changes, and account history before closing the incident.

Hippoo Mobile App for WooCommerce
2026-06-16 CVSS 8.1

CVE-2026-27333

Paid Videochat Turnkey Site - Deserialization

CVE-2026-27333 affects Paid Videochat Turnkey Site through 7.3.23. Confirm the installed version, patch or disable the plugin, and review PHP errors, changed files, users, and unexpected plugin settings before closing the incident.

Paid Videochat Turnkey Site
2026-06-16 CVSS 8.1

CVE-2026-39587

WP BASE Booking - Privilege escalation

CVE-2026-39587 affects WP BASE Booking through 5.9.0. Confirm the installed version, patch or disable the plugin, and review new users, role changes, and administrator sessions before closing the incident.

WP BASE Booking
2026-06-16 CVSS 8.1

CVE-2026-42411

CloudSecure WP Security - Broken authentication

CVE-2026-42411 affects CloudSecure WP Security through 1.4.7. Confirm the installed version, patch or disable the plugin, and review new sessions, password changes, and account history before closing the incident.

CloudSecure WP Security
2026-06-16 CVSS 8.1

CVE-2026-42687

EventPrime - PHP object injection

CVE-2026-42687 affects EventPrime through 4.3.2.1. Confirm the installed version, patch or disable the plugin, and review PHP errors, changed files, and unexpected plugin settings before closing the incident.

EventPrime
2026-06-16 CVSS 8.1

CVE-2026-48970

Really Simple SSL - Broken authentication

CVE-2026-48970 affects Really Simple SSL through 9.5.10. Confirm the installed version, patch or disable the plugin, and review new sessions, password changes, and account history before closing the incident.

Really Simple SSL
2026-06-16 CVSS 7.5

CVE-2026-25425

User Registration - Broken access control

CVE-2026-25425 affects User Registration through 5.1.2. Confirm the installed version, patch or disable the plugin, and review new sessions, booking records, order changes, and account history before closing the incident.

User Registration
2026-06-16 CVSS 7.5

CVE-2026-27089

WpTravelly - Bypass vulnerability

CVE-2026-27089 affects WpTravelly through 2.1.7. Confirm the installed version, patch or disable the plugin, and review permission checks, account activity, and exposed private records before closing the incident.

WpTravelly
2026-06-16 CVSS 7.5

CVE-2026-34886

Simple Membership - Broken access control

CVE-2026-34886 affects Simple Membership through 4.7.1. Confirm the installed version, patch or disable the plugin, and review new sessions, booking records, order changes, and account history before closing the incident.

Simple Membership
2026-06-16 CVSS 7.5

CVE-2026-34891

IDPay Payment Gateway for WooCommerce - Sensitive data exposure

CVE-2026-34891 affects IDPay Payment Gateway for WooCommerce through 2.2.5. Confirm the installed version, patch or disable the plugin, and review exports, orders, form data, bookings, and access logs before closing the incident.

IDPay Payment Gateway for WooCommerce
2026-06-16 CVSS 7.5

CVE-2026-34898

Event Tickets Manager for WooCommerce - Broken access control

CVE-2026-34898 affects Event Tickets Manager for WooCommerce through 1.5.3. Confirm the installed version, patch or disable the plugin, and review new sessions, booking records, order changes, and account history before closing the incident.

Event Tickets Manager for WooCommerce
2026-06-16 CVSS 7.5

CVE-2026-39480

Backup Migration - Sensitive data exposure

CVE-2026-39480 affects Backup Migration through 2.1.1. Confirm the installed version, patch or disable the plugin, and review exports, orders, form data, bookings, and access logs before closing the incident.

Backup Migration
2026-06-16 CVSS 7.5

CVE-2026-39503

Easy Digital Downloads - Broken access control

CVE-2026-39503 affects Easy Digital Downloads through 3.6.5. Confirm the installed version, patch or disable the plugin, and review new sessions, booking records, order changes, and account history before closing the incident.

Easy Digital Downloads
2026-06-16 CVSS 7.5

CVE-2026-39513

Easy Appointments - Broken access control

CVE-2026-39513 affects Easy Appointments through 3.12.21. Confirm the installed version, patch or disable the plugin, and review new sessions, booking records, order changes, and account history before closing the incident.

Easy Appointments
2026-06-16 CVSS 7.5

CVE-2026-39524

Masteriyo - LMS - Broken access control

CVE-2026-39524 affects Masteriyo - LMS through 2.1.5. Confirm the installed version, patch or disable the plugin, and review new sessions, booking records, order changes, and account history before closing the incident.

Masteriyo - LMS
2026-06-16 CVSS 7.5

CVE-2026-39533

AWP Classifieds - Broken access control

CVE-2026-39533 affects AWP Classifieds through 4.4.4. Confirm the installed version, patch or disable the plugin, and review new sessions, booking records, order changes, and account history before closing the incident.

AWP Classifieds
2026-06-16 CVSS 7.5

CVE-2026-39534

WP Directory Kit - Broken access control

CVE-2026-39534 affects WP Directory Kit through 1.5.0. Confirm the installed version, patch or disable the plugin, and review new sessions, booking records, order changes, and account history before closing the incident.

WP Directory Kit
2026-06-16 CVSS 7.5

CVE-2026-40741

Redsys for WooCommerce Light - Broken access control

CVE-2026-40741 affects Redsys for WooCommerce Light through 7.0.0. Confirm the installed version, patch or disable the plugin, and review new sessions, booking records, order changes, and account history before closing the incident.

Redsys for WooCommerce Light
2026-06-16 CVSS 7.5

CVE-2026-40762

WPGraphQL - SQL injection

CVE-2026-40762 affects WPGraphQL before 2.11.1. Confirm the installed version, patch or disable the plugin, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

WPGraphQL
2026-06-16 CVSS 7.5

CVE-2026-40767

wpForo Forum - Broken access control

CVE-2026-40767 affects wpForo Forum before 3.0.2. Confirm the installed version, patch or disable the plugin, and review new sessions, booking records, order changes, and account history before closing the incident.

wpForo Forum
2026-06-16 CVSS 7.5

CVE-2026-40774

Booking Package - Broken access control

CVE-2026-40774 affects Booking Package through 1.7.06. Confirm the installed version, patch or disable the plugin, and review new sessions, booking records, order changes, and account history before closing the incident.

Booking Package
2026-06-16 CVSS 7.5

CVE-2026-40776

WP Event Solution - Broken access control

CVE-2026-40776 affects WP Event Solution through 4.1.8. Confirm the installed version, patch or disable the plugin, and review new sessions, booking records, order changes, and account history before closing the incident.

WP Event Solution
2026-06-16 CVSS 7.5

CVE-2026-42384

Simply Schedule Appointments - Sensitive data exposure

CVE-2026-42384 affects Simply Schedule Appointments before 1.6.11.2. Confirm the installed version, patch or disable the plugin, and review exports, orders, form data, bookings, and access logs before closing the incident.

Simply Schedule Appointments
2026-06-16 CVSS 7.5

CVE-2026-42666

Salon booking system - Broken access control

CVE-2026-42666 affects Salon booking system through 10.30.25. Confirm the installed version, patch or disable the plugin, and review new sessions, booking records, order changes, and account history before closing the incident.

Salon booking system
2026-06-16 CVSS 7.5

CVE-2026-42668

Email Marketing for WooCommerce by Omnisend - Broken authentication

CVE-2026-42668 affects Email Marketing for WooCommerce by Omnisend through 1.18.0. Confirm the installed version, patch or disable the plugin, and review new sessions, password changes, and account history before closing the incident.

Email Marketing for WooCommerce by Omnisend
2026-06-16 CVSS 7.5

CVE-2026-48835

Contact Form by WPForms - Broken access control

CVE-2026-48835 affects Contact Form by WPForms through 1.10.0.4. Confirm the installed version, patch or disable the plugin, and review new sessions, booking records, order changes, and account history before closing the incident.

Contact Form by WPForms
2026-06-16 CVSS 7.5

CVE-2026-48868

Simple Shopping Cart - IDOR

CVE-2026-48868 affects Simple Shopping Cart through 5.2.9. Confirm the installed version, patch or disable the plugin, and review object access logs, order history, bookings, and user activity before closing the incident.

Simple Shopping Cart
2026-06-16 CVSS 7.5

CVE-2026-48873

Montonio for WooCommerce - Broken access control

CVE-2026-48873 affects Montonio for WooCommerce through 10.1.2. Confirm the installed version, patch or disable the plugin, and review new sessions, booking records, order changes, and account history before closing the incident.

Montonio for WooCommerce
2026-06-16 CVSS 7.5

CVE-2026-48883

WPC Product Bundles for WooCommerce - Broken access control

CVE-2026-48883 affects WPC Product Bundles for WooCommerce through 8.5.3. Confirm the installed version, patch or disable the plugin, and review new sessions, booking records, order changes, and account history before closing the incident.

WPC Product Bundles for WooCommerce
2026-06-16 CVSS 7.5

CVE-2026-49056

WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels - Sensitive data exposure

CVE-2026-49056 affects WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels through 4.9.4. Confirm the installed version, patch or disable the plugin, and review exports, orders, form data, bookings, and access logs before closing the incident.

WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels
2026-06-16 CVSS 7.5

CVE-2026-49061

WPC Product Options for WooCommerce - Arbitrary file download

CVE-2026-49061 affects WPC Product Options for WooCommerce through 3.2.1. Confirm the installed version, patch or disable the plugin, and review download logs, exposed files, and backup paths before closing the incident.

WPC Product Options for WooCommerce
2026-06-16 CVSS 7.5

CVE-2026-49066

Conekta Payment Gateway - Sensitive data exposure

CVE-2026-49066 affects Conekta Payment Gateway through 6.0.0. Confirm the installed version, patch or disable the plugin, and review exports, orders, form data, bookings, and access logs before closing the incident.

Conekta Payment Gateway
2026-06-16 CVSS 7.5

CVE-2026-49068

Coupon Affiliates - Sensitive data exposure

CVE-2026-49068 affects Coupon Affiliates through 7.8.1. Confirm the installed version, patch or disable the plugin, and review exports, orders, form data, bookings, and access logs before closing the incident.

Coupon Affiliates
2026-06-16 CVSS 7.5

CVE-2026-49070

Knit Pay - Broken access control

CVE-2026-49070 affects Knit Pay through 9.4.0.0. Confirm the installed version, patch or disable the plugin, and review new sessions, booking records, order changes, and account history before closing the incident.

Knit Pay
2026-06-16 CVSS 7.5

CVE-2026-49110

Upsell Order Bump Offer for WooCommerce - Broken authentication

CVE-2026-49110 affects Upsell Order Bump Offer for WooCommerce through 3.1.4. Confirm the installed version, patch or disable the plugin, and review new sessions, password changes, and account history before closing the incident.

Upsell Order Bump Offer for WooCommerce
2026-06-16 CVSS 7.5

CVE-2026-49112

Shared Files - Path traversal

CVE-2026-49112 affects Shared Files through 1.7.64. Confirm the installed version, patch or disable the plugin, and review file access logs and unexpected downloads before closing the incident.

Shared Files
2026-06-16 CVSS 7.5

CVE-2026-52692

Affiliates Manager - Sensitive data exposure

CVE-2026-52692 affects Affiliates Manager through 2.9.50. Confirm the installed version, patch or disable the plugin, and review exports, orders, form data, bookings, and access logs before closing the incident.

Affiliates Manager
2026-06-16 CVSS 7.5

CVE-2026-52694

Signature Add-On for WooCommerce - Sensitive data exposure

CVE-2026-52694 affects Signature Add-On for WooCommerce through 2.0. Confirm the installed version, patch or disable the plugin, and review exports, orders, form data, bookings, and access logs before closing the incident.

Signature Add-On for WooCommerce
2026-06-16 CVSS 7.5

CVE-2026-52695

ABC Crypto Checkout - Sensitive data exposure

CVE-2026-52695 affects ABC Crypto Checkout through 1.8.2. Confirm the installed version, patch or disable the plugin, and review exports, orders, form data, bookings, and access logs before closing the incident.

ABC Crypto Checkout
2026-06-16 CVSS 7.3

CVE-2026-40775

Royal MCP - Broken access control

CVE-2026-40775 affects Royal MCP through 1.4.2. Confirm the installed version, patch or disable the plugin, and review new sessions, booking records, order changes, and account history before closing the incident.

Royal MCP
2026-06-16 CVSS 7.3

CVE-2026-49063

Listdom - Privilege escalation

CVE-2026-49063 affects Listdom through 5.5.0. Confirm the installed version, patch or disable the plugin, and review new users, role changes, and administrator sessions before closing the incident.

Listdom
2026-06-16 CVSS 7.2

CVE-2026-39434

CTX Feed - PHP object injection

CVE-2026-39434 affects CTX Feed through 6.6.26. Confirm the installed version, patch or disable the plugin, and review PHP errors, changed files, and unexpected plugin settings before closing the incident.

CTX Feed
2026-06-16 CVSS 7.2

CVE-2026-39470

WooCommerce Cart Abandonment Recovery - Privilege escalation

CVE-2026-39470 affects WooCommerce Cart Abandonment Recovery before 2.1.0. Confirm the installed version, patch or disable the plugin, and review new users, role changes, and administrator sessions before closing the incident.

WooCommerce Cart Abandonment Recovery
2026-06-16 CVSS 7.2

CVE-2026-39472

WooCommerce PDF Invoices & Packing Slips - PHP object injection

CVE-2026-39472 affects WooCommerce PDF Invoices & Packing Slips before 5.9.0. Confirm the installed version, patch or disable the plugin, and review PHP errors, changed files, and unexpected plugin settings before closing the incident.

WooCommerce PDF Invoices & Packing Slips
2026-06-16 CVSS 7.2

CVE-2026-39499

Advanced Product Fields for WooCommerce - PHP object injection

CVE-2026-39499 affects Advanced Product Fields for WooCommerce through 1.6.19. Confirm the installed version, patch or disable the plugin, and review PHP errors, changed files, and unexpected plugin settings before closing the incident.

Advanced Product Fields for WooCommerce
2026-06-16 CVSS 7.2

CVE-2026-42650

AutomatorWP - Cross-site scripting

CVE-2026-42650 affects AutomatorWP through 5.6.7. Confirm the installed version, patch or disable the plugin, and review stored content, redirects, admin sessions, and suspicious script injections before closing the incident.

AutomatorWP
2026-06-16 CVSS 7.1

CVE-2025-68840

iRobots.txt SEO - Cross-site scripting

CVE-2025-68840 affects iRobots.txt SEO through 1.1.2. Confirm the installed version, patch or disable the plugin, and review stored content, redirects, admin sessions, and suspicious script injections before closing the incident.

iRobots.txt SEO
2026-06-16 CVSS 7.1

CVE-2025-68851

Okay Toolkit - Cross-site scripting

CVE-2025-68851 affects Okay Toolkit through 2.3. Confirm the installed version, patch or disable the plugin, and review stored content, redirects, admin sessions, and suspicious script injections before closing the incident.

Okay Toolkit
2026-06-16 CVSS 7.1

CVE-2025-68872

Eli's WordCents AdSense Widget with Analytics - Cross-site scripting

CVE-2025-68872 affects Eli's WordCents AdSense Widget with Analytics through 1.3.03.27. Confirm the installed version, patch or disable the plugin, and review stored content, redirects, admin sessions, and suspicious script injections before closing the incident.

Eli's WordCents AdSense Widget with Analytics
2026-06-16 CVSS 7.1

CVE-2026-23970

Redirection for Contact Form 7 - Cross-site scripting

CVE-2026-23970 affects Redirection for Contact Form 7 through 3.2.8. Confirm the installed version, patch or disable the plugin, and review stored content, redirects, admin sessions, and suspicious script injections before closing the incident.

Redirection for Contact Form 7
2026-06-16 CVSS 7.1

CVE-2026-34900

GiveWP - Cross-site scripting

CVE-2026-34900 affects GiveWP through 4.14.2. Confirm the installed version, patch or disable the plugin, and review stored content, redirects, admin sessions, and suspicious script injections before closing the incident.

GiveWP
2026-06-16 CVSS 7.1

CVE-2026-34902

WooCommerce Product Table Lite - Cross-site scripting

CVE-2026-34902 affects WooCommerce Product Table Lite through 4.6.3. Confirm the installed version, patch or disable the plugin, and review stored content, redirects, admin sessions, and suspicious script injections before closing the incident.

WooCommerce Product Table Lite
2026-06-16 CVSS 7.1

CVE-2026-39435

CformsII - Cross-site scripting

CVE-2026-39435 affects CformsII through 15.1.3. Confirm the installed version, patch or disable the plugin, and review stored content, redirects, admin sessions, and suspicious script injections before closing the incident.

CformsII
2026-06-16 CVSS 7.1

CVE-2026-39447

Simply Schedule Appointments - Cross-site scripting

CVE-2026-39447 affects Simply Schedule Appointments through 1.6.10.6. Confirm the installed version, patch or disable the plugin, and review stored content, redirects, admin sessions, and suspicious script injections before closing the incident.

Simply Schedule Appointments
2026-06-16 CVSS 7.1

CVE-2026-39449

Contact Form to Any API - Cross-site scripting

CVE-2026-39449 affects Contact Form to Any API through 3.0.3. Confirm the installed version, patch or disable the plugin, and review stored content, redirects, admin sessions, and suspicious script injections before closing the incident.

Contact Form to Any API
2026-06-16 CVSS 7.1

CVE-2026-39463

ManageWP Worker - Cross-site scripting

CVE-2026-39463 affects ManageWP Worker through 4.9.31. Confirm the installed version, patch or disable the plugin, and review stored content, redirects, admin sessions, and suspicious script injections before closing the incident.

ManageWP Worker
2026-06-16 CVSS 7.1

CVE-2026-39507

Social Slider Feed - Cross-site scripting

CVE-2026-39507 affects Social Slider Feed through 2.3.2. Confirm the installed version, patch or disable the plugin, and review stored content, redirects, admin sessions, and suspicious script injections before closing the incident.

Social Slider Feed
2026-06-16 CVSS 7.1

CVE-2026-39514

Paid Member Subscriptions - Cross-site scripting

CVE-2026-39514 affects Paid Member Subscriptions through 2.17.3. Confirm the installed version, patch or disable the plugin, and review stored content, redirects, admin sessions, and suspicious script injections before closing the incident.

Paid Member Subscriptions
2026-06-16 CVSS 7.1

CVE-2026-40732

Notification for Telegram - Cross-site scripting

CVE-2026-40732 affects Notification for Telegram through 3.5. Confirm the installed version, patch or disable the plugin, and review stored content, redirects, admin sessions, and suspicious script injections before closing the incident.

Notification for Telegram
2026-06-16 CVSS 7.1

CVE-2026-40770

Coupon Affiliates - Cross-site scripting

CVE-2026-40770 affects Coupon Affiliates through 7.5.3. Confirm the installed version, patch or disable the plugin, and review stored content, redirects, admin sessions, and suspicious script injections before closing the incident.

Coupon Affiliates
2026-06-16 CVSS 7.1

CVE-2026-40787

Quiz And Survey Master - Cross-site scripting

CVE-2026-40787 affects Quiz And Survey Master through 11.0.0. Confirm the installed version, patch or disable the plugin, and review stored content, redirects, admin sessions, and suspicious script injections before closing the incident.

Quiz And Survey Master
2026-06-16 CVSS 7.1

CVE-2026-40791

WP Time Slots Booking Form - Cross-site scripting

CVE-2026-40791 affects WP Time Slots Booking Form through 1.2.46. Confirm the installed version, patch or disable the plugin, and review stored content, redirects, admin sessions, and suspicious script injections before closing the incident.

WP Time Slots Booking Form
2026-06-16 CVSS 7.1

CVE-2026-42649

Favicon Rotator - Cross-site scripting

CVE-2026-42649 affects Favicon Rotator through 1.2.11. Confirm the installed version, patch or disable the plugin, and review stored content, redirects, admin sessions, and suspicious script injections before closing the incident.

Favicon Rotator
2026-06-16 CVSS 7.1

CVE-2026-42658

Classified Listing - Cross-site scripting

CVE-2026-42658 affects Classified Listing through 5.3.8. Confirm the installed version, patch or disable the plugin, and review stored content, redirects, admin sessions, and suspicious script injections before closing the incident.

Classified Listing
2026-06-16 CVSS 7.1

CVE-2026-42775

AutomatorWP - Cross-site scripting

CVE-2026-42775 affects AutomatorWP through 5.7.2. Confirm the installed version, patch or disable the plugin, and review stored content, redirects, admin sessions, and suspicious script injections before closing the incident.

AutomatorWP
2026-06-16 CVSS 7.1

CVE-2026-45437

Product Filter Widget for Elementor - Cross-site scripting

CVE-2026-45437 affects Product Filter Widget for Elementor through 1.0.6. Confirm the installed version, patch or disable the plugin, and review stored content, redirects, admin sessions, and suspicious script injections before closing the incident.

Product Filter Widget for Elementor
2026-06-16 CVSS 7.1

CVE-2026-48838

Post SMTP - Cross-site scripting

CVE-2026-48838 affects Post SMTP through 3.6.2. Confirm the installed version, patch or disable the plugin, and review stored content, redirects, admin sessions, and suspicious script injections before closing the incident.

Post SMTP
2026-06-16 CVSS 7.1

CVE-2026-48867

Quiz And Survey Master - Cross-site scripting

CVE-2026-48867 affects Quiz And Survey Master through 11.1.2. Confirm the installed version, patch or disable the plugin, and review stored content, redirects, admin sessions, and suspicious script injections before closing the incident.

Quiz And Survey Master
2026-06-16 CVSS 7.1

CVE-2026-48871

MW WP Form - Cross-site scripting

CVE-2026-48871 affects MW WP Form through 5.1.3. Confirm the installed version, patch or disable the plugin, and review stored content, redirects, admin sessions, and suspicious script injections before closing the incident.

MW WP Form
2026-06-16 CVSS 7.1

CVE-2026-48876

Stop Spammers - Cross-site scripting

CVE-2026-48876 affects Stop Spammers through 2026.3. Confirm the installed version, patch or disable the plugin, and review stored content, redirects, admin sessions, and suspicious script injections before closing the incident.

Stop Spammers
2026-06-16 CVSS 7.1

CVE-2026-48885

HollerBox - Cross-site scripting

CVE-2026-48885 affects HollerBox through 2.3.10.1. Confirm the installed version, patch or disable the plugin, and review stored content, redirects, admin sessions, and suspicious script injections before closing the incident.

HollerBox
2026-06-16 CVSS 7.1

CVE-2026-48966

Funnel Builder by FunnelKit - Cross-site scripting

CVE-2026-48966 affects Funnel Builder by FunnelKit through 3.15.0.2. Confirm the installed version, patch or disable the plugin, and review stored content, redirects, admin sessions, and suspicious script injections before closing the incident.

Funnel Builder by FunnelKit
2026-06-16 CVSS 7.1

CVE-2026-49055

Drag and Drop Multiple File Upload - Contact Form 7 - Cross-site scripting

CVE-2026-49055 affects Drag and Drop Multiple File Upload - Contact Form 7 through 1.3.9.7. Confirm the installed version, patch or disable the plugin, and review stored content, redirects, admin sessions, and suspicious script injections before closing the incident.

Drag and Drop Multiple File Upload - Contact Form 7
2026-06-16 CVSS 7.1

CVE-2026-52702

SEO Redirection - Cross-site scripting

CVE-2026-52702 affects SEO Redirection through 9.17. Confirm the installed version, patch or disable the plugin, and review stored content, redirects, admin sessions, and suspicious script injections before closing the incident.

SEO Redirection
2026-06-16 CVSS 7.5

CVE-2026-49083

LatePoint - Privilege escalation

CVE-2026-49083 affects LatePoint through 5.5.1. Confirm the installed version, patch or disable the plugin, and review new users, role changes, and administrator sessions before closing the incident.

LatePoint
2026-06-16 CVSS 7.2

CVE-2026-27407

AI Engine - Privilege escalation

CVE-2026-27407 affects AI Engine through 3.4.9. Confirm the installed version, patch or disable the plugin, and review new users, role changes, and administrator sessions before closing the incident.

AI Engine
2026-06-16 CVSS 7.7

CVE-2026-40727

Groundhogg - Arbitrary file deletion

CVE-2026-40727 affects Groundhogg through 4.4. Confirm the installed version, patch or disable the plugin, and review missing plugin files, media files, and backups before closing the incident.

Groundhogg
2026-06-16 CVSS 7.7

CVE-2026-40779

Link Library - Arbitrary file deletion

CVE-2026-40779 affects Link Library through 7.8.8. Confirm the installed version, patch or disable the plugin, and review missing plugin files, media files, and backups before closing the incident.

Link Library
2026-06-16 CVSS 7.2

CVE-2026-39471

ShortPixel Image Optimizer - PHP object injection

CVE-2026-39471 affects ShortPixel Image Optimizer through 6.4.3. Confirm the installed version, patch or disable the plugin, and review PHP errors, changed files, and unexpected plugin settings before closing the incident.

ShortPixel Image Optimizer
2026-06-16 CVSS 7.2

CVE-2026-39481

Modula Image Gallery - PHP object injection

CVE-2026-39481 affects Modula Image Gallery through 2.14.18. Confirm the installed version, patch or disable the plugin, and review PHP errors, changed files, and unexpected plugin settings before closing the incident.

Modula Image Gallery
2026-06-16 CVSS 7.2

CVE-2026-39498

YayMail - PHP object injection

CVE-2026-39498 affects YayMail through 4.3.3. Confirm the installed version, patch or disable the plugin, and review PHP errors, changed files, and unexpected plugin settings before closing the incident.

YayMail
2026-06-16 CVSS 7.4

CVE-2026-49082

Chatway Live Chat - Sensitive data exposure

CVE-2026-49082 affects Chatway Live Chat through 1.4.8. Confirm the installed version, patch or disable the plugin, and review exports, orders, form data, bookings, and access logs before closing the incident.

Chatway Live Chat
2026-06-16 CVSS 7.1

CVE-2026-39450

FunnelKit Automations - Broken authentication

CVE-2026-39450 affects FunnelKit Automations through 3.7.3. Confirm the installed version, patch or disable the plugin, and review new sessions, password changes, and account history before closing the incident.

FunnelKit Automations
2026-06-16 CVSS 7.1

CVE-2026-42686

EventPrime - Cross-site scripting

CVE-2026-42686 affects EventPrime through 4.3.2.1. Confirm the installed version, patch or disable the plugin, and review stored content, redirects, admin sessions, and suspicious script injections before closing the incident.

EventPrime
2026-06-16 CVSS 6.5

CVE-2026-49775

Welcart e-Commerce - Broken access control

CVE-2026-49775 affects Welcart e-Commerce through 2.11.28. Confirm the installed version, patch or disable the plugin, and review new sessions, booking records, order changes, and account history before closing the incident.

Welcart e-Commerce
2026-06-16 CVSS 5.3

CVE-2026-9187

Abandoned Contact Form 7 - Arbitrary file deletion

CVE-2026-9187 affects Abandoned Contact Form 7 through 2.2. Confirm the installed version, patch or disable the plugin, and review missing plugin files, media files, and backups before closing the incident.

Abandoned Contact Form 7
2026-06-16 CVSS 7.5

CVE-2025-68045

WP Event Solution - Broken access control

CVE-2025-68045 affects WP Event Solution through 4.1.12. Confirm the installed version, patch or disable the plugin, and review new sessions, booking records, order changes, and account history before closing the incident.

WP Event Solution
2026-06-16 CVSS 7.5

CVE-2026-39490

JupiterX Core - Broken access control

CVE-2026-39490 affects JupiterX Core through 4.14.1. Confirm the installed version, patch or disable the plugin, and review new sessions, booking records, order changes, and account history before closing the incident.

JupiterX Core
2026-06-16 CVSS 9.3

CVE-2026-39574

InPost Gallery - SQL injection

CVE-2026-39574 affects InPost Gallery through 2.1.4.6. Confirm the installed version, patch or disable the plugin, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

InPost Gallery
2026-06-16 CVSS 8.5

CVE-2026-39581

WP Sessions Time Monitoring Full Automatic - SQL injection

CVE-2026-39581 affects WP Sessions Time Monitoring Full Automatic through 1.1.4. Confirm the installed version, patch or disable the plugin, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

WP Sessions Time Monitoring Full Automatic
2026-06-16 CVSS 9.3

CVE-2026-49772

The Events Calendar - SQL injection

CVE-2026-49772 affects The Events Calendar 6.15.12 - 6.16.2. Confirm the installed version, patch or disable the plugin, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

The Events Calendar
2026-06-16 CVSS 9.9

CVE-2026-49774

RD Station - Remote code execution

CVE-2026-49774 affects RD Station through 5.6.0. Confirm the installed version, patch or disable the plugin, and review changed files, cron jobs, users, and web server logs before closing the incident.

RD Station
2026-06-16 CVSS 7.5

CVE-2026-52711

WooCommerce POS - Broken access control

CVE-2026-52711 affects WooCommerce POS through 1.8.14. Confirm the installed version, patch or disable the plugin, and review new sessions, booking records, order changes, and account history before closing the incident.

WooCommerce POS
2026-06-16 CVSS 9.3

CVE-2026-52715

GEO my WordPress - SQL injection

CVE-2026-52715 affects GEO my WordPress through 4.5.5. Confirm the installed version, patch or disable the plugin, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

GEO my WordPress
2026-06-16 CVSS 8.1

CVE-2026-8442

WP Review Slider Pro - Arbitrary file deletion

CVE-2026-8442 affects WP Review Slider Pro through 12.6.8. Confirm the installed version, patch or disable the plugin, and review missing plugin files, media files, and backups before closing the incident.

WP Review Slider Pro
2026-06-16 CVSS 7.6

CVE-2026-52712

Attendance Manager - SQL injection

CVE-2026-52712 affects Attendance Manager through 0.6.2. Confirm the installed version, patch or disable the plugin, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

Attendance Manager
2026-06-16 CVSS 7.1

CVE-2026-39437

Min Max Step Quantity Limits Manager for WooCommerce - Cross-site scripting

CVE-2026-39437 affects Min Max Step Quantity Limits Manager for WooCommerce through 5.2.2. Confirm the installed version, patch or disable the plugin, and review stored content, redirects, admin sessions, and suspicious script injections before closing the incident.

Min Max Step Quantity Limits Manager for WooCommerce
2026-06-16 CVSS 7.1

CVE-2026-54191

Pods - Cross-site scripting

CVE-2026-54191 affects Pods through 3.3.8. Confirm the installed version, patch or disable the plugin, and review stored content, redirects, admin sessions, and suspicious script injections before closing the incident.

Pods
2026-06-16 CVSS 7.1

CVE-2026-54198

Media Library Assistant - Cross-site scripting

CVE-2026-54198 affects Media Library Assistant through 3.35. Confirm the installed version, patch or disable the plugin, and review stored content, redirects, admin sessions, and suspicious script injections before closing the incident.

Media Library Assistant
2026-06-16 CVSS 6.5

CVE-2026-2381

WooCommerce Stripe Payment Gateway - Broken access control

CVE-2026-2381 affects WooCommerce Stripe Payment Gateway through 10.3.1. Confirm the installed version, patch or disable the plugin, and review new sessions, booking records, order changes, and account history before closing the incident.

WooCommerce Stripe Payment Gateway
2026-06-16 CVSS 6.5

CVE-2026-40809

Metro Magazine - Broken access control

CVE-2026-40809 affects Metro Magazine through 1.4.1. Confirm the installed version, patch or disable the plugin, and review new sessions, booking records, order changes, and account history before closing the incident.

Metro Magazine
2026-06-15 CVSS 8.8
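
Every WordPress plugin card above (and the ones further down) opens with the same step, confirm the installed version against the affected range, and the ranges come in three phrasings: "through X" (X itself is still vulnerable), "before X" (X is the first fixed release) and "A - B" (an explicit window, as on The Events Calendar card). The script below is an added example, not Ping7 tooling: it matches the JSON that `wp plugin list --format=json` prints against those phrases. The plugin slugs and the installed-plugin sample are assumptions constructed for the example; only the CVE ids, display names and range phrases are taken from the cards.

```python
"""Match `wp plugin list --format=json` output against the affected-version
phrases used on the CVE cards ("through X", "before X", "A - B").

Added example; not Ping7's own tooling.  Plugin slugs and the installed
sample are assumptions; CVE ids, names and ranges come from the cards."""

import json
import re
from dataclasses import dataclass
from typing import Callable


def version_key(version: str) -> tuple:
    """Numeric, component-wise key for WordPress-style versions.
    '1.6.10.6' must sort above '1.6.9.27' (10 > 9), which a plain string
    comparison gets wrong; '9.1.08.001' becomes (9, 1, 8, 1).  Trailing
    zero components are dropped so '2.0' equals '2.0.0'.  Pre-release
    suffixes such as '-beta' are ignored (assumption: the cards never use them)."""
    parts = [int(p) for p in re.findall(r"\d+", version)]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def parse_range(phrase: str) -> Callable[[str], bool]:
    """Turn a card's range phrase into a predicate over an installed version.
      'through X' -> v <= X        (X itself is still vulnerable)
      'before X'  -> v <  X        (X is the first fixed release)
      'A - B'     -> A <= v <= B   (explicit window)"""
    phrase = phrase.strip()
    if m := re.fullmatch(r"through\s+(\S+)", phrase):
        hi = version_key(m.group(1))
        return lambda v: version_key(v) <= hi
    if m := re.fullmatch(r"before\s+(\S+)", phrase):
        hi = version_key(m.group(1))
        return lambda v: version_key(v) < hi
    if m := re.fullmatch(r"(\S+)\s*-\s*(\S+)", phrase):
        lo, hi = version_key(m.group(1)), version_key(m.group(2))
        return lambda v: lo <= version_key(v) <= hi
    raise ValueError(f"unrecognised range phrase: {phrase!r}")


@dataclass(frozen=True)
class Advisory:
    cve: str
    plugin: str    # display name as printed on the card
    slug: str      # directory name under wp-content/plugins (assumed here)
    affected: str  # range phrase exactly as printed on the card


ADVISORIES = [
    Advisory("CVE-2026-49772", "The Events Calendar", "the-events-calendar", "6.15.12 - 6.16.2"),
    Advisory("CVE-2026-39470", "WooCommerce Cart Abandonment Recovery", "woo-cart-abandonment-recovery", "before 2.1.0"),
    Advisory("CVE-2026-48838", "Post SMTP", "post-smtp", "through 3.6.2"),
    Advisory("CVE-2026-39447", "Simply Schedule Appointments", "simply-schedule-appointments", "through 1.6.10.6"),
]

# Constructed sample of what `wp plugin list --format=json` prints on one site.
SAMPLE_WP_PLUGIN_LIST = json.dumps([
    {"name": "the-events-calendar", "status": "active", "update": "available", "version": "6.16.0"},
    {"name": "woo-cart-abandonment-recovery", "status": "active", "update": "none", "version": "2.1.0"},
    {"name": "post-smtp", "status": "inactive", "update": "available", "version": "3.6.2"},
    {"name": "simply-schedule-appointments", "status": "active", "update": "none", "version": "1.6.10.7"},
    {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
])


def triage(plugin_list_json: str, advisories=ADVISORIES) -> list:
    """One finding per advisory whose plugin is installed at an affected version.
    Inactive plugins are reported too: their files stay under the web root and
    can sometimes be reached directly, so 'inactive' is context, not a pass."""
    installed = {p["name"]: p for p in json.loads(plugin_list_json)}
    findings = []
    for adv in advisories:
        plugin = installed.get(adv.slug)
        if plugin and parse_range(adv.affected)(plugin["version"]):
            findings.append({
                "cve": adv.cve,
                "plugin": adv.plugin,
                "installed": plugin["version"],
                "affected": adv.affected,
                "status": plugin["status"],
            })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_WP_PLUGIN_LIST):
        print(f"{f['cve']}: {f['plugin']} {f['installed']} ({f['status']}) is in range '{f['affected']}'")
```

On a real site, feed the output of `wp plugin list --format=json` to `triage()`. A version match is necessary but not sufficient: many of these bugs need a particular role (subscriber, contributor) or an enabled feature, so the card's exposure checks still apply, and a version outside the range is only reassuring if the plugin was updated rather than edited in place. For the "changed files" step on the object-injection and remote-code-execution cards, `wp plugin verify-checksums --all` compares installed files against the checksums published for plugins hosted on WordPress.org; premium plugins distributed elsewhere have to be diffed against a clean vendor download instead.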

CVE-2026-36670

OpenSIPS Control Panel - alias management SQL injection

CVE-2026-36670 affects OpenSIPS Control Panel before 9.3.3. An authenticated user with access to the alias management module can inject SQL through it, so upgrade any exposed panel and review its access and database logs.

OpenSIPS Control Panel Public PoC
2026-06-15 CVSS 9.8

CVE-2026-38329

Bludit CMS - API plugin file upload RCE risk

CVE-2026-38329 affects Bludit before 3.18.4 when API plugin file handling is exposed. Review API token use, plugin access, uploaded files, and web-server logs before closing the issue.

Bludit CMS Public PoC
2026-06-15 CVSS 9.8

CVE-2026-50869

Bludit CMS - API plugin directory traversal

CVE-2026-50869 affects the API plugin in Bludit 3.19.0. Treat a publicly reachable API plugin as high risk, restrict access, review the file paths it was asked for, and preserve logs if suspicious reads or writes are found.

Bludit CMS Public PoC
2026-06-15 CVSS 9.1

CVE-2026-48714

i18next-http-middleware - remote prototype pollution risk in missing-key handling

CVE-2026-48714 affects i18next-http-middleware before 3.9.7 when the missing-key write handler is exposed and the backend it writes to is itself vulnerable. Upgrade, restrict the handler, and review translation persistence logs for unexpected writes.

i18next-http-middleware Public PoC
2026-06-15 CVSS 8.8

CVE-2026-48017

DbGate - authenticated server-side code execution risk

CVE-2026-48017 affects DbGate 7.1.8 and earlier when authenticated users can reach vulnerable server-side runner behavior. Upgrade, limit access to trusted admins, review runner activity, and rotate stored credentials if suspicious use cannot be ruled out.

DbGate Public PoC
2026-06-15 CVSS 8.5

CVE-2026-24637

PowerPress Podcasting - contributor SQL injection

CVE-2026-24637 affects PowerPress Podcasting through 11.15.10. WordPress owners should confirm the plugin version, patch or disable the component, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

PowerPress Podcasting
2026-06-15 CVSS 9.1

CVE-2026-39465

Responsive Slider by MetaSlider - editor remote code execution

CVE-2026-39465 affects Responsive Slider by MetaSlider through 3.106.0. WordPress owners should confirm the plugin version, patch or disable the component, and review changed files, cron jobs, users, and web server logs before closing the incident.

Responsive Slider by MetaSlider
2026-06-15 CVSS 8.8

CVE-2026-39474

Post Duplicator - contributor PHP object injection

CVE-2026-39474 affects Post Duplicator through 3.0.10. WordPress owners should confirm the plugin version, patch or disable the component, and review PHP errors, changed files, and unexpected plugin settings before closing the incident.

Post Duplicator
2026-06-15 CVSS 8.8

CVE-2026-39478

Anti-Malware Security and Brute-Force Firewall - contributor PHP object injection

CVE-2026-39478 affects Anti-Malware Security and Brute-Force Firewall through 4.23.87. WordPress owners should confirm the plugin version, patch or disable the component, and review PHP errors, changed files, and unexpected plugin settings before closing the incident.

Anti-Malware Security and Brute-Force Firewall
2026-06-15 CVSS 8.8

CVE-2026-39532

Events Calendar for GeoDirectory - contributor PHP object injection

CVE-2026-39532 affects Events Calendar for GeoDirectory through 2.3.25. WordPress owners should confirm the plugin version, patch or disable the component, and review PHP errors, changed files, and unexpected plugin settings before closing the incident.

Events Calendar for GeoDirectory
2026-06-15 CVSS 8.8

CVE-2026-39579

B Blocks - contributor privilege escalation

CVE-2026-39579 affects B Blocks through 2.0.31. WordPress owners should confirm the plugin version, patch or disable the component, and review new users, role changes, and administrator sessions before closing the incident.

B Blocks
2026-06-15 CVSS 8.5

CVE-2026-40766

MasterStudy LMS - subscriber SQL injection

CVE-2026-40766 affects MasterStudy LMS through 3.7.25. WordPress owners should confirm the plugin version, patch or disable the component, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

MasterStudy LMS
2026-06-15 CVSS 8.6

CVE-2026-40769

Contact Form Extender for Divi - unauthenticated arbitrary file deletion

CVE-2026-40769 affects Contact Form Extender for Divi through 1.0.6. WordPress owners should confirm the plugin version, patch or disable the component, and review missing plugin files, media files, and backups before closing the incident.

Contact Form Extender for Divi
2026-06-15 CVSS 8.8

CVE-2026-42661

WP Customer Area - custom role path traversal

CVE-2026-42661 affects WP Customer Area through 8.3.4. WordPress owners should confirm the plugin version, patch or disable the component, and review file access logs and unexpected downloads before closing the incident.

WP Customer Area
2026-06-15 CVSS 8.2

CVE-2026-42664

AI Product Search for WooCommerce - unauthenticated broken access control

CVE-2026-42664 affects AI Product Search for WooCommerce - Motive Commerce Search through 1.38.2. WordPress owners should confirm the plugin version, patch or disable the component, and review new sessions, booking records, order changes, and account history before closing the incident.

AI Product Search for WooCommerce - Motive Commerce Search
2026-06-15 CVSS 8.5

CVE-2026-48874

GamiPress - subscriber SQL injection

CVE-2026-48874 affects GamiPress through 7.8.7. WordPress owners should confirm the plugin version, patch or disable the component, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

GamiPress
2026-06-15 CVSS 9.1

CVE-2026-48881

TrueBooker - unauthenticated broken access control

CVE-2026-48881 affects TrueBooker through 1.1.9. WordPress owners should confirm the plugin version, patch or disable the component, and review new sessions, booking records, order changes, and account history before closing the incident.

TrueBooker
2026-06-15 CVSS 8.5

CVE-2026-48882

WP Time Slots Booking Form - subscriber SQL injection

CVE-2026-48882 affects WP Time Slots Booking Form through 1.2.50. WordPress owners should confirm the plugin version, patch or disable the component, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

WP Time Slots Booking Form
2026-06-15 CVSS 8.8

CVE-2026-48889

Amelia - subscriber privilege escalation

CVE-2026-48889 affects Amelia through 2.3. WordPress owners should confirm the plugin version, patch or disable the component, and review new users, role changes, and administrator sessions before closing the incident.

Amelia
2026-06-15 CVSS 8.5

CVE-2026-48964

ELEX WordPress HelpDesk - subscriber SQL injection

CVE-2026-48964 affects ELEX WordPress HelpDesk & Customer Ticketing System through 3.3.6. WordPress owners should confirm the plugin version, patch or disable the component, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

ELEX WordPress HelpDesk & Customer Ticketing System
2026-06-15 CVSS 8.8

CVE-2026-49780

Dokan - customer privilege escalation

CVE-2026-49780 affects Dokan through 5.0.2. WordPress owners should confirm the plugin version, patch or disable the component, and review new users, role changes, and administrator sessions before closing the incident.

Dokan
2026-06-15 CVSS 8.5

CVE-2026-52697

Taskbuilder - subscriber SQL injection

CVE-2026-52697 affects Taskbuilder through 5.0.7. WordPress owners should confirm the plugin version, patch or disable the component, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

Taskbuilder
2026-06-15 CVSS 8.5

CVE-2026-52700

WCMultiShipping - subscriber SQL injection

CVE-2026-52700 affects WCMultiShipping through 3.0.2. WordPress owners should confirm the plugin version, patch or disable the component, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

WCMultiShipping
2026-06-15 CVSS 9.3

CVE-2026-39441

Feed KuantoKusta for WooCommerce - unauthenticated SQL injection

CVE-2026-39441 affects Feed KuantoKusta for WooCommerce Free through 5.3. WordPress sites should patch or disable the component, then review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

Feed KuantoKusta for WooCommerce Free
2026-06-15 CVSS 9.3

CVE-2026-39492

WP Maps - unauthenticated SQL injection

CVE-2026-39492 affects WP Maps through 4.9.1. WordPress sites should patch or disable the component, then review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

WP Maps
2026-06-15 CVSS 9.3

CVE-2026-39493

Simply Schedule Appointments - unauthenticated SQL injection

CVE-2026-39493 affects Simply Schedule Appointments through 1.6.9.27. WordPress sites should patch or disable the component, then review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

Simply Schedule Appointments
2026-06-15 CVSS 9.3

CVE-2026-39502

Form Maker by 10Web - unauthenticated SQL injection

CVE-2026-39502 affects Form Maker by 10Web through 1.15.38. WordPress sites should patch or disable the component, then review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

Form Maker by 10Web
2026-06-15 CVSS 9.3

CVE-2026-39511

WP Photo Album Plus - unauthenticated SQL injection

CVE-2026-39511 affects WP Photo Album Plus through 9.1.08.001. WordPress sites should patch or disable the component, then review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

WP Photo Album Plus
2026-06-15 CVSS 9.3

CVE-2026-39512

GeoDirectory - unauthenticated SQL injection

CVE-2026-39512 affects GeoDirectory through 2.8.152. WordPress sites should patch or disable the component, then review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

GeoDirectory
2026-06-15 CVSS 9.3

CVE-2026-39519

GeekyBot - unauthenticated SQL injection

CVE-2026-39519 affects GeekyBot through 1.2.0. WordPress sites should patch or disable the component, then review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

GeekyBot
2026-06-15 CVSS 9.3

CVE-2026-39530

SpeakOut! Email Petitions - unauthenticated SQL injection

CVE-2026-39530 affects SpeakOut! Email Petitions through 4.6.5. WordPress sites should patch or disable the component, then review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

SpeakOut! Email Petitions
2026-06-15 CVSS 9.3

CVE-2026-40771

Contest Gallery - unauthenticated SQL injection

CVE-2026-40771 affects Contest Gallery through 28.1.6. WordPress sites should patch or disable the component, then review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

Contest Gallery
2026-06-15 CVSS 9.3

CVE-2026-40798

wpForo Forum - unauthenticated SQL injection

CVE-2026-40798 affects wpForo Forum through 3.0.4. WordPress sites should patch or disable the component, then review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

wpForo Forum
2026-06-15 CVSS 9.3

CVE-2026-42381

Funnel Builder by FunnelKit - unauthenticated SQL injection

CVE-2026-42381 affects Funnel Builder by FunnelKit through 3.15.0.1. WordPress sites should patch or disable the component, then review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

Funnel Builder by FunnelKit
2026-06-15 CVSS 9.3

CVE-2026-42386

Order Delivery Date for WooCommerce - unauthenticated SQL injection

CVE-2026-42386 affects Order Delivery Date for WooCommerce through 4.5.1. WordPress sites should patch or disable the component, then review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

Order Delivery Date for WooCommerce
2026-06-15 CVSS 9.3

CVE-2026-42639

GD Rating System - unauthenticated SQL injection

CVE-2026-42639 affects GD Rating System through 3.6.2. WordPress sites should patch or disable the component, then review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

GD Rating System
2026-06-15 CVSS 9.3

CVE-2026-42665

WP Data Access - unauthenticated SQL injection

CVE-2026-42665 affects WP Data Access through 5.5.70. WordPress sites should patch or disable the component, then review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

WP Data Access
2026-06-15 CVSS 9.3

CVE-2026-45439

Realtyna Organic IDX - unauthenticated SQL injection

CVE-2026-45439 affects Realtyna Organic IDX through 5.1.0. WordPress sites should patch or disable the component, then review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

Realtyna Organic IDX
2026-06-15 CVSS 9.3

CVE-2026-48886

JS Help Desk - unauthenticated SQL injection

CVE-2026-48886 affects JS Help Desk through 3.0.9. WordPress sites should patch or disable the component, then review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

JS Help Desk
2026-06-15 CVSS 9.3

CVE-2026-49067

Advanced 301 and 302 Redirect - unauthenticated SQL injection

CVE-2026-49067 affects Advanced 301 and 302 Redirect through 1.6.9. WordPress sites should patch or disable the component, then review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

Advanced 301 and 302 Redirect
2026-06-15 CVSS 9.3

CVE-2026-49776

GPTranslate - unauthenticated SQL injection

CVE-2026-49776 affects GPTranslate through 2.32.6. WordPress sites should patch or disable the component, then review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

GPTranslate
2026-06-15 CVSS 9.3

CVE-2026-52693

eCommerce Product Catalog - unauthenticated SQL injection

CVE-2026-52693 affects eCommerce Product Catalog through 3.5.5. WordPress sites should patch or disable the component, then review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

eCommerce Product Catalog
2026-06-15 CVSS 9.6

CVE-2026-52703

FastDup - unauthenticated path traversal

CVE-2026-52703 affects FastDup through 2.7.2. WordPress sites should patch or disable the component, then review file access logs and unexpected downloads before closing the incident.

FastDup
2026-06-15 CVSS 9.8

CVE-2026-27053

Broadcast Live Video - unauthenticated PHP object injection

CVE-2026-27053 affects Broadcast Live Video before 7.1.3. WordPress sites should patch or disable the component, then review PHP errors, changed files, and unexpected plugin settings before closing the incident.

Broadcast Live Video
2026-06-15 CVSS 9.8

CVE-2026-34901

iControlWP - unauthenticated privilege escalation

CVE-2026-34901 affects iControlWP through 5.5.3. WordPress sites should patch or disable the component, then review new users, role changes, and administrator sessions before closing the incident.

iControlWP
2026-06-15 CVSS 9.8

CVE-2026-39583

Datalogics Ecommerce Delivery - unauthenticated privilege escalation

CVE-2026-39583 affects Datalogics Ecommerce Delivery through 2.6.62. WordPress sites should patch or disable the component, then review new users, role changes, and administrator sessions before closing the incident.

Datalogics Ecommerce Delivery
2026-06-15 CVSS 9.9

CVE-2026-39591

WP-BusinessDirectory - subscriber arbitrary file upload

CVE-2026-39591 affects WP-BusinessDirectory through 4.0.0. WordPress sites should patch or disable the component, then review upload directories, new PHP files, and web access logs before closing the incident.

WP-BusinessDirectory
2026-06-15 CVSS 10.0

CVE-2026-40772

GeekyBot - unauthenticated arbitrary file upload

CVE-2026-40772 affects GeekyBot through 1.2.2. WordPress sites should patch or disable the component, then review upload directories, new PHP files, and web access logs before closing the incident.

GeekyBot
2026-06-15 CVSS 10.0

CVE-2026-48836

Easy Invoice - unauthenticated remote code execution

CVE-2026-48836 affects Easy Invoice through 2.1.19. WordPress sites should patch or disable the component, then review changed files, cron jobs, users, and web server logs before closing the incident.

Easy Invoice
2026-06-15 CVSS 9.8

CVE-2026-49085

WP Insightly form integrations - unauthenticated PHP object injection

CVE-2026-49085 affects WP Insightly for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms through 1.1.4. WordPress sites should patch or disable the component, then review PHP errors, changed files, and unexpected plugin settings before closing the incident.

WP Insightly for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms
2026-06-15 CVSS 9.8

CVE-2026-49104

Keap and form integrations - unauthenticated PHP object injection

CVE-2026-49104 affects Integration for Keap/Infusionsoft and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms through 1.2.1. WordPress sites should patch or disable the component, then review PHP errors, changed files, and unexpected plugin settings before closing the incident.

Integration for Keap/Infusionsoft and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms
2026-06-15 CVSS 9.8

CVE-2026-49105

WP Zendesk form integrations - unauthenticated PHP object injection

CVE-2026-49105 affects WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms through 1.1.4. WordPress sites should patch or disable the component, then review PHP errors, changed files, and unexpected plugin settings before closing the incident.

WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms
2026-06-15 CVSS 9.8

CVE-2026-49106

Constant Contact and Contact Form 7 integration - unauthenticated PHP object injection

CVE-2026-49106 affects Integration for Contact Form 7 and Constant Contact through 1.1.6. WordPress sites should patch or disable the component, then review PHP errors, changed files, and unexpected plugin settings before closing the incident.

Integration for Contact Form 7 and Constant Contact
2026-06-15 CVSS 9.8

CVE-2026-49109

Salesforce and form integrations - unauthenticated PHP object injection

CVE-2026-49109 affects Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms through 1.4.3. WordPress sites should patch or disable the component, then review PHP errors, changed files, and unexpected plugin settings before closing the incident.

Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms
2026-06-15 CVSS 9.8

CVE-2026-49763

Contact Form 7 HubSpot integration - unauthenticated PHP object injection

CVE-2026-49763 affects Integration for Contact Form 7 HubSpot through 1.3.7. WordPress sites should patch or disable the component, then review PHP errors, changed files, and unexpected plugin settings before closing the incident.

Integration for Contact Form 7 HubSpot
2026-06-15 CVSS 9.8

CVE-2026-49764

RegistrationMagic - unauthenticated broken authentication

CVE-2026-49764 affects RegistrationMagic through 6.0.8.6. WordPress sites should patch or disable the component, then review new sessions, password changes, and account history before closing the incident.

RegistrationMagic
2026-06-15 CVSS 9.8

CVE-2026-49765

Mailchimp and form integrations - unauthenticated PHP object injection

CVE-2026-49765 affects Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms through 1.1.8. WordPress sites should patch or disable the component, then review PHP errors, changed files, and unexpected plugin settings before closing the incident.

Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms
2026-06-15 CVSS 9.9

CVE-2026-49766

WP User Manager - subscriber arbitrary file deletion

CVE-2026-49766 affects WP User Manager through 2.9.16. WordPress sites should patch or disable the component, then review missing plugin files, media files, and backups before closing the incident.

WP User Manager
2026-06-15 CVSS 9.8

CVE-2026-49768

Happyforms - unauthenticated PHP object injection

CVE-2026-49768 affects Happyforms through 1.26.13. WordPress sites should patch or disable the component, then review PHP errors, changed files, and unexpected plugin settings before closing the incident.

Happyforms
2026-06-15 CVSS 9.8

CVE-2026-49769

wpForo Forum - unauthenticated PHP object injection

CVE-2026-49769 affects wpForo Forum through 3.1.0. WordPress sites should patch or disable the component, then review PHP errors, changed files, and unexpected plugin settings before closing the incident.

wpForo Forum
2026-06-15 CVSS 9.8

CVE-2026-49770

WP Travel Engine - unauthenticated PHP object injection

CVE-2026-49770 affects WP Travel Engine through 6.7.12. WordPress sites should patch or disable the component, then review PHP errors, changed files, and unexpected plugin settings before closing the incident.

WP Travel Engine
2026-06-15 CVSS 9.8

CVE-2026-49781

OttoKit - unauthenticated PHP object injection

CVE-2026-49781 affects OttoKit through 1.1.27. WordPress sites should patch or disable the component, then review PHP errors, changed files, and unexpected plugin settings before closing the incident.

OttoKit
2026-06-15 CVSS 9.8

CVE-2026-9691

ActiveCampaign and form integrations - unauthenticated PHP object injection

CVE-2026-9691 affects Integration for ActiveCampaign and Contact Form 7, WPForms, Elementor, Ninja Forms through 1.1.1. WordPress sites should patch or disable the component, then review PHP errors, changed files, and unexpected plugin settings before closing the incident.

Integration for ActiveCampaign and Contact Form 7, WPForms, Elementor, Ninja Forms
2026-06-15 CVSS 7.5

CVE-2026-12204

ShopXO - unauthenticated scheduled task endpoint authorization bypass

CVE-2026-12204 affects ShopXO up to 6.7.1 in app/api/controller/Crontab.php. Stores should restrict scheduled task endpoints, review order/payment state changes, and preserve logs before cleanup.

ShopXO Public PoC
2026-06-15 CVSS 9.8

CVE-2026-48114

Metacat 2.x - unauthenticated SQL injection

CVE-2026-48114 affects Metacat 2.x through 2.19.1 in the harvester registration path. Operators should upgrade to Metacat 3.x, restrict legacy servlet exposure, and review PostgreSQL and repository logs.

Metacat Public PoC
2026-06-15 CVSS 9.3

CVE-2026-49952

Discuz! X5.0 - authentication bypass in backup/restore boundary

CVE-2026-49952 affects Discuz! X5.0 releases 20260320 through 20260501. Forum operators should upgrade to 20260510 or newer, restrict administrative paths, and review database backup and restore activity.

Discuz! X5.0 Public PoC
2026-06-15 CVSS 8.6

CVE-2026-49954

Discuz! X5.0 - administrator plugin local file inclusion

CVE-2026-49954 affects Discuz! X5.0 releases 20260320 through 20260610, with older X3.4 and X3.5 releases possibly affected. Operators should restrict administrator access, review plugin imports, and watch for unexpected PHP files.

Discuz! X5.0
2026-06-15 CVSS 7.1

CVE-2026-52719

GStreamer gst-plugins-bad - VA JPEG out-of-bounds read

CVE-2026-52719 affects the VA JPEG decoder in GStreamer gst-plugins-bad before 1.28.4. Systems that parse untrusted media should update packages and review crashes from media thumbnailing or ingestion jobs.

GStreamer gst-plugins-bad
2026-06-15 CVSS 8.8

CVE-2026-52720

GStreamer librfb - heap overflow in RFB/VNC client handling

CVE-2026-52720 affects GStreamer's librfb RFB/VNC client handling. Hosts that connect to untrusted VNC/RFB sources or process remote media streams should update packages and review crashes or unusual client-side failures.

GStreamer librfb
2026-06-15 CVSS 7.1

CVE-2026-52722

GStreamer VMnc decoder - signed integer overflow

CVE-2026-52722 affects GStreamer's VMnc decoder. Systems that index, preview, transcode, or open untrusted media should update packages and review application crashes, thumbnailer failures, and desktop media logs.

GStreamer VMnc decoder
2026-06-15 CVSS 6.5

CVE-2026-20262

Cisco Catalyst SD-WAN Manager - authenticated arbitrary file write

CVE-2026-20262 affects Cisco Catalyst SD-WAN Manager web UI upload handling. The reported path requires valid low-privilege credentials but can create or overwrite files, so exposed management planes need patching and account review.

Cisco Catalyst SD-WAN Manager CISA KEV Active Exploit Public PoC
2026-06-15 CVSS 10.0

CVE-2026-52704

WooCommerce PDF Invoice Builder - remote code inclusion risk

CVE-2026-52704 affects WooCommerce PDF Invoice Builder through 2.0.8. Stores should disable or patch the plugin, review generated invoice files and templates, and check administrator activity before reopening payments.

WooCommerce PDF Invoice Builder
2026-06-15 CVSS 8.8

CVE-2016-20071

404 Redirection Manager - unauthenticated SQL injection

CVE-2016-20071 affects the 404 Redirection Manager plugin version 1.0. WordPress sites still carrying the old plugin should remove it, check redirect tables, and preserve database logs if unusual requests appear.

404 Redirection Manager Public PoC
2026-06-15 CVSS 8.8

CVE-2026-49062

Faust.Js - password recovery authentication bypass

CVE-2026-49062 affects WP Engine Faust.Js through 1.8.7. Headless WordPress sites should patch, then review password recovery emails, reset tokens, and administrator session history.

Faust.Js
2026-06-15 CVSS 8.8

CVE-2026-49111

Masteriyo LMS - privilege escalation risk

CVE-2026-49111 affects Masteriyo - LMS through 2.2.0. Sites should patch, then compare WordPress roles, LMS instructors, course managers, and recent role changes.

Masteriyo - LMS
2026-06-15 CVSS 8.7

CVE-2016-20076

Simple-Backup - arbitrary file delete and download

CVE-2016-20076 affects Simple-Backup 2.7.11. Old WordPress sites should remove the plugin, review backup directories, and check whether sensitive files were downloaded or deleted.

Simple-Backup Public PoC
2026-06-15 CVSS 8.7

CVE-2016-20081

HB Audio Gallery Lite - path traversal file download

CVE-2016-20081 affects HB Audio Gallery Lite 1.0.0. Sites should remove the abandoned plugin and inspect access logs for file reads outside the intended audio gallery.

HB Audio Gallery Lite Public PoC
2026-06-15 CVSS 8.7

CVE-2018-25437

CherryFramework Themes - backup archive disclosure

CVE-2018-25437 affects CherryFramework Themes 3.1.4. Review whether theme backup archives are publicly reachable, remove exposed archives, and check access logs before rotating secrets.

CherryFramework Themes Public PoC
2026-06-15 CVSS 7.5

CVE-2026-49064

GetPaid - sensitive information exposure

CVE-2026-49064 affects GetPaid through 2.8.49. Payment sites should patch, clear caches, and review whether invoice, customer, or payment-related data was exposed in sent responses.

GetPaid
2026-06-15 CVSS 6.9

CVE-2016-20078

IMDb Profile Widget - local file inclusion

CVE-2016-20078 affects IMDb Profile Widget 1.0.8. Sites should remove the legacy plugin and inspect logs for suspicious file reads before deciding whether to rotate credentials.

IMDb Profile Widget Public PoC
2026-06-15 CVSS 6.9

CVE-2016-20080

Brandfolder - local and remote file inclusion

CVE-2016-20080 affects the Brandfolder WordPress plugin through 3.0. Remove the plugin, review file inclusion indicators, and verify no unexpected PHP files or credentials were exposed.

Brandfolder Public PoC
2026-06-15 CVSS 9.3

CVE-2026-5482

Responsive FileManager - unrestricted file upload to RCE risk

CVE-2026-5482 affects Tecrail Responsive FileManager through 9.14.0. The project was reported as unmaintained at assignment time, so exposed deployments should be removed or isolated and upload directories reviewed.

Responsive FileManager Public PoC
2026-06-15 CVSS 7.5

CVE-2026-5079

multer - denial of service via deeply nested field names

CVE-2026-5079 affects multer upload parsing when deeply nested multipart field names are accepted. Node.js services should update from the affected multer line, enforce upload limits, and monitor upload endpoints for memory pressure.

multer Public PoC
2026-06-14 CVSS 8.5

CVE-2026-54420

LiteSpeed cPanel Plugin - shared hosting privilege escalation risk

CVE-2026-54420 affects LiteSpeed cPanel user-end plugin deployments before 2.4.8, including bundled WHM Plugin deployments before the fixed 5.3.2.1 line. Shared hosts using CloudLinux/CageFS should patch and review cPanel logs because the vendor reported active exploitation.

LiteSpeed cPanel Plugin Active Exploit Public PoC
2026-06-13 CVSS 7.5

CVE-2026-9848

WP Ticket - unauthenticated SQL injection via WordPress search

CVE-2026-9848 affects the WP Ticket plugin through 6.0.4. Sites using WP Ticket should update to 6.0.5 or newer, then review support-ticket searches, database errors, and unusual front-end search traffic.

WP Ticket
2026-06-13 CVSS 7.2

CVE-2026-9109

GPTranslate - unauthenticated stored XSS in translation storage

CVE-2026-9109 affects GPTranslate through 2.31. Sites using the plugin should update to 2.32 or newer, clear page cache, and review recently translated public pages for unexpected script-like content.

GPTranslate
2026-06-13 CVSS 7.2

CVE-2026-5513

Bookly - unauthenticated stored XSS via remembered customer name

CVE-2026-5513 affects Bookly through 27.2 when the setting to remember personal information in cookies is enabled. Sites using Bookly should update to 27.3 or newer, clear cache, and review appointment/customer entries opened by logged-in staff after disclosure.

Bookly Public PoC
2026-06-13 CVSS 9.8

CVE-2026-12183

BUK TS-G - authentication weakness in system configuration handling

CVE-2026-12183 affects BUK TS-G Gas Station Automation System 2.9.1 through 2.10.2 on Linux. Treat exposed panels as high risk, restrict access to trusted networks, patch, and review system configuration or administrative changes.

BUK TS-G Gas Station Automation System Public PoC
2026-06-13 CVSS 7.6

CVE-2026-6428

Koha - SQL injection risk in catalogue report handling

CVE-2026-6428 affects Koha catalogue report handling when a staff account has Reports permission on vulnerable branches. Upgrade to the fixed Koha branch, review report exports and database errors, and remove unnecessary Reports access.

Koha Public PoC
2026-06-13 CVSS 6.4

CVE-2026-11769

Grafana Operator - jsonnet dashboard service account exposure

CVE-2026-11769 affects Grafana Operator versions 5.23 and earlier. Upgrade to 5.24.0 or newer, review users who can create GrafanaDashboard or GrafanaLibraryPanel resources, and check operator service account exposure.

Grafana Operator
2026-06-12 CVSS 8.0

CVE-2026-44168

MariaDB Server - branch-level server vulnerability

CVE-2026-44168 affects supported MariaDB branches including 10.6, 10.11, 11.4, and 11.8 lines. Confirm the exact server branch, patch to the fixed release, and review database errors or restarts.

MariaDB Server
2026-06-12 CVSS 6.3

CVE-2026-44170

MariaDB Server - lower-severity branch advisory

CVE-2026-44170 affects MariaDB Server branches tracked in the June 2026 advisory batch. Patch the deployed branch and review logs before closing the maintenance window.

MariaDB Server
2026-06-12 CVSS 6.9

CVE-2026-44172

MariaDB Server - mysql_real_escape_string edge case

CVE-2026-44172 affects MariaDB client/server behavior around escaped input in specific versions. Patch the affected branch and review applications that build SQL from user input.

MariaDB Server
2026-06-12 CVSS 8.0

CVE-2026-48163

MariaDB Server - June 2026 high-severity advisory

CVE-2026-48163 affects MariaDB Server versions in the 10.6, 10.11, 11.4, and 11.8 lines. Confirm the running branch, patch, and review service health after restart.

MariaDB Server
2026-06-12 CVSS 8.0

CVE-2026-48165

MariaDB Server - June 2026 high-severity advisory

CVE-2026-48165 affects MariaDB Server versions in the June 2026 advisory batch. Patch the deployed branch and review database logs and failover events.

MariaDB Server
2026-06-12 CVSS 8.1

CVE-2026-44249

Netty handler - IPv6 subnet rule bypass

Netty handler before 4.1.135.Final and 4.2.15.Final can mishandle IPv6 subnet filter rules. Review Java services that rely on Netty IP filtering and update the dependency lock.

Netty Public PoC
2026-06-12 CVSS 7.5

CVE-2026-44893

Netty HAProxy codec - malformed TLV memory leak

Netty HAProxy PROXY protocol v2 parsing before 4.1.135.Final and 4.2.15.Final can trigger memory pressure. Patch services using HAProxyMessageDecoder and review direct-memory alerts.

Netty Public PoC
2026-06-12 CVSS 7.5

CVE-2026-44894

Netty QUIC - token validation amplification risk

Netty QUIC handling before 4.2.15.Final can treat unexpected tokens as valid in a way that changes amplification behavior. Patch HTTP/3 services and review edge traffic.

Netty Public PoC
2026-06-12 CVSS 7.5

CVE-2026-45416

Netty TLS ClientHello handling - memory exhaustion

Netty TLS ClientHello handling before 4.1.135.Final and 4.2.15.Final can allocate excessive memory in affected handlers. Patch SNI/TLS gateway services.

Netty Public PoC
2026-06-12 CVSS 6.8

CVE-2026-45673

Netty DNS resolver - predictable query entropy

Netty DNS resolver before 4.1.135.Final and 4.2.15.Final can use weak DNS query entropy. Patch resolver users and review cache poisoning exposure.

Netty Public PoC
2026-06-12 CVSS 8.7

CVE-2026-45674

Netty DNS resolver - CNAME bailiwick validation issue

Netty DNS resolver before 4.1.135.Final and 4.2.15.Final can mishandle CNAME bailiwick validation. Patch Java services using Netty DNS.

Netty Public PoC
2026-06-12 CVSS 7.5

CVE-2026-46340

Netty SCTP transport - fragment memory growth

Netty SCTP transport before 4.1.135.Final and 4.2.15.Final can accumulate fragments without safe bounds. Patch services using netty-transport-sctp.

Netty Public PoC
2026-06-12 CVSS 8.7

CVE-2026-47691

Netty DNS resolver - NS record bailiwick validation issue

Netty DNS resolver before 4.1.135.Final and 4.2.15.Final can insufficiently validate NS record bailiwick. Patch resolver users and monitor DNS behavior.

Netty Public PoC
2026-06-12 CVSS 8.7

CVE-2026-48006

Netty Redis aggregator - direct-memory leak

Netty RedisArrayAggregator before 4.1.135.Final and 4.2.15.Final can leak pooled direct-memory buffers when Redis pipeline connections close mid-aggregate.

Netty Public PoC
2026-06-12 CVSS 5.3

CVE-2026-48043

Netty HTTP/2 decompression - resource leak

Netty HTTP/2 decompression handling before 4.1.135.Final and 4.2.15.Final can leak resources in affected flow-controller paths. Patch gateway services.

Netty Public PoC
2026-06-12 CVSS 8.7

CVE-2026-48059

Netty HAProxy codec - nested TLV memory leak

Netty HAProxy PROXY protocol v2 codec before 4.1.135.Final and 4.2.15.Final can leak memory on nested TLV handling. Patch and review gateway memory alerts.

Netty Public PoC
2026-06-12 CVSS 7.5

CVE-2026-48748

Netty HTTP/3 codec - blocked streams memory exhaustion

Netty HTTP/3 codec before 4.2.15.Final can exhaust memory through blocked stream handling. Patch HTTP/3 gateways and review OOM events.

Netty Public PoC
2026-06-12 CVSS 7.5

CVE-2026-50010

Netty TLS trust manager - hostname verification gap

Netty before 4.1.135.Final and 4.2.15.Final can lose hostname verification in specific trust-manager wrapping paths. Review custom trust managers and patch.

Netty Public PoC
2026-06-12 CVSS 7.5

CVE-2026-50011

Netty Redis aggregator - unbounded allocation

Netty RedisArrayAggregator before 4.1.135.Final and 4.2.15.Final can allocate excessive memory from attacker-controlled RESP array counts.

Netty Public PoC
2026-06-12 CVSS 6.9

CVE-2026-50560

Netty HTTP/2 header settings - resource pressure

Netty HTTP/2 max-header handling before 4.1.135.Final and 4.2.15.Final can create resource pressure similar to rapid reset patterns.

Netty Public PoC
2026-06-12 CVSS 5.3

CVE-2026-47244

Netty HTTP/2 streams - missing default concurrent stream cap

Netty HTTP/2 server defaults before 4.1.135.Final and 4.2.15.Final can allow excessive concurrent stream object growth when not explicitly capped.

Netty Public PoC
2026-06-12 CVSS 10.0

CVE-2026-47131

vm2 - sandbox escape via host TypeError exposure

CVE-2026-47131 affects vm2 before 3.11.4. Services that run untrusted JavaScript should upgrade, isolate sandbox workers, and review logs for unexpected outbound access or worker failures.

vm2 Public PoC
2026-06-12 CVSS 8.7

CVE-2026-47135

vm2 - cross-realm Symbol isolation weakness

CVE-2026-47135 affects vm2 before 3.11.4. Services that run untrusted JavaScript should upgrade, isolate sandbox workers, and review logs for unexpected outbound access or worker failures.

vm2 Public PoC
2026-06-12 CVSS 10.0

CVE-2026-47137

vm2 - NodeVM require guard bypass

CVE-2026-47137 affects vm2 before 3.11.4. Services that run untrusted JavaScript should upgrade, isolate sandbox workers, and review logs for unexpected outbound access or worker failures.

vm2 Public PoC
2026-06-12 CVSS 8.6

CVE-2026-47139

vm2 - network builtin restriction bypass

CVE-2026-47139 affects vm2 before 3.11.4. Services that run untrusted JavaScript should upgrade, isolate sandbox workers, and review logs for unexpected outbound access or worker failures.

vm2 Public PoC
2026-06-12 CVSS 10.0

CVE-2026-47140

vm2 - dangerous builtin denylist gap

CVE-2026-47140 affects vm2 before 3.11.4. Services that run untrusted JavaScript should upgrade, isolate sandbox workers, and review logs for unexpected outbound access or worker failures.

vm2 Public PoC
2026-06-12 CVSS 6.9

CVE-2026-47141

vm2 - observability builtin data exposure

CVE-2026-47141 affects vm2 before 3.11.4. Services that run untrusted JavaScript should upgrade, isolate sandbox workers, and review logs for unexpected outbound access or worker failures.

vm2 Public PoC
2026-06-12 CVSS 10.0

CVE-2026-47208

vm2 - sandbox breakout vulnerability

CVE-2026-47208 affects vm2 before 3.11.4. Services that run untrusted JavaScript should upgrade, isolate sandbox workers, and review logs for unexpected outbound access or worker failures.

vm2 Public PoC
2026-06-12 CVSS 8.6

CVE-2026-47209

vm2 - proxy set trap isolation weakness

CVE-2026-47209 affects vm2 before 3.11.4. Services that run untrusted JavaScript should upgrade, isolate sandbox workers, and review logs for unexpected outbound access or worker failures.

vm2 Public PoC
2026-06-12 CVSS 9.8

CVE-2026-47210

vm2 - async sandbox escape with WebAssembly JSPI

CVE-2026-47210 affects vm2 before 3.11.4. Services that run untrusted JavaScript should upgrade, isolate sandbox workers, and review logs for unexpected outbound access or worker failures.

vm2 Public PoC
2026-06-12 CVSS 6.5

CVE-2026-50623

Apache CXF - OAuth2 token introspection authentication bypass

CVE-2026-50623 affects Apache CXF deployments in the June 2026 advisory batch. Check OAuth2, JMS/JCA, JWS JSON, or attachment handling depending on the module in use, then upgrade to 4.2.2 or 4.1.7.

Apache CXF
2026-06-12 CVSS 8.2

CVE-2026-50629

Apache CXF - OAuth2 clientId log injection

CVE-2026-50629 affects Apache CXF deployments in the June 2026 advisory batch. Check OAuth2, JMS/JCA, JWS JSON, or attachment handling depending on the module in use, then upgrade to 4.2.2 or 4.1.7.

Apache CXF
2026-06-12 CVSS 7.4

CVE-2026-50631

Apache CXF - refresh-token single-use race condition

CVE-2026-50631 affects Apache CXF deployments in the June 2026 advisory batch. Check OAuth2, JMS/JCA, JWS JSON, or attachment handling depending on the module in use, then upgrade to 4.2.2 or 4.1.7.

Apache CXF
2026-06-12 CVSS 9.8

CVE-2026-50632

Apache CXF - incomplete JMS RCE fix

CVE-2026-50632 affects Apache CXF deployments in the June 2026 advisory batch. Check OAuth2, JMS/JCA, JWS JSON, or attachment handling depending on the module in use, then upgrade to 4.2.2 or 4.1.7.

Apache CXF
2026-06-12 CVSS 9.8

CVE-2026-50633

Apache CXF - JCA JNDI injection

CVE-2026-50633 affects Apache CXF deployments in the June 2026 advisory batch. Check OAuth2, JMS/JCA, JWS JSON, or attachment handling depending on the module in use, then upgrade to 4.2.2 or 4.1.7.

Apache CXF
2026-06-12 CVSS 6.5

CVE-2026-50634

Apache CXF - JWS JSON metadata verification gap

CVE-2026-50634 affects Apache CXF deployments in the June 2026 advisory batch. Check OAuth2, JMS/JCA, JWS JSON, or attachment handling depending on the module in use, then upgrade to 4.2.2 or 4.1.7.

Apache CXF
2026-06-12 CVSS 7.5

CVE-2026-50645

Apache CXF - attachment header resource exhaustion

CVE-2026-50645 affects Apache CXF deployments in the June 2026 advisory batch. Check OAuth2, JMS/JCA, JWS JSON, or attachment handling depending on the module in use, then upgrade to 4.2.2 or 4.1.7.

Apache CXF
2026-06-12 CVSS 9.3

CVE-2026-44990

ApostropheCMS / sanitize-html - sanitizer bypass stored XSS

CVE-2026-44990 affects ApostropheCMS or a common dependency path in June 2026. Check package versions, trusted base URL, editor content, outbound fetch behavior, and password reset events.

ApostropheCMS Public PoC
2026-06-12 CVSS 7.3

CVE-2026-45011

ApostropheCMS - image widget stored XSS

CVE-2026-45011 affects ApostropheCMS or a common dependency path in June 2026. Check package versions, trusted base URL, editor content, outbound fetch behavior, and password reset events.

ApostropheCMS Public PoC
2026-06-12 CVSS 7.6

CVE-2026-45012

ApostropheCMS - rich-text import SSRF

CVE-2026-45012 affects ApostropheCMS or a common dependency path in June 2026. Check package versions, trusted base URL, editor content, outbound fetch behavior, and password reset events.

ApostropheCMS Public PoC
2026-06-12 CVSS 8.1

CVE-2026-45013

ApostropheCMS - password reset Host header account takeover

CVE-2026-45013 affects ApostropheCMS or a common dependency path in June 2026. Check package versions, trusted base URL, editor content, outbound fetch behavior, and password reset events.

ApostropheCMS Public PoC
2026-06-12 CVSS 3.7

CVE-2026-53607

ApostropheCMS - pretty file URL SSRF exposure

CVE-2026-53607 affects ApostropheCMS or a common dependency path in June 2026. Check package versions, trusted base URL, editor content, outbound fetch behavior, and password reset events.

ApostropheCMS Public PoC
2026-06-12 CVSS 9.1

CVE-2026-53609

ApostropheCMS - prototype pollution authorization bypass

CVE-2026-53609 affects ApostropheCMS or a common dependency path in June 2026. Check package versions, trusted base URL, editor content, outbound fetch behavior, and password reset events.

ApostropheCMS Public PoC
2026-06-12 CVSS 8.7

CVE-2026-53608

ApostropheCMS SEO package - stored XSS in tracking fields

CVE-2026-53608 affects ApostropheCMS or a common dependency path in June 2026. Check package versions, trusted base URL, editor content, outbound fetch behavior, and password reset events.

ApostropheCMS Public PoC
2026-06-12 CVSS 8.7

CVE-2026-47138

Parse Server - unauthenticated API exposure

CVE-2026-47138 affects Parse Server deployments in the June 2026 batch. Check version state, public API routes, GraphQL exposure, and server logs before closing the issue.

Parse Server
2026-06-12 CVSS 6.9

CVE-2026-47248

Parse Server - GraphQL endpoint exposure

CVE-2026-47248 affects Parse Server deployments in the June 2026 batch. Check version state, public API routes, GraphQL exposure, and server logs before closing the issue.

Parse Server
2026-06-12 CVSS 6.9

CVE-2026-50008

Parse Server - routeAllowList bypass condition

CVE-2026-50008 affects Parse Server deployments in the June 2026 batch. Check version state, public API routes, GraphQL exposure, and server logs before closing the issue.

Parse Server
2026-06-12 CVSS 6.9

CVE-2026-53726

Parse Server - relation query exposure

CVE-2026-53726 affects Parse Server deployments in the June 2026 batch. Check version state, public API routes, GraphQL exposure, and server logs before closing the issue.

Parse Server
2026-06-12 CVSS 9.8

CVE-2026-53787

Magento Amasty Order Attributes - unauthenticated arbitrary file upload

CVE-2026-53787 affects Amasty Order Attributes for Magento 2 before 4.0.0. Magento stores should patch, review upload directories, and block script execution from media paths.

Amasty Order Attributes for Magento 2
2026-06-12 CVSS 9.8

CVE-2026-54133

jmespath.php - compiler runtime code execution risk

CVE-2026-54133 affects jmespath.php before 2.9.1 when untrusted expressions reach the compiler runtime. Patch and use the non-compiler runtime for user-controlled expressions.

jmespath.php Public PoC
2026-06-12 CVSS 8.4

CVE-2026-54360

MISP - sharing group mass assignment issue

CVE-2026-54360 affects MISP sharing group creation. Operators should patch, review sharing group IDs, ownership, membership, and event visibility around the advisory window.

MISP
2026-06-12 CVSS 7.2

CVE-2026-42306

Moby Docker Engine - container networking and firewall exposure

CVE-2026-42306 affects Docker Engine and Moby daemon versions before fixed releases. Review daemon version, published container ports, and host firewall state after upgrade.

Moby / Docker Engine
2026-06-12 CVSS 9.9

CVE-2026-47365

cPanel WP Toolkit - cross-tenant command authorization bypass

CVE-2026-47365 affects WP Toolkit before 6.11.0 as used in cPanel & WHM. Hosting providers should update WP Toolkit, review account boundaries, and check recent wp-toolkit CLI activity.

cPanel WP Toolkit
2026-06-12 CVSS 9.1

CVE-2026-9067

Schema & Structured Data for WP & AMP - arbitrary media upload

CVE-2026-9067 affects Schema & Structured Data for WP & AMP before 1.60. WordPress sites should update the plugin, review media uploads, and check for unexpected files under wp-content/uploads.

Schema & Structured Data for WP & AMP
2026-06-12 CVSS 8.8

CVE-2026-47342

Apache OFBiz - privilege escalation before 24.09.07

CVE-2026-47342 affects Apache OFBiz versions before 24.09.07. Upgrade to the fixed release and review low-privilege users, role changes, and recent administrative actions.

Apache OFBiz
2026-06-12 CVSS 7.5

CVE-2026-44892

Netty HTTP/3 - unbounded header memory pressure

CVE-2026-44892 affects Netty HTTP/3 handling when header size is not bounded. Java services using netty-codec-http3 should update and review memory alerts and HTTP/3 gateway restarts.

Netty
2026-06-12 CVSS 7.6

CVE-2026-41003

Spring Security - SAML relying-party registration exposure

CVE-2026-41003 affects Spring Security applications that render attacker-influenced SAML relying-party registration values. Review SAML configuration sources and move to fixed Spring Security releases.

Spring Security
2026-06-12 CVSS 7.5

CVE-2026-41695

Spring Data Commons - untrusted property path handling

CVE-2026-41695 affects Spring Data Commons when untrusted property path strings reach MappingContext resolution. Patch affected branches and review filter, sort, and projection inputs.

Spring Data Commons
2026-06-12 CVSS 7.5

CVE-2026-41856

Spring for GraphQL - method-security boundary issue

CVE-2026-41856 affects Spring for GraphQL controller hierarchies that rely on method-security annotations. Upgrade fixed releases and review authorization behavior around inherited controller methods.

Spring for GraphQL
2026-06-12 CVSS 5.5

CVE-2026-12066

PbootCMS - password recovery exposure

CVE-2026-12066 affects PbootCMS up to 3.2.12 in the member password recovery flow. Review exposed member recovery pages, account changes, admin logins, and vendor patch status.

PbootCMS Public PoC
2026-06-12 CVSS 8.8

CVE-2026-11933

MongoDB Server - server-side JavaScript engine use-after-free

CVE-2026-11933 affects MongoDB Server when an authenticated reader can run server-side JavaScript. Review $where and $function usage, disable server-side scripting where possible, and patch affected server lines.

MongoDB Server
2026-06-12 CVSS 6.5

CVE-2026-12131

CodeAstro HRMS - SQL injection in payroll invoice handling

CVE-2026-12131 affects CodeAstro Human Resource Management System 1.0 in payroll invoice handling. Confirm whether HRMS is deployed, restrict the payroll module, patch, and review invoice and database logs.

CodeAstro Human Resource Management System Public PoC
2026-06-11 CVSS 10.0

CVE-2026-10520

Ivanti Sentry - unauthenticated root-level command injection

CVE-2026-10520 affects Ivanti Sentry and was added to CISA KEV on 2026-06-11. Confirm version state, restrict management access, patch, and review appliance logs and unexpected accounts.

Ivanti Sentry CISA KEV Active Exploit
2026-06-11 CVSS 9.9

CVE-2026-10523

Ivanti Sentry - unauthenticated administrative account creation

CVE-2026-10523 affects Ivanti Sentry and can allow unauthorized administrative account creation. Patch first, then review admin users, MFA state, login history, and configuration changes.

Ivanti Sentry
2026-06-11 CVSS 9.8

CVE-2026-11561

Apinizer - expression language injection leading to code injection

CVE-2026-11561 affects Apinizer 2026.04.0 before 2026.04.6. API gateway owners should identify exposed Apinizer nodes, upgrade to a fixed release, and review gateway logs, admin activity, and policy changes.

Apinizer
2026-06-11 CVSS 9.8

CVE-2026-45060

ClipBucket v5 - unauthenticated SQL injection in video progress handling

CVE-2026-45060 affects ClipBucket v5 before 5.5.3 #129. Public video-sharing installs should patch, review anonymous video progress traffic, database access logs, and unexpected admin or media changes.

ClipBucket v5 Public PoC
2026-06-11 CVSS 8.8

CVE-2026-45418

ClipBucket v5 - authenticated SQL injection in subtitle editing

CVE-2026-45418 affects ClipBucket v5 before 5.5.3 #132 when users can upload videos and edit subtitles. Review uploader accounts, subtitle changes, database logs, and media admin actions.

ClipBucket v5 Public PoC
2026-06-11 CVSS 6.5

CVE-2026-47238

ClipBucket v5 - subtitle authorization weakness

CVE-2026-47238 is a medium-severity ClipBucket v5 authorization issue around subtitle management. Track it with the ClipBucket 5.5.3 patch set and review subtitle edit/delete history.

ClipBucket v5 Public PoC
2026-06-11 CVSS 9.8

CVE-2026-49060

Hippoo Mobile App for WooCommerce - privilege escalation

CVE-2026-49060 affects Hippoo Mobile App for WooCommerce through 1.9.4. Store owners should patch, review administrator and shop manager accounts, mobile app API activity, and recent order-setting changes.

Hippoo Mobile App for WooCommerce
2026-06-11 CVSS 9.3

CVE-2026-39494

Product Filter by WBW - blind SQL injection

CVE-2026-39494 affects Product Filter by WBW through 3.1.2. WooCommerce stores should patch, review filter traffic, database errors, and unusual product catalog queries.

Product Filter by WBW
2026-06-11 CVSS 9.3

CVE-2026-42647

JoomSport - blind SQL injection

CVE-2026-42647 affects JoomSport through 5.7.7. Site owners should patch, review league-management traffic, database logs, and editor/admin activity.

JoomSport
2026-06-11 CVSS 7.1

CVE-2026-42653

SliceWP - stored XSS

CVE-2026-42653 affects SliceWP through 1.2.6. Review affiliate dashboards, administrator sessions, payout settings, and plugin update state.

SliceWP
2026-06-11 CVSS 10.0

CVE-2026-49261

MariaDB Galera - wsrep_notify_cmd command handling risk

CVE-2026-49261 affects MariaDB Galera deployments with wsrep_notify_cmd enabled on vulnerable versions. Patch to fixed MariaDB lines or disable the setting, then review node-join and service logs.

MariaDB Server Public PoC
2026-06-11 CVSS 7.5

CVE-2026-44250

Netty codec-redis - nested array memory exhaustion

CVE-2026-44250 affects netty-codec-redis before 4.1.135.Final and 4.2.15.Final. Java services that parse Redis protocol traffic should patch and review memory alerts.

Netty Public PoC
2026-06-11 CVSS 7.5

CVE-2026-44890

Netty codec-redis - direct memory exhaustion

CVE-2026-44890 affects netty-codec-redis before 4.1.135.Final and 4.2.15.Final. Patch exposed services and review direct-memory pressure and Redis protocol gateway logs.

Netty Public PoC
2026-06-11 CVSS 9.5

CVE-2026-47172

Quest Bot - privileged deploy workflow exposure

CVE-2026-47172 affects Quest Bot before 1.0.3. Review GitHub Actions workflows that promote pull-request builds into privileged Docker deployment jobs.

Quest Bot Public PoC
2026-06-11 CVSS 9.5

CVE-2026-47174

Duck Site - privileged deploy workflow exposure

CVE-2026-47174 affects Duck Site before 1.0.1. Review build-to-deploy workflow boundaries, package-write permissions, and production image publishing rules.

Duck Site Public PoC
2026-06-11 CVSS 8.8

CVE-2026-46519

mcp-server-kubernetes - tool restriction bypass

CVE-2026-46519 affects mcp-server-kubernetes before 3.6.0 where tool restrictions may be enforced in discovery but not execution. Patch and review connected MCP clients and Kubernetes permissions.

mcp-server-kubernetes Public PoC
2026-06-11 CVSS 8.5

CVE-2026-48546

KanaDojo - GitHub Actions sandbox escape

CVE-2026-48546 affects KanaDojo before 0.1.18. Repositories using similar issue auto-response workflows should review runner permissions, token scope, and pull-request execution paths.

KanaDojo Public PoC
2026-06-11 CVSS 8.1

CVE-2026-11816

Keras - archive extraction path traversal

CVE-2026-11816 affects Keras before 3.14.0 archive extraction utilities. ML services should patch and review dataset/model import paths, CI runners, Jupyter jobs, and container working directories.

Keras Public PoC
2026-06-11 CVSS 7.5

CVE-2026-52860

Vim - Python omni-completion execution risk

CVE-2026-52860 affects Vim before 9.2.0597 when Python omni-completion processes hostile buffers. Patch developer images and discourage completion on untrusted files until updated.

Vim Public PoC
2026-06-11 CVSS 8.7

CVE-2026-44494

Axios - Node proxy handling prototype-pollution gadget

CVE-2026-44494 affects Axios 1.0.0 before 1.16.0 when prototype pollution elsewhere can influence Node proxy handling. Patch Axios and review dependencies that can pollute object prototypes.

Axios Public PoC
2026-06-11 CVSS 8.6

CVE-2026-44492

Axios - NO_PROXY IPv4-mapped IPv6 bypass

CVE-2026-44492 affects Axios before 0.32.0 and 1.16.0 in Node proxy bypass logic. Review applications that rely on NO_PROXY for metadata services or internal hosts.

Axios Public PoC
2026-06-11 CVSS 8.2

CVE-2026-44487

Axios - Proxy-Authorization redirect credential leak

CVE-2026-44487 affects Axios Node usage with authenticated proxy flows. Patch and review services that follow redirects while using outbound proxy credentials.

Axios Public PoC
2026-06-11 CVSS 7.5

CVE-2026-44486

Axios - proxy credential leak in redirect handling

CVE-2026-44486 affects Axios Node HTTP adapter behavior around authenticated proxies and redirects. Patch and rotate proxy credentials if suspicious redirect traffic is found.

Axios Public PoC
2026-06-11 CVSS 7.5

CVE-2026-44488

Axios - fetch adapter body limit bypass

CVE-2026-44488 affects Axios 1.7.0 through 1.15.x when the fetch adapter does not enforce configured request or response body limits. Patch and review SSR/edge runtimes.

Axios Public PoC
2026-06-11 CVSS 7.5

CVE-2026-44496

Axios - XSRF cookie-name regex denial of service

CVE-2026-44496 affects Axios browser environments where a configurable XSRF cookie name can trigger expensive cookie parsing. Patch frontend bundles and shared packages.

Axios Public PoC
2026-06-11 CVSS 7.0

CVE-2026-44495

Axios - transformResponse prototype-pollution gadget

CVE-2026-44495 affects Axios versions before 0.31.1 and 1.15.2 where a polluted prototype in the same process can influence response transformation. Patch and audit prototype-pollution sources.

Axios Public PoC
2026-06-11 CVSS 7.7

CVE-2026-44705

tmp npm package - temporary path traversal

CVE-2026-44705 affects tmp before 0.2.6 when untrusted data reaches temporary file or directory options. Patch and enforce strict string allowlists around prefix, postfix, dir, and template settings.

tmp Public PoC
2026-06-11 CVSS 8.2

CVE-2026-49982

tmp npm package - non-string path option traversal

CVE-2026-49982 affects tmp 0.2.6 when non-string option values can escape the intended temp directory. Update to 0.2.7 and type-check temporary file options.

tmp Public PoC
2026-06-11 CVSS 8.7

CVE-2026-6552

GitLab EE - Group SAML identity management access control issue

CVE-2026-6552 affects GitLab EE Group SAML identity management. Self-managed GitLab owners should upgrade and review group Owner activity, SAML mappings, and recent identity changes.

GitLab EE
2026-06-11 CVSS 8.7

CVE-2026-10087

GitLab EE - Analytics Dashboard XSS

CVE-2026-10087 affects GitLab EE Analytics Dashboard. Upgrade and review developer-role users, analytics dashboard activity, and unusual browser-session events.

GitLab EE
2026-06-11 CVSS 7.5

CVE-2026-7250

GitLab CE/EE - Grape API JSON parsing denial of service

CVE-2026-7250 affects GitLab CE/EE API request parsing. Public self-managed GitLab instances should upgrade and review API error spikes and application availability metrics.

GitLab CE/EE
2026-06-11 CVSS 7.3

CVE-2026-8589

GitLab EE - group setting HTML injection

CVE-2026-8589 affects GitLab EE group setting fields. Upgrade and review group-setting changes, unexpected email additions, and high-privilege group activity.

GitLab EE
2026-06-11 CVSS 7.1

CVE-2026-8406

openSIS Classic - messaging module IDOR

CVE-2026-8406 affects openSIS Classic 9.3 messaging. School portals should patch, review sent-message access, student/staff accounts, and web logs around messaging routes.

openSIS Classic Public PoC
2026-06-11 CVSS 9.8

CVE-2026-38581

thaipalliative_lte - SQL injection in study form handling

CVE-2026-38581 affects thaipalliative_lte through 3.0. Operators should restrict public access, review study form traffic, database logs, and patient-data exposure before reopening.

thaipalliative_lte Public PoC
2026-06-11 CVSS 8.1

CVE-2026-10795

UpdraftPlus - UpdraftCentral remote communication authentication bypass

CVE-2026-10795 affects UpdraftPlus through 1.26.4 when the site has been connected to UpdraftCentral. Review remote communication logs, backup activity, plugin changes, and administrator accounts before treating the site as clean.

UpdraftPlus
2026-06-11 CVSS 8.2

CVE-2026-40998

Spring Web Services - Jaxp13XPathTemplate XXE via StreamSource and SAXSource

CVE-2026-40998 affects Spring Web Services applications that evaluate XPath over untrusted XML through Jaxp13XPathTemplate with StreamSource or SAXSource. Upgrade and review XML entry points.

Spring Web Services
2026-06-11 CVSS 7.1

CVE-2023-33999

WP Mail Log - DOM-based XSS

CVE-2023-33999 affects WP Mail Log through 1.0.2. Patch or remove the plugin and review whether administrators opened untrusted mail-log views while logged in.

WP Mail Log
2026-06-10 CVSS 8.8

CVE-2026-20251

Splunk Secure Gateway - unsafe deserialization remote code execution

CVE-2026-20251 affects Splunk Secure Gateway through unsafe deserialization. Confirm Splunk Enterprise and Secure Gateway versions, patch fixed releases, and review app activity and admin logs.

Splunk Secure Gateway
2026-06-10 CVSS 8.6

CVE-2026-49948

Mem0 self-hosted server - missing authorization on configuration changes

CVE-2026-49948 affects Mem0 self-hosted server versions through 0.2.8. Check exposed server instances, admin/API-key usage, LLM provider settings, embedder settings, and unexpected configuration changes.

Mem0
2026-06-10 CVSS 5.3

CVE-2026-48108

Russh - SSH identification pre-authentication resource handling

CVE-2026-48108 affects Rust services built on russh 0.34.0-beta.1 before 0.61.0. Check embedded SSH services, patch russh, and review connection limits around the pre-authentication phase.

Russh Public PoC
2026-06-10 CVSS 9.6

CVE-2026-46703

Boxlite - OCI image extraction path handling

CVE-2026-46703 affects Boxlite before 0.9.0 when untrusted OCI images are loaded into sandbox hosts. Patch and review image sources, host file changes, and sandbox runtime logs.

Boxlite Public PoC
2026-06-10 CVSS 9.6

CVE-2026-53474

migration-planner - RVTools spreadsheet SQL injection

CVE-2026-53474 affects migration-planner when uploaded RVTools spreadsheets are processed. Review import history, service account exposure, and patched build status.

migration-planner Public PoC
2026-06-10 CVSS 7.5

CVE-2026-46679

js-libp2p gossipsub - unauthenticated heap exhaustion

CVE-2026-46679 affects @libp2p/gossipsub before 15.0.23. Public peer nodes should patch and review memory alerts, peer churn, and gossipsub traffic exposure.

js-libp2p Public PoC
2026-06-10 CVSS 7.8

CVE-2026-2049

GIMP/GEGL - HDR file parsing memory corruption

CVE-2026-2049 affects GIMP/GEGL HDR file parsing. Teams processing untrusted image submissions should update workstations and automated image-processing containers.

GIMP / GEGL Public PoC
2026-06-10 CVSS 8.7

CVE-2025-71319

image-size - JXL/HEIF parser infinite loop

CVE-2025-71319 affects image-size through 2.0.2. Node.js apps that inspect untrusted JXL or HEIF uploads should patch or isolate image parsing workers.

image-size Public PoC
2026-06-10 CVSS 8.7

CVE-2025-71329

image-size - JXL/HEIF parser infinite loop variant

CVE-2025-71329 affects image-size through 2.0.2 in JXL/HEIF parsing. Review user upload pipelines, background image processors, and server-side metadata extraction.

image-size Public PoC
2026-06-10 CVSS 8.7

CVE-2025-71330

image-size - ICNS parser infinite loop

CVE-2025-71330 affects image-size through 2.0.2 in ICNS parsing. Isolate image metadata extraction when accepting untrusted uploads.

image-size Public PoC
2026-06-10 CVSS 8.8

CVE-2026-50223

Apache OFBiz - Content/DataResource template injection

CVE-2026-50223 affects Apache OFBiz before 24.09.07 when low-privileged users with Content/DataResource editing rights can reach unsafe template behavior. Patch and audit editor accounts.

Apache OFBiz
2026-06-10 CVSS 7.2

CVE-2026-25700

Apache Answer - admin token invalidation weakness

CVE-2026-25700 affects Apache Answer through 2.0.0 where administrative tokens may remain usable after account suspension, deletion, or deactivation. Upgrade and rotate admin tokens.

Apache Answer
2026-06-10 CVSS 8.8

CVE-2026-49498

Ghidra - PostgreSQL password-change SQL injection

CVE-2026-49498 affects Ghidra 11.0 before 12.1 in PostgreSQL-backed password-change handling. Patch shared Ghidra servers and review database roles and account changes.

Ghidra Public PoC
2026-06-10 CVSS 8.8

CVE-2026-52758

Ghidra BSim - PostgreSQL SQL injection

CVE-2026-52758 affects Ghidra before 12.1 in BSim database query handling. Shared reverse-engineering environments should patch and review PostgreSQL audit logs.

Ghidra Public PoC
2026-06-10 CVSS 7.3

CVE-2026-9758

S2OPC - trusted certificate comparison weakness

CVE-2026-9758 affects S2OPC certificate trust comparison. OPC UA operators should patch, rebuild trust lists, and review certificate enrollment and connection logs.

S2OPC
2026-06-10 CVSS 8.8

CVE-2026-53435

Jenkins - deserialization vulnerability in config.xml handling

CVE-2026-53435 affects Jenkins weekly through 2.567 and LTS through 2.555.2. Review users with read and configure-style permissions, config.xml changes, credentials, and Script Console activity.

Jenkins
2026-06-10 CVSS 9.8

CVE-2026-20253

Splunk - unauthenticated PostgreSQL sidecar file operation exposure

CVE-2026-20253 affects some Splunk Enterprise and Splunk Cloud Platform versions where a PostgreSQL sidecar service endpoint lacks authentication controls. Patch and review service exposure, file changes, apps, and admin activity.

Splunk
2026-06-10 CVSS 8.4

CVE-2026-10721

Concrete CMS - PHP object injection in permission, cache, and search components

CVE-2026-10721 affects Concrete CMS before 9.5.2 through unsafe serialized data paths. Check the running CMS version, recent cache or permission errors, and patch the site.

Concrete CMS
2026-06-10 CVSS 9.8

CVE-2026-38615

DedeCMS - command execution in file management code

CVE-2026-38615 affects DedeCMS V5.7.118 file management code. Legacy public installs should be removed or patched, and operators should review file manager activity, upload directories, and unexpected PHP files.

DedeCMS Public PoC
2026-06-10 CVSS 8.1

CVE-2026-45062

FrankenPHP - PHP script routing confusion with non-ASCII paths

CVE-2026-45062 affects FrankenPHP 1.11.2 through 1.12.2 when user-controlled files can be routed as PHP scripts. Upgrade to 1.12.3 and review upload, media, and file-sharing paths.

FrankenPHP Public PoC
2026-06-10 CVSS 7.5

CVE-2026-46643

KnpLabs Snappy - binary path shell escaping regression

CVE-2026-46643 affects KnpLabs Snappy before 1.7.1 when the wkhtmltopdf or wkhtmltoimage binary path can be influenced by user or environment data. Patch and pin trusted binary paths.

KnpLabs Snappy Public PoC
2026-06-10 CVSS 6.9

CVE-2026-46683

KnpLabs Snappy - SSRF and local file read via stylesheet option

CVE-2026-46683 affects KnpLabs Snappy before 1.7.0 when PDF or image generation can be influenced by untrusted stylesheet options. Patch Snappy and restrict outbound access from rendering workers.

KnpLabs Snappy Public PoC
2026-06-10 CVSS 9.8

CVE-2025-6254

Doctreat Core - unauthenticated administrator registration

CVE-2025-6254 affects Doctreat Core through 1.6.8 and can allow unauthenticated administrator registration. Review new admins, registration logs, role changes, and plugin version.

Doctreat Core
2026-06-10 CVSS 7.5

CVE-2026-3018

Newsletters - unauthenticated SQL injection

CVE-2026-3018 affects the Newsletters WordPress plugin through 4.13. Review subscriber actions, access logs, database errors, and patch before relying on firewall filtering.

Newsletters
2026-06-10 CVSS 7.1

CVE-2026-49069

WPZOOM Portfolio - reflected XSS

CVE-2026-49069 affects WPZOOM Portfolio through 1.4.21. Patch and review admin-session exposure if editors or administrators opened untrusted links while logged in.

WPZOOM Portfolio
2026-06-10 CVSS 9.9

CVE-2026-45552

Roxy-WI - cross-tenant authorization bypass in install workflows

CVE-2026-45552 affects Roxy-WI install and exporter workflows. Review panel exposure, guest or low-privilege users, stored SSH credentials, and recent infrastructure changes.

Roxy-WI Public PoC
2026-06-10 CVSS 9.9

CVE-2026-45556

Roxy-WI - WAF configuration path handling issue

CVE-2026-45556 affects Roxy-WI WAF configuration save paths. Operators should restrict the panel, preserve logs, and review load balancer config, cron, and service changes.

Roxy-WI Public PoC
2026-06-10 CVSS 9.9

CVE-2026-45558

Roxy-WI - HAProxy generated configuration injection risk

CVE-2026-45558 affects Roxy-WI HAProxy configuration generation. Review HAProxy section changes, reload history, panel accounts, and managed server ownership.

Roxy-WI Public PoC
2026-06-10 CVSS 9.1

CVE-2026-45550

Roxy-WI - monitoring check cross-tenant update issue

CVE-2026-45550 affects Roxy-WI monitoring check update paths. Multi-tenant operators should review check ownership, recent changes, and user group boundaries.

Roxy-WI Public PoC
2026-06-10 CVSS 8.8

CVE-2026-45564

Roxy-WI - config version restore command injection risk

CVE-2026-45564 affects Roxy-WI configuration version restore paths. Review config restore events, service reloads, and shell command traces on managed hosts.

Roxy-WI Public PoC
2026-06-10 CVSS 8.5

CVE-2026-45549

Roxy-WI - monitoring agent action authorization bypass

CVE-2026-45549 affects Roxy-WI monitoring agent actions. Review who can start, stop, or restart agents and compare service restart times against panel logs.

Roxy-WI Public PoC
2026-06-10 CVSS 8.3

CVE-2026-45567

Roxy-WI - API-style authentication bypass condition

CVE-2026-45567 affects Roxy-WI authentication handling around API-style paths. Place the panel behind a trusted network and review access logs for unexpected API activity.

Roxy-WI Public PoC
2026-06-10 CVSS 8.1

CVE-2026-45565

Roxy-WI - shared input validation traversal weakness

CVE-2026-45565 affects Roxy-WI shared input validation. Review path-like inputs, changed files, and whether previous filtering rules actually blocked traversal patterns.

Roxy-WI Public PoC
2026-06-10 CVSS 8.1

CVE-2026-45569

Roxy-WI - incomplete traversal validation patch

CVE-2026-45569 affects an incomplete Roxy-WI traversal validation patch. Review updated code, path containment, and any config restore or upload actions after the first patch attempt.

Roxy-WI Public PoC
2026-06-10 CVSS 9.8

CVE-2026-46614

Fission - internal function routes exposed on public router

CVE-2026-46614 affects Fission before 1.23.0 where internal function routes may be exposed through the public router listener. Review ingress, router services, and NetworkPolicy.

Fission Public PoC
2026-06-10 CVSS 6.9

CVE-2026-46618

Fission - builder command validation gap

CVE-2026-46618 affects Fission before 1.23.0 where Environment builder command settings could allow unexpected executable selection in builder pods. Review Environment CRD permissions and builder service account scope.

Fission Public PoC
2026-06-10 CVSS 9.9

CVE-2026-50545

Fission - Environment podSpec passthrough validation gap

CVE-2026-50545 affects Fission Environment podSpec handling before 1.24.0. Review who can create or update environments and whether unsafe pod fields can reach runtime or builder pods.

Fission Public PoC
2026-06-10 CVSS 9.9

CVE-2026-50563

Fission - Container Executor function podSpec privilege issue

CVE-2026-50563 affects Fission Container Executor podSpec handling before 1.24.0. Review Function spec permissions, executor service accounts, and runtime pod security.

Fission Public PoC
2026-06-10 CVSS 9.9

CVE-2026-50564

Fission - Environment CRD unsafe podSpec propagation

CVE-2026-50564 affects Fission Environment CRD podSpec propagation before 1.24.0. Review host namespace, hostPath, privileged, and service account fields in function environments.

Fission Public PoC
2026-06-10 CVSS 9.9

CVE-2026-50566

Fission - tenant function can request dangerous container settings

CVE-2026-50566 affects Fission before 1.24.0 when tenant-facing Environment or Function resources can request unsafe container settings. Review RBAC and admission webhook enforcement.

Fission Public PoC
2026-06-10 CVSS 8.8

CVE-2026-46612

Fission - unauthenticated storage service archive access

CVE-2026-46612 affects Fission before 1.23.0 storage service archive handling. Review service reachability, NetworkPolicy, and package archive access across tenants.

Fission Public PoC
2026-06-10 CVSS 8.7

CVE-2026-46617

Fission - runtime pod service account can read namespace secrets

CVE-2026-46617 affects Fission runtime pod service account permissions before 1.23.0. Review function namespace secrets, configmaps, and runtime pod token exposure.

Fission Public PoC
2026-06-10 CVSS 8.5

CVE-2026-49824

Fission - Function environment namespace validation gap

CVE-2026-49824 affects Fission before 1.24.0 where Function environment namespace validation can miss cross-namespace references. Review function specs and admission webhook behavior.

Fission Public PoC
2026-06-10 CVSS 8.5

CVE-2026-50570

Fission - incomplete container capability denylist

CVE-2026-50570 affects Fission before 1.25.0 capability validation. Review admission settings, runtime security contexts, and function or environment specs that request added Linux capabilities.

Fission Public PoC
2026-06-10 CVSS 7.7

CVE-2026-49821

Fission - Package environment namespace validation gap

CVE-2026-49821 affects Fission before 1.24.0 package environment namespace validation. Review Package specs, builder behavior, and cross-namespace references.

Fission Public PoC
2026-06-10 CVSS 7.7

CVE-2026-49822

Fission - KubernetesWatchTrigger cross-namespace surveillance risk

CVE-2026-49822 affects Fission before 1.24.0 KubernetesWatchTrigger namespace boundaries. Review who can create KWT resources and whether watch targets cross tenant namespaces.

Fission Public PoC
2026-06-10 CVSS 7.7

CVE-2026-49823

Fission - PackageRef namespace validation gap in Function specs

CVE-2026-49823 affects Fission before 1.24.0 Function PackageRef namespace checks. Review function specs for cross-namespace package references.

Fission Public PoC
2026-06-10 CVSS 7.7

CVE-2026-50567

Fission - archive extraction path traversal

CVE-2026-50567 affects Fission archive extraction before 1.25.0. Treat package archive URLs as untrusted and review fetcher sidecar file writes and package storage.

Fission Public PoC
2026-06-10 CVSS 7.5

CVE-2026-34183

OpenSSL - QUIC PATH_CHALLENGE memory exhaustion

CVE-2026-34183 affects OpenSSL QUIC stacks where repeated PATH_CHALLENGE handling can exhaust memory. Review custom QUIC clients or servers and update affected OpenSSL branches.

OpenSSL
2026-06-10 CVSS 8.6

CVE-2026-46491

SimpleSAMLphp CAS Server - FileSystemTicketStore path traversal

CVE-2026-46491 affects simplesamlphp-module-casserver before 7.0.3 when the file-based ticket store is used and public CAS validation or proxy endpoints are reachable. Check whether FileSystemTicketStore is enabled, upgrade to 7.0.3, and review PHP filesystem permissions.

SimpleSAMLphp CAS Server Public PoC
2026-06-10 CVSS 8.1

CVE-2026-41717

Spring Data MongoDB - SpEL injection in annotated query binding

CVE-2026-41717 affects Spring Data MongoDB applications that expose annotated repository methods with capture-all placeholders to untrusted input. Upgrade affected branches and search for risky @Query or @Aggregation patterns.

Spring Data MongoDB
2026-06-10 CVSS 8.1

CVE-2026-41729

Spring Data REST - SpEL injection through JSON Patch map keys

CVE-2026-41729 affects Spring Data REST when JSON Patch reaches Map-typed persistent properties. Upgrade affected branches and restrict PATCH exposure while reviewing map-backed resources.

Spring Data REST
2026-06-10 CVSS 8.1

CVE-2026-41731

Spring for Apache Kafka - broad trusted-package deserialization

CVE-2026-41731 affects Spring for Apache Kafka header mappers where broad trusted-package matching can expose JDK classes to deserialization. Upgrade and review JsonKafkaHeaderMapper or DefaultKafkaHeaderMapper configuration.

Spring for Apache Kafka
2026-06-10 CVSS 8.1

CVE-2026-41732

Spring for Apache Pulsar - trusted-package deserialization risk

CVE-2026-41732 affects Spring for Apache Pulsar when JsonPulsarHeaderMapper trusted-package matching is too broad or empty configuration falls back to trusting all packages. Upgrade and review header mapper configuration.

Spring for Apache Pulsar
2026-06-10 CVSS 8.6

CVE-2026-53673

BuddyPress - Private message IDOR through REST API user_id

CVE-2026-53673 affects BuddyPress 14.4.0 private messaging REST API permission checks. Community and membership sites should disable private messaging if needed, review message API access, and update when a fixed release is available.

BuddyPress
2026-06-10 CVSS 7.1

CVE-2026-53674

BuddyPress - Activity mention regular expression injection

CVE-2026-53674 affects BuddyPress 14.4.0 activity mention resolution when username compatibility mode is enabled. Review community activity logs, disable risky compatibility settings if possible, and update when a fixed release is available.

BuddyPress
2026-06-09 CVSS 6.1

CVE-2026-11603

Product Filter Widget for Elementor - reflected XSS in AJAX filter handling

CVE-2026-11603 affects Product Filter Widget for Elementor through 1.0.6. Patch the plugin, clear cache, and review product filter pages opened by logged-in admins or shop managers.

Product Filter Widget for Elementor Public PoC
2026-06-09 CVSS 6.4

CVE-2026-8599

MailerPress - stored XSS in campaign admin preview

CVE-2026-8599 affects MailerPress through 2.0.4. Review author accounts, campaign HTML changes, and admin preview activity before sending newsletters.

MailerPress Public PoC
2026-06-09 CVSS 8.7

CVE-2026-9740

MongoDB Server - unauthenticated BSON validation crash

CVE-2026-9740 affects MongoDB Server BSON validation logic and can crash mongod before authentication. Public or partner-exposed MongoDB listeners should be patched and checked for unexplained restarts.

MongoDB Server
2026-06-09 CVSS 8.2

CVE-2026-9742

MongoDB Server - OIDC configuration pre-auth crash

CVE-2026-9742 affects MongoDB Server deployments with OIDC authentication enabled. Check whether OIDC is configured, patch the affected branch, and review mongod restart and authentication error logs.

MongoDB Server
2026-06-09 CVSS 7.1

CVE-2026-9741

MongoDB Server - Queryable Encryption / CSFLE literal exposure

CVE-2026-9741 affects MongoDB Server query analysis processing for Queryable Encryption or CSFLE. Review encrypted-field workloads, patch affected branches, and check logs for sensitive literal exposure.

MongoDB Server
2026-06-09 CVSS 7.1

CVE-2026-9743

MongoDB Server - aggregation cursor crash condition

CVE-2026-9743 affects MongoDB Server aggregation processing in specific cursor paths. Patch affected branches and review mongod crash, getMore, and application reconnect logs.

MongoDB Server
2026-06-09 CVSS 7.1

CVE-2026-9746

MongoDB Server - change stream / resharding crash condition

CVE-2026-9746 affects MongoDB Server change stream and resharding-related processing. Patch affected branches and review restart, change stream, and resharding alerts.

MongoDB Server
2026-06-09 CVSS 7.1

CVE-2026-9747

MongoDB Server - aggregation role metadata crash condition

CVE-2026-9747 affects MongoDB Server aggregation processing involving runtime user-role metadata. Patch affected branches and review application errors and crash alerts.

MongoDB Server
2026-06-09 CVSS 7.1

CVE-2026-9748

MongoDB Server - internal bucket index stats crash condition

CVE-2026-9748 affects MongoDB Server internal bucket index statistics processing. Patch affected branches and review index stats, crash, and restart logs.

MongoDB Server
2026-06-09 CVSS 7.1

CVE-2026-9749

MongoDB Server - internal exchange aggregation crash condition

CVE-2026-9749 affects MongoDB Server aggregation processing that uses internal exchange behavior. Patch affected branches and review crash and primary step-down alerts.

MongoDB Server
2026-06-09 CVSS 7.1

CVE-2026-9750

MongoDB Server - internal metadata crash or incorrect result condition

CVE-2026-9750 affects MongoDB Server internal metadata processing during query execution. Patch affected branches and review authenticated query workloads, crashes, and incorrect-result reports.

MongoDB Server
2026-06-09 CVSS 7.1

CVE-2026-9752

MongoDB Server - 2dsphere query crash condition

CVE-2026-9752 affects MongoDB Server geospatial query handling with 2dsphere indexes. Patch affected branches and review geospatial query errors and restart logs.

MongoDB Server
2026-06-09 CVSS 8.1

CVE-2026-9753

MongoDB Server - oplog update memory out-of-bounds condition

CVE-2026-9753 affects MongoDB Server oplog update processing and can cause memory out-of-bounds behavior or a crash. Patch affected branches and review replica set stability.

MongoDB Server
2026-06-09 CVSS 7.1

CVE-2026-9754

MongoDB Server - filemd5 limited stack-memory disclosure

CVE-2026-9754 affects MongoDB Server filemd5 command handling for authenticated read-role users. Patch affected branches and review read-only account scope.

MongoDB Server
2026-06-09 CVSS 8.8

CVE-2026-32193

Azure Kubernetes Service - path traversal

CVE-2026-32193 affects Azure Kubernetes Service. Public records describe a path traversal issue that can allow an authorized attacker to execute code locally. Review AKS update state, RBAC, node pool access, and recent cluster activity.

Azure Kubernetes Service
2026-06-09 CVSS 6.5

CVE-2026-49818

Apache Airflow Samba provider - destination path containment

CVE-2026-49818 affects the Apache Airflow Samba provider GCSToSambaOperator. Upgrade apache-airflow-providers-samba to 4.12.6 or newer, then review DAGs that transfer GCS objects to SMB destinations.

Apache Airflow Samba provider
2026-06-09 CVSS 9.8

CVE-2026-45447

OpenSSL - PKCS#7 signature verification use-after-free

CVE-2026-45447 affects applications that process PKCS#7 or S/MIME signed messages through OpenSSL PKCS#7 APIs. Upgrade OpenSSL and review applications that ingest signed email, certificate bundles, or uploaded cryptographic containers.

OpenSSL Public PoC
2026-06-09 CVSS 9.8

CVE-2026-29167

Apache HTTP Server - mod_ldap per-directory use-after-free

CVE-2026-29167 affects Apache HTTP Server 2.4.0 through 2.4.67 when mod_ldap is used in per-directory configuration. Apache rates the issue low, while NVD scores it critical. Upgrade to 2.4.68 and review LDAP-related Apache locations.

Apache HTTP Server
2026-06-09 CVSS 8.8

CVE-2026-50636

LimeSurvey - RemoteControl invite/remind SQL injection

CVE-2026-50636 affects LimeSurvey RemoteControl invite_participants and remind_participants flows when the RPC interface is enabled and a caller has token update permission. Disable RemoteControl if unused, reduce permissions, and apply the vendor fix.

LimeSurvey Public PoC
2026-06-09 CVSS 8.1

CVE-2026-7383

OpenSSL - ASN.1 multibyte string conversion overflow

CVE-2026-7383 is part of the OpenSSL 2026-06-09 advisory. Exposure is narrow and tied to direct ASN1_mbstring_copy style usage with attacker-controlled large input, but operators should still update supported OpenSSL branches.

OpenSSL Public PoC
2026-06-09 CVSS 7.5

CVE-2026-34180

OpenSSL - ASN.1 content parsing heap over-read

CVE-2026-34180 affects applications that pass attacker-supplied data into OpenSSL d2i_* decoding functions. OpenSSL command-line tools are not the main exposure; custom services that decode uploaded certificates or PKCS#7 data need review.

OpenSSL Public PoC
2026-06-09 CVSS 7.5

CVE-2026-45445

OpenSSL - AES-OCB IV handling issue on EVP_Cipher path

CVE-2026-45445 affects applications that drive AES-OCB through the lower-level OpenSSL EVP_Cipher one-shot path. TLS in OpenSSL is not affected, but custom cryptographic integrations should update and review code.

OpenSSL Public PoC
2026-06-09 CVSS 7.5

CVE-2026-9076

OpenSSL - CMS password-based decryption over-read

CVE-2026-9076 affects applications that decrypt untrusted CMS password-recipient data through OpenSSL. Services that accept encrypted CMS files or S/MIME-like input should update and review crash logs.

OpenSSL Public PoC
2026-06-09 CVSS 7.5

CVE-2026-42764

OpenSSL - QUIC server invalid token NULL dereference

CVE-2026-42764 affects OpenSSL QUIC server implementations when address validation is disabled. Default validation is enabled, so review custom QUIC listeners before treating the system as exposed.

OpenSSL Public PoC
2026-06-09 CVSS 7.5

CVE-2026-42765

OpenSSL - OCSP partial-chain verification NULL dereference

CVE-2026-42765 affects applications that enable both OCSP response checking for the whole certificate chain and partial-chain verification. These flags are off by default, but custom certificate-validation code should be checked.

OpenSSL Public PoC
2026-06-09 CVSS 7.3

CVE-2026-44186

Apache HTTP Server - mod_proxy_ftp infinite loop

CVE-2026-44186 affects Apache HTTP Server 2.4.0 through 2.4.67 when mod_proxy_ftp is used with an attacker-controlled FTP backend. Upgrade to 2.4.68 and review old FTP proxy configurations.

Apache HTTP Server
2026-06-09 CVSS 9.1

CVE-2026-42535

Apache HTTP Server - mod_dav_fs WebDAV property database manipulation

CVE-2026-42535 affects Apache HTTP Server 2.4.67 and earlier when mod_dav_fs is in use. WebDAV content authors may be able to manipulate trusted DAV property databases and trigger child process crashes. Upgrade to 2.4.68 and review DAV-enabled locations.

Apache HTTP Server
2026-06-09 CVSS 8.8

CVE-2026-11616

The Events Calendar for GeoDirectory - Subscriber privilege escalation

The Events Calendar for GeoDirectory CVE-2026-11616 can let a low-privilege WordPress account alter role-related user metadata through the event interest flow. Update to 2.3.29 or newer, then review admin users, role changes, and AJAX logs.

The Events Calendar for GeoDirectory
2026-06-09 CVSS 7.1

CVE-2016-20063

Simple Personal Message - Authenticated SQL injection in legacy WordPress plugin

CVE-2016-20063 is a legacy Simple Personal Message WordPress plugin SQL injection issue. Check whether the plugin still exists, confirm the installed version, update to 2.0.0 or remove it, and review admin activity and database access if it was exposed.

Simple Personal Message Public PoC
2026-06-09 CVSS 8.1

CVE-2026-9662

Recover Exit for WooCommerce - Unauthenticated LFI via tpf include path

Recover Exit for WooCommerce exposes a reported local file inclusion path through a POST value that reaches include(). Stores should remove or disable the plugin, check the affected PHP files, and review logs before reopening checkout flows.

Recover Exit for WooCommerce
2026-06-09 CVSS 7.5

CVE-2026-9185

6Storage Rentals - Unauthenticated tenant profile exposure

6Storage Rentals may expose tenant profile read or update paths without login. Site owners should disable the plugin, preserve access logs, inspect tenant records, and notify affected users if data changed.

6Storage Rentals
2026-06-09 CVSS 7.5

CVE-2026-41849

Spring Framework - SpEL expression parsing denial of service

CVE-2026-41849 is a Spring Framework SpEL denial-of-service issue. Teams should upgrade Spring Framework, check whether user-controlled expressions are evaluated, and review API logs for repeated parser-heavy requests.

Spring Framework
2026-06-09 CVSS 7.5

CVE-2026-41850

Spring Framework - SpEL evaluation denial of service

CVE-2026-41850 is paired with the Spring Framework SpEL DoS advisory set. It is not an Express RCE issue; the practical action is patching Spring and removing user-controlled expression evaluation paths.

Spring Framework
2026-06-09 CVSS 7.2

CVE-2026-7556

FV Flowplayer Video Player - Stored XSS review for WordPress sites

FV Flowplayer CVE-2026-7556 should be treated as a stored XSS cleanup and permission review, not as a confirmed unauthenticated RCE. Check plugin version, recent video embeds, editor accounts, and cached pages.

FV Flowplayer
2026-06-08 CVSS 5.3

CVE-2026-41851

Spring Framework - SpEL unbounded cache denial of service

CVE-2026-41851 affects Spring Framework applications that accept user-controlled SpEL expressions and cache parsed expressions. Check rule/formula features, upgrade Spring, and review memory alerts.

Spring Framework
2026-06-08 CVSS 9.5

CVE-2026-47430

Cordova Plugin InAppBrowser iOS - callback boundary weakness

CVE-2026-47430 affects cordova-plugin-inappbrowser 3.1.0 through 6.0.0 on iOS. Apps that open OAuth, payment, deep-link, or marketing pages in InAppBrowser should upgrade to 6.0.1 and review plugin callback trust boundaries.

Apache Cordova
2026-06-08 CVSS 9.3

CVE-2026-50751

Check Point - deprecated IKEv1 VPN authentication bypass

CVE-2026-50751 affects Check Point Remote Access VPN and Mobile Access deployments that still accept deprecated IKEv1. Check Point reported exploitation in the wild; operators should patch, disable or restrict IKEv1, and review VPN logs from 2026-05-07 onward.

Check Point Remote Access VPN / Mobile Access Active Exploit
2026-06-08 CVSS 9.8

CVE-2026-52778

YesWiki - Bazar CalcField unsafe formula handling

CVE-2026-52778 affects YesWiki before 4.6.6 through the Bazar CalcField formula calculator. Public YesWiki sites should upgrade, review Bazar forms, and check logs for repeated form submissions or PHP file changes.

YesWiki
2026-06-08 CVSS 7.7

CVE-2026-40519

Nginx Proxy Manager - certificate plugin command injection

CVE-2026-40519 affects Nginx Proxy Manager certificate plugin setup when an account can manage certificates. Review admin exposure, certificate permissions, DNS challenge credentials, and update to a build containing the upstream fix.

Nginx Proxy Manager
2026-06-08 CVSS 7.5

CVE-2026-46440

Flowise - Basic Auth credential brute-force exposure

CVE-2026-46440 affects Flowise before 3.1.2 when exposed Basic Auth can be repeatedly tested without adequate rate limiting. Operators should upgrade, add a real access layer, rotate credentials, and review Flowise flows and stored secrets.

Flowise
2026-06-08 CVSS 9.8

CVE-2026-44631

Apache HTTP Server - regex configuration buffer underwrite

CVE-2026-44631 affects Apache HTTP Server 2.4.0 through 2.4.67 through crafted regular expressions in configuration. Operators should upgrade to 2.4.68 and review regex-heavy vhost, rewrite, and match directives.

Apache HTTP Server
2026-06-08 CVSS 7.5

CVE-2026-34355

Apache HTTP Server - mod_proxy_html buffer overflow

CVE-2026-34355 affects Apache HTTP Server mod_proxy_html in 2.4.67 and earlier. Prioritize reverse proxy deployments that process untrusted backend content and upgrade to Apache 2.4.68.

Apache HTTP Server
2026-06-08 CVSS 7.5

CVE-2026-34356

Apache HTTP Server - ProxyPassReverseCookie heap overflow

CVE-2026-34356 affects Apache HTTP Server reverse proxy cookie rewriting in 2.4.67 and earlier. Review ProxyPassReverseCookie configuration and upgrade to Apache 2.4.68.

Apache HTTP Server
2026-06-08 CVSS 7.5

CVE-2026-42536

Apache HTTP Server - mod_xml2enc heap overflow

CVE-2026-42536 affects Apache HTTP Server mod_xml2enc in 2.4.67 and earlier. Operators should check whether xml2enc is loaded, review untrusted content paths, and upgrade to Apache 2.4.68.

Apache HTTP Server
2026-06-08 CVSS 7.3

CVE-2026-44185

Apache HTTP Server - mod_ssl OCSP buffer over-read

CVE-2026-44185 affects Apache HTTP Server outbound OCSP handling in 2.4.67 and earlier. TLS-heavy deployments should upgrade to 2.4.68 and review mod_ssl OCSP configuration.

Apache HTTP Server
2026-06-08 CVSS 7.3

CVE-2026-48913

Apache HTTP Server - mod_http2 use-after-free

CVE-2026-48913 affects Apache HTTP Server mod_http2 when file handles are exhausted. HTTP/2 deployments on Apache 2.4.55 through 2.4.67 should upgrade to 2.4.68 and review worker restart logs.

Apache HTTP Server
2026-06-08 CVSS 6.5

CVE-2026-11529

mysql-mcp-server - mysql URI handler injection

CVE-2026-11529 affects mysql-mcp-server before 0.3.0 in the mysql URI handler. Upgrade to 0.3.0, restrict the database account used by the MCP server, and review query logs from connected clients.

mysql-mcp-server Public PoC
2026-06-08 CVSS 8.7

CVE-2026-46490

samlify - SAML AttributeValue XML injection privilege escalation

CVE-2026-46490 affects samlify before 2.13.0. Node.js SAML SSO services should upgrade, review IdP attribute templates, SP role/group mapping, and recent login events where SAML attributes drive authorization.

samlify Public PoC
2026-06-08 CVSS 9.8

CVE-2023-54352

WordPress Seotheme - Unauthenticated Remote Code Execution

WordPress Seotheme unauthenticated RCE with a public technical signal. Site owners should check for the known shell IOC, related seoplugins paths, unexpected admins, modified theme files, and web-log hits before cleanup.

WordPress Seotheme Public PoC
2026-06-08 CVSS 7.5

CVE-2026-11471

SourceCodester Class and Exam Timetabling - index2.php SQL Injection

SourceCodester Class and Exam Timetabling System 1.0 SQL injection in login handling. Public school portals should restrict access, inspect SQL handling, and review logs.

SourceCodester Timetabling Public PoC
2026-06-08 CVSS 7.5

CVE-2026-11472

SourceCodester Class and Exam Timetabling - index1.php SQL Injection

SourceCodester Class and Exam Timetabling System 1.0 SQL injection in login handling. Treat internet-exposed installs as at risk until prepared statements and access restrictions are confirmed.

SourceCodester Timetabling Public PoC
2026-06-08 CVSS 7.5

CVE-2026-11482

SourceCodester Class and Exam Timetabling - archive5.php SQL Injection

SourceCodester Class and Exam Timetabling System 1.0 SQL injection in an archive page. This joins the login cluster and should be checked with the same log and prepared-statement review.

SourceCodester Timetabling Public PoC
2026-06-08 CVSS 7.5

CVE-2026-11483

SourceCodester Class and Exam Timetabling - archive4.php SQL Injection

SourceCodester Class and Exam Timetabling System 1.0 SQL injection in an archive page. Check it together with the related archive and login files.

SourceCodester Timetabling Public PoC
2026-06-08 CVSS 7.5

CVE-2026-11484

SourceCodester Class and Exam Timetabling - archive3.php SQL Injection

SourceCodester Class and Exam Timetabling System 1.0 SQL injection in an archive page. Treat exposed school portals as at risk until SQL handling and logs are reviewed.

SourceCodester Timetabling Public PoC
2026-06-08 CVSS 7.5

CVE-2026-11485

SourceCodester Class and Exam Timetabling - archive2.php SQL Injection

SourceCodester Class and Exam Timetabling System 1.0 SQL injection in an archive page. Check file exposure, direct SQL construction, and web logs for archive traffic.

SourceCodester Timetabling Public PoC
2026-06-08 CVSS 7.5

CVE-2026-11486

SourceCodester Class and Exam Timetabling - archive1.php SQL Injection

SourceCodester Class and Exam Timetabling System 1.0 SQL injection in an archive page. Restrict stale installs and review archive endpoints before reopening public access.

SourceCodester Timetabling Public PoC
2026-06-08 CVSS 7.5

CVE-2026-11488

Simple Flight Ticket Booking - checkUser.php SQL Injection

code-projects Simple Flight Ticket Booking System 1.0 SQL injection in login handling. Check stale booking demos, login SQL handling, web logs, and database privileges.

code-projects Simple Flight Ticket Booking Public PoC
2026-06-08 CVSS 7.5

CVE-2026-11489

Online Music Site - AdminDeleteAlbum.php SQL Injection

code-projects Online Music Site 1.0 SQL injection in an admin album action. Check admin path exposure, album changes, logs, and SQL handling.

code-projects Online Music Site Public PoC
2026-06-08 CVSS 7.5

CVE-2026-11490

Online Music Site - Search.php Category SQL Injection

code-projects Online Music Site 1.0 SQL injection in public search handling. Check public search exposure, category validation, web logs, and prepared-statement coverage.

code-projects Online Music Site Public PoC
2026-06-08 CVSS 7.5

CVE-2026-11474

Student Management System - Unrestricted Upload via stimg

Kushan2k student-management-system may allow dangerous file uploads through the stimg registration image field. Check public/profiles for PHP-like files, block script execution in upload directories, and preserve logs.

Kushan2k student-management-system Public PoC
2026-06-07 CVSS 7.5

CVE-2026-11462

BeikeShop Stripe Plugin - Missing Webhook Signature Verification

BeikeShop Stripe plugin callback may process webhook data without verifying the Stripe-Signature header. Store owners should patch, configure the webhook secret, review /callback/stripe logs, and match paid orders against Stripe.

BeikeShop Public PoC
2026-06-07 CVSS 7.3

CVE-2026-11456

Chanjet CRM - SQL Injection in system table handling

Chanjet CRM 1.0 SQL injection in a system table endpoint. Exposed CRM systems should restrict the endpoint, review web logs, and preserve evidence.

Chanjet CRM Public PoC
2026-06-06 CVSS 7.2

CVE-2026-7537

MDJM Event Management - administrator file upload leading to RCE risk

CVE-2026-7537 affects MDJM Event Management for WordPress through 1.7.8.3. Review administrator activity, plugin email attachments, and upload locations for unexpected executable files.

MDJM Event Management Public PoC
2026-06-06 CVSS 7.2

CVE-2026-9851

Booking Package - editor-level account takeover risk

CVE-2026-9851 affects Booking Package for WordPress through 1.7.16. Review editor and administrator accounts, password resets, and booking staff changes after patching.

Booking Package
2026-06-06 CVSS 7.2

CVE-2026-8438

All-In-One Security (AIOS) - stored XSS in debug log handling

CVE-2026-8438 affects AIOS for WordPress through 5.4.7 when REST blocking and debug logging expose unescaped request-path data in admin log views.

All-In-One Security (AIOS)
2026-06-06 CVSS 7.2

CVE-2026-8901

Integration for Freshsales - stored XSS in CRM form submission logs

CVE-2026-8901 affects Integration for Freshsales for WordPress through 1.0.15. Review failed CRM API logs and administrator screens after patching.

Integration for Freshsales
2026-06-06 CVSS 6.5

CVE-2026-9829

Photo Gallery by 10Web - contributor-level SQL injection risk

CVE-2026-9829 affects Photo Gallery by 10Web through 1.8.41. Review contributor accounts, gallery shortcodes, database errors, and suspicious slow queries.

Photo Gallery by 10Web Public PoC
2026-06-06 CVSS 6.1

CVE-2026-9280

Ad Inserter - reflected XSS in iframe mode

CVE-2026-9280 affects Ad Inserter through 2.8.15 when iframe mode is enabled. Patch the plugin and clear affected ad/cache pages.

Ad Inserter Public PoC
2026-06-06 CVSS 5.3

CVE-2026-7792

WPForms PayPal Commerce - webhook verification gap

CVE-2026-7792 affects WPForms PayPal Commerce webhook handling through 1.10.0.4. Reconcile subscriptions, payment status changes, and webhook configuration after patching.

WPForms
2026-06-06 CVSS 5.3

CVE-2026-9016

Debug Log Manager - forged JavaScript error log entries

CVE-2026-9016 affects Debug Log Manager through 2.5.0 when JavaScript error logging is enabled. Patch first, then review whether forged log entries affected incident triage.

Debug Log Manager Public PoC
2026-06-05 CVSS 8.6

CVE-2026-11400

AWS Advanced JDBC Wrapper - Aurora PostgreSQL privilege escalation

CVE-2026-11400 affects AWS Advanced JDBC Wrapper for Aurora PostgreSQL versions 3.0.0 up to, but not including, 4.0.1. Review wrapper dependency versions, database search_path, and low-privilege function creation.

AWS Aurora PostgreSQL Wrapper
2026-06-05 CVSS 8.6

CVE-2026-11401

AWS Advanced Go Wrapper - Aurora PostgreSQL privilege escalation

CVE-2026-11401 affects the AWS Advanced Go Wrapper 2026-04-06 release for Aurora PostgreSQL. Upgrade to the 2026-05-26 release and review public schema search_path exposure.

AWS Aurora PostgreSQL Wrapper
2026-06-05 CVSS 10.0

CVE-2026-46389

UDS Identity Config - Keycloak client authentication bypass

CVE-2026-46389 affects UDS Identity Config 0.11.0 through 0.26.0. Deployments using the client-kubernetes-secret Keycloak authenticator should update to 0.26.1 and review service-account token activity.

UDS Identity Config
2026-06-05 CVSS 9.3

CVE-2026-45777

Open XDMoD - unauthenticated remote code execution

CVE-2026-45777 affects Open XDMoD 9.5.0 through 11.0.2. HPC portals should upgrade to 11.0.3 or newer, restrict web access, and review web-server process activity and application logs.

Open XDMoD Active Exploit
2026-06-05 CVSS 8.7

CVE-2026-50234

Lyrion Music Server 9.2.0 - unauthenticated path traversal file read

CVE-2026-50234 affects Lyrion Music Server through 9.2.0. Public web UI or CLI exposure should be closed, logs reviewed, and the server moved back to a stable or fixed build.

Lyrion Music Server Public PoC
2026-06-05 CVSS 6.9

CVE-2026-50233

Lyrion Music Server 9.2.0 - arbitrary directory listing

CVE-2026-50233 affects Lyrion Music Server through 9.2.0. Operators should check web UI and CLI exposure, especially public access to management and library-browsing surfaces.

Lyrion Music Server Public PoC
2026-06-05 CVSS 5.1

CVE-2026-50232

Lyrion Music Server 9.2.0 - stored XSS through media metadata

CVE-2026-50232 affects Lyrion Music Server through 9.2.0 when untrusted media metadata is rendered in the web interface. Review recent library additions and keep the admin UI restricted.

Lyrion Music Server Public PoC
2026-06-05 CVSS 5.1

CVE-2026-50231

Lyrion Music Server 9.2.0 - stored XSS in server log viewer

CVE-2026-50231 affects Lyrion Music Server through 9.2.0 through server log viewer rendering. Operators should restrict UI access and avoid opening suspicious logs from exposed hosts.

Lyrion Music Server Public PoC
2026-06-05 CVSS 8.8

CVE-2026-7654

Admin Columns - Contributor+ PHP object injection to RCE

CVE-2026-7654 affects the Admin Columns WordPress plugin through 7.0.18. Sites with Contributor or higher accounts should patch to 7.0.19 or newer, then review recent custom-field and account activity.

WordPress Public PoC
2026-06-05 CVSS 8.8

CVE-2026-5411

WP Captcha PRO - Subscriber+ arbitrary file upload

CVE-2026-5411 affects WP Captcha PRO through 5.38. Sites should update to 5.39 or newer and inspect uploads, plugin folders, and unexpected account activity after patching.

WordPress Public PoC
2026-06-05 CVSS 8.8

CVE-2026-5415

WP Captcha PRO - Subscriber+ authentication bypass

CVE-2026-5415 affects WP Captcha PRO through 5.38. Public registration sites should update to 5.39 or newer, review administrators, and rotate sessions if user activity looks suspicious.

WordPress
2026-06-05 CVSS 9.3

CVE-2026-46395

HAX CMS Node.js - private signing key disclosure

CVE-2026-46395 affects the HAX CMS Node.js backend through 25.0.0. Public HAX CMS operators should upgrade, rotate JWT signing material and site tokens, then review admin activity that may not have normal login events.

HAX CMS Public PoC
2026-06-05 CVSS 9.4

CVE-2026-46399

HAX CMS PHP - file overwrite and Git filter risk

CVE-2026-46399 affects HAX CMS PHP before 26.0.0. Review file overwrite paths, Git filters, remote URLs, repository history access, and any content changes made by privileged users.

HAX CMS Public PoC
2026-06-05 CVSS 9.3

CVE-2026-46396

HAX CMS - stored XSS through iframe handling

CVE-2026-46396 affects HAX CMS content rendering before 26.0.0. Operators should patch, review iframe-heavy pages, and inspect admin sessions and tokens after suspicious content edits.

HAX CMS Public PoC
2026-06-05 CVSS 9.3

CVE-2026-46496

HAX CMS - stored XSS through video-player component

CVE-2026-46496 affects HAX CMS media content before 26.0.0. Review video-player usage, media edits, admin sessions, and token exposure after patching.

HAX CMS Public PoC
2026-06-05 CVSS 8.8

CVE-2026-46398

HAX CMS - refresh token cookie missing Secure flag

CVE-2026-46398 affects HAX CMS 25.0.0 before 26.0.0 when refresh tokens may be sent without the Secure cookie flag. Enforce HTTPS, upgrade, and rotate sessions on exposed sites.

HAX CMS Public PoC
2026-06-05 CVSS 8.7

CVE-2026-46400

HAX CMS PHP - file upload validation bypass

CVE-2026-46400 affects HAX CMS PHP 11.0.6 before 25.0.0. Operators should patch, review uploaded files and MIME handling, and remove suspicious PHP-like or active content from public upload paths.

HAX CMS Public PoC
2026-06-05 CVSS 8.7

CVE-2026-46391

HAX CMS open-apis - weak host validation

CVE-2026-46391 affects @haxtheweb/open-apis 9.0.1 before 26.0.0. Review integrations that send basic authorization to remote hosts, rotate exposed credentials, and patch the package.

HAX CMS Public PoC
2026-06-05 CVSS 8.7

CVE-2026-46392

HAX CMS PHP - upload rendering bypass

CVE-2026-46392 affects HAX CMS PHP before 26.0.0. Review uploaded HTML-like content, mixed-case extensions, and pages edited by untrusted users before reopening authoring.

HAX CMS Public PoC
2026-06-05 CVSS 7.7

CVE-2026-46394

HAX CMS PHP - Git command handling risk

CVE-2026-46394 affects the HAX CMS PHP Git helper before 26.0.0. Review Git remotes, filters, helper logs, and repository settings after patching.

HAX CMS Public PoC
2026-06-05 CVSS 7.1

CVE-2026-46393

HAX CMS - authenticated SSRF and local resource access

CVE-2026-46393 affects HAX CMS before 26.0.0. Operators should patch, restrict server-side fetch behavior, and review outbound requests to localhost, metadata endpoints, and private service ranges.

HAX CMS Public PoC
2026-06-05 CVSS 7.5

CVE-2026-46493

HAX CMS - weak salt generation

CVE-2026-46493 affects HAX CMS versions before 26.0.1 that use unsuitable salt generation. Upgrade to 26.0.1 or newer and rotate secrets after patching.

HAX CMS Public PoC
2026-06-05 CVSS 8.7

CVE-2026-46511

HAX CMS - stored XSS and token exposure chain

CVE-2026-46511 affects HAX CMS before 26.0.0 through a stored XSS plus token exposure chain. Review tenants, site tokens, edited content, and admin sessions after upgrading.

HAX CMS Public PoC
2026-06-05 CVSS 6.9

CVE-2026-46390

HAX CMS - unauthenticated gitlist exposure

CVE-2026-46390 affects HAX CMS 2.0.0 before 26.0.0 where gitlist can expose repository browsing to unauthenticated users. Patch and review whether repository history or secrets were visible.

HAX CMS Public PoC
2026-06-05 CVSS 9.8

CVE-2026-10580

Hippoo Mobile App for WooCommerce - unauthenticated admin takeover

CVE-2026-10580 affects Hippoo Mobile App for WooCommerce through 1.9.4. Public stores should update to 1.9.5 or newer, review administrator accounts, WooCommerce API activity, password resets, and payment settings.

Hippoo Mobile App for WooCommerce
2026-06-02 CVSS 9.8

CVE-2026-8206

Kirki Page Builder - Unauthenticated Admin Account Takeover via Password Reset

Kirki 6.0.0–6.0.6 password reset endpoint sends the reset link to an attacker-supplied email address instead of to the account owner. One unauthenticated request hijacks any admin. 500K+ installs, Wordfence blocking 222+ attacks/day.

WordPress Active Exploit Public PoC
2026-05-30 CVSS 7.5

CVE-2026-9757

GEO my WP - Unauthenticated SQL Injection via map boundary parameters

SQL injection in GEO my WP (≤ 4.5.5) through map boundary query handling. Public Posts Locator pages should be patched and checked for unusual database access.

WordPress Public PoC
2026-05-30 CVSS 8.8

CVE-2026-7465

Spectra / Ultimate Addons for Gutenberg - Contributor-level RCE in block rendering

Authenticated (Contributor+) remote code execution in Spectra Gutenberg Blocks ≤ 2.19.25. Review Contributor accounts, block rendering behavior, and plugin version before reopening publishing access.

WordPress Public PoC
2026-05-30 CVSS 7.5

CVE-2026-7459

Simple History - Subscriber+ account takeover via REST event context leak

Simple History ≤ 5.26.0: react_to_event REST endpoints only verify login, not per-logger capabilities. Subscribers can read password-reset email bodies and complete an admin takeover.

WordPress Public PoC
2026-05-29 CVSS 9.1

CVE-2026-4290

WP Travel Pro - Unauthenticated Arbitrary User Deletion

Unauthenticated user deletion in WP Travel Pro (≤ 10.6.0). The affected REST permission path can allow destructive user deletion without a valid admin session. Patch to 10.6.1 and audit recent user changes.

WordPress
2026-05-29 CVSS 9.3

FreePBX-Cluster-2026-05

FreePBX May 2026 Cluster - 4 CVEs in one day (UCP takeover · CDR SQLi · OAuth bypass · path traversal)

Four FreePBX CVEs published the same day. CVE-2026-46376 (9.3) is a pre-auth UCP takeover via hard-coded initial template credentials. CVE-2026-44238 (8.5) is SQL injection in the CDR Reports module via order/sort parameters. In CVE-2026-44237 (7.6), the OAuth2 validateClient() method unconditionally returns true. CVE-2026-44239 (7.6) is PHP path traversal in the Dashboard module's getcontent handler. Patch lines: 16.0.50 / 17.0.11.

FreePBX Public PoC
2026-05-28 CVSS 8.1

CVE-2026-6455

WP Contact Form 7 DB Handler - CSRF → SQLi → Deserialization → Arbitrary File Deletion

The WP Contact Form 7 DB Handler plugin chains four flaws: CSRF bypass (nonce check skipped when field is absent), UNION-based SQL injection, PHP object injection, and arbitrary file deletion via path traversal. One admin click on a crafted link can delete wp-config.php and take down the entire site.

WordPress Public PoC
2026-05-27 CVSS 9.3

CVE-2026-48027

Nx Console VS Code Extension - Supply Chain Attack (Actively Exploited)

Malicious Nx Console version 18.95.0 was published to VS Code Marketplace for ~18 minutes and OpenVSX for ~36 minutes on May 19, 2026. The compromised extension contained embedded malicious code (CWE-506) that executed at activation. Auto-update users may have installed it. CISA has added this to the Known Exploited Vulnerabilities catalog.

VS Code CISA KEV Active Exploit Public PoC
2026-05-27 CVSS 10.0

CVE-2026-44329

BentoML Docker Build - Dockerfile Injection → Full Host RCE

BentoML's Dockerfile template can mishandle docker.base_image from bento.yaml. Malicious build configuration may alter generated Dockerfile behavior during image builds. Patch BentoML and review build inputs before rebuilding.

Docker Public PoC
2026-05-27 CVSS 9.9

CVE-2026-42748

WordPress Triple-9.9: Unrestricted Upload & Path Traversal (3 plugins)

Three separate WordPress plugins with CVSS 9.9 each published on the same day. CVE-2026-42748 is unrestricted file upload; CVE-2026-42756 and CVE-2026-42757 are path traversal vulnerabilities with changed scope (S:C), meaning a compromise can reach beyond WordPress to the wider server.

WordPress
2026-05-21 CVSS 10.0

CVE-2026-48172

cPanel/WHM Redis Socket - Unauthenticated Privilege Escalation to Root

Unauthenticated privilege escalation via Redis Unix socket in cPanel & WHM. Overly permissive socket access can let a local user or compromised PHP process write root-owned files through Redis. Third critical cPanel CVE in 2026.

cPanel Public PoC
2026-05-19 CVSS 9.8

CVE-2026-4885

Piotnet Addons for Elementor Pro - Unauthenticated File Upload → RCE

Unauthenticated arbitrary file upload in Piotnet Addons for Elementor Pro (≤ 7.1.70). Dangerous PHP-like uploads may execute on common hosting stacks, so owners should patch and inspect upload directories.

WordPress Public PoC
2026-05-17 CVSS 8.8

CVE-2026-8719

AI Engine Plugin - Subscriber-to-Admin Privilege Escalation

Privilege escalation in the AI Engine WordPress plugin (50,000+ active installs). Missing capability check in MCP OAuth bearer-token path lets any logged-in user, even Subscriber, escalate to Administrator. Patched in v3.4.10. Public registration sites are most exposed.

WordPress
2026-05-13 CVSS 9.2

CVE-2026-42945

NGINX Rift - 18-Year-Old RCE in ngx_http_rewrite_module

Heap buffer overflow in ngx_http_rewrite_module. Risk rises on systems using the affected rewrite configuration pattern. In the codebase since 2008. Affects ~1/3 of all websites.

NGINX Public PoC
2026-04-28 CVSS 9.8

CVE-2026-41940

cPanel/WHM Pre-Auth CRLF Injection → Root Access

Pre-authentication CRLF injection in cPanel & WHM session handling leading to root access. 44,000 IPs compromised, 7,135 hit by .sorry ransomware. Persistent Mr_Rot13 Filemanager backdoor survives the patch. Second emergency TSR on May 8.

cPanel CISA KEV Active Exploit Public PoC
2026-04-20 CVSS 9.8

CVE-2026-1492

WordPress User Registration & Membership - Auth Bypass → Admin Takeover

Authentication bypass in the User Registration & Membership plugin (60,000+ active installs). An unauthenticated attacker can take over any account, including admin. Patched in 4.2.4; older versions are wide open.

WordPress

Ranked by severity

CVSS score buckets. Perfect scores (10.0) and zero-auth criticals get scanned within hours of disclosure.

🔴 CVSS 10.0 - Perfect score, drop everything

2026-06-26 CVSS 10.0

CVE-2026-53576

Kestra - authentication boundary risk

CVE-2026-53576 affects Kestra. Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, the authentication filter for the REST API (@Filter("/api/v1/**")) treats any request whose path ends in /configs as the public i... Patch the affected deployment and review workflow and admin logs.

Kestra
2026-06-26 CVSS 10.0

CVE-2026-54350

Budibase - authentication boundary risk

CVE-2026-54350 affects Budibase. Budibase is an open-source low-code platform. Prior to 3.39.12, an unauthenticated visitor of any published Budibase app reads every document of the backing MongoDB, CouchDB, Elasticsearch, DynamoDB-PartiQL, or REST-with... Patch the affected deployment and review workflow and admin logs.

Budibase
2026-06-25 CVSS 10.0

CVE-2026-46752

Apache Kvrocks - security boundary risk

CVE-2026-46752 affects Apache Kvrocks: a heap overflow in the cjson library used by its Redis-compatible Lua scripting. Patch the affected deployment and review component presence.

Apache Kvrocks
2026-06-25 CVSS 10.0

CVE-2026-57700

Daan.Dev OMGF Pro - Unrestricted Upload of File with Dangerous Type vulnerability

CVE-2026-57700 affects Daan.Dev OMGF Pro; see the vendor-fixed release. Site owners should patch the component, preserve logs, and review files and uploads before closing the issue.

Daan.Dev OMGF Pro
2026-06-24 CVSS 10.0

CVE-2026-12485

GeoVision GV-I/O Box 4E - DVRSearch stack overflow risk

CVE-2026-12485 affects GeoVision GV-I/O Box 4E devices covered by the June 2026 Talos advisories. Device owners should isolate management access, apply vendor firmware guidance, and review network or relay configuration changes.

GeoVision GV-I/O Box 4E
2026-06-24 CVSS 10.0

CVE-2026-12846

GeoVision GV-I/O Box 4E - network configuration stack overflow risk

CVE-2026-12846 affects GeoVision GV-I/O Box 4E devices covered by the June 2026 Talos advisories. Device owners should isolate management access, apply vendor firmware guidance, and review network or relay configuration changes.

GeoVision GV-I/O Box 4E
2026-06-24 CVSS 10.0

CVE-2026-12847

GeoVision GV-I/O Box 4E - gateway field stack overflow risk

CVE-2026-12847 affects GeoVision GV-I/O Box 4E devices covered by the June 2026 Talos advisories. Device owners should isolate management access, apply vendor firmware guidance, and review network or relay configuration changes.

GeoVision GV-I/O Box 4E
2026-06-24 CVSS 10.0

CVE-2026-12848

GeoVision GV-I/O Box 4E - DNS field stack overflow risk

CVE-2026-12848 affects GeoVision GV-I/O Box 4E devices covered by the June 2026 Talos advisories. Device owners should isolate management access, apply vendor firmware guidance, and review network or relay configuration changes.

GeoVision GV-I/O Box 4E
2026-06-19 CVSS 10.0

CVE-2026-48772

ProxySQL - MySQL frontend memory corruption risk

CVE-2026-48772 affects ProxySQL 2.0.0 through 3.0.8. Patch to 3.0.9 or newer, restrict exposed listeners, and review ProxySQL listeners, crashes, restarts, and frontend access.

ProxySQL
2026-06-19 CVSS 10.0

CVE-2026-48908

Joomla SP Page Builder - unauthenticated file upload

CVE-2026-48908 affects Joomla SP Page Builder; see the vendor advisory. Check whether the extension is installed, remove abandoned copies, and review uploads, executable files, and public builder routes.

Joomla SP Page Builder Public PoC
2026-06-19 CVSS 10.0

CVE-2026-48939

Joomla iCagenda - file attachment upload risk

CVE-2026-48939 affects Joomla iCagenda; see the vendor advisory. Check whether the extension is installed, remove abandoned copies, and review event attachments, uploads, and executable files.

Joomla iCagenda Public PoC
2026-06-18 CVSS 10.0

CVE-2026-49257

mcp-pinot - unauthenticated MCP server exposure

CVE-2026-49257 affects mcp-pinot through 3.0.1. Review Pinot credentials, MCP access logs, and table/config changes, then apply the vendor fix or remove the risky exposure until patched.

mcp-pinot Public PoC
2026-06-17 CVSS 10.0

CVE-2025-69129

WordPress and WooCommerce Scraper - unauthenticated arbitrary file upload

CVE-2025-69129 affects WordPress & WooCommerce Scraper Plugin, Import Data from Any Site through 1.0.7. Confirm the installed version, patch or disable the component, and review upload directories, new PHP files, and web access logs before closing the incident.

WordPress & WooCommerce Scraper Plugin, Import Data from Any Site
2026-06-17 CVSS 10.0

CVE-2026-25470

ACPT Pro - remote code execution

CVE-2026-25470 affects ACPT Pro - Custom Post Types Plugin for WordPress through 2.0.47. Confirm the installed version, patch or disable the component, and review changed files, cron jobs, users, and web server logs before closing the incident.

ACPT Pro - Custom Post Types Plugin for WordPress Public PoC
2026-06-17 CVSS 10.0

CVE-2026-28587

Android MmsSmsProvider - permission check information disclosure

CVE-2026-28587 affects Android MmsSmsProvider permission handling. Managed fleets should apply the Android security bulletin update and review devices that process sensitive messaging data.

Android
2026-06-15 CVSS 10.0

CVE-2026-40772

GeekyBot - unauthenticated arbitrary file upload

CVE-2026-40772 affects GeekyBot through 1.2.2. WordPress sites should patch or disable the component, then review upload directories, new PHP files, and web access logs before closing the incident.

GeekyBot
2026-06-15 CVSS 10.0

CVE-2026-48836

Easy Invoice - unauthenticated remote code execution

CVE-2026-48836 affects Easy Invoice through 2.1.19. WordPress sites should patch or disable the component, then review changed files, cron jobs, users, and web server logs before closing the incident.

Easy Invoice
2026-06-15 CVSS 10.0

CVE-2026-52704

WooCommerce PDF Invoice Builder - remote code inclusion risk

CVE-2026-52704 affects WooCommerce PDF Invoice Builder through 2.0.8. Stores should disable or patch the plugin, review generated invoice files and templates, and check administrator activity before reopening payments.

WooCommerce PDF Invoice Builder
2026-06-12 CVSS 10.0

CVE-2026-47131

vm2 - sandbox escape via host TypeError exposure

CVE-2026-47131 affects vm2 before 3.11.4. Services that run untrusted JavaScript should upgrade, isolate sandbox workers, and review logs for unexpected outbound access or worker failures.

vm2 Public PoC
2026-06-12 CVSS 10.0

CVE-2026-47137

vm2 - NodeVM require guard bypass

CVE-2026-47137 affects vm2 before 3.11.4. Services that run untrusted JavaScript should upgrade, isolate sandbox workers, and review logs for unexpected outbound access or worker failures.

vm2 Public PoC
2026-06-12 CVSS 10.0

CVE-2026-47140

vm2 - dangerous builtin denylist gap

CVE-2026-47140 affects vm2 before 3.11.4. Services that run untrusted JavaScript should upgrade, isolate sandbox workers, and review logs for unexpected outbound access or worker failures.

vm2 Public PoC
2026-06-12 CVSS 10.0

CVE-2026-47208

vm2 - sandbox breakout vulnerability

CVE-2026-47208 affects vm2 before 3.11.4. Services that run untrusted JavaScript should upgrade, isolate sandbox workers, and review logs for unexpected outbound access or worker failures.

vm2 Public PoC
2026-06-11 CVSS 10.0

CVE-2026-10520

Ivanti Sentry - unauthenticated root-level command injection

CVE-2026-10520 affects Ivanti Sentry and was added to CISA KEV on 2026-06-11. Confirm version state, restrict management access, patch, and review appliance logs and unexpected accounts.

Ivanti Sentry CISA KEV Active Exploit
2026-06-11 CVSS 10.0

CVE-2026-49261

MariaDB Galera - wsrep_notify_cmd command handling risk

CVE-2026-49261 affects MariaDB Galera deployments with wsrep_notify_cmd enabled on vulnerable versions. Patch to fixed MariaDB lines or disable the setting, then review node-join and service logs.

MariaDB Server Public PoC
2026-06-05 CVSS 10.0

CVE-2026-46389

UDS Identity Config - Keycloak client authentication bypass

CVE-2026-46389 affects UDS Identity Config 0.11.0 through 0.26.0. Deployments using the client-kubernetes-secret Keycloak authenticator should update to 0.26.1 and review service-account token activity.

UDS Identity Config
2026-05-27 CVSS 10.0

CVE-2026-44329

BentoML Docker Build - Dockerfile Injection → Full Host RCE

BentoML's Dockerfile template can mishandle docker.base_image from bento.yaml. Malicious build configuration may alter generated Dockerfile behavior during image builds. Patch BentoML and review build inputs before rebuilding.

Docker Public PoC
2026-05-21 CVSS 10.0

CVE-2026-48172

cPanel/WHM Redis Socket - Unauthenticated Privilege Escalation to Root

Unauthenticated privilege escalation via Redis Unix socket in cPanel & WHM. Overly permissive socket access can let a local user or compromised PHP process write root-owned files through Redis. Third critical cPanel CVE in 2026.

cPanel Public PoC

🟠 Critical (CVSS 9.0–9.9) - Patch this week

2026-06-28 CVSS 9.9

CVE-2026-58053

Gitea act_runner - Docker backend container hardening bypass

CVE-2026-58053 affects Gitea act_runner deployments that use the Docker backend through act 0.262.0. Owners should restrict who can run workflows, review Docker runner configuration, isolate runners from production hosts, and apply vendor hardening guidance.

Gitea act_runner Public PoC
2026-06-26 CVSS 9.9

CVE-2026-46386

OpenProject - security boundary risk

CVE-2026-46386 affects OpenProject Docker deployments that inherited an unsafe default application secret configuration. Patch the affected deployment and review workflow and admin logs.

OpenProject
2026-06-26 CVSS 9.9

CVE-2026-56027

Booster for WooCommerce - Customer Arbitrary File Upload

CVE-2026-56027 affects Booster for WooCommerce <= 8.0.1. Site owners should patch the component, preserve logs, and review files and uploads before closing the issue.

Booster for WooCommerce
2026-06-26 CVSS 9.9

CVE-2026-56059

Travel Booking - Subscriber Arbitrary File Upload

CVE-2026-56059 affects Travel Booking <= 2.2.5. Site owners should patch the component, preserve logs, and review files and uploads before closing the issue.

Travel Booking
2026-06-25 CVSS 9.9

CVE-2026-54823

Widget Options - Contributor Remote Code Execution

CVE-2026-54823 affects Widget Options <= 4.2.3. Site owners should patch the component, preserve logs, and review logs and users before closing the issue.

Widget Options
2026-06-24 CVSS 9.9

CVE-2026-55454

Appsmith - bundled Caddy admin API takeover risk

CVE-2026-55454 affects Appsmith before 2.1. Review Caddy configuration changes, SSRF exposure, and low-privilege user activity after upgrading.

Appsmith Public PoC
2026-06-23 CVSS 9.9

CVE-2026-56274

Flowise - Custom MCP Server command injection risk

CVE-2026-56274 affects Flowise before 3.1.2 through Custom MCP Server validation bypasses. Patch, restrict Flowise accounts and API keys, and review chatflow and MCP tool changes.

Flowise Public PoC
2026-06-17 CVSS 9.9

CVE-2024-52488

Grip theme - subscriber arbitrary file upload

CVE-2024-52488 affects Grip through 1.0.9. Confirm the installed version, patch or disable the component, and review upload directories, new PHP files, and web access logs before closing the incident.

Grip
2026-06-17 CVSS 9.9

CVE-2025-60218

PT Luxa Addons - subscriber arbitrary file upload

CVE-2025-60218 affects PT Luxa Addons through 1.2.2. Confirm the installed version, patch or disable the component, and review upload directories, new PHP files, and web access logs before closing the incident.

PT Luxa Addons
2026-06-17 CVSS 9.9

CVE-2026-22327

Restaurt theme - subscriber arbitrary file upload

CVE-2026-22327 affects Restaurt through 1.0.4. Confirm the installed version, patch or disable the component, and review upload directories, new PHP files, and web access logs before closing the incident.

Restaurt
2026-06-17 CVSS 9.9

CVE-2026-25446

WishList Member X - subscriber arbitrary file upload

CVE-2026-25446 affects WishList Member X through 3.29.0. Confirm the installed version, patch or disable the component, and review upload directories, new PHP files, and web access logs before closing the incident.

WishList Member X
2026-06-17 CVSS 9.9

CVE-2026-27041

Unlimited Elements for Elementor Premium - contributor arbitrary file upload

CVE-2026-27041 affects Unlimited Elements for Elementor (Premium) through 2.0.6. Confirm the installed version, patch or disable the component, and review upload directories, new PHP files, and web access logs before closing the incident.

Unlimited Elements for Elementor (Premium)
2026-06-17 CVSS 9.9

CVE-2026-39589

Webenvo theme - subscriber arbitrary file upload

CVE-2026-39589 affects Webenvo through 0.0.6. Confirm the installed version, patch or disable the component, and review upload directories, new PHP files, and web access logs before closing the incident.

Webenvo
2026-06-17 CVSS 9.9

CVE-2026-40746

Restaurant Zone theme - subscriber arbitrary file upload

CVE-2026-40746 affects Restaurant Zone through 0.7.8. Confirm the installed version, patch or disable the component, and review upload directories, new PHP files, and web access logs before closing the incident.

Restaurant Zone
2026-06-17 CVSS 9.9

CVE-2026-40747

Ecommerce Zone theme - subscriber arbitrary file upload

CVE-2026-40747 affects Ecommerce Zone through 0.9.7. Confirm the installed version, patch or disable the component, and review upload directories, new PHP files, and web access logs before closing the incident.

Ecommerce Zone
2026-06-17 CVSS 9.9

CVE-2026-40748

Kids Gift Shop theme - subscriber arbitrary file upload

CVE-2026-40748 affects Kids Gift Shop through 0.5.4. Confirm the installed version, patch or disable the component, and review upload directories, new PHP files, and web access logs before closing the incident.

Kids Gift Shop
2026-06-17 CVSS 9.9

CVE-2026-40749

Charity Zone theme - subscriber arbitrary file upload

CVE-2026-40749 affects Charity Zone through 1.1.1. Confirm the installed version, patch or disable the component, and review upload directories, new PHP files, and web access logs before closing the incident.

Charity Zone
2026-06-17 CVSS 9.9

CVE-2026-40783

Blocksy Companion Pro - contributor remote code execution

CVE-2026-40783 affects Blocksy Companion Pro through 2.1.37. Confirm the installed version, patch or disable the component, and review changed files, cron jobs, users, and web server logs before closing the incident.

Blocksy Companion Pro Public PoC
2026-06-17 CVSS 9.9

CVE-2026-46850

MySQL Shell for VS Code - June 2026 Oracle CPU critical issue

CVE-2026-46850 affects MySQL Shell for VS Code 2026.2.0+9.6.1. Database teams should patch developer tooling and review saved connection profiles and extension access.

MySQL Shell for VS Code
2026-06-16 CVSS 9.9

CVE-2026-40750

WordPress Kids Online Store theme - dangerous file upload

CVE-2026-40750 affects the WordPress Kids Online Store theme through 0.8.9. Site owners should patch or replace the theme, block script execution from uploads, and review recent files and admin users.

Kids Online Store theme
2026-06-16 CVSS 9.9

CVE-2026-49774

RD Station - Remote code execution

CVE-2026-49774 affects RD Station through 5.6.0. Confirm the installed version, patch or disable the plugin, and review changed files, cron jobs, users, and web server logs before closing the incident.

RD Station
2026-06-15 CVSS 9.9

CVE-2026-39591

WP-BusinessDirectory - subscriber arbitrary file upload

CVE-2026-39591 affects WP-BusinessDirectory through 4.0.0. WordPress sites should patch or disable the component, then review upload directories, new PHP files, and web access logs before closing the incident.

WP-BusinessDirectory
2026-06-15 CVSS 9.9

CVE-2026-49766

WP User Manager - subscriber arbitrary file deletion

CVE-2026-49766 affects WP User Manager through 2.9.16. WordPress sites should patch or disable the component, then review missing plugin files, media files, and backups before closing the incident.

WP User Manager
2026-06-11 CVSS 9.9

CVE-2026-10523

Ivanti Sentry - unauthenticated administrative account creation

CVE-2026-10523 affects Ivanti Sentry and can allow unauthorized administrative account creation. Patch first, then review admin users, MFA state, login history, and configuration changes.

Ivanti Sentry
2026-06-12 CVSS 9.9

CVE-2026-47365

cPanel WP Toolkit - cross-tenant command authorization bypass

CVE-2026-47365 affects WP Toolkit before 6.11.0 as used in cPanel & WHM. Hosting providers should update WP Toolkit, review account boundaries, and check recent wp-toolkit CLI activity.

cPanel WP Toolkit
2026-06-10 CVSS 9.9

CVE-2026-45552

Roxy-WI - cross-tenant authorization bypass in install workflows

CVE-2026-45552 affects Roxy-WI install and exporter workflows. Review panel exposure, guest or low-privilege users, stored SSH credentials, and recent infrastructure changes.

Roxy-WI Public PoC
2026-06-10 CVSS 9.9

CVE-2026-45556

Roxy-WI - WAF configuration path handling issue

CVE-2026-45556 affects Roxy-WI WAF configuration save paths. Operators should restrict the panel, preserve logs, and review load balancer config, cron, and service changes.

Roxy-WI Public PoC
2026-06-10 CVSS 9.9

CVE-2026-45558

Roxy-WI - HAProxy generated configuration injection risk

CVE-2026-45558 affects Roxy-WI HAProxy configuration generation. Review HAProxy section changes, reload history, panel accounts, and managed server ownership.

Roxy-WI Public PoC
2026-06-10 CVSS 9.9

CVE-2026-50545

Fission - Environment podSpec passthrough validation gap

CVE-2026-50545 affects Fission Environment podSpec handling before 1.24.0. Review who can create or update environments and whether unsafe pod fields can reach runtime or builder pods.

Fission Public PoC
2026-06-10 CVSS 9.9

CVE-2026-50563

Fission - Container Executor function podSpec privilege issue

CVE-2026-50563 affects Fission Container Executor podSpec handling before 1.24.0. Review Function spec permissions, executor service accounts, and runtime pod security.

Fission Public PoC
2026-06-10 CVSS 9.9

CVE-2026-50564

Fission - Environment CRD unsafe podSpec propagation

CVE-2026-50564 affects Fission Environment CRD podSpec propagation before 1.24.0. Review host namespace, hostPath, privileged, and service account fields in function environments.

Fission Public PoC
2026-06-10 CVSS 9.9

CVE-2026-50566

Fission - tenant function can request dangerous container settings

CVE-2026-50566 affects Fission before 1.24.0 when tenant-facing Environment or Function resources can request unsafe container settings. Review RBAC and admission webhook enforcement.

Fission Public PoC
2026-05-27 CVSS 9.9

CVE-2026-42748

WordPress Triple-9.9: Unrestricted Upload & Path Traversal (3 plugins)

Three separate WordPress plugins with CVSS 9.9 each published on the same day. CVE-2026-42748 is unrestricted file upload; CVE-2026-42756 and CVE-2026-42757 are path traversal vulnerabilities with changed scope (S:C), meaning a compromise can reach beyond WordPress to the wider server.

WordPress
2026-06-27 CVSS 9.8

CVE-2026-12415

Invoice Generator - unauthenticated privilege escalation

CVE-2026-12415 affects the Invoice Generator plugin for WordPress through 1.0.0. Site owners should patch or disable the plugin, review administrator email changes, password reset events, and new sessions before closing the incident.

Invoice Generator
2026-06-26 CVSS 9.8

CVE-2026-0685

Genshi Template Engine - remote code execution risk

CVE-2026-0685 affects Genshi Template Engine. Server-side template injection (SSTI) in the expression evaluation component of Genshi Template Engine version 0.7.9 allows a remote attacker to achieve remote code execution (RCE) via crafted template expressions. Patch the affected deployment and review web and app logs.

Genshi Template Engine
2026-06-26 CVSS 9.8

CVE-2026-48930

Node.js - authentication boundary risk

CVE-2026-48930 affects Node.js. A flaw in Node.js TLS hostname handling means hostnames with an embedded NUL byte can lead to silent authority rebinding, because the resolver bindings truncate them as C strings. Patch the affected deployment and review runtime logs.

Node.js
2026-06-26 CVSS 9.8

CVE-2026-56028

Easy Elements for Elementor - Addons and Website Templates - Unauthenticated Privilege Escalation

CVE-2026-56028 affects Easy Elements for Elementor - Addons and Website Templates <= 1.4.9. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Easy Elements for Elementor - Addons and Website Templates
2026-06-26 CVSS 9.8

CVE-2026-56030

Paytium - Unauthenticated Privilege Escalation

CVE-2026-56030 affects Paytium <= 5.0.2. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Paytium
2026-06-26 CVSS 9.8

CVE-2026-56032

Buddyboss Platform - Subscriber PHP Object Injection

CVE-2026-56032 affects Buddyboss Platform <= 3.0.4. Site owners should patch the component, preserve logs, and review logs and users before closing the issue.

Buddyboss Platform
2026-06-26 CVSS 9.8

CVE-2026-56033

Dokan Pro - Unauthenticated Privilege Escalation

CVE-2026-56033 affects Dokan Pro <= 5.0.4. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Dokan Pro
2026-06-26 CVSS 9.8

CVE-2026-56057

Uncanny Automator Pro - Subscriber PHP Object Injection

CVE-2026-56057 affects Uncanny Automator Pro <= 7.3.0.6. Site owners should patch the component, preserve logs, and review logs and users before closing the issue.

Uncanny Automator Pro
2026-06-24 CVSS 9.8

CVE-2026-39955

Cacti - pre-authentication graph view SQL injection risk

CVE-2026-39955 affects Cacti 1.2.30 and earlier. Upgrade to 1.2.31, review guest graph viewing exposure, database errors, and graph_view.php access logs.

Cacti Public PoC
2026-06-24 CVSS 9.8

CVE-2026-12416

Invoice Generator - password reset account takeover risk

CVE-2026-12416 affects the WordPress Invoice Generator plugin through 1.0.0. Site owners should patch or remove the plugin, review administrator password reset activity, and rotate credentials if account changes look suspicious.

Invoice Generator
2026-06-24 CVSS 9.8

CVE-2026-12417

SignUp & SignIn - weak password reset account takeover risk

CVE-2026-12417 affects the WordPress SignUp & SignIn plugin through 1.0.0. Site owners should patch or remove the plugin, review password reset events, and check for unexpected administrator access.

SignUp & SignIn Public PoC
2026-06-23 CVSS 9.8

CVE-2026-53753

Crawl4AI - computed field sandbox escape RCE risk

CVE-2026-53753 affects Crawl4AI before 0.8.7 when computed field expression handling can escape the intended sandbox. Patch, enable authentication, and review crawl jobs and container logs.

Crawl4AI Public PoC
2026-06-23 CVSS 9.8

CVE-2026-12866

expr-eval - toJSFunction code execution risk

CVE-2026-12866 affects expr-eval when untrusted expressions reach toJSFunction. Review Node services that compile user-controlled expressions, remove that path, and isolate affected workers.

expr-eval Public PoC
2026-06-21 CVSS 9.8

CVE-2026-56265

Crawl4AI - Docker API authentication bypass

CVE-2026-56265 affects Crawl4AI before 0.8.7 when the Docker API server uses a default JWT signing key. Patch, rotate secrets, and review API access logs before re-exposing the service.

Crawl4AI Public PoC
2026-06-20 CVSS 9.8

CVE-2026-11551

Branda - account takeover / privilege escalation

CVE-2026-11551 affects Branda through 3.4.29. Confirm the installed version, patch or disable the component, and review password reset events, administrators, and login sessions before closing the issue.

Branda
2026-06-20 CVSS 9.8

CVE-2022-50972

WooCommerce - remote code execution risk

CVE-2022-50972 affects WooCommerce 7.1.0. Confirm the installed version, patch or disable the component, and review WooCommerce product edits, changed PHP files, and web root file timestamps before closing the issue.

WooCommerce Public PoC
2026-06-19 CVSS 9.8

CVE-2026-48773

ProxySQL - pre-authentication memory corruption risk

CVE-2026-48773 affects ProxySQL 2.0.18 through 3.0.8. Patch to 3.0.9 or newer, restrict exposed listeners, and review ProxySQL process crashes, listener exposure, and connection spikes.

ProxySQL
2026-06-19 CVSS 9.8

CVE-2026-7515

BetterDocs Pro - Local file inclusion

CVE-2026-7515 affects BetterDocs Pro through 3.8.0. Confirm the installed version, patch or disable the component, and review PHP files and uploads before closing the issue.

BetterDocs Pro
2026-06-19 CVSS 9.8

CVE-2026-54414

FileRise - shared-folder upload file-write risk

CVE-2026-54414 affects FileRise before 3.16.0. Patch or remove public exposure, preserve logs, and review shared links, users.txt, upload folders, and new admin users.

FileRise Public PoC
2026-06-18 CVSS 9.8

CVE-2026-54419

PIAF-HMS - unauthenticated SQL injection

CVE-2026-54419 affects PIAF-HMS current public code. Patch or remove public exposure, preserve logs, and review hotel records, PBX-HMS database users, and web logs.

PIAF-HMS Public PoC
2026-06-18 CVSS 9.8

CVE-2026-55740

bus-ticket - unauthenticated SQL injection

CVE-2026-55740 affects the Nur-Alam39 bus-ticket PHP application. Public deployments should be taken out of exposure until SQL handling and database credentials are fixed, then database access and records should be reviewed.

bus-ticket Public PoC
2026-06-17 CVSS 9.8

CVE-2025-69127

Plumbing theme - unauthenticated PHP object injection

CVE-2025-69127 affects Plumbing through 1.6. Confirm the installed version, patch or disable the component, and review PHP errors, changed files, and unexpected plugin settings before closing the incident.

Plumbing
2026-06-17 CVSS 9.8

CVE-2026-49108

Moderno theme - unauthenticated PHP object injection

CVE-2026-49108 affects Moderno before 1.43. Confirm the installed version, patch or disable the component, and review PHP errors, changed files, and unexpected plugin settings before closing the incident.

Moderno
2026-06-17 CVSS 9.8

CVE-2025-60229

Lagom theme - PHP object injection

CVE-2025-60229 affects Lagom through 2.0. Confirm the installed version, patch or disable the component, and review PHP errors, changed files, and unexpected plugin settings before closing the incident.

Lagom
2026-06-17 CVSS 9.8

CVE-2025-60230

The Barber Shop theme - PHP object injection

CVE-2025-60230 affects The Barber Shop through 1.9. Confirm the installed version, patch or disable the component, and review PHP errors, changed files, and unexpected plugin settings before closing the incident.

The Barber Shop
2026-06-17 CVSS 9.8

CVE-2025-60231

The Hospital theme - PHP object injection

CVE-2025-60231 affects The Hospital through 1.8.1. Confirm the installed version, patch or disable the component, and review PHP errors, changed files, and unexpected plugin settings before closing the incident.

The Hospital
2026-06-17 CVSS 9.8

CVE-2025-60236

Creatify theme - PHP object injection

CVE-2025-60236 affects Creatify through 1.5. Confirm the installed version, patch or disable the component, and review PHP errors, changed files, and unexpected plugin settings before closing the incident.

Creatify
2026-06-17 CVSS 9.8

CVE-2025-69111

Reisen theme - unauthenticated PHP object injection

CVE-2025-69111 affects Reisen through 1.4.1. Confirm the installed version, patch or disable the component, and review PHP errors, changed files, and unexpected plugin settings before closing the incident.

Reisen
2026-06-17 CVSS 9.8

CVE-2026-27395

Support Board - unauthenticated privilege escalation

CVE-2026-27395 affects Support Board before 3.8.9. Confirm the installed version, patch or disable the component, and review new users, role changes, and administrator sessions before closing the incident.

Support Board
2026-06-17 CVSS 9.8

CVE-2026-27429

Nifty theme - unauthenticated PHP object injection

CVE-2026-27429 affects Nifty through 1.4.1. Confirm the installed version, patch or disable the component, and review PHP errors, changed files, and unexpected plugin settings before closing the incident.

Nifty
2026-06-17 CVSS 9.8

CVE-2026-39529

Elementra theme - unauthenticated PHP object injection

CVE-2026-39529 affects Elementra through 1.0.9. Confirm the installed version, patch or disable the component, and review PHP errors, changed files, and unexpected plugin settings before closing the incident.

Elementra
2026-06-17 CVSS 9.8

CVE-2026-40725

WooCommerce Product Filters - unauthenticated PHP object injection

CVE-2026-40725 affects WooCommerce Product Filters before 2.0.6. Confirm the installed version, patch or disable the component, and review PHP errors, changed files, and unexpected plugin settings before closing the incident.

WooCommerce Product Filters
2026-06-17 CVSS 9.8

CVE-2026-42380

AI Lab theme - unauthenticated PHP object injection

CVE-2026-42380 affects AI Lab before 5.4.2. Confirm the installed version, patch or disable the component, and review PHP errors, changed files, and unexpected plugin settings before closing the incident.

AI Lab
2026-06-17 CVSS 9.8

CVE-2026-49058

LoginPress Pro - unauthenticated privilege escalation

CVE-2026-49058 affects LoginPress Pro through 6.2.2. Confirm the installed version, patch or disable the component, and review new users, role changes, and administrator sessions before closing the incident.

LoginPress Pro
2026-06-17 CVSS 9.8

CVE-2026-49075

JetEngine - contributor PHP object injection

CVE-2026-49075 affects JetEngine through 3.8.9.1. Confirm the installed version, patch or disable the component, and review PHP errors, changed files, and unexpected plugin settings before closing the incident.

JetEngine
2026-06-17 CVSS 9.8

CVE-2026-49107

Thrive Apprentice - unauthenticated PHP object injection

CVE-2026-49107 affects Thrive Apprentice before 10.8.10.2. Confirm the installed version, patch or disable the component, and review PHP errors, changed files, and unexpected plugin settings before closing the incident.

Thrive Apprentice
2026-06-17 CVSS 9.8

CVE-2026-49767

wpForo Forum - unauthenticated broken authentication

CVE-2026-49767 affects wpForo Forum through 3.1.0. Confirm the installed version, patch or disable the component, and review new sessions, password changes, and account history before closing the incident.

wpForo Forum
2026-06-17 CVSS 9.8

CVE-2026-52706

JetEngine - unauthenticated PHP object injection

CVE-2026-52706 affects JetEngine through 3.8.10. Confirm the installed version, patch or disable the component, and review PHP errors, changed files, and unexpected plugin settings before closing the incident.

JetEngine
2026-06-17 CVSS 9.8
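
Every WordPress card on this page opens with "confirm the installed version", and the JetEngine cards show why the wording matters: one says "through 3.8.10" (inclusive), another "before 3.8.9.1" (exclusive, the first fixed build). The script below is an added example, not Ping7 or vendor code. It reads the `Plugin Name:` / `Theme Name:` and `Version:` headers WordPress itself uses, compares them against the affected ranges quoted in the cards, and treats "through" and "<=" as inclusive and "before" as exclusive (that reading of the feed text is an assumption; check the vendor advisory when a range is ambiguous). The sample headers are constructed; `scan_wp_content()` is what you would point at a real `wp-content` directory.

```python
"""Audit installed WordPress plugin/theme versions against advisory ranges.
Added example for this feed, not Ping7 or vendor code.
Range semantics assumed from the card wording:
  "through X" / "<= X" -> affected if installed <= X (inclusive)
  "before X"           -> affected if installed <  X (X is the fixed build)
"""
import pathlib
import re

# Constructed sample headers; values are illustrative, not from any real site.
SAMPLE_HEADERS = {
    "plugins/jet-engine/jet-engine.php": "/*\nPlugin Name: JetEngine\nVersion: 3.8.10\n*/",
    "plugins/supportboard/supportboard.php": "/*\nPlugin Name: Support Board\nVersion: 3.8.9\n*/",
    "plugins/wp-security-audit-log/wp-security-audit-log.php":
        "/*\nPlugin Name: WP Activity Log\nVersion: 5.6.4\n*/",
}

# (product name as shown in the card, keyword, bound) copied from this page.
AFFECTED = [
    ("JetEngine", "through", "3.8.10"),         # CVE-2026-52706
    ("Support Board", "before", "3.8.9"),       # CVE-2026-27395
    ("WP Activity Log", "through", "5.6.3.1"),  # CVE-2026-54806
]

INCLUSIVE = {"through": True, "<=": True, "before": False}


def parse_version(v):
    """'3.8.9.1' -> (3, 8, 9, 1). A '-beta1' style suffix is dropped."""
    return tuple(int(p) for p in re.findall(r"\d+", v.split("-")[0]))


def cmp_versions(a, b):
    """Compare tuples with zero padding so 3.8.9 == 3.8.9.0. Returns -1, 0 or 1."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def is_affected(installed, keyword, bound):
    """True when the installed version falls inside the advisory range."""
    c = cmp_versions(parse_version(installed), parse_version(bound))
    return c <= 0 if INCLUSIVE[keyword] else c < 0


def read_header(text):
    """Pull (name, version) out of a WordPress plugin or theme header comment."""
    name = re.search(r"^\s*(?:Plugin|Theme) Name:\s*(.+?)\s*$", text, re.M)
    ver = re.search(r"^\s*Version:\s*(.+?)\s*$", text, re.M)
    return (name.group(1) if name else None, ver.group(1) if ver else None)


def audit(headers, affected):
    """Return [(path, installed_version, 'keyword bound')] for each match."""
    findings = []
    for path, text in headers.items():
        name, ver = read_header(text)
        if not name or not ver:
            continue
        for product, keyword, bound in affected:
            if product.lower() == name.lower() and is_affected(ver, keyword, bound):
                findings.append((path, ver, f"{keyword} {bound}"))
    return findings


def scan_wp_content(root):
    """Collect headers from plugins/*/*.php and themes/*/style.css under wp-content.
    Not exercised by the embedded sample; use it against a real install."""
    base = pathlib.Path(root)
    headers = {}
    for p in list(base.glob("plugins/*/*.php")) + list(base.glob("themes/*/style.css")):
        try:
            headers[str(p.relative_to(base))] = p.read_text(errors="replace")[:8192]
        except OSError:
            continue
    return headers


if __name__ == "__main__":
    for path, ver, rng in audit(SAMPLE_HEADERS, AFFECTED):
        print(f"AFFECTED  {path}  installed {ver}  advisory range {rng}")
```

The version header is self-reported by the file on disk. On a site you already suspect, also compare file hashes against the vendor package, because an attacker who has written to `wp-content` can edit the header as easily as anything else.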

CVE-2026-54194

Fusion Builder - contributor PHP object injection

CVE-2026-54194 affects Fusion Builder through 3.15.4. Confirm the installed version, patch or disable the component, and review PHP errors, changed files, and unexpected plugin settings before closing the incident.

Fusion Builder
2026-06-17 CVSS 9.8

CVE-2026-54803

SMS Alert Order Notifications - subscriber privilege escalation

CVE-2026-54803 affects SMS Alert Order Notifications through 3.9.4. Confirm the installed version, patch or disable the component, and review new users, role changes, and administrator sessions before closing the incident.

SMS Alert Order Notifications
2026-06-17 CVSS 9.8

CVE-2026-54806

WP Activity Log - unauthenticated PHP object injection

CVE-2026-54806 affects WP Activity Log through 5.6.3.1. Confirm the installed version, patch or disable the component, and review PHP errors, changed files, and unexpected plugin settings before closing the incident.

WP Activity Log
2026-06-17 CVSS 9.8

CVE-2026-54807

Registration Form for WooCommerce - unauthenticated privilege escalation

CVE-2026-54807 affects Registration Form for WooCommerce through 1.0.9. Confirm the installed version, patch or disable the component, and review new users, role changes, and administrator sessions before closing the incident.

Registration Form for WooCommerce
2026-06-17 CVSS 9.8

CVE-2025-60205

ThemeREX Addons - unauthenticated PHP object injection

CVE-2025-60205 affects ThemeREX Addons through 2.36.1.1. Confirm the installed version, patch or disable the component, and review PHP errors, changed files, and unexpected plugin settings before closing the incident.

ThemeREX Addons
2026-06-17 CVSS 9.8

CVE-2025-69108

Hot Coffee theme - unauthenticated PHP object injection

CVE-2025-69108 affects Hot Coffee through 1.7. Confirm the installed version, patch or disable the component, and review PHP errors, changed files, and unexpected plugin settings before closing the incident.

Hot Coffee
2026-06-17 CVSS 9.8

CVE-2025-69122

SeaFood Company theme - unauthenticated PHP object injection

CVE-2025-69122 affects SeaFood Company through 1.4. Confirm the installed version, patch or disable the component, and review PHP errors, changed files, and unexpected plugin settings before closing the incident.

SeaFood Company
2026-06-17 CVSS 9.8

CVE-2025-69179

Support Ticket Management System - unauthenticated privilege escalation

CVE-2025-69179 affects Support Ticket Management System through 1.9. Confirm the installed version, patch or disable the component, and review new users, role changes, and administrator sessions before closing the incident.

Support Ticket Management System
2026-06-17 CVSS 9.8

CVE-2026-46860

MySQL Router - June 2026 Oracle CPU critical issue

CVE-2026-46860 affects MySQL Router 9.0.0 through 9.7.0. Patch public or internal routers and review routing logs, crashes, and unexpected client activity.

MySQL Router
2026-06-17 CVSS 9.8

CVE-2026-32966

Apache DolphinScheduler - DataSource API authorization gap

CVE-2026-32966 affects Apache DolphinScheduler DataSource API authorization. Operators should patch, restrict API exposure, and review datasource metadata access.

Apache DolphinScheduler
2026-06-17 CVSS 9.8

CVE-2026-47103

Python StateMachine - SCXML document code execution risk

CVE-2026-47103 affects Python StateMachine 3.0.0 before 3.2.0 when untrusted SCXML documents are processed. Upgrade and review services that import state machine definitions.

Python StateMachine
2026-06-15 CVSS 9.8

CVE-2026-38329

Bludit CMS - API plugin file upload RCE risk

CVE-2026-38329 affects Bludit before 3.18.4 when API plugin file handling is exposed. Review API token use, plugin access, uploaded files, and web-server logs before closing the issue.

Bludit CMS Public PoC
2026-06-15 CVSS 9.8

CVE-2026-50869

Bludit CMS - API plugin directory traversal

CVE-2026-50869 affects Bludit 3.19.0 API plugin handling. Treat public API plugin exposure as high risk, restrict access, review file paths, and preserve logs if suspicious reads or writes are found.

Bludit CMS Public PoC
2026-06-15 CVSS 9.8

CVE-2026-27053

Broadcast Live Video - unauthenticated PHP object injection

CVE-2026-27053 affects Broadcast Live Video before 7.1.3. WordPress sites should patch or disable the component, then review PHP errors, changed files, and unexpected plugin settings before closing the incident.

Broadcast Live Video
2026-06-15 CVSS 9.8

CVE-2026-34901

iControlWP - unauthenticated privilege escalation

CVE-2026-34901 affects iControlWP through 5.5.3. WordPress sites should patch or disable the component, then review new users, role changes, and administrator sessions before closing the incident.

iControlWP
2026-06-15 CVSS 9.8

CVE-2026-39583

Datalogics Ecommerce Delivery - unauthenticated privilege escalation

CVE-2026-39583 affects Datalogics Ecommerce Delivery through 2.6.62. WordPress sites should patch or disable the component, then review new users, role changes, and administrator sessions before closing the incident.

Datalogics Ecommerce Delivery
2026-06-15 CVSS 9.8

CVE-2026-49085

WP Insightly form integrations - unauthenticated PHP object injection

CVE-2026-49085 affects WP Insightly for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms through 1.1.4. WordPress sites should patch or disable the component, then review PHP errors, changed files, and unexpected plugin settings before closing the incident.

WP Insightly for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms
2026-06-15 CVSS 9.8

CVE-2026-49104

Keap and form integrations - unauthenticated PHP object injection

CVE-2026-49104 affects Integration for Keap/Infusionsoft and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms through 1.2.1. WordPress sites should patch or disable the component, then review PHP errors, changed files, and unexpected plugin settings before closing the incident.

Integration for Keap/Infusionsoft and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms
2026-06-15 CVSS 9.8

CVE-2026-49105

WP Zendesk form integrations - unauthenticated PHP object injection

CVE-2026-49105 affects WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms through 1.1.4. WordPress sites should patch or disable the component, then review PHP errors, changed files, and unexpected plugin settings before closing the incident.

WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms
2026-06-15 CVSS 9.8

CVE-2026-49106

Constant Contact and Contact Form 7 integration - unauthenticated PHP object injection

CVE-2026-49106 affects Integration for Contact Form 7 and Constant Contact through 1.1.6. WordPress sites should patch or disable the component, then review PHP errors, changed files, and unexpected plugin settings before closing the incident.

Integration for Contact Form 7 and Constant Contact
2026-06-15 CVSS 9.8

CVE-2026-49109

Salesforce and form integrations - unauthenticated PHP object injection

CVE-2026-49109 affects Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms through 1.4.3. WordPress sites should patch or disable the component, then review PHP errors, changed files, and unexpected plugin settings before closing the incident.

Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms
2026-06-15 CVSS 9.8

CVE-2026-49763

Contact Form 7 HubSpot integration - unauthenticated PHP object injection

CVE-2026-49763 affects Integration for Contact Form 7 HubSpot through 1.3.7. WordPress sites should patch or disable the component, then review PHP errors, changed files, and unexpected plugin settings before closing the incident.

Integration for Contact Form 7 HubSpot
2026-06-15 CVSS 9.8

CVE-2026-49764

RegistrationMagic - unauthenticated broken authentication

CVE-2026-49764 affects RegistrationMagic through 6.0.8.6. WordPress sites should patch or disable the component, then review new sessions, password changes, and account history before closing the incident.

RegistrationMagic
2026-06-15 CVSS 9.8

CVE-2026-49765

Mailchimp and form integrations - unauthenticated PHP object injection

CVE-2026-49765 affects Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms through 1.1.8. WordPress sites should patch or disable the component, then review PHP errors, changed files, and unexpected plugin settings before closing the incident.

Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms
2026-06-15 CVSS 9.8

CVE-2026-49768

Happyforms - unauthenticated PHP object injection

CVE-2026-49768 affects Happyforms through 1.26.13. WordPress sites should patch or disable the component, then review PHP errors, changed files, and unexpected plugin settings before closing the incident.

Happyforms
2026-06-15 CVSS 9.8

CVE-2026-49769

wpForo Forum - unauthenticated PHP object injection

CVE-2026-49769 affects wpForo Forum through 3.1.0. WordPress sites should patch or disable the component, then review PHP errors, changed files, and unexpected plugin settings before closing the incident.

wpForo Forum
2026-06-15 CVSS 9.8

CVE-2026-49770

WP Travel Engine - unauthenticated PHP object injection

CVE-2026-49770 affects WP Travel Engine through 6.7.12. WordPress sites should patch or disable the component, then review PHP errors, changed files, and unexpected plugin settings before closing the incident.

WP Travel Engine
2026-06-15 CVSS 9.8

CVE-2026-49781

OttoKit - unauthenticated PHP object injection

CVE-2026-49781 affects OttoKit through 1.1.27. WordPress sites should patch or disable the component, then review PHP errors, changed files, and unexpected plugin settings before closing the incident.

OttoKit
2026-06-15 CVSS 9.8

CVE-2026-9691

ActiveCampaign and form integrations - unauthenticated PHP object injection

CVE-2026-9691 affects Integration for ActiveCampaign and Contact Form 7, WPForms, Elementor, Ninja Forms through 1.1.1. WordPress sites should patch or disable the component, then review PHP errors, changed files, and unexpected plugin settings before closing the incident.

Integration for ActiveCampaign and Contact Form 7, WPForms, Elementor, Ninja Forms
2026-06-12 CVSS 9.8

CVE-2026-47210

vm2 - async sandbox escape with WebAssembly JSPI

CVE-2026-47210 affects vm2 before 3.11.4. Services that run untrusted JavaScript should upgrade, isolate sandbox workers, and review logs for unexpected outbound access or worker failures.

vm2 Public PoC
2026-06-12 CVSS 9.8

CVE-2026-50632

Apache CXF - incomplete JMS RCE fix

CVE-2026-50632 is the JMS-side issue (an incomplete fix for an earlier JMS remote code execution bug) in the June 2026 Apache CXF advisory batch. Check OAuth2, JMS/JCA, JWS JSON, or attachment handling depending on the module in use, then upgrade to 4.2.2 or 4.1.7.

Apache CXF
2026-06-12 CVSS 9.8

CVE-2026-50633

Apache CXF - JCA JNDI injection

CVE-2026-50633 is the JCA JNDI injection issue in the June 2026 Apache CXF advisory batch. Check OAuth2, JMS/JCA, JWS JSON, or attachment handling depending on the module in use, then upgrade to 4.2.2 or 4.1.7.

Apache CXF
2026-06-12 CVSS 9.8

CVE-2026-53787

Magento Amasty Order Attributes - unauthenticated arbitrary file upload

CVE-2026-53787 affects Amasty Order Attributes for Magento 2 before 4.0.0. Magento stores should patch, review upload directories, and block script execution from media paths.

Amasty Order Attributes for Magento 2
2026-06-12 CVSS 9.8

CVE-2026-54133

jmespath.php - compiler runtime code execution risk

CVE-2026-54133 affects jmespath.php before 2.9.1 when untrusted expressions reach the compiler runtime. Patch and use the non-compiler runtime for user-controlled expressions.

jmespath.php Public PoC
2026-06-13 CVSS 9.8

CVE-2026-12183

BUK TS-G - authentication weakness in system configuration handling

CVE-2026-12183 affects BUK TS-G Gas Station Automation System 2.9.1 through 2.10.2 on Linux. Treat exposed panels as high risk, restrict access to trusted networks, patch, and review system configuration or administrative changes.

BUK TS-G Gas Station Automation System Public PoC
2026-06-15 CVSS 9.8

CVE-2026-48114

Metacat 2.x - unauthenticated SQL injection

CVE-2026-48114 affects Metacat 2.x through 2.19.1 in the harvester registration path. Operators should upgrade to Metacat 3.x, restrict legacy servlet exposure, and review PostgreSQL and repository logs.

Metacat Public PoC
2026-06-08 CVSS 9.8

CVE-2026-52778

YesWiki - Bazar CalcField unsafe formula handling

CVE-2026-52778 affects YesWiki before 4.6.6 through the Bazar CalcField formula calculator. Public YesWiki sites should upgrade, review Bazar forms, and check logs for repeated form submissions or PHP file changes.

YesWiki
2026-06-08 CVSS 9.8

CVE-2026-44631

Apache HTTP Server - regex configuration buffer underwrite

CVE-2026-44631 affects Apache HTTP Server 2.4.0 through 2.4.67 via crafted regular expressions in configuration. Operators should upgrade to 2.4.68 and review regex-heavy vhost, rewrite, and match directives.

Apache HTTP Server
2026-06-11 CVSS 9.8

CVE-2026-11561

Apinizer - expression language injection code injection

CVE-2026-11561 affects Apinizer 2026.04.0 before 2026.04.6. API gateway owners should identify exposed Apinizer nodes, upgrade to a fixed release, and review gateway logs, admin activity, and policy changes.

Apinizer
2026-06-11 CVSS 9.8

CVE-2026-45060

ClipBucket v5 - unauthenticated SQL injection in video progress handling

CVE-2026-45060 affects ClipBucket v5 before 5.5.3 #129. Public video-sharing installs should patch, review anonymous video progress traffic, database access logs, and unexpected admin or media changes.

ClipBucket v5 Public PoC
2026-06-05 CVSS 9.8

CVE-2026-10580

Hippoo Mobile App for WooCommerce - unauthenticated admin takeover

CVE-2026-10580 affects Hippoo Mobile App for WooCommerce through 1.9.4. Public stores should update to 1.9.5 or newer, review administrator accounts, WooCommerce API activity, password resets, and payment settings.

Hippoo Mobile App for WooCommerce
2026-06-11 CVSS 9.8

CVE-2026-49060

Hippoo Mobile App for WooCommerce - privilege escalation

CVE-2026-49060 affects Hippoo Mobile App for WooCommerce through 1.9.4. Store owners should patch, review administrator and shop manager accounts, mobile app API activity, and recent order-setting changes.

Hippoo Mobile App for WooCommerce
2026-06-11 CVSS 9.8

CVE-2026-38581

thaipalliative_lte - SQL injection in study form handling

CVE-2026-38581 affects thaipalliative_lte through 3.0. Operators should restrict public access, review study form traffic, database logs, and patient-data exposure before reopening.

thaipalliative_lte Public PoC
2026-06-10 CVSS 9.8

CVE-2026-20253

Splunk - unauthenticated PostgreSQL sidecar file operation exposure

CVE-2026-20253 affects some Splunk Enterprise and Splunk Cloud Platform versions where a PostgreSQL sidecar service endpoint lacks authentication controls. Patch and review service exposure, file changes, apps, and admin activity.

Splunk
2026-06-10 CVSS 9.8

CVE-2026-38615

DedeCMS - command execution in file management code

CVE-2026-38615 affects DedeCMS V5.7.118 file management code. Legacy public installs should be removed or patched, and operators should review file manager activity, upload directories, and unexpected PHP files.

DedeCMS Public PoC
2026-06-10 CVSS 9.8

CVE-2025-6254

Doctreat Core - unauthenticated administrator registration

CVE-2025-6254 affects Doctreat Core through 1.6.8 and can allow unauthenticated administrator registration. Review new admins, registration logs, role changes, and plugin version.

Doctreat Core
2026-06-10 CVSS 9.8

CVE-2026-46614

Fission - internal function routes exposed on public router

CVE-2026-46614 affects Fission before 1.23.0 where internal function routes may be exposed through the public router listener. Review ingress, router services, and NetworkPolicy.

Fission Public PoC
2026-06-09 CVSS 9.8

CVE-2026-45447

OpenSSL - PKCS#7 signature verification use-after-free

CVE-2026-45447 affects applications that process PKCS#7 or S/MIME signed messages through OpenSSL PKCS#7 APIs. Upgrade OpenSSL and review applications that ingest signed email, certificate bundles, or uploaded cryptographic containers.

OpenSSL Public PoC
2026-06-09 CVSS 9.8

CVE-2026-29167

Apache HTTP Server - mod_ldap per-directory use-after-free

CVE-2026-29167 affects Apache HTTP Server 2.4.0 through 2.4.67 when mod_ldap is used in per-directory configuration. Apache rates the issue low, while NVD scores it critical. Upgrade to 2.4.68 and review LDAP-related Apache locations.

Apache HTTP Server
2026-06-08 CVSS 9.8

CVE-2023-54352

WordPress Seotheme - Unauthenticated Remote Code Execution

CVE-2023-54352 is an unauthenticated RCE in the WordPress Seotheme theme with public technical indicators. Site owners should check for the known shell IOC, related seoplugins paths, unexpected admins, modified theme files, and web-log hits before cleanup.

WordPress Seotheme Public PoC
2026-06-02 CVSS 9.8

CVE-2026-8206

Kirki Page Builder - unauthenticated admin account takeover via password reset

The password reset endpoint in Kirki 6.0.0 through 6.0.6 sends the reset link to an attacker-supplied email address instead of the account owner's, so one unauthenticated request can hijack any administrator account. 500K+ installs; Wordfence reports blocking 222+ attacks/day.

WordPress Active Exploit Public PoC
2026-05-19 CVSS 9.8

CVE-2026-4885

Piotnet Addons for Elementor Pro - unauthenticated file upload to RCE

Unauthenticated arbitrary file upload in Piotnet Addons for Elementor Pro (<= 7.1.70). Uploaded PHP-like files may execute on common hosting stacks, so owners should patch and inspect upload directories for unexpected scripts.

WordPress Public PoC
2026-04-28 CVSS 9.8

CVE-2026-41940

cPanel/WHM - pre-auth CRLF injection to root access

Pre-authentication CRLF injection in cPanel & WHM session handling leading to root access. 44,000 IPs compromised, 7,135 hit by .sorry ransomware. The persistent Mr_Rot13 Filemanager backdoor survives the patch, so patched hosts still need a compromise check. A second emergency TSR followed on May 8.

cPanel CISA KEV Active Exploit Public PoC
2026-04-20 CVSS 9.8

CVE-2026-1492

User Registration & Membership - authentication bypass to admin takeover

Authentication bypass in the User Registration & Membership plugin (60,000+ active installs). An unauthenticated attacker can take over any account, including administrator accounts. Patched in 4.2.4; older versions remain exposed.

WordPress
2026-06-24 CVSS 9.6

CVE-2026-53943

Ghost CMS - shared cache preview poisoning risk

CVE-2026-53943 affects Ghost before 6.37.0 in shared-cache deployments. Review cache rules, preview headers, staff sessions, and frontend/admin domain separation.

Ghost CMS Public PoC
2026-06-18 CVSS 9.6

CVE-2026-55742

Cotonti - administration rights CSRF

CVE-2026-55742 affects Cotonti 1.0.0 master branch. Patch or remove public exposure, preserve logs, and review rights changes, group permissions, and admin sessions.

Cotonti Public PoC
2026-06-17 CVSS 9.6

CVE-2026-46861

MySQL NDB Cluster Operator - June 2026 Oracle CPU critical issue

CVE-2026-46861 affects MySQL NDB Cluster Operator versions in the 8.0, 8.4, and 9.x lines listed by Oracle. Patch the operator and review cluster control-plane access.

MySQL NDB Cluster
2026-06-15 CVSS 9.6

CVE-2026-52703

FastDup - unauthenticated path traversal

CVE-2026-52703 affects FastDup through 2.7.2. WordPress sites should patch or disable the component, then review file access logs and unexpected downloads before closing the incident.

FastDup
2026-06-10 CVSS 9.6

CVE-2026-46703

Boxlite - OCI image extraction path handling

CVE-2026-46703 affects Boxlite before 0.9.0 when untrusted OCI images are loaded into sandbox hosts. Patch and review image sources, host file changes, and sandbox runtime logs.

Boxlite Public PoC
2026-06-10 CVSS 9.6

CVE-2026-53474

migration-planner - RVTools spreadsheet SQL injection

CVE-2026-53474 affects migration-planner when uploaded RVTools spreadsheets are processed. Review import history, service account exposure, and patched build status.

migration-planner Public PoC
2026-06-08 CVSS 9.5

CVE-2026-47430

Cordova Plugin InAppBrowser iOS - callback boundary weakness

CVE-2026-47430 affects cordova-plugin-inappbrowser 3.1.0 through 6.0.0 on iOS. Apps that open OAuth, payment, deep-link, or marketing pages in InAppBrowser should upgrade to 6.0.1 and review plugin callback trust boundaries.

Apache Cordova
2026-06-11 CVSS 9.5

CVE-2026-47172

Quest Bot - privileged deploy workflow exposure

CVE-2026-47172 affects Quest Bot before 1.0.3. Review GitHub Actions workflows that promote pull-request builds into privileged Docker deployment jobs.

Quest Bot Public PoC
2026-06-11 CVSS 9.5

CVE-2026-47174

Duck Site - privileged deploy workflow exposure

CVE-2026-47174 affects Duck Site before 1.0.1. Review build-to-deploy workflow boundaries, package-write permissions, and production image publishing rules.

Duck Site Public PoC
2026-06-25 CVSS 9.4

CVE-2026-41566

Apache Kvrocks - security boundary risk

CVE-2026-41566 is an improper handling of insufficient permissions or privileges issue in Apache Kvrocks. Confirm whether Kvrocks is present in your stack, patch affected deployments, and review who can reach it.

Apache Kvrocks
2026-06-25 CVSS 9.4

CVE-2026-55413

ToolJet - remote code execution risk

CVE-2026-55413 affects ToolJet. ToolJet is the open-source foundation of an AI-native platform for building and deploying internal tools, workflows and AI agents. Prior to 3.20.178-lts, any authenticated user with builder role (free tier) can overwrite a ... Patch the affected deployment and review workflow and admin logs.

ToolJet
2026-06-23 CVSS 9.4

CVE-2026-28496

FOSSBilling - Twig template SSTI and RCE risk

CVE-2026-28496 affects FOSSBilling through 0.7.2 when Twig templates are rendered without the intended sandbox. Patch and review email templates, payment adapters, admin actions, and tokens.

FOSSBilling Public PoC
2026-06-22 CVSS 9.4

CVE-2026-56422

MISP - mass assignment and object re-ownership

CVE-2026-56422 affects MISP through 2.5.41. Authenticated users may be able to cause saves against objects outside the row checked by authorization. Patch and review ownership, sharing scope, event, proposal, and organisation changes.

MISP Public PoC
2026-06-19 CVSS 9.4

CVE-2026-12045

pgAdmin 4 - AI Assistant SQL safety bypass

CVE-2026-12045 affects pgAdmin 4 9.13 before 9.16. Upgrade to pgAdmin 4 9.16 or newer, then review AI Assistant use, database role privileges, and pgAdmin logs.

pgAdmin 4 Public PoC
2026-06-05 CVSS 9.4

CVE-2026-46399

HAX CMS PHP - file overwrite and Git filter risk

CVE-2026-46399 affects HAX CMS PHP before 26.0.0. Review file overwrite paths, Git filters, remote URLs, repository history access, and any content changes made by privileged users.

HAX CMS Public PoC
2026-06-26 CVSS 9.3

CVE-2026-54820

JetBooking - Unauthenticated SQL Injection

CVE-2026-54820 affects JetBooking <= 4.0.4.1. Site owners should patch the component, preserve logs, and review database logs before closing the issue.

JetBooking
2026-06-26 CVSS 9.3

CVE-2026-54825

wpDataTables - Unauthenticated SQL Injection

CVE-2026-54825 affects wpDataTables <= 7.4. Site owners should patch the component, preserve logs, and review database logs before closing the issue.

wpDataTables
2026-06-26 CVSS 9.3

CVE-2026-54827

Real Estate 7 - Unauthenticated SQL Injection

CVE-2026-54827 affects Real Estate 7 <= 3.5.9. Site owners should patch the component, preserve logs, and review database logs before closing the issue.

Real Estate 7
2026-06-26 CVSS 9.3

CVE-2026-54831

GeoDirectory - Unauthenticated SQL Injection

CVE-2026-54831 affects GeoDirectory <= 2.8.162. Site owners should patch the component, preserve logs, and review database logs before closing the issue.

GeoDirectory
2026-06-26 CVSS 9.3

CVE-2026-56034

Library Management System - Unauthenticated SQL Injection

CVE-2026-56034 affects Library Management System <= 3.5.7. Site owners should patch the component, preserve logs, and review database logs before closing the issue.

Library Management System
2026-06-26 CVSS 9.3

CVE-2026-56036

Korean SimplePay WooCommerce plugin - Unauthenticated SQL Injection

CVE-2026-56036 affects Korean SimplePay WooCommerce plugin <= 5.5.6. Site owners should patch the component, preserve logs, and review database logs before closing the issue.

Korean SimplePay WooCommerce plugin
2026-06-26 CVSS 9.3

CVE-2026-56062

Quotes llama - Unauthenticated SQL Injection

CVE-2026-56062 affects Quotes llama <= 3.1.5. Site owners should patch the component, preserve logs, and review database logs before closing the issue.

Quotes llama
2026-06-26 CVSS 9.3

CVE-2026-56067

JetSmartFilters - Unauthenticated SQL Injection

CVE-2026-56067 affects JetSmartFilters <= 3.8.3. Site owners should patch the component, preserve logs, and review database logs before closing the issue.

JetSmartFilters
2026-06-26 CVSS 9.3

CVE-2026-56070

Advance Product Search - Unauthenticated SQL Injection

CVE-2026-56070 affects Advance Product Search <= 1.4.4. Site owners should patch the component, preserve logs, and review database logs before closing the issue.

Advance Product Search
2026-06-25 CVSS 9.3

CVE-2026-54836

YMC Filter - SQL injection

CVE-2026-54836 affects YMC Filter in releases before the vendor-fixed version. Site owners should patch the component, preserve logs, and review database logs before closing the issue.

YMC Filter
2026-06-25 CVSS 9.3

CVE-2026-54849

Premmerce Wishlist for WooCommerce - Unauthenticated SQL Injection

CVE-2026-54849 affects Premmerce Wishlist for WooCommerce <= 1.1.11. Site owners should patch the component, preserve logs, and review database logs before closing the issue.

Premmerce Wishlist for WooCommerce
2026-06-24 CVSS 9.3

CVE-2026-39948

Cacti - guest graph SQL injection risk

CVE-2026-39948 affects Cacti 1.2.30 and earlier where guest graph viewing can expose SQL injection risk. Patch to 1.2.31 and review database and web logs.

Cacti Public PoC
2026-06-23 CVSS 9.3

CVE-2026-54257

Electron - Node Buffer byte length calculation issue

CVE-2026-54257 affects Electron 42.3.1 and 42.3.2 through incorrect Node Buffer byte length calculations. Patch Electron and rebuild distributed desktop packages.

Electron Public PoC
2026-06-22 CVSS 9.3

CVE-2026-56425

MISP AAD auth - OAuth state and session hardening issue

CVE-2026-56425 affects the MISP Azure Active Directory authentication plugin. Operators should patch the AAD auth fix, enforce HTTPS redirect URIs, rotate exposed sessions if needed, and review OAuth callback logs.

MISP Public PoC
2026-06-19 CVSS 9.3

CVE-2026-12048

pgAdmin 4 - stored XSS in error and plan rendering

CVE-2026-12048 affects pgAdmin 4 6.0 before 9.16. Upgrade to pgAdmin 4 9.16 or newer, then review connected server names, object names, and user browser sessions.

pgAdmin 4 Public PoC
2026-06-17 CVSS 9.3

CVE-2026-54812

Motors - SQL injection

CVE-2026-54812 affects Motors through 1.4.109. Confirm the installed version, patch or disable the component, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

Motors
2026-06-17 CVSS 9.3

CVE-2026-54815

Cargo Shipping Location for WooCommerce - SQL injection

CVE-2026-54815 affects Cargo Shipping Location for WooCommerce through 5.6. Confirm the installed version, patch or disable the component, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

Cargo Shipping Location for WooCommerce
2026-06-17 CVSS 9.3

CVE-2026-54819

Listdom - SQL injection

CVE-2026-54819 affects Listdom through 5.4.0. Confirm the installed version, patch or disable the component, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

Listdom
2026-06-17 CVSS 9.3

CVE-2025-59554

Advanced Ads Tracking - unauthenticated SQL injection

CVE-2025-59554 affects Advanced Ads - Tracking before 3.0.7. Confirm the installed version, patch or disable the component, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

Advanced Ads - Tracking
2026-06-17 CVSS 9.3

CVE-2026-22332

Tutor LMS Pro - unauthenticated SQL injection

CVE-2026-22332 affects Tutor LMS Pro through 3.9.6. Confirm the installed version, patch or disable the component, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

Tutor LMS Pro
2026-06-17 CVSS 9.3
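
The PHP object injection cards earlier on this page ask owners to review PHP errors and the SQL injection cards here ask for database errors and unusual request patterns. Both reviews start from the same two files, the web server access log and the PHP/WordPress error log, so one scanner serves both groups of cards. The script below is an added example, not Ping7 code. It parses combined-format access log lines, URL-decodes the request target (twice, because double encoding is a common way to slip past filters), and flags serialized PHP object markers (`O:<len>:"<class>":`) and common SQL injection probe shapes; on the error-log side it flags the messages PHP and WordPress print when injected input reaches `unserialize()` or the database. The log lines are constructed, the patterns are heuristics rather than proof, and a hit means "pull this request into the investigation", not "compromised".

```python
"""Scan access-log and PHP error-log lines for object-injection and SQL
injection signals. Added example; not Ping7 code. Sample lines are constructed."""
import re
from urllib.parse import unquote_plus

# Apache/nginx combined format: ip - - [time] "METHOD target HTTP/x" status bytes ...
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)'
)
# Serialized PHP object header: O:<len>:"<class>":<nprops>:{
SERIALIZED_OBJ = re.compile(r'O:\d+:"[A-Za-z0-9_\\]+":\d+:\{')
# Request-side SQL injection probe shapes. Tune to the application to cut noise.
SQLI_PROBE = re.compile(
    r"(union\s+(?:all\s+)?select|information_schema|\bsleep\s*\(|benchmark\s*\(|"
    r"'\s*or\s+'?\d+'?\s*=\s*'?\d+|/\*!\d{5})",
    re.I,
)
# Error-log side: what WordPress / PHP emit when bad input reaches the DB or unserialize().
ERROR_SIGNALS = {
    "sql_error": re.compile(r"WordPress database error|You have an error in your SQL syntax", re.I),
    "unserialize_error": re.compile(r"unserialize\(\): Error at offset|__PHP_Incomplete_Class", re.I),
}

# Constructed sample lines (no real hosts, no real exploit strings).
ACCESS_SAMPLE = [
    '203.0.113.7 - - [17/Jun/2026:10:01:22 +0000] "GET /?wc_filters=O%3A8%3A%22stdClass%22'
    '%3A1%3A%7Bs%3A1%3A%22a%22%3Bi%3A1%3B%7D HTTP/1.1" 200 5120 "-" "curl/8.0"',
    '203.0.113.7 - - [17/Jun/2026:10:01:25 +0000] "GET /?s=1%27%20UNION%20SELECT%201%2C2%2C3--'
    ' HTTP/1.1" 500 0 "-" "curl/8.0"',
    '198.51.100.4 - - [17/Jun/2026:10:02:00 +0000] "GET /shop/?orderby=price HTTP/1.1"'
    ' 200 9876 "-" "Mozilla/5.0"',
]
ERROR_SAMPLE = [
    "[17-Jun-2026 10:01:25 UTC] WordPress database error You have an error in your SQL syntax;"
    " check the manual that corresponds to your MySQL server version for query SELECT ID FROM wp_posts",
    "[17-Jun-2026 10:01:22 UTC] PHP Notice:  unserialize(): Error at offset 12 of 40 bytes in"
    " /var/www/html/wp-content/plugins/example/filters.php on line 88",
    "[17-Jun-2026 10:05:00 UTC] PHP Notice:  Undefined index: foo in"
    " /var/www/html/wp-content/themes/example/functions.php on line 10",
]


def decode_target(target):
    """Undo up to two layers of URL encoding so O%3A... and O%253A... both decode."""
    for _ in range(2):
        target = unquote_plus(target)
    return target


def classify_access(line):
    """Return a finding dict for a suspicious access-log line, else None."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    target = decode_target(m.group("target"))
    hits = []
    if SERIALIZED_OBJ.search(target):
        hits.append("serialized_php_object")
    if SQLI_PROBE.search(target):
        hits.append("sqli_probe")
    if not hits:
        return None
    return {"ip": m.group("ip"), "time": m.group("time"), "status": m.group("status"),
            "target": m.group("target"), "hits": hits}


def classify_error(line):
    """Return a finding dict for a suspicious error-log line, else None."""
    hits = [name for name, rx in ERROR_SIGNALS.items() if rx.search(line)]
    return {"line": line, "hits": hits} if hits else None


def scan(access_lines, error_lines):
    """Access-log findings first, then error-log findings, in file order."""
    findings = [f for f in map(classify_access, access_lines) if f]
    findings += [f for f in map(classify_error, error_lines) if f]
    return findings


if __name__ == "__main__":
    for f in scan(ACCESS_SAMPLE, ERROR_SAMPLE):
        print(f["hits"], f.get("target") or f.get("line")[:80])
```

Correlate the two sides by timestamp: a request carrying a serialized object followed within a second by an `unserialize()` notice from a plugin file, or a quoted probe followed by a WordPress database error, is the pairing worth escalating. POST bodies are not in the access log, so for form-driven plugins the error log is often the only server-side trace.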

CVE-2026-22340

WPJobster - unauthenticated SQL injection

CVE-2026-22340 affects WPJobster through 6.3.5. Confirm the installed version, patch or disable the component, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

WPJobster
2026-06-17 CVSS 9.3

CVE-2026-39438

ListingPro - unauthenticated SQL injection

CVE-2026-39438 affects ListingPro through 2.9.10. Confirm the installed version, patch or disable the component, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

ListingPro
2026-06-17 CVSS 9.3

CVE-2026-39596

Blocksy Companion Pro - unauthenticated SQL injection

CVE-2026-39596 affects Blocksy Companion Pro before 2.1.29. Confirm the installed version, patch or disable the component, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

Blocksy Companion Pro
2026-06-17 CVSS 9.3

CVE-2026-48875

JetSmartFilters - unauthenticated SQL injection

CVE-2026-48875 affects JetSmartFilters through 3.8.1. Confirm the installed version, patch or disable the component, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

JetSmartFilters
2026-06-17 CVSS 9.3

CVE-2026-49076

JetEngine - unauthenticated SQL injection

CVE-2026-49076 affects JetEngine through 3.8.9.1. Confirm the installed version, patch or disable the component, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

JetEngine
2026-06-17 CVSS 9.3

CVE-2026-49079

JetSearch - unauthenticated SQL injection

CVE-2026-49079 affects JetSearch through 3.5.17. Confirm the installed version, patch or disable the component, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

JetSearch
2026-06-17 CVSS 9.3

CVE-2026-49080

wpDataTables - unauthenticated SQL injection

CVE-2026-49080 affects wpDataTables through 7.3.6. Confirm the installed version, patch or disable the component, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

wpDataTables
2026-06-17 CVSS 9.3

CVE-2026-49084

JetEngine - unauthenticated SQL injection

CVE-2026-49084 affects JetEngine before 3.8.9.1. Confirm the installed version, patch or disable the component, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

JetEngine
2026-06-17 CVSS 9.3

CVE-2026-54186

JobSearch - unauthenticated SQL injection

CVE-2026-54186 affects JobSearch through 3.2.9. Confirm the installed version, patch or disable the component, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

JobSearch
2026-06-17 CVSS 9.3

CVE-2026-54187

JetEngine - unauthenticated SQL injection

CVE-2026-54187 affects JetEngine through 3.8.10.1. Confirm the installed version, patch or disable the component, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

JetEngine
2026-06-17 CVSS 9.3

CVE-2026-54808

WP Travel Gutenberg Blocks - SQL injection

CVE-2026-54808 affects WP Travel Gutenberg Blocks through 3.9.4. Confirm the installed version, patch or disable the component, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

WP Travel Gutenberg Blocks
2026-06-17 CVSS 9.3

CVE-2026-54809

GIFT4U - SQL injection

CVE-2026-54809 affects GIFT4U through 1.0.10. Confirm the installed version, patch or disable the component, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

GIFT4U
2026-06-17 CVSS 9.3

CVE-2026-54811

WP eMember - unauthenticated SQL injection

CVE-2026-54811 affects WP eMember before 10.9.4. Confirm the installed version, patch or disable the component, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

WP eMember
2026-06-17 CVSS 9.3

CVE-2026-48616

Rocket.Chat - Livechat protected file access control issue

CVE-2026-48616 affects Rocket.Chat Livechat file download authorization in multiple branches before the fixed releases. Patch and review protected file download logs.

Rocket.Chat
2026-06-18 CVSS 9.3

CVE-2026-48768

TypeBot - unauthenticated file upload URL generation issue

CVE-2026-48768 affects TypeBot 3.16.1 and earlier through unauthenticated file upload URL generation. Patch, review storage buckets, and rotate exposed upload credentials if needed.

TypeBot Public PoC
2026-06-16 CVSS 9.3

CVE-2026-39574

InPost Gallery - SQL injection

CVE-2026-39574 affects InPost Gallery through 2.1.4.6. Confirm the installed version, patch or disable the plugin, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

InPost Gallery
2026-06-16 CVSS 9.3

CVE-2026-49772

The Events Calendar - SQL injection

CVE-2026-49772 affects The Events Calendar 6.15.12 - 6.16.2. Confirm the installed version, patch or disable the plugin, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

The Events Calendar
2026-06-16 CVSS 9.3

CVE-2026-52715

GEO my WordPress - SQL injection

CVE-2026-52715 affects GEO my WordPress through 4.5.5. Confirm the installed version, patch or disable the plugin, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

GEO my WordPress
2026-06-15 CVSS 9.3

CVE-2026-39441

Feed KuantoKusta for WooCommerce - unauthenticated SQL injection

CVE-2026-39441 affects Feed KuantoKusta for WooCommerce Free through 5.3. WordPress sites should patch or disable the component, then review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

Feed KuantoKusta for WooCommerce Free
2026-06-15 CVSS 9.3

CVE-2026-39492

WP Maps - unauthenticated SQL injection

CVE-2026-39492 affects WP Maps through 4.9.1. WordPress sites should patch or disable the component, then review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

WP Maps
2026-06-15 CVSS 9.3

CVE-2026-39493

Simply Schedule Appointments - unauthenticated SQL injection

CVE-2026-39493 affects Simply Schedule Appointments through 1.6.9.27. WordPress sites should patch or disable the component, then review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

Simply Schedule Appointments
2026-06-15 CVSS 9.3

CVE-2026-39502

Form Maker by 10Web - unauthenticated SQL injection

CVE-2026-39502 affects Form Maker by 10Web through 1.15.38. WordPress sites should patch or disable the component, then review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

Form Maker by 10Web
2026-06-15 CVSS 9.3

CVE-2026-39511

WP Photo Album Plus - unauthenticated SQL injection

CVE-2026-39511 affects WP Photo Album Plus through 9.1.08.001. WordPress sites should patch or disable the component, then review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

WP Photo Album Plus
2026-06-15 CVSS 9.3

CVE-2026-39512

GeoDirectory - unauthenticated SQL injection

CVE-2026-39512 affects GeoDirectory through 2.8.152. WordPress sites should patch or disable the component, then review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

GeoDirectory
2026-06-15 CVSS 9.3

CVE-2026-39519

GeekyBot - unauthenticated SQL injection

CVE-2026-39519 affects GeekyBot through 1.2.0. WordPress sites should patch or disable the component, then review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

GeekyBot
2026-06-15 CVSS 9.3

CVE-2026-39530

SpeakOut! Email Petitions - unauthenticated SQL injection

CVE-2026-39530 affects SpeakOut! Email Petitions through 4.6.5. WordPress sites should patch or disable the component, then review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

SpeakOut! Email Petitions
2026-06-15 CVSS 9.3

CVE-2026-40771

Contest Gallery - unauthenticated SQL injection

CVE-2026-40771 affects Contest Gallery through 28.1.6. WordPress sites should patch or disable the component, then review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

Contest Gallery
2026-06-15 CVSS 9.3

CVE-2026-40798

wpForo Forum - unauthenticated SQL injection

CVE-2026-40798 affects wpForo Forum through 3.0.4. WordPress sites should patch or disable the component, then review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

wpForo Forum
2026-06-15 CVSS 9.3

CVE-2026-42381

Funnel Builder by FunnelKit - unauthenticated SQL injection

CVE-2026-42381 affects Funnel Builder by FunnelKit through 3.15.0.1. WordPress sites should patch or disable the component, then review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

Funnel Builder by FunnelKit
2026-06-15 CVSS 9.3

CVE-2026-42386

Order Delivery Date for WooCommerce - unauthenticated SQL injection

CVE-2026-42386 affects Order Delivery Date for WooCommerce through 4.5.1. WordPress sites should patch or disable the component, then review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

Order Delivery Date for WooCommerce
2026-06-15 CVSS 9.3

CVE-2026-42639

GD Rating System - unauthenticated SQL injection

CVE-2026-42639 affects GD Rating System through 3.6.2. WordPress sites should patch or disable the component, then review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

GD Rating System
2026-06-15 CVSS 9.3

CVE-2026-42665

WP Data Access - unauthenticated SQL injection

CVE-2026-42665 affects WP Data Access through 5.5.70. WordPress sites should patch or disable the component, then review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

WP Data Access
2026-06-15 CVSS 9.3

CVE-2026-45439

Realtyna Organic IDX - unauthenticated SQL injection

CVE-2026-45439 affects Realtyna Organic IDX through 5.1.0. WordPress sites should patch or disable the component, then review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

Realtyna Organic IDX
2026-06-15 CVSS 9.3

CVE-2026-48886

JS Help Desk - unauthenticated SQL injection

CVE-2026-48886 affects JS Help Desk through 3.0.9. WordPress sites should patch or disable the component, then review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

JS Help Desk
2026-06-15 CVSS 9.3

CVE-2026-49067

Advanced 301 and 302 Redirect - unauthenticated SQL injection

CVE-2026-49067 affects Advanced 301 and 302 Redirect through 1.6.9. WordPress sites should patch or disable the component, then review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

Advanced 301 and 302 Redirect
2026-06-15 CVSS 9.3

CVE-2026-49776

GPTranslate - unauthenticated SQL injection

CVE-2026-49776 affects GPTranslate through 2.32.6. WordPress sites should patch or disable the component, then review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

GPTranslate
2026-06-15 CVSS 9.3

CVE-2026-52693

eCommerce Product Catalog - unauthenticated SQL injection

CVE-2026-52693 affects eCommerce Product Catalog through 3.5.5. WordPress sites should patch or disable the component, then review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

eCommerce Product Catalog
2026-06-12 CVSS 9.3

CVE-2026-44990

ApostropheCMS / sanitize-html - sanitizer bypass stored XSS

CVE-2026-44990 affects ApostropheCMS or a common dependency path in June 2026. Check package versions, trusted base URL, editor content, outbound fetch behavior, and password reset events.

ApostropheCMS Public PoC
2026-06-15 CVSS 9.3

CVE-2026-49952

Discuz! X5.0 - authentication bypass in backup/restore boundary

CVE-2026-49952 affects Discuz! X5.0 releases 20260320 through 20260501. Forum operators should upgrade to 20260510 or newer, restrict administrative paths, and review database backup and restore activity.

Discuz! X5.0 Public PoC
2026-06-15 CVSS 9.3

CVE-2026-5482

Responsive FileManager - unrestricted file upload to RCE risk

CVE-2026-5482 affects Tecrail Responsive FileManager through 9.14.0. The project was reported as unmaintained at assignment time, so exposed deployments should be removed or isolated and upload directories reviewed.

Responsive FileManager Public PoC
2026-06-05 CVSS 9.3

CVE-2026-45777

Open XDMoD - unauthenticated remote code execution

CVE-2026-45777 affects Open XDMoD 9.5.0 through 11.0.2. HPC portals should upgrade to 11.0.3 or newer, restrict web access, and review web-server process activity and application logs.

Open XDMoD Active Exploit
2026-06-05 CVSS 9.3

CVE-2026-46395

HAX CMS Node.js - private signing key disclosure

CVE-2026-46395 affects the HAX CMS Node.js backend through 25.0.0. Public HAX CMS operators should upgrade, rotate JWT signing material and site tokens, then review admin activity that has no matching normal login events.

HAX CMS Public PoC
2026-06-05 CVSS 9.3

CVE-2026-46396

HAX CMS - stored XSS through iframe handling

CVE-2026-46396 affects HAX CMS content rendering before 26.0.0. Operators should patch, review iframe-heavy pages, and inspect admin sessions and tokens after suspicious content edits.

HAX CMS Public PoC
2026-06-05 CVSS 9.3

CVE-2026-46496

HAX CMS - stored XSS through video-player component

CVE-2026-46496 affects HAX CMS media content before 26.0.0. Review video-player usage, media edits, admin sessions, and token exposure after patching.

HAX CMS Public PoC
2026-06-08 CVSS 9.3

CVE-2026-50751

Check Point - deprecated IKEv1 VPN authentication bypass

CVE-2026-50751 affects Check Point Remote Access VPN and Mobile Access deployments that still accept deprecated IKEv1. Check Point reported exploitation in the wild; operators should patch, disable or restrict IKEv1, and review VPN logs from 2026-05-07 onward.

Check Point Remote Access VPN / Mobile Access Active Exploit
2026-06-11 CVSS 9.3

CVE-2026-39494

Product Filter by WBW - blind SQL injection

CVE-2026-39494 affects Product Filter by WBW through 3.1.2. WooCommerce stores should patch, then review filter traffic, database errors, and unusual product catalog queries.

Product Filter by WBW
2026-06-11 CVSS 9.3

CVE-2026-42647

JoomSport - blind SQL injection

CVE-2026-42647 affects JoomSport through 5.7.7. Site owners should patch, then review league-management traffic, database logs, and editor/admin activity.

JoomSport
2026-05-29 CVSS 9.3

FreePBX-Cluster-2026-05

FreePBX May 2026 Cluster - 4 CVEs in one day (UCP takeover · CDR SQLi · OAuth bypass · path traversal)

Four FreePBX CVEs published the same day. CVE-2026-46376 (9.3) is a pre-auth UCP takeover via hard-coded initial template credentials. CVE-2026-44238 (8.5) is SQL injection in the CDR Reports module via order/sort parameters. In CVE-2026-44237 (7.6), the OAuth2 validateClient() method unconditionally returns true. CVE-2026-44239 (7.6) is PHP path traversal in the Dashboard module's getcontent handler. Patch lines: 16.0.50 / 17.0.11.

FreePBX Public PoC
2026-05-27 CVSS 9.3

CVE-2026-48027

Nx Console VS Code Extension - Supply Chain Attack (Actively Exploited)

Malicious Nx Console version 18.95.0 was published to VS Code Marketplace for ~18 minutes and OpenVSX for ~36 minutes on May 19, 2026. The compromised extension contained embedded malicious code (CWE-506) that executed at activation. Auto-update users may have installed it. CISA has added this to the Known Exploited Vulnerabilities catalog.

VS Code CISA KEV Active Exploit Public PoC
2026-06-22 CVSS 9.2

CVE-2026-45034

PhpSpreadsheet - stream wrapper patch bypass

CVE-2026-45034 affects PhpSpreadsheet before 1.30.5 when unsafe file paths can bypass wrapper blocking. Review spreadsheet import features, uploaded files, and PHP 7.x exposure.

PhpSpreadsheet Public PoC
2026-06-20 CVSS 9.2

CVE-2026-56345

AVideo - Meet plugin authorization bypass and account takeover risk

CVE-2026-56345 affects AVideo through 29.0. Check the installed version, restrict exposed plugins during patching, and review Meet plugin settings, recorded-video uploads, user sessions, and admin logins.

AVideo Public PoC
2026-06-18 CVSS 9.2

CVE-2026-56020

Webmin - SSL client certificate impersonation risk

CVE-2026-56020 affects Webmin before 2.641. Patch to 2.641 or newer, restrict the Webmin listener, and review login history, miniserv configuration, and certificate-auth users.

Webmin Public PoC
2026-06-17 CVSS 9.2

CVE-2026-42055

NGINX - HTTP/2 proxy and gRPC module request handling risk

CVE-2026-42055 affects NGINX proxy and gRPC module configurations in the June 2026 F5 advisory. Review HTTP/2 proxying, gRPC exposure, and edge logs before closing.

NGINX
2026-06-17 CVSS 9.2

CVE-2026-42530

NGINX - HTTP/3 QUIC module request handling risk

CVE-2026-42530 affects NGINX HTTP/3 QUIC module deployments. Operators should confirm whether HTTP/3 is enabled, patch, and review edge stability and request logs.

NGINX
2026-05-13 CVSS 9.2

CVE-2026-42945

NGINX Rift - 18-Year-Old RCE in ngx_http_rewrite_module

A heap buffer overflow in ngx_http_rewrite_module, present in the codebase since 2008. Risk rises on systems using the affected rewrite configuration pattern. Affects roughly one third of all websites.

NGINX Public PoC
2026-06-26 CVSS 9.1

CVE-2025-55017

Apache IoTDB - path traversal risk

CVE-2025-55017 affects Apache IoTDB through an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') weakness. Patch the affected deployment and review trust and service logs.

Apache IoTDB
2026-06-26 CVSS 9.1

CVE-2025-64152

Apache IoTDB - path traversal risk

CVE-2025-64152 affects Apache IoTDB through an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') weakness. Patch the affected deployment and review trust and service logs.

Apache IoTDB
2026-06-26 CVSS 9.1

CVE-2026-57658

TemplateSpare - Administrator Arbitrary File Upload

CVE-2026-57658 affects TemplateSpare <= 4.2.0. Site owners should patch the component, preserve logs, and review files and uploads before closing the issue.

TemplateSpare
2026-06-24 CVSS 9.1

CVE-2026-45688

Rocket.Chat - CAS login NoSQL authorization bypass risk

CVE-2026-45688 affects Rocket.Chat before 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11. Review SSO login events and active sessions after patching.

Rocket.Chat Public PoC
2026-06-24 CVSS 9.1

CVE-2026-45689

Rocket.Chat - OAuth token NoSQL authorization bypass risk

CVE-2026-45689 affects Rocket.Chat before 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11. Review OAuth tokens, app installs, and administrator activity.

Rocket.Chat Public PoC
2026-06-24 CVSS 9.1

CVE-2026-12486

GeoVision GV-I/O Box 4E - network-setting command execution risk

CVE-2026-12486 affects GeoVision GV-I/O Box 4E devices covered by the June 2026 Talos advisories. Device owners should isolate management access, apply vendor firmware guidance, and review network or relay configuration changes.

GeoVision GV-I/O Box 4E
2026-06-24 CVSS 9.1

CVE-2026-12849

GeoVision GV-I/O Box 4E - netmask command execution risk

CVE-2026-12849 affects GeoVision GV-I/O Box 4E devices covered by the June 2026 Talos advisories. Device owners should isolate management access, apply vendor firmware guidance, and review network or relay configuration changes.

GeoVision GV-I/O Box 4E
2026-06-24 CVSS 9.1

CVE-2026-12850

GeoVision GV-I/O Box 4E - gateway command execution risk

CVE-2026-12850 affects GeoVision GV-I/O Box 4E devices covered by the June 2026 Talos advisories. Device owners should isolate management access, apply vendor firmware guidance, and review network or relay configuration changes.

GeoVision GV-I/O Box 4E
2026-06-24 CVSS 9.1

CVE-2026-12851

GeoVision GV-I/O Box 4E - DNS command execution risk

CVE-2026-12851 affects GeoVision GV-I/O Box 4E devices covered by the June 2026 Talos advisories. Device owners should isolate management access, apply vendor firmware guidance, and review network or relay configuration changes.

GeoVision GV-I/O Box 4E
2026-06-19 CVSS 9.1

CVE-2026-8713

Avada / Fusion Builder - File deletion risk

CVE-2026-8713 affects Avada / Fusion Builder through 3.15.3. Confirm the installed version, patch or disable the component, and review Avada forms, deleted files, and wp-config state before closing the issue.

Avada / Fusion Builder
2026-06-17 CVSS 9.1

CVE-2026-24611

MetForm Pro - unauthenticated broken access control

CVE-2026-24611 affects MetForm Pro through 3.9.1. Confirm the installed version, patch or disable the component, and review new sessions, booking records, order changes, and account history before closing the incident.

MetForm Pro
2026-06-17 CVSS 9.1

CVE-2026-50203

Apache Airflow SFTP provider - path traversal write risk

CVE-2026-50203 affects Apache Airflow SFTP provider workflows where a malicious or compromised SFTP server can influence retrieved paths. Patch the provider and review DAG output directories.

Apache Airflow Public PoC
2026-06-18 CVSS 9.1

CVE-2026-32967

Apache DolphinScheduler - v2 experimental interface authorization gap

CVE-2026-32967 affects the Apache DolphinScheduler v2 experimental interface. Patch, restrict exposed API routes, and review scheduler user activity.

Apache DolphinScheduler
2026-06-18 CVSS 9.1

CVE-2026-36418

JimuReport - Aviator expression remote code execution risk

CVE-2026-36418 affects JimuReport 2.3.4 and below through unsafe expression handling. Patch, restrict report execution APIs, and review report templates and server logs.

JimuReport Public PoC
2026-06-18 CVSS 9.1

CVE-2026-48814

Network-AI - unauthenticated cross-origin MCP tool invocation

CVE-2026-48814 affects Network-AI 5.7.1 and earlier when MCP SSE endpoints allow unauthenticated cross-origin tool invocation. Patch and review tool invocation logs.

Network-AI Public PoC
2026-06-18 CVSS 9.1

CVE-2026-20266

Splunk AI Toolkit - admin OS command execution risk

CVE-2026-20266 affects Splunk AI Toolkit versions below 5.7.4. Splunk admins should patch and review AI Toolkit actions, app changes, and host-level process activity.

Splunk AI Toolkit
2026-06-15 CVSS 9.1

CVE-2026-48714

i18next-http-middleware - remote prototype pollution risk in missing-key handling

CVE-2026-48714 affects i18next-http-middleware before 3.9.7 when missing-key write handling is exposed with vulnerable backend behavior. Upgrade, restrict the handler, and review translation persistence logs for unexpected writes.

i18next-http-middleware Public PoC
2026-06-15 CVSS 9.1

CVE-2026-39465

Responsive Slider by MetaSlider - editor remote code execution

CVE-2026-39465 affects Responsive Slider by MetaSlider through 3.106.0. WordPress owners should confirm the plugin version, patch or disable the component, and review changed files, cron jobs, users, and web server logs before closing the incident.

Responsive Slider by MetaSlider
2026-06-15 CVSS 9.1

CVE-2026-48881

TrueBooker - unauthenticated broken access control

CVE-2026-48881 affects TrueBooker through 1.1.9. WordPress owners should confirm the plugin version, patch or disable the component, and review new sessions, booking records, order changes, and account history before closing the incident.

TrueBooker
2026-06-12 CVSS 9.1

CVE-2026-53609

ApostropheCMS - prototype pollution authorization bypass

CVE-2026-53609 affects ApostropheCMS or a common dependency path in June 2026. Check package versions, trusted base URL, editor content, outbound fetch behavior, and password reset events.

ApostropheCMS Public PoC
2026-06-12 CVSS 9.1

CVE-2026-9067

Schema & Structured Data for WP & AMP - arbitrary media upload

CVE-2026-9067 affects Schema & Structured Data for WP & AMP before 1.60. WordPress sites should update the plugin, review media uploads, and check for unexpected files under wp-content/uploads.

Schema & Structured Data for WP & AMP
2026-06-10 CVSS 9.1

CVE-2026-45550

Roxy-WI - monitoring check cross-tenant update issue

CVE-2026-45550 affects Roxy-WI monitoring check update paths. Multi-tenant operators should review check ownership, recent changes, and user group boundaries.

Roxy-WI Public PoC
2026-06-09 CVSS 9.1

CVE-2026-42535

Apache HTTP Server - mod_dav_fs WebDAV property database manipulation

CVE-2026-42535 affects Apache HTTP Server 2.4.67 and earlier when mod_dav_fs is in use. WebDAV content authors may be able to manipulate trusted DAV property databases and trigger child process crashes. Upgrade to 2.4.68 and review DAV-enabled locations.

Apache HTTP Server
2026-05-29 CVSS 9.1

CVE-2026-4290

WP Travel Pro - Unauthenticated Arbitrary User Deletion

Unauthenticated user deletion in WP Travel Pro (<= 10.6.0). The affected REST permission path can allow destructive user deletion without a valid admin session. Patch to 10.6.1 and audit recent user changes.

WordPress
2026-06-26 CVSS 9.0

CVE-2026-45405

Dokku - authentication boundary risk

CVE-2026-45405 affects Dokku. Dokku is a docker-powered PaaS. Prior to 0.38.2, the git:from-archive and certs:add commands extract user-supplied tar/zip archives into temporary directories without sanitizing member paths or preventing symlink travers... Patch the affected deployment and review workflow and admin logs.

Dokku
2026-06-26 CVSS 9.0

CVE-2026-45406

Dokku - security boundary risk

CVE-2026-45406 affects Dokku. Dokku is a docker-powered PaaS. Prior to 0.38.2, the openresty-vhosts plugin copies files from an app's openresty/http-includes/ git repository directory to the host and then interpolates their filenames, unescaped, into... Patch the affected deployment and review workflow and admin logs.

Dokku
2026-06-26 CVSS 9.0

CVE-2026-45408

Dokku - authentication boundary risk

CVE-2026-45408 affects Dokku. Dokku is a docker-powered PaaS. Prior to 0.38.2, the app name validation regex (^[a-z0-9][^/:_A-Z]*$) permits shell metacharacters. When an authenticated user pushes to a git remote with a crafted app name, the name is e... Patch the affected deployment and review workflow and admin logs.

Dokku
2026-06-26 CVSS 9.0

CVE-2026-54636

Dokku - security boundary risk

CVE-2026-54636 affects Dokku. Dokku is a docker-powered PaaS. Prior to 0.38.7, the cron plugin utilizes commands in the app.json file to manage system cron running as the Dokku user. An app.json cron command utilizing special shell characters - inclu... Patch the affected deployment and review workflow and admin logs.

Dokku
2026-06-17 CVSS 9.0

CVE-2026-52705

SigmaForms Pro - unauthenticated arbitrary file upload

CVE-2026-52705 affects SigmaForms Pro - AI Generated Forms through 1.4.5. Confirm the installed version, patch or disable the component, and review upload directories, new PHP files, and web access logs before closing the incident.

SigmaForms Pro - AI Generated Forms

🟡 High (CVSS 7.0–8.9) - Patch this month

2026-06-24 CVSS 8.9

CVE-2026-50189

Appsmith - bundled supervisord XML-RPC exposure

CVE-2026-50189 affects Appsmith before 2.1. Review supervisord exposure, administrator activity, container process history, and environment access.

Appsmith Public PoC
2026-06-26 CVSS 8.8

CVE-2025-68052

Eagle Booking - Unauthenticated Cross Site Request Forgery (CSRF)

CVE-2025-68052 affects Eagle Booking <= 1.3.4.3. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Eagle Booking
2026-06-26 CVSS 8.8

CVE-2026-56008

Fusion Builder - Contributor Privilege Escalation

CVE-2026-56008 affects Fusion Builder <= 3.15.4. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Fusion Builder
2026-06-26 CVSS 8.8

CVE-2026-56010

Abandoned Cart Pro for WooCommerce - Subscriber Privilege Escalation

CVE-2026-56010 affects Abandoned Cart Pro for WooCommerce <= 10.4.0. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Abandoned Cart Pro for WooCommerce
2026-06-26 CVSS 8.8

CVE-2026-56038

Frisbii Pay - Contributor Privilege Escalation

CVE-2026-56038 affects Frisbii Pay <= 1.8.2. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Frisbii Pay
2026-06-26 CVSS 8.8

CVE-2026-57518

Pagekit CMS - privilege escalation risk

CVE-2026-57518 affects Pagekit CMS. Pagekit CMS 1.0.18 contains a privilege escalation vulnerability that allows authenticated users with the 'user: manage users' permission to escalate privileges by assigning arbitrary custom roles to themselves due to mi... Patch the affected deployment and review web and app logs.

Pagekit CMS
2026-06-26 CVSS 8.8

CVE-2026-57659

Paid Memberships Pro - Add Member From Admin - Unauthenticated Cross Site Request Forgery (CSRF)

CVE-2026-57659 affects Paid Memberships Pro - Add Member From Admin <= 0.7.2. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Paid Memberships Pro - Add Member From Admin
2026-06-25 CVSS 8.8

CVE-2026-56053

EventPrime - Subscriber PHP Object Injection

CVE-2026-56053 affects EventPrime <= 4.3.4.1. Site owners should patch the component, preserve logs, and review logs and users before closing the issue.

EventPrime
2026-06-25 CVSS 8.8

CVE-2026-9155

Rapid7 InsightConnect Sed Plugin - command execution risk in Linux workflow action

CVE-2026-9155 affects the Rapid7 InsightConnect Sed Plugin on Linux. Review workflow runs, connector permissions, input sources, generated artifacts, and runner logs before re-enabling affected automation.

Rapid7 InsightConnect Sed Plugin
2026-06-24 CVSS 8.8

CVE-2026-9772

Unraid - FileUpload command execution risk

CVE-2026-9772 affects Unraid web administration paths where authenticated access can lead to command execution. Restrict admin access, patch, and review plugin, upload, and process activity.

Unraid Public PoC
2026-06-24 CVSS 8.8

CVE-2026-9773

Unraid - ToggleState command execution risk

CVE-2026-9773 affects Unraid web administration paths where authenticated access can lead to command execution. Restrict admin access, patch, and review plugin, upload, and process activity.

Unraid Public PoC
2026-06-24 CVSS 8.8

CVE-2026-57280

Jenkins Script Security Plugin - sandbox constructor bypass

CVE-2026-57280 affects a Jenkins plugin covered by the 2026-06-24 advisory. Patch the plugin, review permissions, and preserve controller logs before cleanup.

Jenkins
2026-06-24 CVSS 8.8

CVE-2026-57296

Jenkins External Workspace Manager - controller file read to RCE risk

CVE-2026-57296 affects a Jenkins plugin covered by the 2026-06-24 advisory. Patch the plugin, review permissions, and preserve controller logs before cleanup.

Jenkins
2026-06-24 CVSS 8.8

CVE-2026-57301

Jenkins OWASP ZAP Plugin - controller build execution risk

CVE-2026-57301 affects a Jenkins plugin covered by the 2026-06-24 advisory. Patch the plugin, review permissions, and preserve controller logs before cleanup.

Jenkins
2026-06-24 CVSS 8.8

CVE-2026-12242

AdRotate Banner Manager - shortcode PHP code injection risk

CVE-2026-12242 affects AdRotate Banner Manager through 5.17.7 when certain cache support settings are enabled. Review shortcode content, cache settings, and contributor activity.

AdRotate Banner Manager
2026-06-24 CVSS 8.8

CVE-2026-4297

Welcome Software Publishing - arbitrary option update privilege escalation

CVE-2026-4297 affects the Welcome Software Publishing plugin through 0.0.31. Review XML-RPC exposure, changed site options, default role settings, and newly registered users.

Welcome Software Publishing
2026-06-24 CVSS 8.8

CVE-2026-7761

Ultimate Member - password reset link exposure risk

CVE-2026-7761 affects Ultimate Member through 2.11.4. Review contributor accounts, member directory configuration, password reset events, and administrator sessions before closing the issue.

Ultimate Member
2026-06-23 CVSS 8.8

CVE-2026-34916

Revive Adserver - PHP code injection through delivery limitation logical parameter

CVE-2026-34916 affects Revive Adserver 6.0.6 and earlier. Patch to 6.0.7 or newer, restrict low-privilege account access during review, and check delivery limitation changes, compiledlimitations records, and banner delivery logs.

Revive Adserver Public PoC
2026-06-23 CVSS 8.8

CVE-2026-44959

Revive Adserver - PHP code injection through unexpected delivery limitation component

CVE-2026-44959 affects Revive Adserver 6.0.6 and earlier. Patch to 6.0.7 or newer, restrict low-privilege account access during review, and check unexpected limitation parameters, compiledlimitations records, and PHP error logs.

Revive Adserver Public PoC
2026-06-23 CVSS 8.8

CVE-2026-41862

Spring Statemachine - Kryo persisted context deserialization

CVE-2026-41862 affects Spring Statemachine Kryo persistence backends when persisted contexts deserialize without an allowlist. Patch and plan the persisted-state migration before restart.

Spring Statemachine
2026-06-22 CVSS 8.8

CVE-2026-54232

vLLM Dockerfile - dependency confusion build risk

CVE-2026-54232 affects vLLM Docker builds before 0.22.1 through a dependency-confusion risk in a Dockerfile package install path. Rebuild images with fixed vLLM, verify package sources, and rotate secrets if affected images reached production.

vLLM Public PoC
2026-06-21 CVSS 8.8
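
Dependency confusion in a container build usually comes from a package install step that consults a public index as well as a private one, so the resolver is free to pick a same-named package from whichever index offers the higher version. The page does not state vLLM's exact root cause, so the following is an added, generic self-check rather than vLLM's code: it walks the RUN instructions of a Dockerfile (joining backslash continuations), finds pip installs, and flags `--extra-index-url` used without `--require-hashes` and any requirement that is not pinned or referenced by URL. The sample Dockerfile and the private index host are constructed for the example.

```python
import re
import shlex

# Constructed sample Dockerfile (not vLLM's); the private index host is invented.
SAMPLE_DOCKERFILE = """\
FROM python:3.12-slim
RUN pip install --extra-index-url https://pypi.internal.example/simple internal-utils==1.4.0
RUN pip install --index-url https://pypi.internal.example/simple internal-utils==1.4.0
RUN pip install requests==2.32.3 --require-hashes -r requirements.txt
RUN pip install --extra-index-url https://download.pytorch.org/whl/cu121 \\
    torch
"""

# pip options that consume the following token, so it is not a requirement spec.
OPTS_WITH_VALUE = {"-r", "--requirement", "-c", "--constraint", "-i", "--index-url",
                   "--extra-index-url", "-f", "--find-links", "-t", "--target"}


def iter_run_commands(dockerfile_text):
    """Yield the shell text of each RUN instruction, joining backslash continuations."""
    current = None
    for raw in dockerfile_text.splitlines():
        line = raw.strip()
        if current is None:
            if not line.upper().startswith("RUN "):
                continue
            current = []
            line = line[4:]
        continued = line.endswith("\\")
        current.append(line.rstrip("\\").strip())
        if not continued:
            yield " ".join(current)
            current = None
    if current:
        yield " ".join(current)


def requirement_specs(argv):
    """Return the positional requirement specs of a 'pip install' argv."""
    specs, skip = [], False
    for tok in argv[argv.index("install") + 1:]:
        if skip:
            skip = False
        elif tok in OPTS_WITH_VALUE:
            skip = True
        elif not tok.startswith("-"):
            specs.append(tok)
    return specs


def is_pinned(spec):
    """Exact pin ('==' or '==='), a direct URL/VCS reference, or a local path."""
    return "==" in spec or "@" in spec or spec.startswith((".", "/"))


def audit_pip_installs(dockerfile_text):
    """Return findings for pip installs that a dependency-confusion attack could influence."""
    findings = []
    for cmd in iter_run_commands(dockerfile_text):
        # Check each pip invocation in a chained command separately.
        for part in re.split(r"&&|\|\||;", cmd):
            argv = shlex.split(part.strip())
            if "install" not in argv:
                continue
            head = argv[: argv.index("install")]
            if not any(tok.rsplit("/", 1)[-1] in ("pip", "pip3") for tok in head):
                continue
            uses_extra_index = any(a == "--extra-index-url" or a.startswith("--extra-index-url=")
                                   for a in argv)
            if uses_extra_index and "--require-hashes" not in argv:
                findings.append({"command": part.strip(),
                                 "issue": "extra-index-url without --require-hashes"})
            for spec in requirement_specs(argv):
                if not is_pinned(spec):
                    findings.append({"command": part.strip(),
                                     "issue": "unpinned requirement: " + spec})
    return findings


if __name__ == "__main__":
    for finding in audit_pip_installs(SAMPLE_DOCKERFILE):
        print(finding["issue"], "::", finding["command"])
```

On the sample, the `--index-url` line is clean (it replaces the default index instead of adding to it) and the hash-checked line is clean; the two `--extra-index-url` lines are flagged, and the unpinned `torch` spec is flagged a second time. Run the same audit over the real Dockerfile of the image you ship, then confirm the rebuilt image resolves each private package from the private index only.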

CVE-2026-56396

phpMyFAQ - administrator privilege escalation

CVE-2026-56396 affects phpMyFAQ before 4.1.4. Patch or remove public exposure, preserve logs, and review admin user changes, rights changes, and FAQ admin logs.

phpMyFAQ Public PoC
2026-06-19 CVSS 8.8

CVE-2017-20252

Joomla NextGen Editor - SQL injection

CVE-2017-20252 affects Joomla NextGen Editor 2.1.0. Check whether the extension is installed, remove abandoned copies, and review database errors, extension settings, and user activity.

Joomla NextGen Editor Public PoC
2026-06-19 CVSS 8.8

CVE-2017-20253

Joomla My Projects - SQL injection

CVE-2017-20253 affects Joomla My Projects 2.0. Check whether the extension is installed, remove abandoned copies, and review project records, database errors, and user activity.

Joomla My Projects Public PoC
2026-06-19 CVSS 8.8

CVE-2017-20254

Joomla User Bench - SQL injection

CVE-2017-20254 affects Joomla User Bench 1.0. Check whether the extension is installed, remove abandoned copies, and review user records, database errors, and access logs.

Joomla User Bench Public PoC
2026-06-19 CVSS 8.8

CVE-2017-20255

Joomla JB Visa - SQL injection

CVE-2017-20255 affects Joomla JB Visa 1.0. Check whether the extension is installed, remove abandoned copies, and review booking records, database errors, and access logs.

Joomla JB Visa Public PoC
2026-06-19 CVSS 8.8

CVE-2017-20256

Joomla Survey Force Deluxe - SQL injection

CVE-2017-20256 affects Joomla Survey Force Deluxe 3.2.4. Check whether the extension is installed, remove abandoned copies, and review survey records, database errors, and access logs.

Joomla Survey Force Deluxe Public PoC
2026-06-19 CVSS 8.8

CVE-2017-20257

Joomla Quiz Deluxe - SQL injection

CVE-2017-20257 affects Joomla Quiz Deluxe 3.7.4. Check whether the extension is installed, remove abandoned copies, and review quiz records, database errors, and access logs.

Joomla Quiz Deluxe Public PoC
2026-06-19 CVSS 8.8

CVE-2017-20258

Joomla RPC Responsive Portfolio - SQL injection

CVE-2017-20258 affects Joomla RPC Responsive Portfolio 1.6.1. Check whether the extension is installed, remove abandoned copies, and review portfolio records, database errors, and access logs.

Joomla RPC Responsive Portfolio Public PoC
2026-06-19 CVSS 8.8

CVE-2017-20259

Joomla OSDownloads - SQL injection

CVE-2017-20259 affects Joomla OSDownloads 1.7.4. Check whether the extension is installed, remove abandoned copies, and review download records, database errors, and access logs.

Joomla OSDownloads Public PoC
2026-06-19 CVSS 8.8

CVE-2017-20260

Joomla Price Alert - SQL injection

CVE-2017-20260 affects Joomla Price Alert 3.0.2. Check whether the extension is installed, remove abandoned copies, and review price alert records, database errors, and access logs.

Joomla Price Alert Public PoC
2026-06-19 CVSS 8.8

CVE-2017-20261

Joomla Bargain Product VM3 - SQL injection

CVE-2017-20261 affects Joomla Bargain Product VM3 1.0. Check whether the extension is installed, remove abandoned copies, and review VirtueMart product records, database errors, and access logs.

Joomla Bargain Product VM3 Public PoC
2026-06-19 CVSS 8.8

CVE-2017-20262

Joomla Ajax Quiz - SQL injection

CVE-2017-20262 affects Joomla Ajax Quiz 1.8. Check whether the extension is installed, remove abandoned copies, and review quiz records, database errors, and access logs.

Joomla Ajax Quiz Public PoC
2026-06-19 CVSS 8.8

CVE-2017-20263

Joomla FocalPoint Pro/Free - SQL injection

CVE-2017-20263 affects Joomla FocalPoint Pro/Free 1.2.3. Check whether the extension is installed, remove abandoned copies, and review content records, database errors, and access logs.

Joomla FocalPoint Pro/Free Public PoC
2026-06-19 CVSS 8.8

CVE-2017-20266

Joomla SP Movie Database - SQL injection

CVE-2017-20266 affects Joomla SP Movie Database 1.3. Check whether the extension is installed, remove abandoned copies, and review movie records, database errors, and access logs.

Joomla SP Movie Database Public PoC
2026-06-19 CVSS 8.8

CVE-2017-20267

Joomla Calendar Planner - SQL injection

CVE-2017-20267 affects Joomla Calendar Planner 1.0.1. Check whether the extension is installed, remove abandoned copies, and review calendar records, database errors, and access logs.

Joomla Calendar Planner Public PoC
2026-06-19 CVSS 8.8

CVE-2017-20268

Joomla Zap Calendar Lite - SQL injection

CVE-2017-20268 affects Joomla Zap Calendar Lite 4.3.4. Check whether the extension is installed, remove abandoned copies, and review calendar records, database errors, and access logs.

Joomla Zap Calendar Lite Public PoC
2026-06-19 CVSS 8.8

CVE-2017-20269

Joomla KissGallery - SQL injection

CVE-2017-20269 affects Joomla KissGallery 1.0.0. Check whether the extension is installed, remove abandoned copies, and review gallery records, database errors, and access logs.

Joomla KissGallery Public PoC
2026-06-19 CVSS 8.8

CVE-2017-20270

Joomla Twitch Tv - SQL injection

CVE-2017-20270 affects Joomla Twitch Tv 1.1. Check whether the extension is installed, remove abandoned copies, and review video records, database errors, and access logs.

Joomla Twitch Tv Public PoC
2026-06-19 CVSS 8.8

CVE-2017-20271

Joomla StreetGuessr Game - SQL injection

CVE-2017-20271 affects Joomla StreetGuessr Game 1.1.8. Check whether the extension is installed, remove abandoned copies, and review game records, database errors, and access logs.

Joomla StreetGuessr Game Public PoC
2026-06-19 CVSS 8.8

CVE-2017-20272

Joomla Ultimate Property Listing - SQL injection

CVE-2017-20272 affects Joomla Ultimate Property Listing 1.0.2. Check whether the extension is installed, remove abandoned copies, and review property records, database errors, and access logs.

Joomla Ultimate Property Listing Public PoC
2026-06-19 CVSS 8.8

CVE-2017-20273

Joomla Event Registration Pro Calendar - SQL injection

CVE-2017-20273 affects Joomla Event Registration Pro Calendar 4.1.3. Check whether the extension is installed, remove abandoned copies, and review event records, database errors, and access logs.

Joomla Event Registration Pro Calendar Public PoC
2026-06-19 CVSS 8.8

CVE-2017-20274

Joomla LMS King Professional - SQL injection

CVE-2017-20274 affects Joomla LMS King Professional 3.2.4.0. Check whether the extension is installed, remove abandoned copies, and review course records, database errors, and access logs.

Joomla LMS King Professional Public PoC
2026-06-19 CVSS 8.8

CVE-2017-20275

Joomla PHP-Bridge - SQL injection

CVE-2017-20275 affects Joomla PHP-Bridge 1.2.3. Check whether the extension is installed, remove abandoned copies, and review bridge records, database errors, and access logs.

Joomla PHP-Bridge Public PoC
2026-06-19 CVSS 8.8

CVE-2017-20276

Joomla SIMGenealogy - SQL injection

CVE-2017-20276 affects Joomla SIMGenealogy 2.1.5. Check whether the extension is installed, remove abandoned copies, and review genealogy records, database errors, and access logs.

Joomla SIMGenealogy Public PoC
2026-06-19 CVSS 8.8

CVE-2017-20277

Joomla JoomRecipe - blind SQL injection

CVE-2017-20277 affects Joomla JoomRecipe 1.0.4. Check whether the extension is installed, remove abandoned copies, and review recipe records, database errors, and access logs.

Joomla JoomRecipe Public PoC
2026-06-19 CVSS 8.8

CVE-2017-20278

Joomla JoomRecipe - SQL injection

CVE-2017-20278 affects Joomla JoomRecipe 1.0.3. Check whether the extension is installed, remove abandoned copies, and review recipe records, database errors, and access logs.

Joomla JoomRecipe Public PoC
2026-06-19 CVSS 8.8

CVE-2017-20279

Joomla Payage - SQL injection

CVE-2017-20279 affects Joomla Payage 2.05. Check whether the extension is installed, remove abandoned copies, and review payment records, database errors, and access logs.

Joomla Payage Public PoC
2026-06-19 CVSS 8.8

CVE-2017-20280

Joomla Myportfolio - SQL injection

CVE-2017-20280 affects Joomla Myportfolio 3.0.2. Check whether the extension is installed, remove abandoned copies, and review portfolio records, database errors, and access logs.

Joomla Myportfolio Public PoC
2026-06-19 CVSS 8.8

CVE-2017-20281

Joomla Extra Search - SQL injection

CVE-2017-20281 affects Joomla Extra Search 2.2.8. Check whether the extension is installed, remove abandoned copies, and review search records, database errors, and access logs.

Joomla Extra Search Public PoC
2026-06-19 CVSS 8.8

CVE-2017-20282

Joomla jCart for OpenCart - SQL injection

CVE-2017-20282 affects Joomla jCart for OpenCart 2.0. Check whether the extension is installed, remove abandoned copies, and review cart records, database errors, and access logs.

Joomla jCart for OpenCart Public PoC
2026-06-19 CVSS 8.8

CVE-2019-25748

Joomla JHotelReservation - SQL injection

CVE-2019-25748 affects Joomla JHotelReservation 6.0.7. Check whether the extension is installed, remove abandoned copies, and review reservation records, database errors, and access logs.

Joomla JHotelReservation Public PoC
2026-06-19 CVSS 8.8

CVE-2019-25750

Joomla J-MultipleHotelReservation - SQL injection

CVE-2019-25750 affects Joomla J-MultipleHotelReservation 6.0.7. Check whether the extension is installed, remove abandoned copies, and review reservation records, database errors, and access logs.

Joomla J-MultipleHotelReservation Public PoC
2026-06-19 CVSS 8.8

CVE-2019-25751

Joomla J-ClassifiedsManager - SQL injection

CVE-2019-25751 affects Joomla J-ClassifiedsManager 3.0.5. Check whether the extension is installed, remove abandoned copies, and review classified records, database errors, and access logs.

Joomla J-ClassifiedsManager Public PoC
2026-06-19 CVSS 8.8

CVE-2019-25752

Joomla J-BusinessDirectory - SQL injection

CVE-2019-25752 affects Joomla J-BusinessDirectory 4.9.7. Check whether the extension is installed, remove abandoned copies, and review directory records, database errors, and access logs.

Joomla J-BusinessDirectory Public PoC
2026-06-19 CVSS 8.8

CVE-2019-25753

Joomla VMap - SQL injection

CVE-2019-25753 affects Joomla VMap 1.9.6. Check whether the extension is installed, remove abandoned copies, and review map records, database errors, and access logs.

Joomla VMap Public PoC
2026-06-19 CVSS 8.8

CVE-2019-25754

Joomla vRestaurant - SQL injection

CVE-2019-25754 affects Joomla vRestaurant 1.9.4. Check whether the extension is installed, remove abandoned copies, and review restaurant records, database errors, and access logs.

Joomla vRestaurant Public PoC
2026-06-19 CVSS 8.8

CVE-2019-25755

Joomla vReview - SQL injection

CVE-2019-25755 affects Joomla vReview 1.9.11. Check whether the extension is installed, remove abandoned copies, and review review records, database errors, and access logs.

Joomla vReview Public PoC
2026-06-19 CVSS 8.8

CVE-2019-25756

Joomla vAccount - SQL injection

CVE-2019-25756 affects Joomla vAccount 2.0.2. Check whether the extension is installed, remove abandoned copies, and review account records, database errors, and access logs.

Joomla vAccount Public PoC
2026-06-19 CVSS 8.8

CVE-2019-25758

Joomla vBizz - unrestricted file upload

CVE-2019-25758 affects Joomla vBizz 1.0.7. Check whether the extension is installed, remove abandoned copies, and review uploads, executable files, and authenticated user activity.

Joomla vBizz Public PoC
2026-06-19 CVSS 8.8

CVE-2026-12044

pgAdmin 4 - SQL injection in dialog template rendering

CVE-2026-12044 affects pgAdmin 4 versions from 1.0 up to, but not including, 9.16. Upgrade to pgAdmin 4 9.16 or newer, then review object descriptions, database role permissions, and pgAdmin activity.

pgAdmin 4 Public PoC
2026-06-18 CVSS 8.8

CVE-2026-55741

Cotonti - administration configuration CSRF

CVE-2026-55741 affects Cotonti 1.0.0 master branch. Patch or remove public exposure, preserve logs, and review configuration changes and admin sessions.

Cotonti Public PoC
2026-06-17 CVSS 8.8

CVE-2025-69130

Entrepreneur - Booking for Small Businesses - PHP object injection

CVE-2025-69130 affects Entrepreneur - Booking for Small Businesses through 3.1.3. Confirm the installed version, patch or disable the component, and review PHP errors, changed files, and unexpected plugin settings before closing the incident.

Entrepreneur - Booking for Small Businesses
2026-06-18 CVSS 8.8

CVE-2026-12407

E2Pdf - Export PDF Tool for WordPress - Missing authorization / privilege escalation

CVE-2026-12407 affects E2Pdf - Export PDF Tool for WordPress through 1.32.26. Confirm the installed version, patch or disable the component, and review new users, role changes, and administrator sessions before closing the incident.

E2Pdf - Export PDF Tool for WordPress
2026-06-18 CVSS 8.8

CVE-2026-9860

Offload, AI & Optimize with Cloudflare Images - Remote code execution

CVE-2026-9860 affects Offload, AI & Optimize with Cloudflare Images through 1.10.2. Confirm the installed version, patch or disable the component, and review changed files, cron jobs, users, and web server logs before closing the incident.

Offload, AI & Optimize with Cloudflare Images Public PoC
2026-06-17 CVSS 8.8

CVE-2026-49268

Apache Shiro - DefaultLdapRealm DN construction issue

CVE-2026-49268 affects Apache Shiro through 2.2.0 and 3.0.0-alpha-1 when DefaultLdapRealm builds LDAP Distinguished Names from user input. Upgrade and review LDAP realm templates, authentication logs, and account mappings.

Apache Shiro
2026-06-17 CVSS 8.8
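
LDAP realms of this kind typically build the bind DN from a template such as `uid={0},ou=users,dc=example,dc=com`. If the username goes into the template unescaped, a value containing `,` or `=` adds or changes RDNs, so the realm binds as a different entry than intended. The block below is an added illustration of that bug class, not Apache Shiro's code: the template, usernames and helper names are assumptions. It shows the raw substitution beside an RFC 4514 escaping function, plus a structural check that the finished DN still has the template's RDN count.

```python
# Added illustration of the DN-construction bug class; not Apache Shiro's code.
# The template, the usernames, and the helper names are assumptions.

USER_DN_TEMPLATE = "uid={0},ou=users,dc=example,dc=com"

# RFC 4514 section 2.4 special characters. '=' is optional to escape under the
# RFC but is escaped here, as most LDAP client libraries do.
_ESCAPES = {
    '"': '\\"', "+": "\\+", ",": "\\,", ";": "\\;", "<": "\\<", ">": "\\>",
    "\\": "\\\\", "=": "\\=", "\x00": "\\00",
}


def escape_rdn_value(value):
    """Escape an attribute value for use inside an RDN (RFC 4514, section 2.4).

    A trailing space and a leading space or '#' are escaped as the RFC requires."""
    out = "".join(_ESCAPES.get(ch, ch) for ch in value)
    if value.endswith(" "):
        out = out[:-1] + "\\ "
    if out.startswith((" ", "#")):
        out = "\\" + out
    return out


def naive_user_dn(username):
    """Vulnerable form: the raw username is substituted into the template."""
    return USER_DN_TEMPLATE.format(username)


def safe_user_dn(username):
    """Hardened form: the value is escaped before substitution."""
    return USER_DN_TEMPLATE.format(escape_rdn_value(username))


def count_rdns(dn):
    """Count RDNs in a string DN, skipping backslash-escaped characters."""
    n, i = 1, 0
    while i < len(dn):
        if dn[i] == "\\":
            i += 2          # an escaped character never separates RDNs
        else:
            if dn[i] == ",":
                n += 1
            i += 1
    return n


EXPECTED_RDNS = count_rdns(USER_DN_TEMPLATE.format("x"))   # 4 for the template above


def build_user_dn(username):
    """Escape, then refuse any DN whose RDN count differs from the template's."""
    dn = safe_user_dn(username)
    if count_rdns(dn) != EXPECTED_RDNS:
        raise ValueError("unexpected DN shape for username %r" % username)
    return dn


if __name__ == "__main__":
    crafted = "alice,ou=admins"
    print("naive:", naive_user_dn(crafted), "rdns =", count_rdns(naive_user_dn(crafted)))
    print("safe: ", safe_user_dn(crafted), "rdns =", count_rdns(safe_user_dn(crafted)))
```

With the crafted username the naive DN gains a fifth RDN (`ou=admins`), while the escaped DN keeps four and the injected text stays inside the `uid` value. When reviewing a realm configuration, compare the template's RDN count against what the authentication log shows the realm actually bound with.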

CVE-2025-59563

Sonaar - subscriber privilege escalation

CVE-2025-59563 affects Sonaar through 4.27.4. Confirm the installed version, patch or disable the component, and review new users, role changes, and administrator sessions before closing the incident.

Sonaar
2026-06-17 CVSS 8.8

CVE-2025-69138

Genemy - subscriber privilege escalation

CVE-2025-69138 affects Genemy through 1.6.6. Confirm the installed version, patch or disable the component, and review new users, role changes, and administrator sessions before closing the incident.

Genemy
2026-06-17 CVSS 8.8

CVE-2026-12165

Contest Gallery - privilege escalation

CVE-2026-12165 affects Contest Gallery through 30.0.2. Confirm the installed version, patch or disable the component, and review new users, role changes, and administrator sessions before closing the incident.

Contest Gallery Public PoC
2026-06-17 CVSS 8.8

CVE-2026-12256

Avada - contributor PHP object injection

CVE-2026-12256 affects Avada through 3.15.3. Confirm the installed version, patch or disable the component, and review PHP errors, changed files, and unexpected plugin settings before closing the incident.

Avada
2026-06-17 CVSS 8.8

CVE-2026-22342

WordPress Dating Theme - CSRF account takeover risk

CVE-2026-22342 affects WordPress Dating Theme through 11.2.0. Confirm the installed version, patch or disable the component, and review users, files, logs, and plugin settings before closing the incident.

WordPress Dating Theme
2026-06-17 CVSS 8.8

CVE-2026-42629

PowerPack Pro for Elementor - broken authentication

CVE-2026-42629 affects PowerPack Pro for Elementor before 2.13.0. Confirm the installed version, patch or disable the component, and review new sessions, password changes, and account history before closing the incident.

PowerPack Pro for Elementor
2026-06-17 CVSS 8.8

CVE-2026-54805

Falang multilanguage - subscriber privilege escalation

CVE-2026-54805 affects Falang multilanguage through 1.4.2. Confirm the installed version, patch or disable the component, and review new users, role changes, and administrator sessions before closing the incident.

Falang multilanguage
2026-06-15 CVSS 8.8

CVE-2026-36670

OpenSIPS Control Panel - alias management SQL injection

CVE-2026-36670 affects OpenSIPS Control Panel before 9.3.3. Authenticated users with access to the alias management module can trigger SQL injection behavior, so exposed panels should be upgraded and logs reviewed.

OpenSIPS Control Panel Public PoC
2026-06-16 CVSS 8.8

CVE-2026-6933

Premmerce Dev Tools - Remote code execution

CVE-2026-6933 affects Premmerce Dev Tools through 2.0. Confirm the installed version, patch or disable the plugin, and review changed files, cron jobs, users, and web server logs before closing the incident.

Premmerce Dev Tools
2026-06-16 CVSS 8.8

CVE-2026-8443

WP Review Slider Pro - SQL injection

CVE-2026-8443 affects WP Review Slider Pro through 12.6.8. Confirm the installed version, patch or disable the plugin, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

WP Review Slider Pro Public PoC
2026-06-16 CVSS 8.8

CVE-2026-8444

WP Review Slider Pro - SQL injection

CVE-2026-8444 affects WP Review Slider Pro through 12.6.8. Confirm the installed version, patch or disable the plugin, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

WP Review Slider Pro
2026-06-15 CVSS 8.8

CVE-2026-48017

DbGate - authenticated server-side code execution risk

CVE-2026-48017 affects DbGate 7.1.8 and earlier when authenticated users can reach vulnerable server-side runner behavior. Upgrade, limit access to trusted admins, review runner activity, and rotate stored credentials if suspicious use cannot be ruled out.

DbGate Public PoC
2026-06-15 CVSS 8.8

CVE-2026-39474

Post Duplicator - contributor PHP object injection

CVE-2026-39474 affects Post Duplicator through 3.0.10. WordPress owners should confirm the plugin version, patch or disable the component, and review PHP errors, changed files, and unexpected plugin settings before closing the incident.

Post Duplicator
2026-06-15 CVSS 8.8

CVE-2026-39478

Anti-Malware Security and Brute-Force Firewall - contributor PHP object injection

CVE-2026-39478 affects Anti-Malware Security and Brute-Force Firewall through 4.23.87. WordPress owners should confirm the plugin version, patch or disable the component, and review PHP errors, changed files, and unexpected plugin settings before closing the incident.

Anti-Malware Security and Brute-Force Firewall
2026-06-15 CVSS 8.8

CVE-2026-39532

Events Calendar for GeoDirectory - contributor PHP object injection

CVE-2026-39532 affects Events Calendar for GeoDirectory through 2.3.25. WordPress owners should confirm the plugin version, patch or disable the component, and review PHP errors, changed files, and unexpected plugin settings before closing the incident.

Events Calendar for GeoDirectory
2026-06-15 CVSS 8.8

CVE-2026-39579

B Blocks - contributor privilege escalation

CVE-2026-39579 affects B Blocks through 2.0.31. WordPress owners should confirm the plugin version, patch or disable the component, and review new users, role changes, and administrator sessions before closing the incident.

B Blocks
2026-06-15 CVSS 8.8

CVE-2026-42661

WP Customer Area - custom role path traversal

CVE-2026-42661 affects WP Customer Area through 8.3.4. WordPress owners should confirm the plugin version, patch or disable the component, and review file access logs and unexpected downloads before closing the incident.

WP Customer Area
2026-06-15 CVSS 8.8

CVE-2026-48889

Amelia - subscriber privilege escalation

CVE-2026-48889 affects Amelia through 2.3. WordPress owners should confirm the plugin version, patch or disable the component, and review new users, role changes, and administrator sessions before closing the incident.

Amelia
2026-06-15 CVSS 8.8

CVE-2026-49780

Dokan - customer privilege escalation

CVE-2026-49780 affects Dokan through 5.0.2. WordPress owners should confirm the plugin version, patch or disable the component, and review new users, role changes, and administrator sessions before closing the incident.

Dokan
2026-06-15 CVSS 8.8

CVE-2026-52720

GStreamer librfb - heap overflow in RFB/VNC client handling

CVE-2026-52720 affects GStreamer's librfb RFB/VNC client handling. Hosts that connect to untrusted VNC/RFB sources or process remote media streams should update packages and review crashes or unusual client-side failures.

GStreamer librfb
2026-06-15 CVSS 8.8

CVE-2016-20071

404 Redirection Manager - unauthenticated SQL injection

CVE-2016-20071 affects the 404 Redirection Manager plugin version 1.0. WordPress sites still carrying the old plugin should remove it, check redirect tables, and preserve database logs if unusual requests appear.

404 Redirection Manager Public PoC
2026-06-15 CVSS 8.8

CVE-2026-49062

Faust.Js - password recovery authentication bypass

CVE-2026-49062 affects WP Engine Faust.Js through 1.8.7. Headless WordPress sites should patch, then review password recovery emails, reset tokens, and administrator session history.

Faust.Js
2026-06-15 CVSS 8.8

CVE-2026-49111

Masteriyo LMS - privilege escalation risk

CVE-2026-49111 affects Masteriyo - LMS through 2.2.0. Sites should patch, then compare WordPress roles, LMS instructors, course managers, and recent role changes.

Masteriyo - LMS
2026-06-10 CVSS 8.8

CVE-2026-20251

Splunk Secure Gateway - unsafe deserialization remote code execution

CVE-2026-20251 affects Splunk Secure Gateway via unsafe deserialization. Confirm Splunk Enterprise and Secure Gateway versions, patch to fixed releases, and review app activity and admin logs.

Splunk Secure Gateway
2026-06-12 CVSS 8.8

CVE-2026-47342

Apache OFBiz - privilege escalation before 24.09.07

CVE-2026-47342 affects Apache OFBiz versions before 24.09.07. Upgrade to the fixed release and review low-privilege users, role changes, and recent administrative actions.

Apache OFBiz
2026-06-05 CVSS 8.8

CVE-2026-7654

Admin Columns - Contributor+ PHP object injection to RCE

CVE-2026-7654 affects the Admin Columns WordPress plugin through 7.0.18. Sites with Contributor or higher accounts should patch to 7.0.19 or newer, then review recent custom-field and account activity.

WordPress Public PoC
2026-06-05 CVSS 8.8

CVE-2026-5411

WP Captcha PRO - Subscriber+ arbitrary file upload

CVE-2026-5411 affects WP Captcha PRO through 5.38. Sites should update to 5.39 or newer and inspect uploads, plugin folders, and unexpected account activity after patching.

WordPress Public PoC
2026-06-05 CVSS 8.8

CVE-2026-5415

WP Captcha PRO - Subscriber+ authentication bypass

CVE-2026-5415 affects WP Captcha PRO through 5.38. Public registration sites should update to 5.39 or newer, review administrators, and rotate sessions if user activity looks suspicious.

WordPress
2026-06-05 CVSS 8.8

CVE-2026-46398

HAX CMS - refresh token cookie missing Secure flag

CVE-2026-46398 affects HAX CMS versions from 25.0.0 before 26.0.0, where the refresh token cookie can be set without the Secure flag and therefore sent over plain HTTP. Enforce HTTPS, upgrade, and rotate sessions on exposed sites.

HAX CMS Public PoC
2026-06-12 CVSS 8.8
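
Whether a credential cookie carries Secure, HttpOnly and a SameSite value can be verified from the response headers alone. The block below is an added self-check, not HAX CMS code: the cookie names in the constructed Set-Cookie headers are assumptions, and a small HTTPS helper is included for pointing the same audit at your own login endpoint. Credential-looking cookies missing any of the three attributes are reported; other cookies are ignored.

```python
import http.client

# Constructed Set-Cookie headers; the cookie names are assumptions, not HAX CMS's real names.
SAMPLE_SET_COOKIE = [
    "haxcms_refresh_token=r1; Path=/; HttpOnly",
    "haxcms_session=s1; Path=/; Secure; HttpOnly; SameSite=Lax",
    "theme=dark; Path=/",
]

# Substrings that mark a cookie as a credential worth auditing.
CREDENTIAL_HINTS = ("session", "refresh", "token", "jwt", "auth")


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into name, value and a lower-cased attribute map."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_cookies(set_cookie_headers):
    """Return {cookie_name: [problems]} for credential-looking cookies with weak attributes."""
    findings = {}
    for hdr in set_cookie_headers:
        cookie = parse_set_cookie(hdr)
        if not any(hint in cookie["name"].lower() for hint in CREDENTIAL_HINTS):
            continue
        attrs = cookie["attrs"]
        problems = []
        if "secure" not in attrs:
            problems.append("missing Secure")
        if "httponly" not in attrs:
            problems.append("missing HttpOnly")
        if attrs.get("samesite", "").lower() not in ("lax", "strict"):
            problems.append("SameSite not Lax/Strict")
        if problems:
            findings[cookie["name"]] = problems
    return findings


def fetch_set_cookie_headers(host, path="/", method="GET", body=None, headers=None):
    """Fetch a response over HTTPS and return its Set-Cookie headers.

    Network helper for live use (not exercised by the offline sample); point it at
    the login or token-refresh endpoint of a site you are authorized to test."""
    conn = http.client.HTTPSConnection(host, timeout=10)
    conn.request(method, path, body=body, headers=headers or {})
    resp = conn.getresponse()
    values = [v for k, v in resp.getheaders() if k.lower() == "set-cookie"]
    conn.close()
    return values


if __name__ == "__main__":
    for name, problems in audit_cookies(SAMPLE_SET_COOKIE).items():
        print(name, "->", ", ".join(problems))
```

On the sample only the refresh token cookie is reported (no Secure, no SameSite); the session cookie passes and the theme cookie is not a credential. A missing Secure flag matters even on an HTTPS-only site if any plain-HTTP listener or redirect host still answers for the same domain.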

CVE-2026-11933

MongoDB Server - server-side JavaScript engine use-after-free

CVE-2026-11933 affects MongoDB Server when an authenticated reader can run server-side JavaScript. Review $where and $function usage, disable server-side scripting where possible, and patch affected server lines.

MongoDB Server
2026-06-11 CVSS 8.8
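
Server-side JavaScript in MongoDB is reached through a small set of operators (`$where`, `$function`, `$accumulator`) and the `mapReduce` command, and can be switched off entirely with `security.javascriptEnabled: false` in mongod.conf. The block below is an added review helper, not MongoDB code: it walks constructed profiler-style entries (the field layout is an assumption modelled on `system.profile`) for those operators and reports which user and namespace used them, and it checks a mongod.conf fragment for the disable setting.

```python
import re

# Operators and commands that execute JavaScript inside mongod.
JS_OPERATORS = {"$where", "$function", "$accumulator"}
JS_COMMANDS = {"mapReduce", "mapreduce"}

# Constructed profiler-style entries; the field layout is assumed, not a real capture.
SAMPLE_PROFILE = [
    {"op": "query", "ns": "shop.orders", "user": "reporting@shop",
     "command": {"find": "orders", "filter": {"$where": "this.total > 100"}}},
    {"op": "command", "ns": "shop.orders", "user": "app@shop",
     "command": {"aggregate": "orders", "pipeline": [
         {"$match": {"status": "paid"}},
         {"$addFields": {"x": {"$function": {"body": "function(){return 1}",
                                             "args": [], "lang": "js"}}}}]}},
    {"op": "query", "ns": "shop.orders", "user": "app@shop",
     "command": {"find": "orders", "filter": {"status": "paid"}}},
]


def find_server_side_js(doc, path=""):
    """Recursively collect dotted paths at which a document uses a JS-executing operator."""
    hits = []
    if isinstance(doc, dict):
        for key, val in doc.items():
            here = f"{path}.{key}" if path else key
            if key in JS_OPERATORS:
                hits.append(here)
            hits.extend(find_server_side_js(val, here))
    elif isinstance(doc, list):
        for idx, val in enumerate(doc):
            hits.extend(find_server_side_js(val, f"{path}[{idx}]"))
    return hits


def audit_profile_entries(entries):
    """Return one finding per entry that runs server-side JavaScript."""
    findings = []
    for entry in entries:
        cmd = entry.get("command", {})
        paths = find_server_side_js(cmd)
        if JS_COMMANDS & set(cmd):
            paths.append("mapReduce")
        if paths:
            findings.append({"user": entry.get("user"), "ns": entry.get("ns"), "js": paths})
    return findings


_JS_ENABLED_RE = re.compile(r"^\s*javascriptEnabled\s*:\s*(true|false)\s*$", re.I | re.M)


def javascript_enabled(mongod_conf_text):
    """True unless mongod.conf sets security.javascriptEnabled: false.

    Only the flat YAML key is recognised; this does not parse arbitrary YAML."""
    match = _JS_ENABLED_RE.search(mongod_conf_text)
    return match is None or match.group(1).lower() == "true"


if __name__ == "__main__":
    for f in audit_profile_entries(SAMPLE_PROFILE):
        print(f["user"], f["ns"], f["js"])
    print("javascriptEnabled:", javascript_enabled("security:\n  javascriptEnabled: false\n"))
```

Two of the three sample entries are reported: the `$where` filter from the reporting user and the `$function` stage buried inside an aggregation pipeline; the plain `find` is not. Disabling scripting removes the whole attack surface at once, so check the config first and treat any reported use as something to rewrite rather than allow.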

CVE-2026-45418

ClipBucket v5 - authenticated SQL injection in subtitle editing

CVE-2026-45418 affects ClipBucket v5 before 5.5.3 #132 when users can upload videos and edit subtitles. Review uploader accounts, subtitle changes, database logs, and media admin actions.

ClipBucket v5 Public PoC
2026-06-11 CVSS 8.8

CVE-2026-46519

mcp-server-kubernetes - tool restriction bypass

CVE-2026-46519 affects mcp-server-kubernetes before 3.6.0 where tool restrictions may be enforced in discovery but not execution. Patch and review connected MCP clients and Kubernetes permissions.

mcp-server-kubernetes Public PoC
2026-06-09 CVSS 8.8

CVE-2026-32193

Azure Kubernetes Service - path traversal

CVE-2026-32193 affects Azure Kubernetes Service. Public records describe a path traversal issue that can allow an authorized attacker to execute code locally. Review AKS update state, RBAC, node pool access, and recent cluster activity.

Azure Kubernetes Service
2026-06-10 CVSS 8.8

CVE-2026-50223

Apache OFBiz - Content/DataResource template injection

CVE-2026-50223 affects Apache OFBiz before 24.09.07 when low-privileged users with Content/DataResource editing rights can reach unsafe template behavior. Patch and audit editor accounts.

Apache OFBiz
2026-06-10 CVSS 8.8

CVE-2026-49498

Ghidra - PostgreSQL password-change SQL injection

CVE-2026-49498 affects Ghidra versions from 11.0 before 12.1 in PostgreSQL-backed password-change handling. Patch shared Ghidra servers and review database roles and account changes.

Ghidra Public PoC
2026-06-10 CVSS 8.8

CVE-2026-52758

Ghidra BSim - PostgreSQL SQL injection

CVE-2026-52758 affects Ghidra before 12.1 in BSim database query handling. Shared reverse-engineering environments should patch and review PostgreSQL audit logs.

Ghidra Public PoC
2026-06-10 CVSS 8.8

CVE-2026-53435

Jenkins - deserialization vulnerability in config.xml handling

CVE-2026-53435 affects Jenkins weekly through 2.567 and LTS through 2.555.2. Review users with read and configure-style permissions, config.xml changes, credentials, and Script Console activity.

Jenkins
2026-06-10 CVSS 8.8

CVE-2026-45564

Roxy-WI - config version restore command injection risk

CVE-2026-45564 affects Roxy-WI configuration version restore paths. Review config restore events, service reloads, and shell command traces on managed hosts.

Roxy-WI Public PoC
2026-06-10 CVSS 8.8

CVE-2026-46612

Fission - unauthenticated storage service archive access

CVE-2026-46612 affects Fission before 1.23.0 storage service archive handling. Review service reachability, NetworkPolicy, and package archive access across tenants.

Fission Public PoC
2026-06-09 CVSS 8.8

CVE-2026-50636

LimeSurvey - RemoteControl invite/remind SQL injection

CVE-2026-50636 affects LimeSurvey RemoteControl invite_participants and remind_participants flows when the RPC interface is enabled and a caller has token update permission. Disable RemoteControl if unused, reduce permissions, and apply the vendor fix.

LimeSurvey Public PoC
2026-06-09 CVSS 8.8

CVE-2026-11616

The Events Calendar for GeoDirectory - Subscriber privilege escalation

CVE-2026-11616 in The Events Calendar for GeoDirectory can let a low-privilege WordPress account alter role-related user metadata through the event interest flow. Update to 2.3.29 or newer, then review admin users, role changes, and AJAX logs.

The Events Calendar for GeoDirectory
2026-05-30 CVSS 8.8

CVE-2026-7465

Spectra / Ultimate Addons for Gutenberg - Contributor-level RCE in block rendering

Authenticated (Contributor+) remote code execution in Spectra Gutenberg Blocks 2.19.25 and earlier. Review Contributor accounts, block rendering behavior, and plugin version before reopening publishing access.

WordPress Public PoC
2026-05-17 CVSS 8.8

CVE-2026-8719

AI Engine Plugin - Subscriber-to-Admin Privilege Escalation

Privilege escalation in the AI Engine WordPress plugin (50,000+ active installs). Missing capability check in MCP OAuth bearer-token path lets any logged-in user, even Subscriber, escalate to Administrator. Patched in v3.4.10. Public registration sites are most exposed.

WordPress
2026-06-26 CVSS 8.7

CVE-2026-55069

Kestra - privilege escalation risk

CVE-2026-55069 affects Kestra, an open-source, event-driven orchestration platform, before 1.3.24. The vulnerability is in the BasicAuth authentication component of the Kestra OSS workflow orchestration platform. An attacker who gains... Patch the affected deployment and review workflow and admin logs.

Kestra
2026-06-25 CVSS 8.7

CVE-2026-11310

wolfSSL - trust validation risk

CVE-2026-11310 affects wolfSSL: an X.509 trust-chain bypass in the OpenSSL compatibility certificate verifier (wolfSSL_X509_verify_cert()). It affects only builds with --enable-opensslextra (OPENSSL_EXTRA) whose application validates certificates by... Patch the affected deployment and review trust and service logs.

wolfSSL
2026-06-25 CVSS 8.7

CVE-2026-13311

shell-quote - parse() event-loop denial of service risk

CVE-2026-13311 affects shell-quote before 1.8.5. Node.js services that pass untrusted text into parse() should update dependency locks and review request timeout or event-loop stall evidence.

shell-quote Public PoC
2026-06-25 CVSS 8.7

CVE-2026-10086

GitLab EE - developer-role stored client-side code risk

CVE-2026-10086 is covered by GitLab's 2026-06-25 patch release. Check the deployed branch, apply the fixed release, and review project activity, user sessions, and sensitive output exposure where relevant.

GitLab
2026-06-23 CVSS 8.7

CVE-2026-56248

Capgo - audit_logs RLS unauthenticated DoS risk

CVE-2026-56248 affects Capgo backend before 12.128.12 through costly audit_logs RLS behavior exposed via Supabase PostgREST. Patch and review database timeouts and public anon-key access.

Capgo Public PoC
2026-06-22 CVSS 8.7

CVE-2026-54281

NestJS Fastify adapter - middleware route bypass risk

CVE-2026-54281 affects @nestjs/platform-fastify before 11.1.24 when route middleware coverage can differ from intended Fastify routing. Patch and review middleware-protected routes.

@nestjs/platform-fastify Public PoC
2026-06-20 CVSS 8.7

CVE-2026-56341

AVideo - payment plugin information disclosure

CVE-2026-56341 affects AVideo through 26.0. Check the installed version, restrict exposed plugins during patching, and review payment plugin logs, PayPal or Authorize.Net records, and Bitcoin transaction records.

AVideo Public PoC
2026-06-22 CVSS 8.7

CVE-2026-56446

MISP JsonLogTool - arbitrary NDJSON log path RCE risk

CVE-2026-56446 affects MISP JsonLogTool log destination handling. Site administrators should patch, verify log files stay under approved log directories, and review recent webroot writes before closing the incident.

MISP Public PoC
2026-06-22 CVSS 8.7

CVE-2026-49241

Angular Language Service VS Code extension - workspace trust bypass RCE risk

CVE-2026-49241 affects Angular Language Service VS Code extension versions before 21.2.4. Developer workstations should update the extension, review Workspace Trust settings, and inspect recent untrusted repository opens.

Angular Language Service Public PoC
2026-06-19 CVSS 8.7

CVE-2019-25762

Joomla JoomProject - information disclosure

CVE-2019-25762 affects Joomla JoomProject 1.1.3.2. Check whether the extension is installed, remove abandoned copies, and review project data, user exports, and access logs.

Joomla JoomProject Public PoC
2026-06-19 CVSS 8.7

CVE-2023-54357

Joomla com_booking - information disclosure

CVE-2023-54357 affects Joomla com_booking 2.4.9. Check whether the extension is installed, remove abandoned copies, and review booking users, account enumeration signs, and access logs.

Joomla com_booking Public PoC
2026-06-18 CVSS 8.7

CVE-2026-48716

nanobot - WhatsApp document filename file-write risk

CVE-2026-48716 affects nanobot through 0.1.5.post3. Review media folders, bridge logs, and document ingestion settings, then apply the vendor fix or remove the risky exposure until patched.

nanobot Public PoC
2026-06-12 CVSS 8.7

CVE-2026-45674

Netty DNS resolver - CNAME bailiwick validation issue

Netty DNS resolver before 4.1.135.Final and 4.2.15.Final can mishandle CNAME bailiwick validation. Patch Java services using Netty DNS.

Netty Public PoC
2026-06-12 CVSS 8.7

CVE-2026-47691

Netty DNS resolver - NS record bailiwick validation issue

Netty DNS resolver before 4.1.135.Final and 4.2.15.Final can insufficiently validate NS record bailiwick. Patch resolver users and monitor DNS behavior.

Netty Public PoC
2026-06-12 CVSS 8.7

CVE-2026-48006

Netty Redis aggregator - direct-memory leak

Netty RedisArrayAggregator before 4.1.135.Final and 4.2.15.Final can leak pooled direct-memory buffers when Redis pipeline connections close mid-aggregate.

Netty Public PoC
2026-06-12 CVSS 8.7

CVE-2026-48059

Netty HAProxy codec - nested TLV memory leak

Netty HAProxy PROXY protocol v2 codec before 4.1.135.Final and 4.2.15.Final can leak memory on nested TLV handling. Patch and review gateway memory alerts.

Netty Public PoC
2026-06-12 CVSS 8.7

CVE-2026-47135

vm2 - cross-realm Symbol isolation weakness

CVE-2026-47135 affects vm2 before 3.11.4. Services that run untrusted JavaScript should upgrade, isolate sandbox workers, and review logs for unexpected outbound access or worker failures.

vm2 Public PoC
2026-06-12 CVSS 8.7

CVE-2026-53608

ApostropheCMS SEO package - stored XSS in tracking fields

CVE-2026-53608 affects ApostropheCMS or a common dependency path in June 2026. Check package versions, trusted base URL, editor content, outbound fetch behavior, and password reset events.

ApostropheCMS Public PoC
2026-06-12 CVSS 8.7

CVE-2026-47138

Parse Server - unauthenticated API exposure

CVE-2026-47138 affects Parse Server deployments in the June 2026 batch. Check version state, public API routes, GraphQL exposure, and server logs before closing the issue.

Parse Server
2026-06-15 CVSS 8.7

CVE-2016-20076

Simple-Backup - arbitrary file delete and download

CVE-2016-20076 affects Simple-Backup 2.7.11. Old WordPress sites should remove the plugin, review backup directories, and check whether sensitive files were downloaded or deleted.

Simple-Backup Public PoC
2026-06-15 CVSS 8.7

CVE-2016-20081

HB Audio Gallery Lite - path traversal file download

CVE-2016-20081 affects HB Audio Gallery Lite 1.0.0. Sites should remove the abandoned plugin and inspect access logs for file reads outside the intended audio gallery.

HB Audio Gallery Lite Public PoC
2026-06-15 CVSS 8.7

CVE-2018-25437

CherryFramework Themes - backup archive disclosure

CVE-2018-25437 affects CherryFramework Themes 3.1.4. Review whether theme backup archives are publicly reachable, remove exposed archives, and check access logs before rotating secrets.

CherryFramework Themes Public PoC
2026-06-09 CVSS 8.7

CVE-2026-9740

MongoDB Server - unauthenticated BSON validation crash

CVE-2026-9740 affects MongoDB Server BSON validation logic and can crash mongod before authentication. Public or partner-exposed MongoDB listeners should be patched and checked for unexplained restarts.

MongoDB Server
2026-06-05 CVSS 8.7

CVE-2026-50234

Lyrion Music Server 9.2.0 - unauthenticated path traversal file read

CVE-2026-50234 affects Lyrion Music Server through 9.2.0. Public web UI or CLI exposure should be closed, logs reviewed, and the server moved back to a stable or fixed build.

Lyrion Music Server Public PoC
2026-06-05 CVSS 8.7

CVE-2026-46400

HAX CMS PHP - file upload validation bypass

CVE-2026-46400 affects HAX CMS PHP 11.0.6 before 25.0.0. Operators should patch, review uploaded files and MIME handling, and remove suspicious PHP-like or active content from public upload paths.

HAX CMS Public PoC
2026-06-05 CVSS 8.7

CVE-2026-46391

HAX CMS open-apis - weak host validation

CVE-2026-46391 affects @haxtheweb/open-apis 9.0.1 before 26.0.0. Review integrations that send basic authorization to remote hosts, rotate exposed credentials, and patch the package.

HAX CMS Public PoC
2026-06-05 CVSS 8.7

CVE-2026-46392

HAX CMS PHP - upload rendering bypass

CVE-2026-46392 affects HAX CMS PHP before 26.0.0. Review uploaded HTML-like content, mixed-case extensions, and pages edited by untrusted users before reopening authoring.

HAX CMS Public PoC
2026-06-05 CVSS 8.7

CVE-2026-46511

HAX CMS - stored XSS and token exposure chain

CVE-2026-46511 affects HAX CMS before 26.0.0 through a stored XSS plus token exposure chain. Review tenants, site tokens, edited content, and admin sessions after upgrading.

HAX CMS Public PoC
2026-06-10 CVSS 8.7

CVE-2025-71319

image-size - JXL/HEIF parser infinite loop

CVE-2025-71319 affects image-size through 2.0.2. Node.js apps that inspect untrusted JXL or HEIF uploads should patch or isolate image parsing workers.

image-size Public PoC
2026-06-10 CVSS 8.7

CVE-2025-71329

image-size - JXL/HEIF parser infinite loop variant

CVE-2025-71329 affects image-size through 2.0.2 in JXL/HEIF parsing. Review user upload pipelines, background image processors, and server-side metadata extraction.

image-size Public PoC
2026-06-10 CVSS 8.7

CVE-2025-71330

image-size - ICNS parser infinite loop

CVE-2025-71330 affects image-size through 2.0.2 in ICNS parsing. Isolate image metadata extraction when accepting untrusted uploads.

image-size Public PoC
2026-06-11 CVSS 8.7

CVE-2026-44494

Axios - Node proxy handling prototype-pollution gadget

CVE-2026-44494 affects Axios 1.0.0 before 1.16.0 when prototype pollution elsewhere can influence Node proxy handling. Patch Axios and review dependencies that can pollute object prototypes.

Axios Public PoC
2026-06-11 CVSS 8.7

CVE-2026-6552

GitLab EE - Group SAML identity management access control issue

CVE-2026-6552 affects GitLab EE Group SAML identity management. Self-managed GitLab owners should upgrade and review group Owner activity, SAML mappings, and recent identity changes.

GitLab EE
2026-06-11 CVSS 8.7

CVE-2026-10087

GitLab EE - Analytics Dashboard XSS

CVE-2026-10087 affects GitLab EE Analytics Dashboard. Upgrade and review developer-role users, analytics dashboard activity, and unusual browser-session events.

GitLab EE
2026-06-10 CVSS 8.7

CVE-2026-46617

Fission - runtime pod service account can read namespace secrets

CVE-2026-46617 affects Fission runtime pod service account permissions before 1.23.0. Review function namespace secrets, configmaps, and runtime pod token exposure.

Fission Public PoC
2026-06-08 CVSS 8.7

CVE-2026-46490

samlify - SAML AttributeValue XML injection privilege escalation

CVE-2026-46490 affects samlify before 2.13.0. Node.js SAML SSO services should upgrade, review IdP attribute templates, SP role/group mapping, and recent login events where SAML attributes drive authorization.

samlify Public PoC
2026-06-26 CVSS 8.6

CVE-2026-56035

BitFire Security - Unauthenticated Multiple Vulnerabilities

CVE-2026-56035 affects BitFire Security <= 5.0.3. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

BitFire Security
2026-06-25 CVSS 8.6

CVE-2026-12053

GitLab EE - Duo Workflows output filtering information exposure

CVE-2026-12053 is covered by GitLab's 2026-06-25 patch release. Check the deployed branch, apply the fixed release, and review project activity, user sessions, and sensitive output exposure where relevant.

GitLab
2026-06-24 CVSS 8.6

CVE-2026-40079

Cacti - graph template command injection risk

CVE-2026-40079 affects Cacti 1.2.30 and earlier. Review graph templates, RRD activity, web-server process activity, and patch to 1.2.31.

Cacti Public PoC
2026-06-21 CVSS 8.6

CVE-2026-56382

Craft CMS - authenticated admin remote code execution risk

CVE-2026-56382 affects Craft CMS 5.5.0 through 5.9.13. Patch or remove public exposure, preserve logs, and review Composer lock files, admin field-layout changes, environment access, and the preserved logs.

Craft CMS Public PoC
2026-06-18 CVSS 8.6

CVE-2026-40455

LMS - SQL injection

CVE-2026-40455 affects LMS before commit 4cb30a7. Patch or remove public exposure, preserve logs, and review tariff changes, database errors, and authenticated admin activity.

LMS Public PoC
2026-06-18 CVSS 8.6

CVE-2026-54222

UBB.threads - control-panel SQL injection

CVE-2026-54222 affects UBB.threads, confirmed in 7.7.5. Patch or remove public exposure, preserve logs, and review control-panel member activity and database access.

UBB.threads
2026-06-18 CVSS 8.6

CVE-2026-55744

Cotonti - personal file storage CSRF

CVE-2026-55744 affects Cotonti 1.0.0 master branch. Patch or remove public exposure, preserve logs, and review PFS uploads, changed files, and user sessions.

Cotonti Public PoC
2026-06-17 CVSS 8.6

CVE-2025-69128

JobCareer - Path traversal / file deletion

CVE-2025-69128 affects JobCareer through 7.3. Confirm the installed version, patch or disable the component, and review file access logs and unexpected downloads before closing the incident.

JobCareer
2026-06-17 CVSS 8.6

CVE-2025-69139

Car Zone - Arbitrary file deletion

CVE-2025-69139 affects Car Zone through 3.7. Confirm the installed version, patch or disable the component, and review missing plugin files, media files, and backups before closing the incident.

Car Zone
2026-06-17 CVSS 8.6

CVE-2026-22343

WordPress Dating Theme - Broken access control

CVE-2026-22343 affects WordPress Dating Theme through 11.2.0. Confirm the installed version, patch or disable the component, and review new sessions, booking records, order changes, and account history before closing the incident.

WordPress Dating Theme
2026-06-17 CVSS 8.6

CVE-2026-27400

BookPro - Arbitrary file deletion

CVE-2026-27400 affects BookPro through 1.1.0. Confirm the installed version, patch or disable the component, and review missing plugin files, media files, and backups before closing the incident.

BookPro
2026-06-17 CVSS 8.6

CVE-2026-54415

Azuriom CMS - server management authorization gap

CVE-2026-54415 affects Azuriom before 1.2.11 in server management authorization. Site owners should upgrade and review server tokens, account email changes, and password changes during the exposure window.

Azuriom CMS Public PoC
2026-06-17 CVSS 8.6

CVE-2026-11407

Pimcore CMS/DXP - Twig sandbox bypass

CVE-2026-11407 affects Pimcore CMS/DXP 12.3.8 through a Twig sandbox bypass reachable by authenticated administrators. Review class definitions, template changes, file reads, and database access after patching.

Pimcore CMS/DXP Public PoC
2026-06-17 CVSS 8.6

CVE-2026-11311

NGINX Gateway Fabric - CRD field configuration injection

CVE-2026-11311 affects NGINX Gateway Fabric configuration generation when NGINX Plus is used as the data plane. Review who can create or modify NginxProxy and AuthenticationFilter resources, patch, and audit recent CRD changes.

NGINX Gateway Fabric
2026-06-17 CVSS 8.6

CVE-2026-50107

NGINX Gateway Fabric - access log format configuration injection

CVE-2026-50107 affects NGINX Gateway Fabric configuration generation for NGINX Plus or NGINX Open Source data planes. Patch and review recent NginxProxy access log format changes and related Kubernetes RBAC.

NGINX Gateway Fabric
2026-06-15 CVSS 8.6

CVE-2026-40769

Contact Form Extender for Divi - unauthenticated arbitrary file deletion

CVE-2026-40769 affects Contact Form Extender for Divi through 1.0.6. WordPress owners should confirm the plugin version, patch or disable the component, and review missing plugin files, media files, and backups before closing the incident.

Contact Form Extender for Divi
2026-06-12 CVSS 8.6

CVE-2026-47139

vm2 - network builtin restriction bypass

CVE-2026-47139 affects vm2 before 3.11.4. Services that run untrusted JavaScript should upgrade, isolate sandbox workers, and review logs for unexpected outbound access or worker failures.

vm2 Public PoC
2026-06-12 CVSS 8.6

CVE-2026-47209

vm2 - proxy set trap isolation weakness

CVE-2026-47209 affects vm2 before 3.11.4. Services that run untrusted JavaScript should upgrade, isolate sandbox workers, and review logs for unexpected outbound access or worker failures.

vm2 Public PoC
2026-06-15 CVSS 8.6

CVE-2026-49954

Discuz! X5.0 - administrator plugin local file inclusion

CVE-2026-49954 affects Discuz! X5.0 releases 20260320 through 20260610, with older X3.4 and X3.5 releases possibly affected. Operators should restrict administrator access, review plugin imports, and watch for unexpected PHP files.

Discuz! X5.0
2026-06-05 CVSS 8.6

CVE-2026-11400

AWS Advanced JDBC Wrapper - Aurora PostgreSQL privilege escalation

CVE-2026-11400 affects AWS Advanced JDBC Wrapper for Aurora PostgreSQL versions from 3.0.0 before 4.0.1. Review wrapper dependency versions, database search_path, and low-privilege function creation.

AWS Aurora PostgreSQL Wrapper
2026-06-05 CVSS 8.6

CVE-2026-11401

AWS Advanced Go Wrapper - Aurora PostgreSQL privilege escalation

CVE-2026-11401 affects the AWS Advanced Go Wrapper 2026-04-06 release for Aurora PostgreSQL. Upgrade to the 2026-05-26 release and review public schema search_path exposure.

AWS Aurora PostgreSQL Wrapper
2026-06-10 CVSS 8.6

CVE-2026-49948

Mem0 self-hosted server - missing authorization on configuration changes

CVE-2026-49948 affects Mem0 self-hosted server versions through 0.2.8. Check exposed server instances, admin/API-key usage, LLM provider settings, embedder settings, and unexpected configuration changes.

Mem0
2026-06-11 CVSS 8.6

CVE-2026-44492

Axios - NO_PROXY IPv4-mapped IPv6 bypass

CVE-2026-44492 affects Axios before 0.32.0 and before 1.16.0 in Node proxy bypass logic. Review applications that rely on NO_PROXY for metadata services or internal hosts.

Axios Public PoC
2026-06-10 CVSS 8.6

CVE-2026-46491

SimpleSAMLphp CAS Server - FileSystemTicketStore path traversal

CVE-2026-46491 affects simplesamlphp-module-casserver before 7.0.3 when the file-based ticket store is used and public CAS validation or proxy endpoints are reachable. Check whether FileSystemTicketStore is enabled, upgrade to 7.0.3, and review PHP filesystem permissions.

SimpleSAMLphp CAS Server Public PoC
2026-06-10 CVSS 8.6

CVE-2026-53673

BuddyPress - Private message IDOR through REST API user_id

CVE-2026-53673 affects BuddyPress 14.4.0 private messaging REST API permission checks. Community and membership sites should disable private messaging if needed, review message API access, and update when a fixed release is available.

BuddyPress
2026-06-26 CVSS 8.5

CVE-2026-57315

Blocksy Companion Pro - Contributor Remote Code Execution

CVE-2026-57315 affects Blocksy Companion Pro <= 2.1.45. Site owners should patch the component, preserve logs, and review logs and users before closing the issue.

Blocksy Companion Pro
2026-06-26 CVSS 8.5

CVE-2026-57636

wpForo Forum - Contributor SQL Injection

CVE-2026-57636 affects wpForo Forum <= 3.0.9. Site owners should patch the component, preserve logs, and review database logs before closing the issue.

wpForo Forum
2026-06-26 CVSS 8.5

CVE-2026-57643

WP Post Author - Contributor SQL Injection

CVE-2026-57643 affects WP Post Author <= 3.9.1. Site owners should patch the component, preserve logs, and review database logs before closing the issue.

WP Post Author
2026-06-26 CVSS 8.5

CVE-2026-57644

Restaurant Menu by MotoPress - Contributor SQL Injection

CVE-2026-57644 affects Restaurant Menu by MotoPress <= 2.4.10. Site owners should patch the component, preserve logs, and review database logs before closing the issue.

Restaurant Menu by MotoPress
2026-06-26 CVSS 8.5

CVE-2026-57653

WP Job Portal - Contributor SQL Injection

CVE-2026-57653 affects WP Job Portal <= 2.5.2. Site owners should patch the component, preserve logs, and review database logs before closing the issue.

WP Job Portal
2026-06-26 CVSS 8.5

CVE-2026-57662

Contest Gallery - Contributor SQL Injection

CVE-2026-57662 affects Contest Gallery <= 30.0.0. Site owners should patch the component, preserve logs, and review database logs before closing the issue.

Contest Gallery
2026-06-26 CVSS 8.5

CVE-2026-57663

Recipe Maker For Your Food Blog from Zip Recipes - Contributor SQL Injection

CVE-2026-57663 affects Recipe Maker For Your Food Blog from Zip Recipes <= 8.2.7. Site owners should patch the component, preserve logs, and review database logs before closing the issue.

Recipe Maker For Your Food Blog from Zip Recipes
2026-06-26 CVSS 8.5

CVE-2026-57667

Groundhogg - Sales Representative SQL Injection

CVE-2026-57667 affects Groundhogg <= 4.5. Site owners should patch the component, preserve logs, and review database logs before closing the issue.

Groundhogg
2026-06-26 CVSS 8.5

CVE-2026-8797

ExpressUpdate Agent - security boundary risk

CVE-2026-8797 affects ExpressUpdate Agent. An access-control deficiency exists in ExpressUpdate Agent for Windows. If a malicious user gains access to the product, arbitrary code could be executed with SYSTEM privileges. Patch the affected deployment and review component presence.

ExpressUpdate Agent
2026-06-25 CVSS 8.5

CVE-2026-54822

SALESmanago & Leadoo - Subscriber SQL Injection

CVE-2026-54822 affects SALESmanago & Leadoo <= 3.11.2. Site owners should patch the component, preserve logs, and review database logs before closing the issue.

SALESmanago & Leadoo
2026-06-25 CVSS 8.5

CVE-2026-54838

WC Vendors Marketplace - Subscriber SQL Injection

CVE-2026-54838 affects WC Vendors Marketplace <= 2.6.8. Site owners should patch the component, preserve logs, and review database logs before closing the issue.

WC Vendors Marketplace
2026-06-25 CVSS 8.5

CVE-2026-56049

Post Snippets - Contributor Remote Code Execution

CVE-2026-56049 affects Post Snippets <= 4.0.19. Site owners should patch the component, preserve logs, and review logs and users before closing the issue.

Post Snippets
2026-06-24 CVSS 8.5

CVE-2026-45687

Rocket.Chat - file upload record authorization bypass risk

CVE-2026-45687 affects Rocket.Chat before 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11. Review upload records, DDP events, and file storage changes.

Rocket.Chat Public PoC
2026-06-19 CVSS 8.5

CVE-2016-20088

Comodo Chromodo Browser - local service privilege escalation

CVE-2016-20088 affects Comodo Chromodo Browser through 52.15.25.664. Confirm exposure, apply the vendor fix or remove the component, and review Windows services, old browser installs, and updater paths.

Comodo Chromodo Browser Public PoC
2026-06-19 CVSS 8.5

CVE-2016-20090

Comodo Dragon Browser - local service privilege escalation

CVE-2016-20090 affects Comodo Dragon Browser through 52.15.25.663. Confirm exposure, apply the vendor fix or remove the component, and review Windows services, old browser installs, and updater paths.

Comodo Dragon Browser Public PoC
2026-06-18 CVSS 8.5

CVE-2026-56012

Media Library Assistant - Blind SQL injection

CVE-2026-56012 affects Media Library Assistant through 3.35. Confirm the installed version, patch or disable the component, and review database errors and media records before closing the issue.

Media Library Assistant
2026-06-18 CVSS 8.5

CVE-2026-54813

SureDash - Blind SQL injection

CVE-2026-54813 affects SureDash through 1.8.0. Confirm the installed version, patch or disable the component, and review database errors and dashboard records before closing the issue.

SureDash
2026-06-18 CVSS 8.5

CVE-2026-54818

Slimstat Analytics - Blind SQL injection

CVE-2026-54818 affects Slimstat Analytics through 5.4.11. Confirm the installed version, patch or disable the component, and review analytics tables and database errors before closing the issue.

Slimstat Analytics
2026-06-17 CVSS 8.5

CVE-2025-69135

Events Schedule - SQL injection

CVE-2025-69135 affects Events Schedule through 2.7.2. Confirm the installed version, patch or disable the component, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

Events Schedule
2026-06-17 CVSS 8.5

CVE-2026-22335

WooCommerce Frontend Manager - Ultimate - SQL injection

CVE-2026-22335 affects WooCommerce Frontend Manager - Ultimate before 6.7.7. Confirm the installed version, patch or disable the component, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

WooCommerce Frontend Manager - Ultimate
2026-06-17 CVSS 8.5

CVE-2026-48967

Geo Mashup - SQL injection

CVE-2026-48967 affects Geo Mashup through 1.13.19. Confirm the installed version, patch or disable the component, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

Geo Mashup
2026-06-17 CVSS 8.5

CVE-2026-49073

Directorist Booking - Blind SQL injection

CVE-2026-49073 affects Directorist Booking through 3.0.3. Confirm the installed version, patch or disable the component, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

Directorist Booking
2026-06-17 CVSS 8.5

CVE-2026-49113

Cornerstone - Arbitrary code execution

CVE-2026-49113 affects Cornerstone before 7.8.8. Confirm the installed version, patch or disable the component, and review users, files, logs, and plugin settings before closing the incident.

Cornerstone
2026-06-17 CVSS 8.5

CVE-2026-54185

Cornerstone - SQL injection

CVE-2026-54185 affects Cornerstone before 7.8.8. Confirm the installed version, patch or disable the component, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

Cornerstone
2026-06-17 CVSS 8.5

CVE-2026-46870

MySQL Shell for VS Code - Oracle June 2026 CPU issue

CVE-2026-46870 affects MySQL Shell for VS Code 2026.2.0+9.6.1. Database teams should patch developer tooling and review saved connections, extension access, and unusual database activity.

MySQL Shell for VS Code Public PoC
2026-06-16 CVSS 8.5

CVE-2026-39581

WP Sessions Time Monitoring Full Automatic - SQL injection

CVE-2026-39581 affects WP Sessions Time Monitoring Full Automatic through 1.1.4. Confirm the installed version, patch or disable the plugin, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

WP Sessions Time Monitoring Full Automatic
2026-06-15 CVSS 8.5

CVE-2026-24637

PowerPress Podcasting - contributor SQL injection

CVE-2026-24637 affects PowerPress Podcasting through 11.15.10. WordPress owners should confirm the plugin version, patch or disable the component, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

PowerPress Podcasting
2026-06-15 CVSS 8.5

CVE-2026-40766

MasterStudy LMS - subscriber SQL injection

CVE-2026-40766 affects MasterStudy LMS through 3.7.25. WordPress owners should confirm the plugin version, patch or disable the component, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

MasterStudy LMS
2026-06-15 CVSS 8.5

CVE-2026-48874

GamiPress - subscriber SQL injection

CVE-2026-48874 affects GamiPress through 7.8.7. WordPress owners should confirm the plugin version, patch or disable the component, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

GamiPress
2026-06-15 CVSS 8.5

CVE-2026-48882

WP Time Slots Booking Form - subscriber SQL injection

CVE-2026-48882 affects WP Time Slots Booking Form through 1.2.50. WordPress owners should confirm the plugin version, patch or disable the component, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

WP Time Slots Booking Form
2026-06-15 CVSS 8.5

CVE-2026-48964

ELEX WordPress HelpDesk - subscriber SQL injection

CVE-2026-48964 affects ELEX WordPress HelpDesk & Customer Ticketing System through 3.3.6. WordPress owners should confirm the plugin version, patch or disable the component, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

ELEX WordPress HelpDesk & Customer Ticketing System
2026-06-15 CVSS 8.5

CVE-2026-52697

Taskbuilder - subscriber SQL injection

CVE-2026-52697 affects Taskbuilder through 5.0.7. WordPress owners should confirm the plugin version, patch or disable the component, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

Taskbuilder
2026-06-15 CVSS 8.5

CVE-2026-52700

WCMultiShipping - subscriber SQL injection

CVE-2026-52700 affects WCMultiShipping through 3.0.2. WordPress owners should confirm the plugin version, patch or disable the component, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

WCMultiShipping
2026-06-14 CVSS 8.5

CVE-2026-54420

LiteSpeed cPanel Plugin - shared hosting privilege escalation risk

CVE-2026-54420 affects LiteSpeed cPanel user-end plugin deployments before 2.4.8, including bundled WHM Plugin deployments before the fixed 5.3.2.1 line. Shared hosts using CloudLinux/CageFS should patch and review cPanel logs because the vendor reported active exploitation.

LiteSpeed cPanel Plugin Active Exploit Public PoC
2026-06-11 CVSS 8.5

CVE-2026-48546

KanaDojo - GitHub Actions sandbox escape

CVE-2026-48546 affects KanaDojo before 0.1.18. Repositories using similar issue auto-response workflows should review runner permissions, token scope, and pull-request execution paths.

KanaDojo Public PoC
2026-06-10 CVSS 8.5

CVE-2026-45549

Roxy-WI - monitoring agent action authorization bypass

CVE-2026-45549 affects Roxy-WI monitoring agent actions. Review who can start, stop, or restart agents and compare service restart times against panel logs.

Roxy-WI Public PoC
2026-06-10 CVSS 8.5

CVE-2026-49824

Fission - Function environment namespace validation gap

CVE-2026-49824 affects Fission before 1.24.0 where Function environment namespace validation can miss cross-namespace references. Review function specs and admission webhook behavior.

Fission Public PoC
2026-06-10 CVSS 8.5

CVE-2026-50570

Fission - incomplete container capability denylist

CVE-2026-50570 affects Fission before 1.25.0 capability validation. Review admission settings, runtime security contexts, and function or environment specs that request added Linux capabilities.

Fission Public PoC
2026-06-18 CVSS 8.4

CVE-2026-44688

Eclipse Theia - AI chat workspace prompt-context risk

CVE-2026-44688 affects Eclipse Theia before 1.71.0. Review workspace trust, AI agent settings, and opened repositories, then apply the vendor fix or remove the risky exposure until patched.

Eclipse Theia Public PoC
2026-06-18 CVSS 8.4

CVE-2026-44691

Eclipse Theia - workspace task execution risk

CVE-2026-44691 affects Eclipse Theia before 1.69.0. Review workspace trust, task definitions, and AI tool confirmation, then apply the vendor fix or remove the risky exposure until patched.

Eclipse Theia Public PoC
2026-06-18 CVSS 8.4

CVE-2026-46580

Eclipse Theia - workspace prompt template risk

CVE-2026-46580 affects Eclipse Theia before 1.71.0. Review prompt template folders, workspace trust, and AI agent settings, then apply the vendor fix or remove the risky exposure until patched.

Eclipse Theia Public PoC
2026-06-12 CVSS 8.4

CVE-2026-54360

MISP - sharing group mass assignment issue

CVE-2026-54360 affects MISP sharing group creation. Operators should patch, review sharing group IDs, ownership, membership, and event visibility around the advisory window.

MISP
2026-06-10 CVSS 8.4

CVE-2026-10721

Concrete CMS - PHP object injection in permission, cache, and search components

CVE-2026-10721 affects Concrete CMS before 9.5.2 through unsafe serialized data paths. Check the running CMS version, recent cache or permission errors, and patch the site.

Concrete CMS
2026-06-26 CVSS 8.3

CVE-2026-56063

MailChimp Block - Unauthenticated Broken Access Control

CVE-2026-56063 affects MailChimp Block <= 1.1.15. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

MailChimp Block
2026-06-25 CVSS 8.3

CVE-2026-54848

Saad Iqbal APIExperts Square for WooCommerce - Insertion of Sensitive Information Into Sent Data vulnerability

CVE-2026-54848 affects Saad Iqbal APIExperts Square for WooCommerce before the vendor-fixed release. Site owners should patch the component, preserve logs, and review data exposure before closing the issue.

Saad Iqbal APIExperts Square for WooCommerce
2026-06-23 CVSS 8.3

CVE-2026-34914

Revive Adserver - Blind SQL injection in zone-include.php clientid handling

CVE-2026-34914 affects Revive Adserver 6.0.6 and earlier. Patch to 6.0.7 or newer, restrict low-privilege account access during review, and check zone-include.php clientid handling, database errors, and delivery logs.

Revive Adserver Public PoC
2026-06-18 CVSS 8.3

CVE-2024-32949

Integrate Google Drive - Missing authorization

CVE-2024-32949 affects Integrate Google Drive through 1.3.8. Confirm the installed version, patch or disable the component, and review Google Drive file access and plugin permissions before closing the issue.

Integrate Google Drive
2026-06-10 CVSS 8.3

CVE-2026-45567

Roxy-WI - API-style authentication bypass condition

CVE-2026-45567 affects Roxy-WI authentication handling around API-style paths. Place the panel behind a trusted network and review access logs for unexpected API activity.

Roxy-WI Public PoC
2026-06-26 CVSS 8.2

CVE-2026-52783

OpenProject - authentication boundary risk

CVE-2026-52783 affects OpenProject. OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, OpenProject's Storages module writes the OneDrive/SharePoint userless OAuth access_token plaintext to Rails.cache under the d... Patch the affected deployment and review workflow and admin logs.

OpenProject
2026-06-26 CVSS 8.2

CVE-2026-57655

Child Theme Wizard - Unauthenticated Cross Site Request Forgery (CSRF)

CVE-2026-57655 affects Child Theme Wizard <= 1.4. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Child Theme Wizard
2026-06-25 CVSS 8.2

CVE-2026-11999

wolfSSL - trust validation risk

CVE-2026-11999 affects wolfSSL. X.509 trust-chain bypass (path-depth exhaustion) in the OpenSSL compatibility certificate verifier (wolfSSL_X509_verify_cert()). This affects only builds with --enable-opensslextra whose application calls X509_verify_cer... Patch the affected deployment and review trust and service logs.

wolfSSL
2026-06-25 CVSS 8.2

CVE-2026-55961

wolfSSL - trust validation risk

CVE-2026-55961 affects wolfSSL. wolfSSL_PKCS7_verify() returning success for a degenerate (certs-only) PKCS#7 object that contains no signer. Such an object has empty signerInfos, so the underlying signed-data verification succeeds without authenticati... Patch the affected deployment and review trust and service logs.

wolfSSL
2026-06-25 CVSS 8.2

CVE-2026-56091

Apache Shiro Guice - authentication boundary risk

CVE-2026-56091 affects Apache Shiro Guice. When using Apache Shiro with the shiro-guice module in a web servlet context, a specially crafted HTTP request may cause an authentication bypass. Patch the affected deployment and review component presence.

Apache Shiro Guice
2026-06-24 CVSS 8.2

CVE-2026-56351

n8n - SQL node identifier injection risk

CVE-2026-56351 affects n8n before 2.4.0 in MySQL, PostgreSQL, and Microsoft SQL nodes. Review workflow editors, SQL node configuration, database logs, and connected credentials.

n8n Public PoC
2026-06-22 CVSS 8.2

CVE-2026-54268

Angular common - date formatting denial-of-service risk

CVE-2026-54268 affects @angular/common date formatting when untrusted date format strings reach formatDate or DatePipe. Patch Angular and review SSR routes, user preferences, and API data that can influence date formats.

@angular/common Public PoC
2026-06-19 CVSS 8.2

CVE-2026-49260

PhpWeasyPrint - PDF command construction risk

CVE-2026-49260 affects pontedilana/php-weasyprint before 2.5.1. Patch the Composer dependency, check which routes generate PDFs, and review composer.lock, PDF generation jobs, and web-server logs.

pontedilana/php-weasyprint Public PoC
2026-06-18 CVSS 8.2

CVE-2026-40726

User Registration Stripe - Broken access control

CVE-2026-40726 affects User Registration Stripe through 1.3.14. Confirm the installed version, patch or disable the component, and review registration payments and user records before closing the issue.

User Registration Stripe
2026-06-18 CVSS 8.2

CVE-2026-49081

User Registration Stripe - Broken access control

CVE-2026-49081 affects User Registration Stripe through 1.3.12. Confirm the installed version, patch or disable the component, and review registration payments and user records before closing the issue.

User Registration Stripe
2026-06-18 CVSS 8.2

CVE-2026-48788

Remark42 - stored XSS in comments

CVE-2026-48788 affects Remark42 1.6.0 through 1.15.0. Patch or remove public exposure, preserve logs, and review comment content, moderator sessions, and site embeds.

Remark42 Public PoC
2026-06-16 CVSS 8.2

CVE-2026-49065

Hippoo Mobile App for WooCommerce - Broken access control

CVE-2026-49065 affects Hippoo Mobile App for WooCommerce through 1.9.5. Confirm the installed version, patch or disable the plugin, and review new sessions, booking records, order changes, and account history before closing the incident.

Hippoo Mobile App for WooCommerce
2026-06-15 CVSS 8.2

CVE-2026-42664

AI Product Search for WooCommerce - unauthenticated broken access control

CVE-2026-42664 affects AI Product Search for WooCommerce - Motive Commerce Search through 1.38.2. WordPress owners should confirm the plugin version, patch or disable the component, and review new sessions, booking records, order changes, and account history before closing the incident.

AI Product Search for WooCommerce - Motive Commerce Search
2026-06-12 CVSS 8.2

CVE-2026-50629

Apache CXF - OAuth2 clientId log injection

CVE-2026-50629 affects Apache CXF deployments in the June 2026 advisory batch. Check OAuth2, JMS/JCA, JWS JSON, or attachment handling depending on the module in use, then upgrade to 4.2.2 or 4.1.7.

Apache CXF
2026-06-09 CVSS 8.2

CVE-2026-9742

MongoDB Server - OIDC configuration pre-auth crash

CVE-2026-9742 affects MongoDB Server deployments with OIDC authentication enabled. Check whether OIDC is configured, patch the affected branch, and review mongod restart and authentication error logs.

MongoDB Server
2026-06-11 CVSS 8.2

CVE-2026-44487

Axios - Proxy-Authorization redirect credential leak

CVE-2026-44487 affects Axios Node usage with authenticated proxy flows. Patch and review services that follow redirects while using outbound proxy credentials.

Axios Public PoC
2026-06-11 CVSS 8.2

CVE-2026-49982

tmp npm package - non-string path option traversal

CVE-2026-49982 affects tmp 0.2.6 when non-string option values can escape the intended temp directory. Update to 0.2.7 and type-check temporary file options.

tmp Public PoC
2026-06-11 CVSS 8.2

CVE-2026-40998

Spring Web Services - Jaxp13XPathTemplate XXE via StreamSource and SAXSource

CVE-2026-40998 affects Spring Web Services applications that evaluate XPath over untrusted XML through Jaxp13XPathTemplate with StreamSource or SAXSource. Upgrade and review XML entry points.

Spring Web Services
2026-06-28 CVSS 8.1

CVE-2026-8095

Frontend File Manager Plugin - authenticated arbitrary file deletion

CVE-2026-8095 affects the Frontend File Manager Plugin for WordPress through 23.6. Sites should patch the plugin, preserve file timestamps, review failed file operations, and check whether critical WordPress files changed during the exposure window.

Frontend File Manager Plugin
2026-06-26 CVSS 8.1

CVE-2026-56031

Uncanny Automator - Unauthenticated PHP Object Injection

CVE-2026-56031 affects Uncanny Automator <= 7.3.1.2. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Uncanny Automator
2026-06-26 CVSS 8.1

CVE-2026-57645

Newsletters - newsletters_subscribers Broken Access Control

CVE-2026-57645 affects Newsletters <= 4.13. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Newsletters
2026-06-25 CVSS 8.1

CVE-2026-45233

HTMLy CMS - path traversal risk

CVE-2026-45233 affects HTMLy CMS. HTMLy CMS through 3.1.1 contains a path traversal vulnerability that allows low-privileged authenticated attackers to relocate arbitrary files by supplying directory traversal sequences in the oldfile parameter at the ad... Patch the affected deployment and review web and app logs.

HTMLy CMS
2026-06-25 CVSS 8.1

CVE-2026-54842

Royal Plugins Royal MCP - Missing Authorization vulnerability

CVE-2026-54842 affects Royal Plugins Royal MCP vendor-fixed release. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Royal Plugins Royal MCP
2026-06-23 CVSS 8.1

CVE-2026-45135

Caddy FastCGI - unsafe split path handling for non-PHP files

CVE-2026-45135 affects Caddy 2.7.0 through 2.10.2 when FastCGI split path handling can treat attacker-controlled non-PHP files as scripts. Patch and review upload directories behind FastCGI.

Caddy Public PoC
2026-06-23 CVSS 8.1

CVE-2026-52845

Caddy FastCGI - forward_auth header normalization bypass

CVE-2026-52845 affects Caddy before 2.11.4 when forward_auth copied headers can collide with FastCGI header normalization. Patch and review PHP applications that trust upstream identity headers.

Caddy Public PoC
2026-06-22 CVSS 8.1

CVE-2026-55388

piscina - inherited filename option worker execution risk

CVE-2026-55388 affects piscina when polluted prototype properties can influence worker options. Node services should upgrade piscina, audit prototype-pollution sources, and review worker process activity.

piscina Public PoC
2026-06-22 CVSS 8.1

CVE-2025-66336

Apache Doris MCP Server - metadata query SQL injection

CVE-2025-66336 affects Apache Doris MCP Server metadata queries when database names reach SQL construction without the intended authorization context. Patch to 0.6.1 or newer and review MCP and Doris audit logs.

Apache Doris MCP Server
2026-06-20 CVSS 8.1

CVE-2026-9843

Database for Contact Form 7, WPForms, Elementor Forms - arbitrary file deletion

CVE-2026-9843 affects Database for Contact Form 7, WPForms, Elementor Forms through 1.5.1. Confirm the installed version, patch or disable the component, and review form entries, deleted files, and recent admin views before closing the issue.

Database for Contact Form 7, WPForms, Elementor Forms Public PoC
2026-06-19 CVSS 8.1

CVE-2026-49286

PhpWeasyPrint - output filename handling risk

CVE-2026-49286 affects pontedilana/php-weasyprint before 2.6.0. Patch the Composer dependency, check which routes generate PDFs, and review composer.lock, PDF output folders, and generated files.

pontedilana/php-weasyprint Public PoC
2026-06-18 CVSS 8.1

CVE-2025-58924

Geya theme - Local file inclusion

CVE-2025-58924 affects Geya theme through 1.15. Confirm the installed version, patch or disable the component, and review theme files and recent PHP changes before closing the issue.

Geya theme
2026-06-18 CVSS 8.1

CVE-2025-58952

Neuronet theme - Local file inclusion

CVE-2025-58952 affects Neuronet theme before 1.14.0. Confirm the installed version, patch or disable the component, and review theme files and recent PHP changes before closing the issue.

Neuronet theme
2026-06-18 CVSS 8.1

CVE-2025-58953

Joly theme - Local file inclusion

CVE-2025-58953 affects Joly theme through 1.22.0. Confirm the installed version, patch or disable the component, and review theme files and recent PHP changes before closing the issue.

Joly theme
2026-06-18 CVSS 8.1

CVE-2025-58954

HomeRoofer theme - Local file inclusion

CVE-2025-58954 affects HomeRoofer theme through 2.11.0. Confirm the installed version, patch or disable the component, and review theme files and recent PHP changes before closing the issue.

HomeRoofer theme
2026-06-18 CVSS 8.1

CVE-2025-60085

Learnify theme - Local file inclusion

CVE-2025-60085 affects Learnify theme through 1.15.0. Confirm the installed version, patch or disable the component, and review theme files and recent PHP changes before closing the issue.

Learnify theme
2026-06-18 CVSS 8.1

CVE-2025-69105

Modernee theme - Local file inclusion

CVE-2025-69105 affects Modernee theme through 1.6.0. Confirm the installed version, patch or disable the component, and review theme files and recent PHP changes before closing the issue.

Modernee theme
2026-06-18 CVSS 8.1

CVE-2025-69107

Rosaleen theme - Local file inclusion

CVE-2025-69107 affects Rosaleen theme through 2.8. Confirm the installed version, patch or disable the component, and review theme files and recent PHP changes before closing the issue.

Rosaleen theme
2026-06-18 CVSS 8.1

CVE-2025-69109

Raider Spirit theme - Local file inclusion

CVE-2025-69109 affects Raider Spirit theme through 1.1.2. Confirm the installed version, patch or disable the component, and review theme files and recent PHP changes before closing the issue.

Raider Spirit theme
2026-06-18 CVSS 8.1

CVE-2025-69110

AirSupply theme - Local file inclusion

CVE-2025-69110 affects AirSupply theme through 2.0.0. Confirm the installed version, patch or disable the component, and review theme files and recent PHP changes before closing the issue.

AirSupply theme
2026-06-18 CVSS 8.1

CVE-2025-69112

Planty theme - Local file inclusion

CVE-2025-69112 affects Planty theme through 1.14.0. Confirm the installed version, patch or disable the component, and review theme files and recent PHP changes before closing the issue.

Planty theme
2026-06-16 CVSS 8.1

CVE-2026-53864

OpenClaw - Node.js control variable sanitizer bypass

CVE-2026-53864 affects OpenClaw before 2026.5.26. Review workspace .env files, tool environment overrides, and skill environment blocks for unexpected Node.js control variables before re-enabling shared workspaces.

OpenClaw Public PoC
2026-06-16 CVSS 8.1

CVE-2026-27333

Paid Videochat Turnkey Site - Deserialization

CVE-2026-27333 affects Paid Videochat Turnkey Site through 7.3.23. Confirm the installed version, patch or disable the plugin, and review PHP errors, changed files, users, and unexpected plugin settings before closing the incident.

Paid Videochat Turnkey Site
2026-06-16 CVSS 8.1

CVE-2026-39587

WP BASE Booking - Privilege escalation

CVE-2026-39587 affects WP BASE Booking through 5.9.0. Confirm the installed version, patch or disable the plugin, and review new users, role changes, and administrator sessions before closing the incident.

WP BASE Booking
2026-06-16 CVSS 8.1

CVE-2026-42411

CloudSecure WP Security - Broken authentication

CVE-2026-42411 affects CloudSecure WP Security through 1.4.7. Confirm the installed version, patch or disable the plugin, and review new sessions, password changes, and account history before closing the incident.

CloudSecure WP Security
2026-06-16 CVSS 8.1

CVE-2026-42687

EventPrime - PHP object injection

CVE-2026-42687 affects EventPrime through 4.3.2.1. Confirm the installed version, patch or disable the plugin, and review PHP errors, changed files, and unexpected plugin settings before closing the incident.

EventPrime
2026-06-16 CVSS 8.1

CVE-2026-48970

Really Simple SSL - Broken authentication

CVE-2026-48970 affects Really Simple SSL through 9.5.10. Confirm the installed version, patch or disable the plugin, and review new sessions, password changes, and account history before closing the incident.

Really Simple SSL
2026-06-16 CVSS 8.1

CVE-2026-8442

WP Review Slider Pro - Arbitrary file deletion

CVE-2026-8442 affects WP Review Slider Pro through 12.6.8. Confirm the installed version, patch or disable the plugin, and review missing plugin files, media files, and backups before closing the incident.

WP Review Slider Pro
2026-06-12 CVSS 8.1

CVE-2026-44249

Netty handler - IPv6 subnet rule bypass

Netty handler before 4.1.135.Final and 4.2.15.Final can mishandle IPv6 subnet filter rules. Review Java services that rely on Netty IP filtering and update the dependency lock.

Netty Public PoC
2026-06-12 CVSS 8.1

CVE-2026-45013

ApostropheCMS - password reset Host header account takeover

CVE-2026-45013 affects ApostropheCMS or a common dependency path in June 2026. Check package versions, trusted base URL, editor content, outbound fetch behavior, and password reset events.

ApostropheCMS Public PoC
2026-06-09 CVSS 8.1

CVE-2026-9753

MongoDB Server - oplog update memory out-of-bounds condition

CVE-2026-9753 affects MongoDB Server oplog update processing and can cause memory out-of-bounds behavior or a crash. Patch affected branches and review replica set stability.

MongoDB Server
2026-06-11 CVSS 8.1

CVE-2026-11816

Keras - archive extraction path traversal

CVE-2026-11816 affects Keras before 3.14.0 archive extraction utilities. ML services should patch and review dataset/model import paths, CI runners, Jupyter jobs, and container working directories.

Keras Public PoC
2026-06-11 CVSS 8.1

CVE-2026-10795

UpdraftPlus - UpdraftCentral remote communication authentication bypass

CVE-2026-10795 affects UpdraftPlus through 1.26.4 when the site has been connected to UpdraftCentral. Review remote communication logs, backup activity, plugin changes, and administrator accounts before treating the site as clean.

UpdraftPlus
2026-06-10 CVSS 8.1

CVE-2026-45062

FrankenPHP - PHP script routing confusion with non-ASCII paths

CVE-2026-45062 affects FrankenPHP 1.11.2 through 1.12.2 when user-controlled files can be routed as PHP scripts. Upgrade to 1.12.3 and review upload, media, and file-sharing paths.

FrankenPHP Public PoC
2026-06-10 CVSS 8.1

CVE-2026-45565

Roxy-WI - shared input validation traversal weakness

CVE-2026-45565 affects Roxy-WI shared input validation. Review path-like inputs, changed files, and whether previous filtering rules actually blocked traversal patterns.

Roxy-WI Public PoC
2026-06-10 CVSS 8.1

CVE-2026-45569

Roxy-WI - incomplete traversal validation patch

CVE-2026-45569 affects an incomplete Roxy-WI traversal validation patch. Review updated code, path containment, and any config restore or upload actions after the first patch attempt.

Roxy-WI Public PoC
2026-06-10 CVSS 8.1

CVE-2026-41717

Spring Data MongoDB - SpEL injection in annotated query binding

CVE-2026-41717 affects Spring Data MongoDB applications that expose annotated repository methods with capture-all placeholders to untrusted input. Upgrade affected branches and search for risky @Query or @Aggregation patterns.

Spring Data MongoDB
2026-06-10 CVSS 8.1

CVE-2026-41729

Spring Data REST - SpEL injection through JSON Patch map keys

CVE-2026-41729 affects Spring Data REST when JSON Patch reaches Map-typed persistent properties. Upgrade affected branches and restrict PATCH exposure while reviewing map-backed resources.

Spring Data REST
2026-06-10 CVSS 8.1

CVE-2026-41731

Spring for Apache Kafka - broad trusted-package deserialization

CVE-2026-41731 affects Spring for Apache Kafka header mappers where broad trusted-package matching can expose JDK classes to deserialization. Upgrade and review JsonKafkaHeaderMapper or DefaultKafkaHeaderMapper configuration.

Spring for Apache Kafka
2026-06-10 CVSS 8.1

CVE-2026-41732

Spring for Apache Pulsar - trusted-package deserialization risk

CVE-2026-41732 affects Spring for Apache Pulsar when JsonPulsarHeaderMapper trusted-package matching is too broad or empty configuration falls back to trusting all packages. Upgrade and review header mapper configuration.

Spring for Apache Pulsar
2026-06-09 CVSS 8.1

CVE-2026-7383

OpenSSL - ASN.1 multibyte string conversion overflow

CVE-2026-7383 is part of the OpenSSL 2026-06-09 advisory. Exposure is narrow and tied to direct ASN1_mbstring_copy style usage with attacker-controlled large input, but operators should still update supported OpenSSL branches.

OpenSSL Public PoC
2026-06-09 CVSS 8.1

CVE-2026-9662

Recover Exit for WooCommerce - Unauthenticated LFI via tpf include path

Recover Exit for WooCommerce exposes a reported local file inclusion path through a POST value that reaches include(). Stores should remove or disable the plugin, check the affected PHP files, and review logs before reopening checkout flows.

Recover Exit for WooCommerce
2026-05-28 CVSS 8.1

CVE-2026-6455

WP Contact Form 7 DB Handler - CSRF → SQLi → Deserialization → Arbitrary File Deletion

The WP Contact Form 7 DB Handler plugin chains four flaws: CSRF bypass (nonce check skipped when field is absent), UNION-based SQL injection, PHP object injection, and arbitrary file deletion via path traversal. One admin click on a crafted link can delete wp-config.php and take down the entire site.

WordPress Public PoC
2026-06-25 CVSS 8.0

CVE-2026-10712

GitLab CE/EE - path validation cross-site scripting risk

CVE-2026-10712 is covered by GitLab's 2026-06-25 patch release. Check the deployed branch, apply the fixed release, and review project activity, user sessions, and sensitive output exposure where relevant.

GitLab
2026-06-12 CVSS 8.0

CVE-2026-44168

MariaDB Server - branch-level server vulnerability

CVE-2026-44168 affects supported MariaDB branches including 10.6, 10.11, 11.4, and 11.8 lines. Confirm the exact server branch, patch to the fixed release, and review database errors or restarts.

MariaDB Server
2026-06-12 CVSS 8.0

CVE-2026-48163

MariaDB Server - June 2026 high-severity advisory

CVE-2026-48163 affects MariaDB Server versions in the 10.6, 10.11, 11.4, and 11.8 lines. Confirm the running branch, patch, and review service health after restart.

MariaDB Server
2026-06-12 CVSS 8.0

CVE-2026-48165

MariaDB Server - June 2026 high-severity advisory

CVE-2026-48165 affects MariaDB Server versions in the June 2026 advisory batch. Patch the deployed branch and review database logs and failover events.

MariaDB Server
2026-06-24 CVSS 7.8

CVE-2026-2050

GIMP / GEGL - HDR file parsing heap overflow risk

CVE-2026-2050 affects GIMP HDR file parsing through the GEGL image processing path. Desktop fleets should update packages and review workflows that open untrusted HDR files.

GIMP / GEGL Public PoC
2026-06-10 CVSS 7.8

CVE-2026-2049

GIMP/GEGL - HDR file parsing memory corruption

CVE-2026-2049 affects GIMP/GEGL HDR file parsing. Teams processing untrusted image submissions should update workstations and automated image-processing containers.

GIMP / GEGL Public PoC
2026-06-26 CVSS 7.7

CVE-2026-48618

Node.js - authentication boundary risk

CVE-2026-48618 affects Node.js. A flaw in Node.js Unicode dot-separator handling during TLS hostname verification can lead to a TLS wildcard-depth authentication bypass, caused by a resolver and verifier hostname normalization mismat... Patch the affected deployment and review runtime logs.

Node.js
2026-06-25 CVSS 7.7

CVE-2026-37149

Grocery Store Management System - SQL injection risk

CVE-2026-37149 affects Grocery Store Management System. GROCERY-STORE-MANAGEMENT-SYSTEM-USING-PHP-AND-MYSQL-PHPMYADMIN v1.0 was discovered to contain a SQL injection vulnerability in the scost parameter in /grocery/search_products.php. This vulnerability allows attackers to a... Patch the affected deployment and review web and app logs.

Grocery Store Management System
2026-06-25 CVSS 7.7

CVE-2026-56054

JS Help Desk - Subscriber Arbitrary File Deletion

CVE-2026-56054 affects JS Help Desk <= 3.1.1. Site owners should patch the component, preserve logs, and review files and uploads before closing the issue.

JS Help Desk
2026-06-25 CVSS 7.7

CVE-2026-8592

Rapid7 InsightConnect AWK Plugin - command execution risk in Linux workflow action

CVE-2026-8592 affects the Rapid7 InsightConnect AWK Plugin on Linux. Review workflow runs, connector permissions, input sources, generated artifacts, and runner logs before re-enabling affected automation.

Rapid7 InsightConnect AWK Plugin
2026-06-25 CVSS 7.7

CVE-2026-8665

Rapid7 InsightConnect Translate Plugin - command execution risk in Linux workflow action

CVE-2026-8665 affects the Rapid7 InsightConnect Translate Plugin on Linux. Review workflow runs, connector permissions, input sources, generated artifacts, and runner logs before re-enabling affected automation.

Rapid7 InsightConnect Translate Plugin
2026-06-24 CVSS 7.7

CVE-2026-33235

AutoGPT - Fill Text Template denial of service risk

CVE-2026-33235 affects AutoGPT before 0.6.52. Review Fill Text Template blocks, tenant activity, worker CPU pressure, and failed runs.

AutoGPT Public PoC
2026-06-23 CVSS 7.7

CVE-2026-54018

Open WebUI - Playwright URL loader SSRF redirect bypass

CVE-2026-54018 affects Open WebUI before 0.9.6 when the Playwright web loader can follow redirects after initial URL validation. Patch and review RAG web fetch settings and outbound access.

Open WebUI Public PoC
2026-06-16 CVSS 7.7

CVE-2026-40727

Groundhogg - Arbitrary file deletion

CVE-2026-40727 affects Groundhogg through 4.4. Confirm the installed version, patch or disable the plugin, and review missing plugin files, media files, and backups before closing the incident.

Groundhogg
2026-06-16 CVSS 7.7

CVE-2026-40779

Link Library - Arbitrary file deletion

CVE-2026-40779 affects Link Library through 7.8.8. Confirm the installed version, patch or disable the plugin, and review missing plugin files, media files, and backups before closing the incident.

Link Library
2026-06-05 CVSS 7.7

CVE-2026-46394

HAX CMS PHP - Git command handling risk

CVE-2026-46394 affects the HAX CMS PHP Git helper before 26.0.0. Review Git remotes, filters, helper logs, and repository settings after patching.

HAX CMS Public PoC
2026-06-08 CVSS 7.7

CVE-2026-40519

Nginx Proxy Manager - certificate plugin command injection

CVE-2026-40519 affects Nginx Proxy Manager certificate plugin setup when an account can manage certificates. Review admin exposure, certificate permissions, DNS challenge credentials, and update to a build containing the upstream fix.

Nginx Proxy Manager
2026-06-11 CVSS 7.7

CVE-2026-44705

tmp npm package - temporary path traversal

CVE-2026-44705 affects tmp before 0.2.6 when untrusted data reaches temporary file or directory options. Patch and enforce strict string allowlists around prefix, postfix, dir, and template settings.

tmp Public PoC
2026-06-10 CVSS 7.7

CVE-2026-49821

Fission - Package environment namespace validation gap

CVE-2026-49821 affects Fission before 1.24.0 package environment namespace validation. Review Package specs, builder behavior, and cross-namespace references.

Fission Public PoC
2026-06-10 CVSS 7.7

CVE-2026-49822

Fission - KubernetesWatchTrigger cross-namespace surveillance risk

CVE-2026-49822 affects Fission before 1.24.0 KubernetesWatchTrigger namespace boundaries. Review who can create KWT resources and whether watch targets cross tenant namespaces.

Fission Public PoC
2026-06-10 CVSS 7.7

CVE-2026-49823

Fission - PackageRef namespace validation gap in Function specs

CVE-2026-49823 affects Fission before 1.24.0 Function PackageRef namespace checks. Review function specs for cross-namespace package references.

Fission Public PoC
2026-06-10 CVSS 7.7

CVE-2026-50567

Fission - archive extraction path traversal

CVE-2026-50567 affects Fission archive extraction before 1.25.0. Treat package archive URLs as untrusted and review fetcher sidecar file writes and package storage.

Fission Public PoC
2026-06-26 CVSS 7.6

CVE-2026-54826

SupportCandy - Subscriber Insecure Direct Object References (IDOR)

CVE-2026-54826 affects SupportCandy <= 3.4.6. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

SupportCandy
2026-06-26 CVSS 7.6

CVE-2026-57628

WP All Import - Administrator SQL Injection

CVE-2026-57628 affects WP All Import <= 4.0.1. Site owners should patch the component, preserve logs, and review database logs before closing the issue.

WP All Import
2026-06-24 CVSS 7.6

CVE-2026-11998

AngularJS - SCE resource URL bypass risk

CVE-2026-11998 affects AngularJS 1.2.0-rc.3 and later in Strict Contextual Escaping resource URL policy handling. Review legacy AngularJS apps, trusted resource URL rules, and migration plans.

AngularJS
2026-06-24 CVSS 7.6

CVE-2026-56052

FunnelKit Funnel Builder - blind SQL injection risk

CVE-2026-56052 affects FunnelKit Funnel Builder through 3.15.0.5. Review funnel changes, administrator activity, and database errors before reopening checkout or marketing flows.

FunnelKit Funnel Builder
2026-06-22 CVSS 7.6

CVE-2026-55409

Filament Forms - disabled RichEditor XSS risk

CVE-2026-55409 affects Filament Forms 3.x before 3.3.53 when disabled RichEditor field state can render unsanitized HTML. Patch and review fields that display stored rich text.

Filament Public PoC
2026-06-19 CVSS 7.6

CVE-2026-49290

Slopsmith - path traversal file read risk

CVE-2026-49290 affects Slopsmith before 0.2.9-alpha.5. Confirm exposure, apply the vendor fix or remove the component, and review media library paths, container mounts, and access logs.

Slopsmith Public PoC
2026-06-18 CVSS 7.6

CVE-2026-55746

Cotonti - stored XSS in personal file storage

CVE-2026-55746 affects Cotonti 1.0.0 master branch. Patch or remove public exposure, preserve logs, and review PFS folder titles and user-uploaded content.

Cotonti Public PoC
2026-06-16 CVSS 7.6

CVE-2026-52712

Attendance Manager - SQL injection

CVE-2026-52712 affects Attendance Manager through 0.6.2. Confirm the installed version, patch or disable the plugin, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

Attendance Manager
2026-06-12 CVSS 7.6

CVE-2026-45012

ApostropheCMS - rich-text import SSRF

CVE-2026-45012 affects ApostropheCMS or a common dependency path in June 2026. Check package versions, trusted base URL, editor content, outbound fetch behavior, and password reset events.

ApostropheCMS Public PoC
2026-06-13 CVSS 7.6

CVE-2026-6428

Koha - SQL injection risk in catalogue report handling

CVE-2026-6428 affects Koha catalogue report handling when a staff account has Reports permission on vulnerable branches. Upgrade to the fixed Koha branch, review report exports and database errors, and remove unnecessary Reports access.

Koha Public PoC
2026-06-12 CVSS 7.6

CVE-2026-41003

Spring Security - SAML relying-party registration exposure

CVE-2026-41003 affects Spring Security applications that render attacker-influenced SAML relying-party registration values. Review SAML configuration sources and move to fixed Spring Security releases.

Spring Security
2026-06-28 CVSS 7.5

CVE-2026-13498

restaurent-management-system - forgot-password SQL injection risk

CVE-2026-13498 affects the yashpokharna2555 restaurent-management-system project, which does not publish fixed version metadata. Owners should remove public exposure, review forgot-password activity, preserve database logs, and migrate away from the unsupported code path.

yashpokharna2555 restaurent-management-system Public PoC
2026-06-26 CVSS 7.5

CVE-2025-68063

Splash - Sport Club WordPress Theme for Basketball, Football, Hockey - Contributor Local File Inclusion

CVE-2025-68063 affects Splash - Sport Club WordPress Theme for Basketball, Football, Hockey <= 4.4.3. Site owners should patch the component, preserve logs, and review files and uploads before closing the issue.

Splash - Sport Club WordPress Theme for Basketball, Football, Hockey
2026-06-26 CVSS 7.5

CVE-2025-68064

Goya Core - Contributor Local File Inclusion

CVE-2025-68064 affects Goya Core < 1.0.9.4. Site owners should patch the component, preserve logs, and review files and uploads before closing the issue.

Goya Core
2026-06-26 CVSS 7.5

CVE-2026-48615

Node.js - sensitive data exposure risk

CVE-2026-48615 affects Node.js. A flaw in Node.js proxy tunnel error handling could expose proxy credentials in `ERR_PROXY_TUNNEL` error messages. Patch the affected deployment and review runtime logs.

Node.js
2026-06-26 CVSS 7.5

CVE-2026-48619

Node.js - availability risk

CVE-2026-48619 affects Node.js. A flaw in Node.js HTTP/2 client allows a server to send an unlimited number of ORIGIN frames, which could lead to an Out of Memory error on the client. Patch the affected deployment and review runtime logs.

Node.js
2026-06-26 CVSS 7.5

CVE-2026-48933

Node.js - security boundary risk

CVE-2026-48933 affects Node.js. A flaw in Node.js WebCrypto implementation can crash the process if the input of `subtle.encrypt()` is a multiple of 2GiB. Patch the affected deployment and review runtime logs.

Node.js
2026-06-26 CVSS 7.5

CVE-2026-49486

Apache Airflow FTP provider - sensitive data exposure risk

CVE-2026-49486 affects Apache Airflow FTP provider. The Apache Airflow FTP provider's `FTPSHook.get_conn()` created an `ftplib.FTP_TLS` connection but never called `prot_p()`, so although the control channel was TLS-protected the data channel was transmitted in cleartext.... Patch the affected deployment and review workflow and admin logs.

Apache Airflow FTP provider
2026-06-26 CVSS 7.5

CVE-2026-54824

Ads by WPQuads - Unauthenticated Sensitive Data Exposure

CVE-2026-54824 affects Ads by WPQuads <= 3.0.3. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Ads by WPQuads
2026-06-26 CVSS 7.5

CVE-2026-54832

Gutenverse Companion - Unauthenticated Broken Access Control

CVE-2026-54832 affects Gutenverse Companion <= 2.5.0. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Gutenverse Companion
2026-06-26 CVSS 7.5

CVE-2026-54834

Object Cache 4 everyone - Unauthenticated Sensitive Data Exposure

CVE-2026-54834 affects Object Cache 4 everyone <= 2.3.2. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Object Cache 4 everyone
2026-06-26 CVSS 7.5

CVE-2026-54835

Five Star Restaurant Menu - Unauthenticated Broken Access Control

CVE-2026-54835 affects Five Star Restaurant Menu <= 2.5.2. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Five Star Restaurant Menu
2026-06-26 CVSS 7.5

CVE-2026-54837

Intranet and Private Site - All-In-One Intranet - Unauthenticated Broken Access Control

CVE-2026-54837 affects Intranet and Private Site - All-In-One Intranet <= 1.8.1. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Intranet and Private Site - All-In-One Intranet
2026-06-26 CVSS 7.5

CVE-2026-54839

Trinity Backup - Backup, Migrate, Restore, Clone and Schedule Backups - Unauthenticated Sensitive Data Exposure

CVE-2026-54839 affects Trinity Backup - Backup, Migrate, Restore, Clone and Schedule Backups <= 2.0.9. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Trinity Backup - Backup, Migrate, Restore, Clone and Schedule Backups
2026-06-26 CVSS 7.5

CVE-2026-54846

Syncee Premium Dropshipping and Wholesale - Unauthenticated Broken Access Control

CVE-2026-54846 affects Syncee Premium Dropshipping and Wholesale <= 1.0.27. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Syncee Premium Dropshipping and Wholesale
2026-06-26 CVSS 7.5

CVE-2026-54847

Stylish Cost Calculator - Unauthenticated Broken Access Control

CVE-2026-54847 affects Stylish Cost Calculator <= 8.3.9. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Stylish Cost Calculator
2026-06-26 CVSS 7.5

CVE-2026-56025

Paymob for WooCommerce - Unauthenticated Broken Access Control

CVE-2026-56025 affects Paymob for WooCommerce <= 4.1.2. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Paymob for WooCommerce
2026-06-26 CVSS 7.5

CVE-2026-56029

CorvusPay WooCommerce Payment Gateway - Unauthenticated Broken Authentication

CVE-2026-56029 affects CorvusPay WooCommerce Payment Gateway <= 2.7.4. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

CorvusPay WooCommerce Payment Gateway
2026-06-26 CVSS 7.5

CVE-2026-56060

Print Invoice & Delivery Notes for WooCommerce - Unauthenticated Sensitive Data Exposure

CVE-2026-56060 affects Print Invoice & Delivery Notes for WooCommerce <= 7.1.1. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Print Invoice & Delivery Notes for WooCommerce
2026-06-26 CVSS 7.5

CVE-2026-56061

Subscriptions for WooCommerce - Unauthenticated Broken Access Control

CVE-2026-56061 affects Subscriptions for WooCommerce <= 1.9.5. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Subscriptions for WooCommerce
2026-06-26 CVSS 7.5

CVE-2026-56069

Toolset Forms - Unauthenticated Insecure Direct Object References (IDOR)

CVE-2026-56069 affects Toolset Forms <= 2.6.24. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Toolset Forms
2026-06-26 CVSS 7.5

CVE-2026-57647

Panorama Viewer 360 Degree Image + Video Viewer - Contributor Local File Inclusion

CVE-2026-57647 affects Panorama Viewer 360 Degree Image + Video Viewer <= 1.6.1. Site owners should patch the component, preserve logs, and review files and uploads before closing the issue.

Panorama Viewer 360 Degree Image + Video Viewer
2026-06-25 CVSS 7.5

CVE-2026-12937

Tourfic AI Powered Travel Booking, Hotel Booking & Car Rental WordPress - generic SQL Injection

CVE-2026-12937 affects Tourfic AI Powered Travel Booking, Hotel Booking & Car Rental WordPress in releases before the vendor-fixed release. Site owners should patch the component, preserve logs, and review database logs before closing the issue.

Tourfic AI Powered Travel Booking, Hotel Booking & Car Rental WordPress
2026-06-25 CVSS 7.5

CVE-2026-27366

MainWP Child - Unauthenticated Broken Access Control

CVE-2026-27366 affects MainWP Child <= 6.1.1. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

MainWP Child
2026-06-25 CVSS 7.5

CVE-2026-38637

relibc - availability risk

CVE-2026-38637 affects relibc. An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of Service (DoS) via a crafted input. Patch the affected deployment and review component presence.

relibc
2026-06-25 CVSS 7.5

CVE-2026-38640

relibc - availability risk

CVE-2026-38640 affects relibc. A reachable unwrap in the __assert_fail function (/assert/mod.rs) of relibc commit 61f42d allows attackers to cause a Denial of Service (DoS) via a crafted string. Patch the affected deployment and review component presence.

relibc
2026-06-25 CVSS 7.5

CVE-2026-54828

Motors - Unauthenticated Broken Access Control

CVE-2026-54828 affects Motors <= 1.4.109. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Motors
2026-06-25 CVSS 7.5

CVE-2026-54829

Jacob N. Breetvelt WP Photo Album Plus - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability

CVE-2026-54829 affects Jacob N. Breetvelt WP Photo Album Plus in releases before the vendor-fixed release. Site owners should patch the component, preserve logs, and review database logs before closing the issue.

Jacob N. Breetvelt WP Photo Album Plus
2026-06-25 CVSS 7.5

CVE-2026-54830

Five Star Restaurant Reservations - Unauthenticated Broken Access Control

CVE-2026-54830 affects Five Star Restaurant Reservations <= 2.7.19. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Five Star Restaurant Reservations
2026-06-25 CVSS 7.5

CVE-2026-54841

Vitepos - Unauthenticated Sensitive Data Exposure

CVE-2026-54841 affects Vitepos <= 3.4.2. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Vitepos
2026-06-25 CVSS 7.5

CVE-2026-54844

CheckView Automated Testing - Unauthenticated Broken Access Control

CVE-2026-54844 affects CheckView Automated Testing <= 2.1.0. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

CheckView Automated Testing
2026-06-25 CVSS 7.5

CVE-2026-9702

InPost PL - WordPress plugin vulnerability

CVE-2026-9702 affects InPost PL before 1.9.1. Site owners should patch the component, preserve logs, and review logs and users before closing the issue.

InPost PL
2026-06-25 CVSS 7.5

CVE-2026-12077

Dokan Pro - unauthenticated SQL injection data exposure risk

CVE-2026-12077 affects Dokan Pro for WordPress through 5.0.4. Marketplace owners should patch, review vendor/store pages, database errors, and unusual requests around location-based filtering.

Dokan Pro
2026-06-24 CVSS 7.5

CVE-2026-57281

Jenkins Script Security Plugin - Groovy AST sandbox bypass

CVE-2026-57281 affects a Jenkins plugin covered by the 2026-06-24 advisory. Patch the plugin, review permissions, and preserve controller logs before cleanup.

Jenkins
2026-06-24 CVSS 7.5

CVE-2026-10735

ShapedPlugin compromised update supply-chain risk

CVE-2026-10735 affects Shapedsmart-post-show-pro before 4.0.2, Real Testimonials Pro before 3.2.5, and Product Slider for WooCommerce Pro before 3.5.3. Review updates, files, users, and credentials.

ShapedPlugin plugin bundle
2026-06-24 CVSS 7.5

CVE-2026-8705

ClearSale Total - unauthenticated SQL injection risk

CVE-2026-8705 affects ClearSale Total through 3.4.2. Stores should patch or remove the plugin, confirm the PHP runtime state, and review WooCommerce payment and plugin logs.

ClearSale Total Public PoC
2026-06-24 CVSS 7.5

CVE-2026-9178

WP Forms Connector - user data exposure risk

CVE-2026-9178 affects WP Forms Connector through 1.8. Site owners should disable the plugin until patched, review REST access logs, and treat exposed user data as sensitive.

WP Forms Connector
2026-06-24 CVSS 7.5

CVE-2026-9179

WP Forms Connector - REST route SQL injection risk

CVE-2026-9179 affects WP Forms Connector through 1.8. Review REST route access, database errors, and user data exposure before returning the plugin to production.

WP Forms Connector
2026-06-23 CVSS 7.5

CVE-2026-53754

Crawl4AI - Docker API SSRF filter bypass

CVE-2026-53754 affects Crawl4AI before 0.8.8 when Docker API SSRF protection misses several internal address forms. Patch, enable authentication, and review outbound access from the container.

Crawl4AI Public PoC
2026-06-22 CVSS 7.5

CVE-2026-55603

http-proxy-middleware - multipart request body desync risk

CVE-2026-55603 affects http-proxy-middleware deployments that rebuild multipart request bodies with fixRequestBody. Patch and verify gateway validation still matches what upstream services receive.

http-proxy-middleware Public PoC
2026-06-21 CVSS 7.5

CVE-2026-12775

Montodel House-Rental-Management - SQL injection

CVE-2026-12775 affects Montodel House-Rental-Management rolling-release builds before the reported fix state. Patch or remove public exposure, preserve logs, and review login logs, rental records, database errors, and changed users.

Montodel House-Rental-Management Public PoC
2026-06-22 CVSS 7.5

CVE-2026-44914

Apache NiFi - restricted component authorization gap

CVE-2026-44914 affects Apache NiFi 1.12.0 through 2.9.0 when replacing process groups that include components requiring restricted permissions. Review users with write access, restricted component policy, and flow replacement activity.

Apache NiFi
2026-06-20 CVSS 7.5

CVE-2026-11911

Simple File List - arbitrary file deletion

CVE-2026-11911 affects Simple File List through 6.3.7. Confirm the installed version, patch or disable the component, and review file list activity, missing files, and recent PHP changes before closing the issue.

Simple File List
2026-06-20 CVSS 7.5

CVE-2026-11912

Simple File List - arbitrary file modification

CVE-2026-11912 affects Simple File List through 6.3.7. Confirm the installed version, patch or disable the component, and review file list activity, changed files, and recent PHP changes before closing the issue.

Simple File List Public PoC
2026-06-19 CVSS 7.5

CVE-2026-48774

ProxySQL - GenAI/MCP read-only contract violation

CVE-2026-48774 affects ProxySQL 3.0.0 through 3.0.8. Patch to 3.0.9 or newer, restrict exposed listeners, and review MCP/GenAI settings, tool logs, and database write activity.

ProxySQL
2026-06-18 CVSS 7.5

CVE-2026-45617

LiquidJS - strip_html ReDoS

CVE-2026-45617 affects LiquidJS through 10.25.7. Review template inputs, Node.js worker CPU, and dependency locks, then apply the vendor fix or remove the risky exposure until patched.

LiquidJS Public PoC
2026-06-19 CVSS 7.5

CVE-2026-11576

Eclipse ThreadX NetX Duo - HTTP server cleanup handling

CVE-2026-11576 affects Eclipse ThreadX NetX Duo HTTP server PUT handling. Review embedded HTTP server firmware, PUT support, and vendor update state, then apply the vendor fix or remove the risky exposure until patched.

Eclipse ThreadX NetX Duo Public PoC
2026-06-16 CVSS 7.5

CVE-2026-25425

User Registration - Broken access control

CVE-2026-25425 affects User Registration through 5.1.2. Confirm the installed version, patch or disable the plugin, and review new sessions, booking records, order changes, and account history before closing the incident.

User Registration
2026-06-16 CVSS 7.5

CVE-2026-27089

WpTravelly - Bypass vulnerability

CVE-2026-27089 affects WpTravelly through 2.1.7. Confirm the installed version, patch or disable the plugin, and review permission checks, account activity, and exposed private records before closing the incident.

WpTravelly
2026-06-16 CVSS 7.5

CVE-2026-34886

Simple Membership - Broken access control

CVE-2026-34886 affects Simple Membership through 4.7.1. Confirm the installed version, patch or disable the plugin, and review new sessions, booking records, order changes, and account history before closing the incident.

Simple Membership
2026-06-16 CVSS 7.5

CVE-2026-34891

IDPay Payment Gateway for WooCommerce - Sensitive data exposure

CVE-2026-34891 affects IDPay Payment Gateway for WooCommerce through 2.2.5. Confirm the installed version, patch or disable the plugin, and review exports, orders, form data, bookings, and access logs before closing the incident.

IDPay Payment Gateway for WooCommerce
2026-06-16 CVSS 7.5

CVE-2026-34898

Event Tickets Manager for WooCommerce - Broken access control

CVE-2026-34898 affects Event Tickets Manager for WooCommerce through 1.5.3. Confirm the installed version, patch or disable the plugin, and review new sessions, booking records, order changes, and account history before closing the incident.

Event Tickets Manager for WooCommerce
2026-06-16 CVSS 7.5

CVE-2026-39480

Backup Migration - Sensitive data exposure

CVE-2026-39480 affects Backup Migration through 2.1.1. Confirm the installed version, patch or disable the plugin, and review exports, orders, form data, bookings, and access logs before closing the incident.

Backup Migration
2026-06-16 CVSS 7.5

CVE-2026-39503

Easy Digital Downloads - Broken access control

CVE-2026-39503 affects Easy Digital Downloads through 3.6.5. Confirm the installed version, patch or disable the plugin, and review new sessions, booking records, order changes, and account history before closing the incident.

Easy Digital Downloads
2026-06-16 CVSS 7.5

CVE-2026-39513

Easy Appointments - Broken access control

CVE-2026-39513 affects Easy Appointments through 3.12.21. Confirm the installed version, patch or disable the plugin, and review new sessions, booking records, order changes, and account history before closing the incident.

Easy Appointments
2026-06-16 CVSS 7.5

CVE-2026-39524

Masteriyo - LMS - Broken access control

CVE-2026-39524 affects Masteriyo - LMS through 2.1.5. Confirm the installed version, patch or disable the plugin, and review new sessions, booking records, order changes, and account history before closing the incident.

Masteriyo - LMS
2026-06-16 CVSS 7.5

CVE-2026-39533

AWP Classifieds - Broken access control

CVE-2026-39533 affects AWP Classifieds through 4.4.4. Confirm the installed version, patch or disable the plugin, and review new sessions, booking records, order changes, and account history before closing the incident.

AWP Classifieds
2026-06-16 CVSS 7.5

CVE-2026-39534

WP Directory Kit - Broken access control

CVE-2026-39534 affects WP Directory Kit through 1.5.0. Confirm the installed version, patch or disable the plugin, and review new sessions, booking records, order changes, and account history before closing the incident.

WP Directory Kit
2026-06-16 CVSS 7.5

CVE-2026-40741

Redsys for WooCommerce Light - Broken access control

CVE-2026-40741 affects Redsys for WooCommerce Light through 7.0.0. Confirm the installed version, patch or disable the plugin, and review new sessions, booking records, order changes, and account history before closing the incident.

Redsys for WooCommerce Light
2026-06-16 CVSS 7.5

CVE-2026-40762

WPGraphQL - SQL injection

CVE-2026-40762 affects WPGraphQL before 2.11.1. Confirm the installed version, patch or disable the plugin, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

WPGraphQL
2026-06-16 CVSS 7.5

CVE-2026-40767

wpForo Forum - Broken access control

CVE-2026-40767 affects wpForo Forum before 3.0.2. Confirm the installed version, patch or disable the plugin, and review new sessions, booking records, order changes, and account history before closing the incident.

wpForo Forum
2026-06-16 CVSS 7.5

CVE-2026-40774

Booking Package - Broken access control

CVE-2026-40774 affects Booking Package through 1.7.06. Confirm the installed version, patch or disable the plugin, and review new sessions, booking records, order changes, and account history before closing the incident.

Booking Package
2026-06-16 CVSS 7.5

CVE-2026-40776

WP Event Solution - Broken access control

CVE-2026-40776 affects WP Event Solution through 4.1.8. Confirm the installed version, patch or disable the plugin, and review new sessions, booking records, order changes, and account history before closing the incident.

WP Event Solution
2026-06-16 CVSS 7.5

CVE-2026-42384

Simply Schedule Appointments - Sensitive data exposure

CVE-2026-42384 affects Simply Schedule Appointments before 1.6.11.2. Confirm the installed version, patch or disable the plugin, and review exports, orders, form data, bookings, and access logs before closing the incident.

Simply Schedule Appointments
2026-06-16 CVSS 7.5

CVE-2026-42666

Salon booking system - Broken access control

CVE-2026-42666 affects Salon booking system through 10.30.25. Confirm the installed version, patch or disable the plugin, and review new sessions, booking records, order changes, and account history before closing the incident.

Salon booking system
2026-06-16 CVSS 7.5

CVE-2026-42668

Email Marketing for WooCommerce by Omnisend - Broken authentication

CVE-2026-42668 affects Email Marketing for WooCommerce by Omnisend through 1.18.0. Confirm the installed version, patch or disable the plugin, and review new sessions, password changes, and account history before closing the incident.

Email Marketing for WooCommerce by Omnisend
2026-06-16 CVSS 7.5

CVE-2026-48835

Contact Form by WPForms - Broken access control

CVE-2026-48835 affects Contact Form by WPForms through 1.10.0.4. Confirm the installed version, patch or disable the plugin, and review new sessions, booking records, order changes, and account history before closing the incident.

Contact Form by WPForms
2026-06-16 CVSS 7.5

CVE-2026-48868

Simple Shopping Cart - IDOR

CVE-2026-48868 affects Simple Shopping Cart through 5.2.9. Confirm the installed version, patch or disable the plugin, and review object access logs, order history, bookings, and user activity before closing the incident.

Simple Shopping Cart
2026-06-16 CVSS 7.5

CVE-2026-48873

Montonio for WooCommerce - Broken access control

CVE-2026-48873 affects Montonio for WooCommerce through 10.1.2. Confirm the installed version, patch or disable the plugin, and review new sessions, booking records, order changes, and account history before closing the incident.

Montonio for WooCommerce
2026-06-16 CVSS 7.5

CVE-2026-48883

WPC Product Bundles for WooCommerce - Broken access control

CVE-2026-48883 affects WPC Product Bundles for WooCommerce through 8.5.3. Confirm the installed version, patch or disable the plugin, and review new sessions, booking records, order changes, and account history before closing the incident.

WPC Product Bundles for WooCommerce
2026-06-16 CVSS 7.5

CVE-2026-49056

WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels - Sensitive data exposure

CVE-2026-49056 affects WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels through 4.9.4. Confirm the installed version, patch or disable the plugin, and review exports, orders, form data, bookings, and access logs before closing the incident.

WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels
2026-06-16 CVSS 7.5

CVE-2026-49061

WPC Product Options for WooCommerce - Arbitrary file download

CVE-2026-49061 affects WPC Product Options for WooCommerce through 3.2.1. Confirm the installed version, patch or disable the plugin, and review download logs, exposed files, and backup paths before closing the incident.

WPC Product Options for WooCommerce
2026-06-16 CVSS 7.5

CVE-2026-49066

Conekta Payment Gateway - Sensitive data exposure

CVE-2026-49066 affects Conekta Payment Gateway through 6.0.0. Confirm the installed version, patch or disable the plugin, and review exports, orders, form data, bookings, and access logs before closing the incident.

Conekta Payment Gateway
2026-06-16 CVSS 7.5

CVE-2026-49068

Coupon Affiliates - Sensitive data exposure

CVE-2026-49068 affects Coupon Affiliates through 7.8.1. Confirm the installed version, patch or disable the plugin, and review exports, orders, form data, bookings, and access logs before closing the incident.

Coupon Affiliates
2026-06-16 CVSS 7.5

CVE-2026-49070

Knit Pay - Broken access control

CVE-2026-49070 affects Knit Pay through 9.4.0.0. Confirm the installed version, patch or disable the plugin, and review new sessions, booking records, order changes, and account history before closing the incident.

Knit Pay
2026-06-16 CVSS 7.5

CVE-2026-49110

Upsell Order Bump Offer for WooCommerce - Broken authentication

CVE-2026-49110 affects Upsell Order Bump Offer for WooCommerce through 3.1.4. Confirm the installed version, patch or disable the plugin, and review new sessions, password changes, and account history before closing the incident.

Upsell Order Bump Offer for WooCommerce
2026-06-16 CVSS 7.5

CVE-2026-49112

Shared Files - Path traversal

CVE-2026-49112 affects Shared Files through 1.7.64. Confirm the installed version, patch or disable the plugin, and review file access logs and unexpected downloads before closing the incident.

Shared Files
2026-06-16 CVSS 7.5

CVE-2026-52692

Affiliates Manager - Sensitive data exposure

CVE-2026-52692 affects Affiliates Manager through 2.9.50. Confirm the installed version, patch or disable the plugin, and review exports, orders, form data, bookings, and access logs before closing the incident.

Affiliates Manager
2026-06-16 CVSS 7.5

CVE-2026-52694

Signature Add-On for WooCommerce - Sensitive data exposure

CVE-2026-52694 affects Signature Add-On for WooCommerce through 2.0. Confirm the installed version, patch or disable the plugin, and review exports, orders, form data, bookings, and access logs before closing the incident.

Signature Add-On for WooCommerce
2026-06-16 CVSS 7.5

CVE-2026-52695

ABC Crypto Checkout - Sensitive data exposure

CVE-2026-52695 affects ABC Crypto Checkout through 1.8.2. Confirm the installed version, patch or disable the plugin, and review exports, orders, form data, bookings, and access logs before closing the incident.

ABC Crypto Checkout
2026-06-16 CVSS 7.5

CVE-2026-49083

LatePoint - Privilege escalation

CVE-2026-49083 affects LatePoint through 5.5.1. Confirm the installed version, patch or disable the plugin, and review new users, role changes, and administrator sessions before closing the incident.

LatePoint
2026-06-16 CVSS 7.5

CVE-2025-68045

WP Event Solution - Broken access control

CVE-2025-68045 affects WP Event Solution through 4.1.12. Confirm the installed version, patch or disable the plugin, and review new sessions, booking records, order changes, and account history before closing the incident.

WP Event Solution
2026-06-16 CVSS 7.5

CVE-2026-39490

JupiterX Core - Broken access control

CVE-2026-39490 affects JupiterX Core through 4.14.1. Confirm the installed version, patch or disable the plugin, and review new sessions, booking records, order changes, and account history before closing the incident.

JupiterX Core
2026-06-16 CVSS 7.5

CVE-2026-52711

WooCommerce POS - Broken access control

CVE-2026-52711 affects WooCommerce POS through 1.8.14. Confirm the installed version, patch or disable the plugin, and review new sessions, booking records, order changes, and account history before closing the incident.

WooCommerce POS
2026-06-12 CVSS 7.5

CVE-2026-44893

Netty HAProxy codec - malformed TLV memory leak

Netty HAProxy PROXY protocol v2 parsing before 4.1.135.Final and 4.2.15.Final can trigger memory pressure. Patch services using HAProxyMessageDecoder and review direct-memory alerts.

Netty Public PoC
2026-06-12 CVSS 7.5

CVE-2026-44894

Netty QUIC - token validation amplification risk

Netty QUIC handling before 4.2.15.Final can treat unexpected tokens as valid in a way that changes amplification behavior. Patch HTTP/3 services and review edge traffic.

Netty Public PoC
2026-06-12 CVSS 7.5

CVE-2026-45416

Netty TLS ClientHello handling - memory exhaustion

Netty TLS ClientHello handling before 4.1.135.Final and 4.2.15.Final can allocate excessive memory in affected handlers. Patch SNI/TLS gateway services.

Netty Public PoC
2026-06-12 CVSS 7.5

CVE-2026-46340

Netty SCTP transport - fragment memory growth

Netty SCTP transport before 4.1.135.Final and 4.2.15.Final can accumulate fragments without safe bounds. Patch services using netty-transport-sctp.

Netty Public PoC
2026-06-12 CVSS 7.5

CVE-2026-48748

Netty HTTP/3 codec - blocked streams memory exhaustion

Netty HTTP/3 codec before 4.2.15.Final can exhaust memory through blocked stream handling. Patch HTTP/3 gateways and review OOM events.

Netty Public PoC
2026-06-12 CVSS 7.5

CVE-2026-50010

Netty TLS trust manager - hostname verification gap

Netty before 4.1.135.Final and 4.2.15.Final can lose hostname verification in specific trust-manager wrapping paths. Review custom trust managers and patch.

Netty Public PoC
2026-06-12 CVSS 7.5

CVE-2026-50011

Netty Redis aggregator - unbounded allocation

Netty RedisArrayAggregator before 4.1.135.Final and 4.2.15.Final can allocate excessive memory from attacker-controlled RESP array counts.

Netty Public PoC
2026-06-12 CVSS 7.5

CVE-2026-50645

Apache CXF - attachment header resource exhaustion

CVE-2026-50645 affects Apache CXF deployments in the June 2026 advisory batch. Check OAuth2, JMS/JCA, JWS JSON, or attachment handling depending on the module in use, then upgrade to 4.2.2 or 4.1.7.

Apache CXF
2026-06-13 CVSS 7.5

CVE-2026-9848

WP Ticket - unauthenticated SQL injection via WordPress search

CVE-2026-9848 affects the WP Ticket plugin through 6.0.4. Sites using WP Ticket should update to 6.0.5 or newer, then review support-ticket searches, database errors, and unusual front-end search traffic.

WP Ticket
2026-06-15 CVSS 7.5

CVE-2026-12204

ShopXO - unauthenticated scheduled task endpoint authorization bypass

CVE-2026-12204 affects ShopXO up to 6.7.1 in app/api/controller/Crontab.php. Stores should restrict scheduled task endpoints, review order/payment state changes, and preserve logs before cleanup.

ShopXO Public PoC
2026-06-15 CVSS 7.5

CVE-2026-49064

GetPaid - sensitive information exposure

CVE-2026-49064 affects GetPaid through 2.8.49. Payment sites should patch, clear caches, and review whether invoice, customer, or payment-related data was exposed in sent responses.

GetPaid
2026-06-15 CVSS 7.5

CVE-2026-5079

multer - denial of service via deeply nested field names

CVE-2026-5079 affects multer upload parsing when deeply nested multipart field names are accepted. Node.js services should update from the affected multer line, enforce upload limits, and monitor upload endpoints for memory pressure.

multer Public PoC
2026-06-12 CVSS 7.5

CVE-2026-44892

Netty HTTP/3 - unbounded header memory pressure

CVE-2026-44892 affects Netty HTTP/3 handling when header size is not bounded. Java services using netty-codec-http3 should update and review memory alerts and HTTP/3 gateway restarts.

Netty
2026-06-12 CVSS 7.5

CVE-2026-41695

Spring Data Commons - untrusted property path handling

CVE-2026-41695 affects Spring Data Commons when untrusted property path strings reach MappingContext resolution. Patch affected branches and review filter, sort, and projection inputs.

Spring Data Commons
2026-06-12 CVSS 7.5

CVE-2026-41856

Spring for GraphQL - method-security boundary issue

CVE-2026-41856 affects Spring for GraphQL controller hierarchies that rely on method-security annotations. Upgrade fixed releases and review authorization behavior around inherited controller methods.

Spring for GraphQL
2026-06-05 CVSS 7.5

CVE-2026-46493

HAX CMS - weak salt generation

CVE-2026-46493 affects HAX CMS versions before 26.0.1 that use unsuitable salt generation. Upgrade to 26.0.1 or newer and rotate secrets after patching.

HAX CMS Public PoC
2026-06-08 CVSS 7.5

CVE-2026-46440

Flowise - Basic Auth credential brute-force exposure

CVE-2026-46440 affects Flowise before 3.1.2 when exposed Basic Auth can be repeatedly tested without adequate rate limiting. Operators should upgrade, add a real access layer, rotate credentials, and review Flowise flows and stored secrets.

Flowise
2026-06-08 CVSS 7.5

CVE-2026-34355

Apache HTTP Server - mod_proxy_html buffer overflow

CVE-2026-34355 affects Apache HTTP Server mod_proxy_html in 2.4.67 and earlier. Prioritize reverse proxy deployments that process untrusted backend content and upgrade to Apache 2.4.68.

Apache HTTP Server
2026-06-08 CVSS 7.5

CVE-2026-34356

Apache HTTP Server - ProxyPassReverseCookie heap overflow

CVE-2026-34356 affects Apache HTTP Server reverse proxy cookie rewriting in 2.4.67 and earlier. Review ProxyPassReverseCookie configuration and upgrade to Apache 2.4.68.

Apache HTTP Server
2026-06-08 CVSS 7.5

CVE-2026-42536

Apache HTTP Server - mod_xml2enc heap overflow

CVE-2026-42536 affects Apache HTTP Server mod_xml2enc in 2.4.67 and earlier. Operators should check whether xml2enc is loaded, review untrusted content paths, and upgrade to Apache 2.4.68.

Apache HTTP Server
2026-06-11 CVSS 7.5

CVE-2026-44250

Netty codec-redis - nested array memory exhaustion

CVE-2026-44250 affects netty-codec-redis before 4.1.135.Final and 4.2.15.Final. Java services that parse Redis protocol traffic should patch and review memory alerts.

Netty Public PoC
2026-06-11 CVSS 7.5

CVE-2026-44890

Netty codec-redis - direct memory exhaustion

CVE-2026-44890 affects netty-codec-redis before 4.1.135.Final and 4.2.15.Final. Patch exposed services and review direct-memory pressure and Redis protocol gateway logs.

Netty Public PoC
2026-06-11 CVSS 7.5

CVE-2026-52860

Vim - Python omni-completion execution risk

CVE-2026-52860 affects Vim before 9.2.0597 when Python omni-completion processes hostile buffers. Patch developer images and discourage completion on untrusted files until updated.

Vim Public PoC
2026-06-10 CVSS 7.5

CVE-2026-46679

js-libp2p gossipsub - unauthenticated heap exhaustion

CVE-2026-46679 affects @libp2p/gossipsub before 15.0.23. Public peer nodes should patch and review memory alerts, peer churn, and gossipsub traffic exposure.

js-libp2p Public PoC
2026-06-11 CVSS 7.5

CVE-2026-44486

Axios - proxy credential leak in redirect handling

CVE-2026-44486 affects Axios Node HTTP adapter behavior around authenticated proxies and redirects. Patch and rotate proxy credentials if suspicious redirect traffic is found.

Axios Public PoC
2026-06-11 CVSS 7.5

CVE-2026-44488

Axios - fetch adapter body limit bypass

CVE-2026-44488 affects Axios 1.7.0 through 1.15.x when the fetch adapter does not enforce configured request or response body limits. Patch and review SSR/edge runtimes.

Axios Public PoC
2026-06-11 CVSS 7.5

CVE-2026-44496

Axios - XSRF cookie-name regex denial of service

CVE-2026-44496 affects Axios browser environments where a configurable XSRF cookie name can trigger expensive cookie parsing. Patch frontend bundles and shared packages.

Axios Public PoC
2026-06-11 CVSS 7.5

CVE-2026-7250

GitLab CE/EE - Grape API JSON parsing denial of service

CVE-2026-7250 affects GitLab CE/EE API request parsing. Public self-managed GitLab instances should upgrade and review API error spikes and application availability metrics.

GitLab CE/EE
2026-06-10 CVSS 7.5

CVE-2026-46643

KnpLabs Snappy - binary path shell escaping regression

CVE-2026-46643 affects KnpLabs Snappy before 1.7.1 when the wkhtmltopdf or wkhtmltoimage binary path can be influenced by user or environment data. Patch and pin trusted binary paths.

KnpLabs Snappy Public PoC
2026-06-10 CVSS 7.5

CVE-2026-3018

Newsletters - unauthenticated SQL injection

CVE-2026-3018 affects the Newsletters WordPress plugin through 4.13. Review subscriber actions, access logs, database errors, and patch before relying on firewall filtering.

Newsletters
2026-06-10 CVSS 7.5

CVE-2026-34183

OpenSSL - QUIC PATH_CHALLENGE memory exhaustion

CVE-2026-34183 affects OpenSSL QUIC stacks where repeated PATH_CHALLENGE handling can exhaust memory. Review custom QUIC clients or servers and update affected OpenSSL branches.

OpenSSL
2026-06-09 CVSS 7.5

CVE-2026-34180

OpenSSL - ASN.1 content parsing heap over-read

CVE-2026-34180 affects applications that pass attacker-supplied data into OpenSSL d2i_* decoding functions. OpenSSL command-line tools are not the main exposure; custom services that decode uploaded certificates or PKCS#7 data need review.

OpenSSL Public PoC
2026-06-09 CVSS 7.5

CVE-2026-45445

OpenSSL - AES-OCB IV handling issue on EVP_Cipher path

CVE-2026-45445 affects applications that drive AES-OCB through the lower-level OpenSSL EVP_Cipher one-shot path. TLS in OpenSSL is not affected, but custom cryptographic integrations should update and review code.

OpenSSL Public PoC
2026-06-09 CVSS 7.5

CVE-2026-9076

OpenSSL - CMS password-based decryption over-read

CVE-2026-9076 affects applications that decrypt untrusted CMS password-recipient data through OpenSSL. Services that accept encrypted CMS files or S/MIME-like input should update and review crash logs.

OpenSSL Public PoC
2026-06-09 CVSS 7.5

CVE-2026-42764

OpenSSL - QUIC server invalid token NULL dereference

CVE-2026-42764 affects OpenSSL QUIC server implementations when address validation is disabled. Default validation is enabled, so review custom QUIC listeners before treating the system as exposed.

OpenSSL Public PoC
2026-06-09 CVSS 7.5

CVE-2026-42765

OpenSSL - OCSP partial-chain verification NULL dereference

CVE-2026-42765 affects applications that enable both OCSP response checking for the whole certificate chain and partial-chain verification. These flags are off by default, but custom certificate-validation code should be checked.

OpenSSL Public PoC
2026-06-09 CVSS 7.5

CVE-2026-9185

6Storage Rentals - Unauthenticated tenant profile exposure

6Storage Rentals may expose tenant profile read or update paths without login. Site owners should disable the plugin, preserve access logs, inspect tenant records, and notify affected users if data changed.

6Storage Rentals
2026-06-09 CVSS 7.5

CVE-2026-41849

Spring Framework - SpEL expression parsing denial of service

CVE-2026-41849 is a Spring Framework SpEL denial-of-service issue. Teams should upgrade Spring Framework, check whether user-controlled expressions are evaluated, and review API logs for repeated parser-heavy requests.

Spring Framework
2026-06-09 CVSS 7.5

CVE-2026-41850

Spring Framework - SpEL evaluation denial of service

CVE-2026-41850 is paired with the Spring Framework SpEL DoS advisory set. It is not an Express RCE issue; the practical action is patching Spring and removing user-controlled expression evaluation paths.

Spring Framework
2026-06-08 CVSS 7.5

CVE-2026-11471

SourceCodester Class and Exam Timetabling - index2.php SQL Injection

SourceCodester Class and Exam Timetabling System 1.0 has a SQL injection in login handling. Public school portals should restrict access, inspect SQL handling, and review logs.

SourceCodester Timetabling Public PoC
2026-06-08 CVSS 7.5

CVE-2026-11472

SourceCodester Class and Exam Timetabling - index1.php SQL Injection

SourceCodester Class and Exam Timetabling System 1.0 has a SQL injection in login handling. Treat internet-exposed installs as at risk until prepared statements and access restrictions are confirmed.

SourceCodester Timetabling Public PoC
2026-06-08 CVSS 7.5

CVE-2026-11482

SourceCodester Class and Exam Timetabling - archive5.php SQL Injection

SourceCodester Class and Exam Timetabling System 1.0 has a SQL injection in an archive page. This joins the login cluster and should be checked with the same log and prepared-statement review.

SourceCodester Timetabling Public PoC
2026-06-08 CVSS 7.5

CVE-2026-11483

SourceCodester Class and Exam Timetabling - archive4.php SQL Injection

SourceCodester Class and Exam Timetabling System 1.0 has a SQL injection in an archive page. Check it together with the related archive and login files.

SourceCodester Timetabling Public PoC
2026-06-08 CVSS 7.5

CVE-2026-11484

SourceCodester Class and Exam Timetabling - archive3.php SQL Injection

SourceCodester Class and Exam Timetabling System 1.0 has a SQL injection in an archive page. Treat exposed school portals as at risk until SQL handling and logs are reviewed.

SourceCodester Timetabling Public PoC
2026-06-08 CVSS 7.5

CVE-2026-11485

SourceCodester Class and Exam Timetabling - archive2.php SQL Injection

SourceCodester Class and Exam Timetabling System 1.0 has a SQL injection in an archive page. Check file exposure, direct SQL construction, and web logs for archive traffic.

SourceCodester Timetabling Public PoC
2026-06-08 CVSS 7.5

CVE-2026-11486

SourceCodester Class and Exam Timetabling - archive1.php SQL Injection

SourceCodester Class and Exam Timetabling System 1.0 has a SQL injection in an archive page. Restrict stale installs and review archive endpoints before reopening public access.

SourceCodester Timetabling Public PoC
2026-06-08 CVSS 7.5

CVE-2026-11488

Simple Flight Ticket Booking - checkUser.php SQL Injection

code-projects Simple Flight Ticket Booking System 1.0 has a SQL injection in login handling. Check stale booking demos, login SQL handling, web logs, and database privileges.

code-projects Simple Flight Ticket Booking Public PoC
2026-06-08 CVSS 7.5

CVE-2026-11489

Online Music Site - AdminDeleteAlbum.php SQL Injection

code-projects Online Music Site 1.0 has a SQL injection in an admin album action. Check admin path exposure, album changes, logs, and SQL handling.

code-projects Online Music Site Public PoC
2026-06-08 CVSS 7.5

CVE-2026-11490

Online Music Site - Search.php Category SQL Injection

code-projects Online Music Site 1.0 has a SQL injection in public search handling. Check public search exposure, category validation, web logs, and prepared-statement coverage.

code-projects Online Music Site Public PoC
2026-06-08 CVSS 7.5

CVE-2026-11474

Student Management System - Unrestricted Upload via stimg

Kushan2k student-management-system may allow dangerous file uploads through the stimg registration image field. Check public/profiles for PHP-like files, block script execution in upload directories, and preserve logs.

Kushan2k student-management-system Public PoC
2026-06-07 CVSS 7.5

CVE-2026-11462

BeikeShop Stripe Plugin - Missing Webhook Signature Verification

BeikeShop Stripe plugin callback may process webhook data without verifying the Stripe-Signature header. Store owners should patch, configure the webhook secret, review /callback/stripe logs, and match paid orders against Stripe.

BeikeShop Public PoC
2026-05-30 CVSS 7.5

CVE-2026-9757

GEO my WP - Unauthenticated SQL Injection via map boundary parameters

CVE-2026-9757 is a SQL injection in GEO my WP (<= 4.5.5) through map boundary query handling. Public Posts Locator pages should be patched and checked for unusual database access.

WordPress Public PoC
2026-05-30 CVSS 7.5

CVE-2026-7459

Simple History - Subscriber+ account takeover via REST event context leak

Simple History <= 5.26.0: react_to_event REST endpoints only verify login, not per-logger capabilities. Subscribers can read password-reset email bodies and complete admin takeover.

WordPress Public PoC
2026-06-26 CVSS 7.4

CVE-2026-54833

Enable CORS - Unauthenticated Backdoor

CVE-2026-54833 affects Enable CORS <= 2.0.3. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Enable CORS
2026-06-25 CVSS 7.4

CVE-2026-54821

Visual Link Preview - Subscriber Sensitive Data Exposure

CVE-2026-54821 affects Visual Link Preview <= 2.3.1. Site owners should patch the component, preserve logs, and review data exposure before closing the issue.

Visual Link Preview
2026-06-23 CVSS 7.4

CVE-2026-44726

Deno Node TLS compatibility - plaintext retry risk

CVE-2026-44726 affects Deno 2.0.0 through 2.7.7 when Node TLS compatibility retry handling can leave application data unprotected. Patch and review outbound TLS clients.

Deno Public PoC
2026-06-22 CVSS 7.4

CVE-2026-48505

Filament MFA - recovery code reuse under concurrent submission

CVE-2026-48505 affects Filament app-based MFA recovery codes before 4.11.5 and 5.6.5. Patch and review recovery-code use, login sessions, and MFA reset activity.

Filament Public PoC
2026-06-16 CVSS 7.4

CVE-2026-49082

Chatway Live Chat - Sensitive data exposure

CVE-2026-49082 affects Chatway Live Chat through 1.4.8. Confirm the installed version, patch or disable the plugin, and review exports, orders, form data, bookings, and access logs before closing the incident.

Chatway Live Chat
2026-06-12 CVSS 7.4

CVE-2026-50631

Apache CXF - refresh-token single-use race condition

CVE-2026-50631 affects Apache CXF deployments in the June 2026 advisory batch. Check OAuth2, JMS/JCA, JWS JSON, or attachment handling depending on the module in use, then upgrade to 4.2.2 or 4.1.7.

Apache CXF
2026-06-26 CVSS 7.3

CVE-2026-54840

Newsletters - Unauthenticated Broken Access Control

CVE-2026-54840 affects Newsletters <= 4.13. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Newsletters
2026-06-26 CVSS 7.3

CVE-2026-57915

Apache Kerby - authentication boundary risk

CVE-2026-57915 affects Apache Kerby. It is possible to bypass the Kerberos pre-authentication check in Apache Kerby by sending a PA-DATA with an unrecognized or unsupported type. Users are recommended to upgrade to version 2.1.2, which fixes this issue. Patch the affected deployment and review trust and service logs.

Apache Kerby
2026-06-16 CVSS 7.3

CVE-2026-40775

Royal MCP - Broken access control

CVE-2026-40775 affects Royal MCP through 1.4.2. Confirm the installed version, patch or disable the plugin, and review new sessions, booking records, order changes, and account history before closing the incident.

Royal MCP
2026-06-16 CVSS 7.3

CVE-2026-49063

Listdom - Privilege escalation

CVE-2026-49063 affects Listdom through 5.5.0. Confirm the installed version, patch or disable the plugin, and review new users, role changes, and administrator sessions before closing the incident.

Listdom
2026-06-12 CVSS 7.3

CVE-2026-45011

ApostropheCMS - image widget stored XSS

CVE-2026-45011 affects ApostropheCMS or a common dependency path in June 2026. Check package versions, trusted base URL, editor content, outbound fetch behavior, and password reset events.

ApostropheCMS Public PoC
2026-06-08 CVSS 7.3

CVE-2026-44185

Apache HTTP Server - mod_ssl OCSP buffer over-read

CVE-2026-44185 affects Apache HTTP Server outbound OCSP handling in 2.4.67 and earlier. TLS-heavy deployments should upgrade to 2.4.68 and review mod_ssl OCSP configuration.

Apache HTTP Server
2026-06-08 CVSS 7.3

CVE-2026-48913

Apache HTTP Server - mod_http2 use-after-free

CVE-2026-48913 affects Apache HTTP Server mod_http2 when file handles are exhausted. HTTP/2 deployments on Apache 2.4.55 through 2.4.67 should upgrade to 2.4.68 and review worker restart logs.

Apache HTTP Server
2026-06-11 CVSS 7.3

CVE-2026-8589

GitLab EE - group setting HTML injection

CVE-2026-8589 affects GitLab EE group setting fields. Upgrade and review group-setting changes, unexpected email additions, and high-privilege group activity.

GitLab EE
2026-06-10 CVSS 7.3

CVE-2026-9758

S2OPC - trusted certificate comparison weakness

CVE-2026-9758 affects S2OPC certificate trust comparison. OPC UA operators should patch, rebuild trust lists, and review certificate enrollment and connection logs.

S2OPC
2026-06-09 CVSS 7.3

CVE-2026-44186

Apache HTTP Server - mod_proxy_ftp infinite loop

CVE-2026-44186 affects Apache HTTP Server 2.4.0 through 2.4.67 when mod_proxy_ftp is used with an attacker-controlled FTP backend. Upgrade to 2.4.68 and review old FTP proxy configurations.

Apache HTTP Server
2026-06-07 CVSS 7.3

CVE-2026-11456

Chanjet CRM - SQL Injection in system table handling

Chanjet CRM 1.0 has a SQL injection in a system table endpoint. Exposed CRM systems should restrict the endpoint, review web logs, and preserve evidence.

Chanjet CRM Public PoC
2026-06-25 CVSS 7.2

CVE-2026-40083

Cacti - SQL injection risk

CVE-2026-40083 affects Cacti. Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have SQL Injection through unsanitized unserialize+implode in managers.php. At line 756 of managers.php, the application assig... Patch the affected deployment and review Cacti and web logs.

Cacti
2026-06-25 CVSS 7.2

CVE-2026-55477

3X-UI - authentication boundary risk

CVE-2026-55477 affects 3X-UI. 3X-UI is a web control panel for managing Xray-core servers. Prior to 3.3.1, an authenticated administrator can abuse the database import functionality to achieve arbitrary file write on the host by modifying Xray config... Patch the affected deployment and review workflow and admin logs.

3X-UI
2026-06-24 CVSS 7.2

CVE-2026-10091

Email JavaScript Cloak - shortcode stored XSS risk

CVE-2026-10091 affects Email JavaScript Cloak through 1.03. Review contributor posts, shortcode usage, administrator visits, and changed pages after patching.

Email JavaScript Cloak
2026-06-24 CVSS 7.2

CVE-2026-10092

Cincopa video and media plugin - comment shortcode stored XSS risk

CVE-2026-10092 affects the Cincopa video and media plugin through 1.163. Review recent comments, moderation queues, administrator visits, and changed posts after patching.

Cincopa video and media plugin Public PoC
2026-06-24 CVSS 7.2

CVE-2026-12095

Kargo Takip - unauthenticated SSRF risk

CVE-2026-12095 affects Kargo Takip through 1.2. Review outbound request logs, hosting metadata exposure controls, and plugin access before returning it to service.

Kargo Takip
2026-06-24 CVSS 7.2

CVE-2026-12100

URL Preview - unauthenticated SSRF risk

CVE-2026-12100 affects URL Preview through 1.0. Review outbound request logs, allow-lists, and internal service exposure before enabling preview features again.

URL Preview
2026-06-24 CVSS 7.2

CVE-2026-9643

WP Meta SEO - unauthenticated stored XSS through 404 records

CVE-2026-9643 affects WP Meta SEO through 4.5.18. Review 404 records, redirect tables, administrator visits, and changed SEO settings after patching.

WP Meta SEO
2026-06-24 CVSS 7.2

CVE-2026-3652

ARForms - incomplete form data stored XSS risk

CVE-2026-3652 affects ARForms through 7.1.3. Review partial form entries, form submissions, administrator visits, and changed pages after patching.

ARForms
2026-06-18 CVSS 7.2

CVE-2026-11395

CF7 to Webhook - SSRF risk

CVE-2026-11395 affects CF7 to Webhook through 5.0.0. Confirm the installed version, patch or disable the component, and review Contact Form 7 webhook settings before closing the issue.

CF7 to Webhook Public PoC
2026-06-16 CVSS 7.2

CVE-2026-39434

CTX Feed - PHP object injection

CVE-2026-39434 affects CTX Feed through 6.6.26. Confirm the installed version, patch or disable the plugin, and review PHP errors, changed files, and unexpected plugin settings before closing the incident.

CTX Feed
2026-06-16 CVSS 7.2

CVE-2026-39470

WooCommerce Cart Abandonment Recovery - Privilege escalation

CVE-2026-39470 affects WooCommerce Cart Abandonment Recovery before 2.1.0. Confirm the installed version, patch or disable the plugin, and review new users, role changes, and administrator sessions before closing the incident.

WooCommerce Cart Abandonment Recovery
2026-06-16 CVSS 7.2

CVE-2026-39472

WooCommerce PDF Invoices & Packing Slips - PHP object injection

CVE-2026-39472 affects WooCommerce PDF Invoices & Packing Slips before 5.9.0. Confirm the installed version, patch or disable the plugin, and review PHP errors, changed files, and unexpected plugin settings before closing the incident.

WooCommerce PDF Invoices & Packing Slips
2026-06-16 CVSS 7.2

CVE-2026-39499

Advanced Product Fields for WooCommerce - PHP object injection

CVE-2026-39499 affects Advanced Product Fields for WooCommerce through 1.6.19. Confirm the installed version, patch or disable the plugin, and review PHP errors, changed files, and unexpected plugin settings before closing the incident.

Advanced Product Fields for WooCommerce
2026-06-16 CVSS 7.2

CVE-2026-42650

AutomatorWP - Cross-site scripting

CVE-2026-42650 affects AutomatorWP through 5.6.7. Confirm the installed version, patch or disable the plugin, and review stored content, redirects, admin sessions, and suspicious script injections before closing the incident.

AutomatorWP
2026-06-16 CVSS 7.2

CVE-2026-27407

AI Engine - Privilege escalation

CVE-2026-27407 affects AI Engine through 3.4.9. Confirm the installed version, patch or disable the plugin, and review new users, role changes, and administrator sessions before closing the incident.

AI Engine
2026-06-16 CVSS 7.2

CVE-2026-39471

ShortPixel Image Optimizer - PHP object injection

CVE-2026-39471 affects ShortPixel Image Optimizer through 6.4.3. Confirm the installed version, patch or disable the plugin, and review PHP errors, changed files, and unexpected plugin settings before closing the incident.

ShortPixel Image Optimizer
2026-06-16 CVSS 7.2

CVE-2026-39481

Modula Image Gallery - PHP object injection

CVE-2026-39481 affects Modula Image Gallery through 2.14.18. Confirm the installed version, patch or disable the plugin, and review PHP errors, changed files, and unexpected plugin settings before closing the incident.

Modula Image Gallery
2026-06-16 CVSS 7.2

CVE-2026-39498

YayMail - PHP object injection

CVE-2026-39498 affects YayMail through 4.3.3. Confirm the installed version, patch or disable the plugin, and review PHP errors, changed files, and unexpected plugin settings before closing the incident.

YayMail
2026-06-12 CVSS 7.2

CVE-2026-42306

Moby Docker Engine - container networking and firewall exposure

CVE-2026-42306 affects Docker Engine and Moby daemon versions before fixed releases. Review daemon version, published container ports, and host firewall state after upgrade.

Moby / Docker Engine
2026-06-06 CVSS 7.2

CVE-2026-7537

MDJM Event Management - administrator file upload leading to RCE risk

CVE-2026-7537 affects MDJM Event Management for WordPress through 1.7.8.3. Review administrator activity, plugin email attachments, and upload locations for unexpected executable files.

MDJM Event Management Public PoC
2026-06-06 CVSS 7.2

CVE-2026-9851

Booking Package - editor-level account takeover risk

CVE-2026-9851 affects Booking Package for WordPress through 1.7.16. Review editor and administrator accounts, password resets, and booking staff changes after patching.

Booking Package
2026-06-06 CVSS 7.2

CVE-2026-8438

All-In-One Security (AIOS) - stored XSS in debug log handling

CVE-2026-8438 affects AIOS for WordPress through 5.4.7 when REST blocking and debug logging expose unescaped request-path data in admin log views.

All-In-One Security (AIOS)
2026-06-06 CVSS 7.2

CVE-2026-8901

Integration for Freshsales - stored XSS in CRM form submission logs

CVE-2026-8901 affects Integration for Freshsales for WordPress through 1.0.15. Review failed CRM API logs and administrator screens after patching.

Integration for Freshsales
2026-06-13 CVSS 7.2

CVE-2026-9109

GPTranslate - unauthenticated stored XSS in translation storage

CVE-2026-9109 affects GPTranslate through 2.31. Sites using the plugin should update to 2.32 or newer, clear page cache, and review recently translated public pages for unexpected script-like content.

GPTranslate
2026-06-13 CVSS 7.2

CVE-2026-5513

Bookly - unauthenticated stored XSS via remembered customer name

CVE-2026-5513 affects Bookly through 27.2 when the setting to remember personal information in cookies is enabled. Sites using Bookly should update to 27.3 or newer, clear cache, and review appointment/customer entries opened by logged-in staff after disclosure.

Bookly Public PoC
2026-06-10 CVSS 7.2

CVE-2026-25700

Apache Answer - admin token invalidation weakness

CVE-2026-25700 affects Apache Answer through 2.0.0 where administrative tokens may remain usable after account suspension, deletion, or deactivation. Upgrade and rotate admin tokens.

Apache Answer
2026-06-09 CVSS 7.2

CVE-2026-7556

FV Flowplayer Video Player - Stored XSS review for WordPress sites

FV Flowplayer CVE-2026-7556 should be treated as a stored XSS cleanup and permission review, not as a confirmed unauthenticated RCE. Check plugin version, recent video embeds, editor accounts, and cached pages.

FV Flowplayer
2026-06-26 CVSS 7.1

CVE-2026-56011

MapPress Maps for WordPress - Unauthenticated Cross Site Scripting (XSS)

CVE-2026-56011 affects MapPress Maps for WordPress <= 2.97.3. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

MapPress Maps for WordPress
2026-06-26 CVSS 7.1

CVE-2026-56039

Quick Interest Slider - Unauthenticated Cross Site Scripting (XSS)

CVE-2026-56039 affects Quick Interest Slider <= 3.1.6. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Quick Interest Slider
2026-06-26 CVSS 7.1

CVE-2026-56040

Gutenverse Form - Unauthenticated Cross Site Scripting (XSS)

CVE-2026-56040 affects Gutenverse Form <= 2.4.7. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Gutenverse Form
2026-06-26 CVSS 7.1

CVE-2026-56041

Responsive Lightbox - Unauthenticated Cross Site Scripting (XSS)

CVE-2026-56041 affects Responsive Lightbox <= 2.7.6. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Responsive Lightbox
2026-06-26 CVSS 7.1

CVE-2026-56043

Customer Reviews for WooCommerce - Unauthenticated Cross Site Scripting (XSS)

CVE-2026-56043 affects Customer Reviews for WooCommerce <= 5.110.1. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Customer Reviews for WooCommerce
2026-06-26 CVSS 7.1

CVE-2026-56044

Blog2Social - Unauthenticated Cross Site Scripting (XSS)

CVE-2026-56044 affects Blog2Social <= 8.9.2. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Blog2Social
2026-06-26 CVSS 7.1

CVE-2026-56045

Automatic - Unauthenticated Cross Site Scripting (XSS)

CVE-2026-56045 affects Automatic < 3.135.1. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Automatic
2026-06-26 CVSS 7.1

CVE-2026-56047

perfmatters - Unauthenticated Cross Site Scripting (XSS)

CVE-2026-56047 affects perfmatters <= 2.6.3. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

perfmatters
2026-06-26 CVSS 7.1

CVE-2026-56072

WoodMart - Unauthenticated Cross Site Scripting (XSS)

CVE-2026-56072 affects WoodMart <= 8.5.3. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

WoodMart
2026-06-26 CVSS 7.1

CVE-2026-57312

Everest Forms - Unauthenticated Cross Site Scripting (XSS)

CVE-2026-57312 affects Everest Forms <= 3.4.8. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Everest Forms
2026-06-26 CVSS 7.1

CVE-2026-57314

SureCart - Unauthenticated Cross Site Scripting (XSS)

CVE-2026-57314 affects SureCart <= 4.3.2. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

SureCart
2026-06-26 CVSS 7.1

CVE-2026-57317

Simply Schedule Appointments - Unauthenticated Cross Site Scripting (XSS)

CVE-2026-57317 affects Simply Schedule Appointments <= 1.6.12.2. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Simply Schedule Appointments
2026-06-26 CVSS 7.1

CVE-2026-57322

weMail - Unauthenticated Cross Site Scripting (XSS)

CVE-2026-57322 affects weMail <= 2.1.2. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

weMail
2026-06-26 CVSS 7.1

CVE-2026-57325

NanoMag - Unauthenticated Cross Site Scripting (XSS)

CVE-2026-57325 affects NanoMag <= 1.8. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

NanoMag
2026-06-25 CVSS 7.1

CVE-2026-56005

WP Activity Log - Subscriber Cross Site Scripting (XSS)

CVE-2026-56005 affects WP Activity Log <= 5.6.3.1. Site owners should patch the component, preserve logs, and review content and widgets before closing the issue.

WP Activity Log
2026-06-25 CVSS 7.1

CVE-2026-56014

Master Slider - Unauthenticated Cross Site Scripting (XSS)

CVE-2026-56014 affects Master Slider <= 3.11.2. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Master Slider
2026-06-25 CVSS 7.1

CVE-2026-56042

Advanced Order Export For WooCommerce - Customer Cross Site Scripting (XSS)

CVE-2026-56042 affects Advanced Order Export For WooCommerce <= 4.0.9. Site owners should patch the component, preserve logs, and review content and widgets before closing the issue.

Advanced Order Export For WooCommerce
2026-06-25 CVSS 7.1

CVE-2026-56051

TablePress - Unauthenticated Cross Site Scripting (XSS)

CVE-2026-56051 affects TablePress <= 3.3.1. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

TablePress
2026-06-25 CVSS 7.1

CVE-2026-56071

Forminator - Unauthenticated Cross Site Scripting (XSS)

CVE-2026-56071 affects Forminator <= 1.53.1. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Forminator
2026-06-25 CVSS 7.1

CVE-2026-9154

Rapid7 InsightConnect Sed Plugin - file write risk in Linux workflow action

CVE-2026-9154 affects the Rapid7 InsightConnect Sed Plugin on Linux. Review workflow runs, connector permissions, input sources, generated artifacts, and runner logs before re-enabling affected automation.

Rapid7 InsightConnect Sed Plugin
2026-06-24 CVSS 7.1

CVE-2026-57303

Jenkins Assembla Plugin - XXE and SSRF risk

CVE-2026-57303 affects a Jenkins plugin covered by the 2026-06-24 advisory. Patch the plugin, review permissions, and preserve controller logs before cleanup.

Jenkins
2026-06-24 CVSS 7.1

CVE-2026-47110

Tiptap for PHP - malformed link attribute denial of service

CVE-2026-47110 affects Tiptap for PHP before 2.1.1. Review stored editor JSON records, rendering errors, and authenticated editor activity after upgrading.

Tiptap for PHP Public PoC
2026-06-22 CVSS 7.1

CVE-2026-56221

Capgo - Cloudflare Analytics Engine SQL injection

CVE-2026-56221 affects Capgo before 12.128.2 where API-supplied analytics filters can reach Cloudflare Analytics Engine SQL query construction. Patch and review API keys, analytics access, and tenant data exposure.

Capgo Public PoC
2026-06-22 CVSS 7.1

CVE-2026-4259

Ultimate WooCommerce Auction Pro - reflected XSS against admins

CVE-2026-4259 affects Ultimate WooCommerce Auction Pro through 2.4.5. Store owners should patch or disable the plugin, review auction pages, and preserve admin activity logs if suspicious links were opened.

Ultimate WooCommerce Auction Pro
2026-06-19 CVSS 7.1

CVE-2017-20264

Joomla Sponsor Wall - SQL injection

CVE-2017-20264 affects Joomla Sponsor Wall 8.0. Check whether the extension is installed, remove abandoned copies, and review sponsor records, database errors, and authenticated user activity.

Joomla Sponsor Wall Public PoC
2026-06-19 CVSS 7.1

CVE-2017-20265

Joomla Flip Wall - SQL injection

CVE-2017-20265 affects Joomla Flip Wall 8.0. Check whether the extension is installed, remove abandoned copies, and review wall records, database errors, and authenticated user activity.

Joomla Flip Wall Public PoC
2026-06-19 CVSS 7.1

CVE-2019-25749

Joomla J-CruisePortal - SQL injection

CVE-2019-25749 affects Joomla J-CruisePortal 6.0.4. Check whether the extension is installed, remove abandoned copies, and review cruise records, database errors, and authenticated user activity.

Joomla J-CruisePortal Public PoC
2026-06-19 CVSS 7.1

CVE-2019-25757

Joomla vWishlist - SQL injection

CVE-2019-25757 affects Joomla vWishlist 1.0.1. Check whether the extension is installed, remove abandoned copies, and review wishlist records, database errors, and authenticated user activity.

Joomla vWishlist Public PoC
2026-06-19 CVSS 7.1

CVE-2019-25759

Joomla vBizz - SQL injection

CVE-2019-25759 affects Joomla vBizz 1.0.7. Check whether the extension is installed, remove abandoned copies, and review business records, database errors, and authenticated user activity.

Joomla vBizz Public PoC
2026-06-19 CVSS 7.1

CVE-2019-25761

Joomla JoomCRM - SQL injection

CVE-2019-25761 affects Joomla JoomCRM 1.1.1. Check whether the extension is installed, remove abandoned copies, and review CRM records, database errors, and authenticated user activity.

Joomla JoomCRM Public PoC
2026-06-16 CVSS 7.1

CVE-2025-68840

iRobots.txt SEO - Cross-site scripting

CVE-2025-68840 affects iRobots.txt SEO through 1.1.2. Confirm the installed version, patch or disable the plugin, and review stored content, redirects, admin sessions, and suspicious script injections before closing the incident.

iRobots.txt SEO
2026-06-16 CVSS 7.1

CVE-2025-68851

Okay Toolkit - Cross-site scripting

CVE-2025-68851 affects Okay Toolkit through 2.3. Confirm the installed version, patch or disable the plugin, and review stored content, redirects, admin sessions, and suspicious script injections before closing the incident.

Okay Toolkit
2026-06-16 CVSS 7.1

CVE-2025-68872

Eli's WordCents AdSense Widget with Analytics - Cross-site scripting

CVE-2025-68872 affects Eli's WordCents AdSense Widget with Analytics through 1.3.03.27. Confirm the installed version, patch or disable the plugin, and review stored content, redirects, admin sessions, and suspicious script injections before closing the incident.

Eli's WordCents AdSense Widget with Analytics
2026-06-16 CVSS 7.1

CVE-2026-23970

Redirection for Contact Form 7 - Cross-site scripting

CVE-2026-23970 affects Redirection for Contact Form 7 through 3.2.8. Confirm the installed version, patch or disable the plugin, and review stored content, redirects, admin sessions, and suspicious script injections before closing the incident.

Redirection for Contact Form 7
2026-06-16 CVSS 7.1

CVE-2026-34900

GiveWP - Cross-site scripting

CVE-2026-34900 affects GiveWP through 4.14.2. Confirm the installed version, patch or disable the plugin, and review stored content, redirects, admin sessions, and suspicious script injections before closing the incident.

GiveWP
2026-06-16 CVSS 7.1

CVE-2026-34902

WooCommerce Product Table Lite - Cross-site scripting

CVE-2026-34902 affects WooCommerce Product Table Lite through 4.6.3. Confirm the installed version, patch or disable the plugin, and review stored content, redirects, admin sessions, and suspicious script injections before closing the incident.

WooCommerce Product Table Lite
2026-06-16 CVSS 7.1

CVE-2026-39435

CformsII - Cross-site scripting

CVE-2026-39435 affects CformsII through 15.1.3. Confirm the installed version, patch or disable the plugin, and review stored content, redirects, admin sessions, and suspicious script injections before closing the incident.

CformsII
2026-06-16 CVSS 7.1

CVE-2026-39447

Simply Schedule Appointments - Cross-site scripting

CVE-2026-39447 affects Simply Schedule Appointments through 1.6.10.6. Confirm the installed version, patch or disable the plugin, and review stored content, redirects, admin sessions, and suspicious script injections before closing the incident.

Simply Schedule Appointments
2026-06-16 CVSS 7.1

CVE-2026-39449

Contact Form to Any API - Cross-site scripting

CVE-2026-39449 affects Contact Form to Any API through 3.0.3. Confirm the installed version, patch or disable the plugin, and review stored content, redirects, admin sessions, and suspicious script injections before closing the incident.

Contact Form to Any API
2026-06-16 CVSS 7.1

CVE-2026-39463

ManageWP Worker - Cross-site scripting

CVE-2026-39463 affects ManageWP Worker through 4.9.31. Confirm the installed version, patch or disable the plugin, and review stored content, redirects, admin sessions, and suspicious script injections before closing the incident.

ManageWP Worker
2026-06-16 CVSS 7.1

CVE-2026-39507

Social Slider Feed - Cross-site scripting

CVE-2026-39507 affects Social Slider Feed through 2.3.2. Confirm the installed version, patch or disable the plugin, and review stored content, redirects, admin sessions, and suspicious script injections before closing the incident.

Social Slider Feed
2026-06-16 CVSS 7.1

CVE-2026-39514

Paid Member Subscriptions - Cross-site scripting

CVE-2026-39514 affects Paid Member Subscriptions through 2.17.3. Confirm the installed version, patch or disable the plugin, and review stored content, redirects, admin sessions, and suspicious script injections before closing the incident.

Paid Member Subscriptions
2026-06-16 CVSS 7.1

CVE-2026-40732

Notification for Telegram - Cross-site scripting

CVE-2026-40732 affects Notification for Telegram through 3.5. Confirm the installed version, patch or disable the plugin, and review stored content, redirects, admin sessions, and suspicious script injections before closing the incident.

Notification for Telegram
2026-06-16 CVSS 7.1

CVE-2026-40770

Coupon Affiliates - Cross-site scripting

CVE-2026-40770 affects Coupon Affiliates through 7.5.3. Confirm the installed version, patch or disable the plugin, and review stored content, redirects, admin sessions, and suspicious script injections before closing the incident.

Coupon Affiliates
2026-06-16 CVSS 7.1

CVE-2026-40787

Quiz And Survey Master - Cross-site scripting

CVE-2026-40787 affects Quiz And Survey Master through 11.0.0. Confirm the installed version, patch or disable the plugin, and review stored content, redirects, admin sessions, and suspicious script injections before closing the incident.

Quiz And Survey Master
2026-06-16 CVSS 7.1

CVE-2026-40791

WP Time Slots Booking Form - Cross-site scripting

CVE-2026-40791 affects WP Time Slots Booking Form through 1.2.46. Confirm the installed version, patch or disable the plugin, and review stored content, redirects, admin sessions, and suspicious script injections before closing the incident.

WP Time Slots Booking Form
2026-06-16 CVSS 7.1

CVE-2026-42649

Favicon Rotator - Cross-site scripting

CVE-2026-42649 affects Favicon Rotator through 1.2.11. Confirm the installed version, patch or disable the plugin, and review stored content, redirects, admin sessions, and suspicious script injections before closing the incident.

Favicon Rotator
2026-06-16 CVSS 7.1

CVE-2026-42658

Classified Listing - Cross-site scripting

CVE-2026-42658 affects Classified Listing through 5.3.8. Confirm the installed version, patch or disable the plugin, and review stored content, redirects, admin sessions, and suspicious script injections before closing the incident.

Classified Listing
2026-06-16 CVSS 7.1

CVE-2026-42775

AutomatorWP - Cross-site scripting

CVE-2026-42775 affects AutomatorWP through 5.7.2. Confirm the installed version, patch or disable the plugin, and review stored content, redirects, admin sessions, and suspicious script injections before closing the incident.

AutomatorWP
2026-06-16 CVSS 7.1

CVE-2026-45437

Product Filter Widget for Elementor - Cross-site scripting

CVE-2026-45437 affects Product Filter Widget for Elementor through 1.0.6. Confirm the installed version, patch or disable the plugin, and review stored content, redirects, admin sessions, and suspicious script injections before closing the incident.

Product Filter Widget for Elementor
2026-06-16 CVSS 7.1

CVE-2026-48838

Post SMTP - Cross-site scripting

CVE-2026-48838 affects Post SMTP through 3.6.2. Confirm the installed version, patch or disable the plugin, and review stored content, redirects, admin sessions, and suspicious script injections before closing the incident.

Post SMTP
2026-06-16 CVSS 7.1

CVE-2026-48867

Quiz And Survey Master - Cross-site scripting

CVE-2026-48867 affects Quiz And Survey Master through 11.1.2. Confirm the installed version, patch or disable the plugin, and review stored content, redirects, admin sessions, and suspicious script injections before closing the incident.

Quiz And Survey Master
2026-06-16 CVSS 7.1

CVE-2026-48871

MW WP Form - Cross-site scripting

CVE-2026-48871 affects MW WP Form through 5.1.3. Confirm the installed version, patch or disable the plugin, and review stored content, redirects, admin sessions, and suspicious script injections before closing the incident.

MW WP Form
2026-06-16 CVSS 7.1

CVE-2026-48876

Stop Spammers - Cross-site scripting

CVE-2026-48876 affects Stop Spammers through 2026.3. Confirm the installed version, patch or disable the plugin, and review stored content, redirects, admin sessions, and suspicious script injections before closing the incident.

Stop Spammers
2026-06-16 CVSS 7.1

CVE-2026-48885

HollerBox - Cross-site scripting

CVE-2026-48885 affects HollerBox through 2.3.10.1. Confirm the installed version, patch or disable the plugin, and review stored content, redirects, admin sessions, and suspicious script injections before closing the incident.

HollerBox
2026-06-16 CVSS 7.1

CVE-2026-48966

Funnel Builder by FunnelKit - Cross-site scripting

CVE-2026-48966 affects Funnel Builder by FunnelKit through 3.15.0.2. Confirm the installed version, patch or disable the plugin, and review stored content, redirects, admin sessions, and suspicious script injections before closing the incident.

Funnel Builder by FunnelKit
2026-06-16 CVSS 7.1

CVE-2026-49055

Drag and Drop Multiple File Upload - Contact Form 7 - Cross-site scripting

CVE-2026-49055 affects Drag and Drop Multiple File Upload - Contact Form 7 through 1.3.9.7. Confirm the installed version, patch or disable the plugin, and review stored content, redirects, admin sessions, and suspicious script injections before closing the incident.

Drag and Drop Multiple File Upload - Contact Form 7
2026-06-16 CVSS 7.1

CVE-2026-52702

SEO Redirection - Cross-site scripting

CVE-2026-52702 affects SEO Redirection through 9.17. Confirm the installed version, patch or disable the plugin, and review stored content, redirects, admin sessions, and suspicious script injections before closing the incident.

SEO Redirection
2026-06-16 CVSS 7.1

CVE-2026-39450

FunnelKit Automations - Broken authentication

CVE-2026-39450 affects FunnelKit Automations through 3.7.3. Confirm the installed version, patch or disable the plugin, and review new sessions, password changes, and account history before closing the incident.

FunnelKit Automations
2026-06-16 CVSS 7.1

CVE-2026-42686

EventPrime - Cross-site scripting

CVE-2026-42686 affects EventPrime through 4.3.2.1. Confirm the installed version, patch or disable the plugin, and review stored content, redirects, admin sessions, and suspicious script injections before closing the incident.

EventPrime
2026-06-16 CVSS 7.1

CVE-2026-39437

Min Max Step Quantity Limits Manager for WooCommerce - Cross-site scripting

CVE-2026-39437 affects Min Max Step Quantity Limits Manager for WooCommerce through 5.2.2. Confirm the installed version, patch or disable the plugin, and review stored content, redirects, admin sessions, and suspicious script injections before closing the incident.

Min Max Step Quantity Limits Manager for WooCommerce
2026-06-16 CVSS 7.1

CVE-2026-54191

Pods - Cross-site scripting

CVE-2026-54191 affects Pods through 3.3.8. Confirm the installed version, patch or disable the plugin, and review stored content, redirects, admin sessions, and suspicious script injections before closing the incident.

Pods
2026-06-16 CVSS 7.1

CVE-2026-54198

Media Library Assistant - Cross-site scripting

CVE-2026-54198 affects Media Library Assistant through 3.35. Confirm the installed version, patch or disable the plugin, and review stored content, redirects, admin sessions, and suspicious script injections before closing the incident.

Media Library Assistant
2026-06-15 CVSS 7.1

CVE-2026-52719

GStreamer gst-plugins-bad - VA JPEG out-of-bounds read

CVE-2026-52719 affects the VA JPEG decoder in GStreamer gst-plugins-bad before 1.28.4. Systems that parse untrusted media should update packages and review crashes from media thumbnailing or ingestion jobs.

GStreamer gst-plugins-bad
2026-06-15 CVSS 7.1

CVE-2026-52722

GStreamer VMnc decoder - signed integer overflow

CVE-2026-52722 affects GStreamer's VMnc decoder. Systems that index, preview, transcode, or open untrusted media should update packages and review application crashes, thumbnailer failures, and desktop media logs.

GStreamer VMnc decoder
2026-06-09 CVSS 7.1

CVE-2026-9741

MongoDB Server - Queryable Encryption / CSFLE literal exposure

CVE-2026-9741 affects MongoDB Server query analysis processing for Queryable Encryption or CSFLE. Review encrypted-field workloads, patch affected branches, and check logs for sensitive literal exposure.

MongoDB Server
2026-06-09 CVSS 7.1

CVE-2026-9743

MongoDB Server - aggregation cursor crash condition

CVE-2026-9743 affects MongoDB Server aggregation processing in specific cursor paths. Patch affected branches and review mongod crash, getMore, and application reconnect logs.

MongoDB Server
2026-06-09 CVSS 7.1

CVE-2026-9746

MongoDB Server - change stream / resharding crash condition

CVE-2026-9746 affects MongoDB Server change stream and resharding-related processing. Patch affected branches and review restart, change stream, and resharding alerts.

MongoDB Server
2026-06-09 CVSS 7.1

CVE-2026-9747

MongoDB Server - aggregation role metadata crash condition

CVE-2026-9747 affects MongoDB Server aggregation processing involving runtime user-role metadata. Patch affected branches and review application errors and crash alerts.

MongoDB Server
2026-06-09 CVSS 7.1

CVE-2026-9748

MongoDB Server - internal bucket index stats crash condition

CVE-2026-9748 affects MongoDB Server internal bucket index statistics processing. Patch affected branches and review index stats, crash, and restart logs.

MongoDB Server
2026-06-09 CVSS 7.1

CVE-2026-9749

MongoDB Server - internal exchange aggregation crash condition

CVE-2026-9749 affects MongoDB Server aggregation processing that uses internal exchange behavior. Patch affected branches and review crash and primary step-down alerts.

MongoDB Server
2026-06-09 CVSS 7.1

CVE-2026-9750

MongoDB Server - internal metadata crash or incorrect result condition

CVE-2026-9750 affects MongoDB Server internal metadata processing during query execution. Patch affected branches and review authenticated query workloads, crashes, and incorrect-result reports.

MongoDB Server
2026-06-09 CVSS 7.1

CVE-2026-9752

MongoDB Server - 2dsphere query crash condition

CVE-2026-9752 affects MongoDB Server geospatial query handling with 2dsphere indexes. Patch affected branches and review geospatial query errors and restart logs.

MongoDB Server
2026-06-09 CVSS 7.1

CVE-2026-9754

MongoDB Server - filemd5 limited stack-memory disclosure

CVE-2026-9754 affects MongoDB Server filemd5 command handling for authenticated read-role users. Patch affected branches and review read-only account scope.

MongoDB Server
2026-06-05 CVSS 7.1

CVE-2026-46393

HAX CMS - authenticated SSRF and local resource access

CVE-2026-46393 affects HAX CMS before 26.0.0. Operators should patch, restrict server-side fetch behavior, and review outbound requests to localhost, metadata endpoints, and private service ranges.

HAX CMS Public PoC
2026-06-11 CVSS 7.1

CVE-2026-42653

SliceWP - stored XSS

CVE-2026-42653 affects SliceWP through 1.2.6. Review affiliate dashboards, administrator sessions, payout settings, and plugin update state.

SliceWP
2026-06-11 CVSS 7.1

CVE-2026-8406

openSIS Classic - messaging module IDOR

CVE-2026-8406 affects openSIS Classic 9.3 messaging. School portals should patch, review sent-message access, student/staff accounts, and web logs around messaging routes.

openSIS Classic Public PoC
2026-06-10 CVSS 7.1

CVE-2026-49069

WPZOOM Portfolio - reflected XSS

CVE-2026-49069 affects WPZOOM Portfolio through 1.4.21. Patch and review admin-session exposure if editors or administrators opened untrusted links while logged in.

WPZOOM Portfolio
2026-06-11 CVSS 7.1

CVE-2023-33999

WP Mail Log - DOM-based XSS

CVE-2023-33999 affects WP Mail Log through 1.0.2. Patch or remove the plugin and review whether administrators opened untrusted mail-log views while logged in.

WP Mail Log
2026-06-10 CVSS 7.1

CVE-2026-53674

BuddyPress - Activity mention regular expression injection

CVE-2026-53674 affects BuddyPress 14.4.0 activity mention resolution when username compatibility mode is enabled. Review community activity logs, disable risky compatibility settings if possible, and update when a fixed release is available.

BuddyPress
2026-06-09 CVSS 7.1

CVE-2016-20063

Simple Personal Message - Authenticated SQL injection in legacy WordPress plugin

CVE-2016-20063 is a legacy Simple Personal Message WordPress plugin SQL injection issue. Check whether the plugin still exists, confirm the installed version, update to 2.0.0 or remove it, and review admin activity and database access if it was exposed.

Simple Personal Message Public PoC
2026-06-22 CVSS 7.0

CVE-2026-6653

libxml2 - xmlParseInternalSubset use-after-free denial-of-service risk

CVE-2026-6653 affects libxml2 2.9.11 through 2.11.0 in XML internal subset parsing. Patch operating system packages and review services that parse untrusted XML for crashes or parser errors.

libxml2
2026-06-19 CVSS 7.0

CVE-2026-39999

Apache APISIX - authentication bypass by spoofing

CVE-2026-39999 affects Apache APISIX, per the vendor advisory. Confirm exposure, apply the vendor fix or remove the component, and review gateway routes, authentication plugins, and unusual upstream access.

Apache APISIX Public PoC
2026-06-11 CVSS 7.0

CVE-2026-44495

Axios - transformResponse prototype-pollution gadget

CVE-2026-44495 affects Axios versions before 0.31.1 and 1.15.2 where a polluted prototype in the same process can influence response transformation. Patch and audit prototype-pollution sources.

Axios Public PoC

Grouped by product

Most-affected platforms first. If you operate one of these stacks, jump straight to your section.


Netty

Java / Middleware 19 CVEs
2026-06-12 CVSS 8.1

CVE-2026-44249

Netty handler - IPv6 subnet rule bypass

Netty handler before 4.1.135.Final and 4.2.15.Final can mishandle IPv6 subnet filter rules. Review Java services that rely on Netty IP filtering and update the dependency lock.

Public PoC
2026-06-12 CVSS 7.5

CVE-2026-44893

Netty HAProxy codec - malformed TLV memory leak

Netty HAProxy PROXY protocol v2 parsing before 4.1.135.Final and 4.2.15.Final can trigger memory pressure. Patch services using HAProxyMessageDecoder and review direct-memory alerts.

Public PoC
2026-06-12 CVSS 7.5

CVE-2026-44894

Netty QUIC - token validation amplification risk

Netty QUIC handling before 4.2.15.Final can treat unexpected tokens as valid in a way that changes amplification behavior. Patch HTTP/3 services and review edge traffic.

Public PoC
2026-06-12 CVSS 7.5

CVE-2026-45416

Netty TLS ClientHello handling - memory exhaustion

Netty TLS ClientHello handling before 4.1.135.Final and 4.2.15.Final can allocate excessive memory in affected handlers. Patch SNI/TLS gateway services.

Public PoC
2026-06-12 CVSS 6.8

CVE-2026-45673

Netty DNS resolver - predictable query entropy

Netty DNS resolver before 4.1.135.Final and 4.2.15.Final can use weak DNS query entropy. Patch resolver users and review cache poisoning exposure.

Public PoC
2026-06-12 CVSS 8.7

CVE-2026-45674

Netty DNS resolver - CNAME bailiwick validation issue

Netty DNS resolver before 4.1.135.Final and 4.2.15.Final can mishandle CNAME bailiwick validation. Patch Java services using Netty DNS.

Public PoC
2026-06-12 CVSS 7.5

CVE-2026-46340

Netty SCTP transport - fragment memory growth

Netty SCTP transport before 4.1.135.Final and 4.2.15.Final can accumulate fragments without safe bounds. Patch services using netty-transport-sctp.

Public PoC
2026-06-12 CVSS 8.7

CVE-2026-47691

Netty DNS resolver - NS record bailiwick validation issue

Netty DNS resolver before 4.1.135.Final and 4.2.15.Final can insufficiently validate NS record bailiwick. Patch resolver users and monitor DNS behavior.

Public PoC
2026-06-12 CVSS 8.7

CVE-2026-48006

Netty Redis aggregator - direct-memory leak

Netty RedisArrayAggregator before 4.1.135.Final and 4.2.15.Final can leak pooled direct-memory buffers when Redis pipeline connections close mid-aggregate.

Public PoC
2026-06-12 CVSS 5.3

CVE-2026-48043

Netty HTTP/2 decompression - resource leak

Netty HTTP/2 decompression handling before 4.1.135.Final and 4.2.15.Final can leak resources in affected flow-controller paths. Patch gateway services.

Public PoC
2026-06-12 CVSS 8.7

CVE-2026-48059

Netty HAProxy codec - nested TLV memory leak

Netty HAProxy PROXY protocol v2 codec before 4.1.135.Final and 4.2.15.Final can leak memory on nested TLV handling. Patch and review gateway memory alerts.

Public PoC
2026-06-12 CVSS 7.5

CVE-2026-48748

Netty HTTP/3 codec - blocked streams memory exhaustion

Netty HTTP/3 codec before 4.2.15.Final can exhaust memory through blocked stream handling. Patch HTTP/3 gateways and review OOM events.

Public PoC
2026-06-12 CVSS 7.5

CVE-2026-50010

Netty TLS trust manager - hostname verification gap

Netty before 4.1.135.Final and 4.2.15.Final can lose hostname verification in specific trust-manager wrapping paths. Review custom trust managers and patch.

Public PoC
2026-06-12 CVSS 7.5

CVE-2026-50011

Netty Redis aggregator - unbounded allocation

Netty RedisArrayAggregator before 4.1.135.Final and 4.2.15.Final can allocate excessive memory from attacker-controlled RESP array counts.

Public PoC
2026-06-12 CVSS 6.9

CVE-2026-50560

Netty HTTP/2 header settings - resource pressure

Netty HTTP/2 max-header handling before 4.1.135.Final and 4.2.15.Final can create resource pressure similar to rapid reset patterns.

Public PoC
2026-06-12 CVSS 5.3

CVE-2026-47244

Netty HTTP/2 streams - missing default concurrent stream cap

Netty HTTP/2 server defaults before 4.1.135.Final and 4.2.15.Final can allow excessive concurrent stream object growth when not explicitly capped.

Public PoC
2026-06-12 CVSS 7.5

CVE-2026-44892

Netty HTTP/3 - unbounded header memory pressure

CVE-2026-44892 affects Netty HTTP/3 handling when header size is not bounded. Java services using netty-codec-http3 should update and review memory alerts and HTTP/3 gateway restarts.

2026-06-11 CVSS 7.5

CVE-2026-44250

Netty codec-redis - nested array memory exhaustion

CVE-2026-44250 affects netty-codec-redis before 4.1.135.Final and 4.2.15.Final. Java services that parse Redis protocol traffic should patch and review memory alerts.

Public PoC
2026-06-11 CVSS 7.5

CVE-2026-44890

Netty codec-redis - direct memory exhaustion

CVE-2026-44890 affects netty-codec-redis before 4.1.135.Final and 4.2.15.Final. Patch exposed services and review direct-memory pressure and Redis protocol gateway logs.

Public PoC

Fission

Kubernetes / Serverless 14 CVEs
2026-06-10 CVSS 9.8

CVE-2026-46614

Fission - internal function routes exposed on public router

CVE-2026-46614 affects Fission before 1.23.0 where internal function routes may be exposed through the public router listener. Review ingress, router services, and NetworkPolicy.

Public PoC
2026-06-10 CVSS 6.9

CVE-2026-46618

Fission - builder command validation gap

CVE-2026-46618 affects Fission before 1.23.0 where Environment builder command settings could allow unexpected executable selection in builder pods. Review Environment CRD permissions and builder service account scope.

Public PoC
2026-06-10 CVSS 9.9

CVE-2026-50545

Fission - Environment podSpec passthrough validation gap

CVE-2026-50545 affects Fission Environment podSpec handling before 1.24.0. Review who can create or update environments and whether unsafe pod fields can reach runtime or builder pods.

Public PoC
2026-06-10 CVSS 9.9

CVE-2026-50563

Fission - Container Executor function podSpec privilege issue

CVE-2026-50563 affects Fission Container Executor podSpec handling before 1.24.0. Review Function spec permissions, executor service accounts, and runtime pod security.

Public PoC
2026-06-10 CVSS 9.9

CVE-2026-50564

Fission - Environment CRD unsafe podSpec propagation

CVE-2026-50564 affects Fission Environment CRD podSpec propagation before 1.24.0. Review host namespace, hostPath, privileged, and service account fields in function environments.

Public PoC
2026-06-10 CVSS 9.9

CVE-2026-50566

Fission - tenant function can request dangerous container settings

CVE-2026-50566 affects Fission before 1.24.0 when tenant-facing Environment or Function resources can request unsafe container settings. Review RBAC and admission webhook enforcement.

Public PoC
2026-06-10 CVSS 8.8

CVE-2026-46612

Fission - unauthenticated storage service archive access

CVE-2026-46612 affects Fission before 1.23.0 storage service archive handling. Review service reachability, NetworkPolicy, and package archive access across tenants.

Public PoC
2026-06-10 CVSS 8.7

CVE-2026-46617

Fission - runtime pod service account can read namespace secrets

CVE-2026-46617 affects Fission runtime pod service account permissions before 1.23.0. Review function namespace secrets, configmaps, and runtime pod token exposure.

Public PoC
2026-06-10 CVSS 8.5

CVE-2026-49824

Fission - Function environment namespace validation gap

CVE-2026-49824 affects Fission before 1.24.0 where Function environment namespace validation can miss cross-namespace references. Review function specs and admission webhook behavior.

Public PoC
2026-06-10 CVSS 8.5

CVE-2026-50570

Fission - incomplete container capability denylist

CVE-2026-50570 affects Fission before 1.25.0 capability validation. Review admission settings, runtime security contexts, and function or environment specs that request added Linux capabilities.

Public PoC
2026-06-10 CVSS 7.7

CVE-2026-49821

Fission - Package environment namespace validation gap

CVE-2026-49821 affects Fission before 1.24.0 package environment namespace validation. Review Package specs, builder behavior, and cross-namespace references.

Public PoC
2026-06-10 CVSS 7.7

CVE-2026-49822

Fission - KubernetesWatchTrigger cross-namespace surveillance risk

CVE-2026-49822 affects Fission before 1.24.0 KubernetesWatchTrigger namespace boundaries. Review who can create KWT resources and whether watch targets cross tenant namespaces.

Public PoC
2026-06-10 CVSS 7.7

CVE-2026-49823

Fission - PackageRef namespace validation gap in Function specs

CVE-2026-49823 affects Fission before 1.24.0 Function PackageRef namespace checks. Review function specs for cross-namespace package references.

Public PoC
2026-06-10 CVSS 7.7

CVE-2026-50567

Fission - archive extraction path traversal

CVE-2026-50567 affects Fission archive extraction before 1.25.0. Treat package archive URLs as untrusted and review fetcher sidecar file writes and package storage.

Public PoC

MongoDB Server

Database 13 CVEs
2026-06-12 CVSS 8.8

CVE-2026-11933

MongoDB Server - server-side JavaScript engine use-after-free

CVE-2026-11933 affects MongoDB Server when an authenticated reader can run server-side JavaScript. Review $where and $function usage, disable server-side scripting where possible, and patch affected server lines.

2026-06-09 CVSS 8.7

CVE-2026-9740

MongoDB Server - unauthenticated BSON validation crash

CVE-2026-9740 affects MongoDB Server BSON validation logic and can crash mongod before authentication. Public or partner-exposed MongoDB listeners should be patched and checked for unexplained restarts.

2026-06-09 CVSS 8.2

CVE-2026-9742

MongoDB Server - OIDC configuration pre-auth crash

CVE-2026-9742 affects MongoDB Server deployments with OIDC authentication enabled. Check whether OIDC is configured, patch the affected branch, and review mongod restart and authentication error logs.

2026-06-09 CVSS 7.1

CVE-2026-9741

MongoDB Server - Queryable Encryption / CSFLE literal exposure

CVE-2026-9741 affects MongoDB Server query analysis processing for Queryable Encryption or CSFLE. Review encrypted-field workloads, patch affected branches, and check logs for sensitive literal exposure.

2026-06-09 CVSS 7.1

CVE-2026-9743

MongoDB Server - aggregation cursor crash condition

CVE-2026-9743 affects MongoDB Server aggregation processing in specific cursor paths. Patch affected branches and review mongod crash, getMore, and application reconnect logs.

2026-06-09 CVSS 7.1

CVE-2026-9746

MongoDB Server - change stream / resharding crash condition

CVE-2026-9746 affects MongoDB Server change stream and resharding-related processing. Patch affected branches and review restart, change stream, and resharding alerts.

2026-06-09 CVSS 7.1

CVE-2026-9747

MongoDB Server - aggregation role metadata crash condition

CVE-2026-9747 affects MongoDB Server aggregation processing involving runtime user-role metadata. Patch affected branches and review application errors and crash alerts.

2026-06-09 CVSS 7.1

CVE-2026-9748

MongoDB Server - internal bucket index stats crash condition

CVE-2026-9748 affects MongoDB Server internal bucket index statistics processing. Patch affected branches and review index stats, crash, and restart logs.

2026-06-09 CVSS 7.1

CVE-2026-9749

MongoDB Server - internal exchange aggregation crash condition

CVE-2026-9749 affects MongoDB Server aggregation processing that uses internal exchange behavior. Patch affected branches and review crash and primary step-down alerts.

2026-06-09 CVSS 7.1

CVE-2026-9750

MongoDB Server - internal metadata crash or incorrect result condition

CVE-2026-9750 affects MongoDB Server internal metadata processing during query execution. Patch affected branches and review authenticated query workloads, crashes, and incorrect-result reports.

2026-06-09 CVSS 7.1

CVE-2026-9752

MongoDB Server - 2dsphere query crash condition

CVE-2026-9752 affects MongoDB Server geospatial query handling with 2dsphere indexes. Patch affected branches and review geospatial query errors and restart logs.

2026-06-09 CVSS 8.1

CVE-2026-9753

MongoDB Server - oplog update memory out-of-bounds condition

CVE-2026-9753 affects MongoDB Server oplog update processing and can cause memory out-of-bounds behavior or a crash. Patch affected branches and review replica set stability.

2026-06-09 CVSS 7.1

CVE-2026-9754

MongoDB Server - filemd5 limited stack-memory disclosure

CVE-2026-9754 affects MongoDB Server filemd5 command handling for authenticated read-role users. Patch affected branches and review read-only account scope.

WordPress

WordPress / CMS 13 CVEs
2026-06-05 CVSS 8.8

CVE-2026-7654

Admin Columns - Contributor+ PHP object injection to RCE

CVE-2026-7654 affects the Admin Columns WordPress plugin through 7.0.18. Sites with Contributor or higher accounts should patch to 7.0.19 or newer, then review recent custom-field and account activity.

Public PoC
2026-06-05 CVSS 8.8

CVE-2026-5411

WP Captcha PRO - Subscriber+ arbitrary file upload

CVE-2026-5411 affects WP Captcha PRO through 5.38. Sites should update to 5.39 or newer and inspect uploads, plugin folders, and unexpected account activity after patching.

Public PoC
2026-06-05 CVSS 8.8

CVE-2026-5415

WP Captcha PRO - Subscriber+ authentication bypass

CVE-2026-5415 affects WP Captcha PRO through 5.38. Public registration sites should update to 5.39 or newer, review administrators, and rotate sessions if user activity looks suspicious.

2026-06-02 CVSS 9.8

CVE-2026-8206

Kirki Page Builder - Unauthenticated Admin Account Takeover via Password Reset

The Kirki 6.0.0–6.0.6 password reset endpoint sends the reset link to an attacker-supplied email address instead of to the account owner. One unauthenticated request hijacks any admin. 500K+ installs, Wordfence blocking 222+ attacks/day.

Active Exploit Public PoC
2026-05-30 CVSS 7.5

CVE-2026-9757

GEO my WP - Unauthenticated SQL Injection via map boundary parameters

SQL injection in GEO my WP (≤ 4.5.5) through map boundary query handling. Public Posts Locator pages should be patched and checked for unusual database access.

Public PoC
2026-05-30 CVSS 8.8

CVE-2026-7465

Spectra / Ultimate Addons for Gutenberg - Contributor-level RCE in block rendering

Authenticated (Contributor+) remote code execution in Spectra Gutenberg Blocks ≤ 2.19.25. Review Contributor accounts, block rendering behavior, and plugin version before reopening publishing access.

Public PoC
2026-05-30 CVSS 7.5

CVE-2026-7459

Simple History - Subscriber+ account takeover via REST event context leak

Simple History ≤ 5.26.0: the react_to_event REST endpoints only verify that the caller is logged in, not per-logger capabilities. Subscribers can read password-reset email bodies and complete an admin takeover.

Public PoC
2026-05-29 CVSS 9.1

CVE-2026-4290

WP Travel Pro - Unauthenticated Arbitrary User Deletion

Unauthenticated user deletion in WP Travel Pro (≤ 10.6.0). The affected REST permission path can allow destructive user deletion without a valid admin session. Patch to 10.6.1 and audit recent user changes.

2026-05-28 CVSS 8.1

CVE-2026-6455

WP Contact Form 7 DB Handler - CSRF -> SQLi -> Deserialization -> Arbitrary File Deletion

The WP Contact Form 7 DB Handler plugin chains four flaws: CSRF bypass (nonce check skipped when field is absent), UNION-based SQL injection, PHP object injection, and arbitrary file deletion via path traversal. One admin click on a crafted link can delete wp-config.php and take down the entire site.

Public PoC
2026-05-27 CVSS 9.9

CVE-2026-42748

WordPress Triple-9.9: Unrestricted Upload & Path Traversal (3 plugins)

Three separate WordPress plugin CVEs, each rated CVSS 9.9, were published on the same day. CVE-2026-42748 is an unrestricted file upload; CVE-2026-42756 and CVE-2026-42757 are path traversal vulnerabilities with changed scope (S:C), meaning a compromise can reach beyond WordPress to the wider server.

2026-05-19 CVSS 9.8

CVE-2026-4885

Piotnet Addons for Elementor Pro - Unauthenticated File Upload -> RCE

Unauthenticated arbitrary file upload in Piotnet Addons for Elementor Pro (≀ 7.1.70). Dangerous PHP-like uploads may execute on common hosting stacks, so owners should patch and inspect upload directories.

Public PoC
2026-05-17 CVSS 8.8

CVE-2026-8719

AI Engine Plugin - Subscriber-to-Admin Privilege Escalation

Privilege escalation in the AI Engine WordPress plugin (50,000+ active installs). Missing capability check in MCP OAuth bearer-token path lets any logged-in user, even Subscriber, escalate to Administrator. Patched in v3.4.10. Public registration sites are most exposed.

2026-04-20 CVSS 9.8

CVE-2026-1492

WordPress User Registration & Membership - Auth Bypass -> Admin Takeover

Authentication bypass in the User Registration & Membership plugin (60,000+ active installs). An unauthenticated attacker can take over any account, including admin. Patched in 4.2.4; older versions are wide open.

HAX CMS

CMS / PHP and Node.js 13 CVEs
2026-06-05 CVSS 9.3

CVE-2026-46395

HAX CMS Node.js - private signing key disclosure

CVE-2026-46395 affects the HAX CMS Node.js backend through 25.0.0. Public HAX CMS operators should upgrade, rotate JWT signing material and site tokens, then review admin activity that may not have normal login events.

Public PoC
2026-06-05 CVSS 9.4

CVE-2026-46399

HAX CMS PHP - file overwrite and Git filter risk

CVE-2026-46399 affects HAX CMS PHP before 26.0.0. Review file overwrite paths, Git filters, remote URLs, repository history access, and any content changes made by privileged users.

Public PoC
2026-06-05 CVSS 9.3

CVE-2026-46396

HAX CMS - stored XSS through iframe handling

CVE-2026-46396 affects HAX CMS content rendering before 26.0.0. Operators should patch, review iframe-heavy pages, and inspect admin sessions and tokens after suspicious content edits.

Public PoC
2026-06-05 CVSS 9.3

CVE-2026-46496

HAX CMS - stored XSS through video-player component

CVE-2026-46496 affects HAX CMS media content before 26.0.0. Review video-player usage, media edits, admin sessions, and token exposure after patching.

Public PoC
2026-06-05 CVSS 8.8

CVE-2026-46398

HAX CMS - refresh token cookie missing Secure flag

CVE-2026-46398 affects HAX CMS 25.0.0 before 26.0.0 when refresh tokens may be sent without the Secure cookie flag. Enforce HTTPS, upgrade, and rotate sessions on exposed sites.

Public PoC
2026-06-05 CVSS 8.7

CVE-2026-46400

HAX CMS PHP - file upload validation bypass

CVE-2026-46400 affects HAX CMS PHP 11.0.6 before 25.0.0. Operators should patch, review uploaded files and MIME handling, and remove suspicious PHP-like or active content from public upload paths.

Public PoC
2026-06-05 CVSS 8.7

CVE-2026-46391

HAX CMS open-apis - weak host validation

CVE-2026-46391 affects @haxtheweb/open-apis 9.0.1 before 26.0.0. Review integrations that send basic authorization to remote hosts, rotate exposed credentials, and patch the package.

Public PoC
2026-06-05 CVSS 8.7

CVE-2026-46392

HAX CMS PHP - upload rendering bypass

CVE-2026-46392 affects HAX CMS PHP before 26.0.0. Review uploaded HTML-like content, mixed-case extensions, and pages edited by untrusted users before reopening authoring.

Public PoC
2026-06-05 CVSS 7.7

CVE-2026-46394

HAX CMS PHP - Git command handling risk

CVE-2026-46394 affects the HAX CMS PHP Git helper before 26.0.0. Review Git remotes, filters, helper logs, and repository settings after patching.

Public PoC
2026-06-05 CVSS 7.1

CVE-2026-46393

HAX CMS - authenticated SSRF and local resource access

CVE-2026-46393 affects HAX CMS before 26.0.0. Operators should patch, restrict server-side fetch behavior, and review outbound requests to localhost, metadata endpoints, and private service ranges.

Public PoC
2026-06-05 CVSS 7.5

CVE-2026-46493

HAX CMS - weak salt generation

CVE-2026-46493 affects HAX CMS versions before 26.0.1 that use unsuitable salt generation. Upgrade to 26.0.1 or newer and rotate secrets after patching.

Public PoC
2026-06-05 CVSS 8.7

CVE-2026-46511

HAX CMS - stored XSS and token exposure chain

CVE-2026-46511 affects HAX CMS before 26.0.0 through a stored XSS plus token exposure chain. Review tenants, site tokens, edited content, and admin sessions after upgrading.

Public PoC
2026-06-05 CVSS 6.9

CVE-2026-46390

HAX CMS - unauthenticated gitlist exposure

CVE-2026-46390 affects HAX CMS 2.0.0 before 26.0.0 where gitlist can expose repository browsing to unauthenticated users. Patch and review whether repository history or secrets were visible.

Public PoC

GeoVision

PHP / CMS 10 CVEs

vm2

Node.js / Sandbox 9 CVEs
2026-06-12 CVSS 10.0

CVE-2026-47131

vm2 - sandbox escape via host TypeError exposure

CVE-2026-47131 affects vm2 before 3.11.4. Services that run untrusted JavaScript should upgrade, isolate sandbox workers, and review logs for unexpected outbound access or worker failures.

Public PoC
2026-06-12 CVSS 8.7

CVE-2026-47135

vm2 - cross-realm Symbol isolation weakness

CVE-2026-47135 affects vm2 before 3.11.4. Services that run untrusted JavaScript should upgrade, isolate sandbox workers, and review logs for unexpected outbound access or worker failures.

Public PoC
2026-06-12 CVSS 10.0

CVE-2026-47137

vm2 - NodeVM require guard bypass

CVE-2026-47137 affects vm2 before 3.11.4. Services that run untrusted JavaScript should upgrade, isolate sandbox workers, and review logs for unexpected outbound access or worker failures.

Public PoC
2026-06-12 CVSS 8.6

CVE-2026-47139

vm2 - network builtin restriction bypass

CVE-2026-47139 affects vm2 before 3.11.4. Services that run untrusted JavaScript should upgrade, isolate sandbox workers, and review logs for unexpected outbound access or worker failures.

Public PoC
2026-06-12 CVSS 10.0

CVE-2026-47140

vm2 - dangerous builtin denylist gap

CVE-2026-47140 affects vm2 before 3.11.4. Services that run untrusted JavaScript should upgrade, isolate sandbox workers, and review logs for unexpected outbound access or worker failures.

Public PoC
2026-06-12 CVSS 6.9

CVE-2026-47141

vm2 - observability builtin data exposure

CVE-2026-47141 affects vm2 before 3.11.4. Services that run untrusted JavaScript should upgrade, isolate sandbox workers, and review logs for unexpected outbound access or worker failures.

Public PoC
2026-06-12 CVSS 10.0

CVE-2026-47208

vm2 - sandbox breakout vulnerability

CVE-2026-47208 affects vm2 before 3.11.4. Services that run untrusted JavaScript should upgrade, isolate sandbox workers, and review logs for unexpected outbound access or worker failures.

Public PoC
2026-06-12 CVSS 8.6

CVE-2026-47209

vm2 - proxy set trap isolation weakness

CVE-2026-47209 affects vm2 before 3.11.4. Services that run untrusted JavaScript should upgrade, isolate sandbox workers, and review logs for unexpected outbound access or worker failures.

Public PoC
2026-06-12 CVSS 9.8

CVE-2026-47210

vm2 - async sandbox escape with WebAssembly JSPI

CVE-2026-47210 affects vm2 before 3.11.4. Services that run untrusted JavaScript should upgrade, isolate sandbox workers, and review logs for unexpected outbound access or worker failures.

Public PoC

Apache HTTP Server

Web Server / Apache 9 CVEs
2026-06-09 CVSS 9.8

CVE-2026-29167

Apache HTTP Server - mod_ldap per-directory use-after-free

CVE-2026-29167 affects Apache HTTP Server 2.4.0 through 2.4.67 when mod_ldap is used in per-directory configuration. Apache rates the issue low, while NVD scores it critical. Upgrade to 2.4.68 and review LDAP-related Apache locations.

2026-06-09 CVSS 7.3

CVE-2026-44186

Apache HTTP Server - mod_proxy_ftp infinite loop

CVE-2026-44186 affects Apache HTTP Server 2.4.0 through 2.4.67 when mod_proxy_ftp is used with an attacker-controlled FTP backend. Upgrade to 2.4.68 and review old FTP proxy configurations.

2026-06-09 CVSS 9.1

CVE-2026-42535

Apache HTTP Server - mod_dav_fs WebDAV property database manipulation

CVE-2026-42535 affects Apache HTTP Server 2.4.67 and earlier when mod_dav_fs is in use. WebDAV content authors may be able to manipulate trusted DAV property databases and trigger child process crashes. Upgrade to 2.4.68 and review DAV-enabled locations.

2026-06-08 CVSS 9.8

CVE-2026-44631

Apache HTTP Server - regex configuration buffer underwrite

CVE-2026-44631 affects Apache HTTP Server 2.4.0 through 2.4.67 through crafted regular expressions in configuration. Operators should upgrade to 2.4.68 and review regex-heavy vhost, rewrite, and match directives.

2026-06-08 CVSS 7.5

CVE-2026-34355

Apache HTTP Server - mod_proxy_html buffer overflow

CVE-2026-34355 affects Apache HTTP Server mod_proxy_html in 2.4.67 and earlier. Prioritize reverse proxy deployments that process untrusted backend content and upgrade to Apache 2.4.68.

2026-06-08 CVSS 7.5

CVE-2026-34356

Apache HTTP Server - ProxyPassReverseCookie heap overflow

CVE-2026-34356 affects Apache HTTP Server reverse proxy cookie rewriting in 2.4.67 and earlier. Review ProxyPassReverseCookie configuration and upgrade to Apache 2.4.68.

2026-06-08 CVSS 7.5

CVE-2026-42536

Apache HTTP Server - mod_xml2enc heap overflow

CVE-2026-42536 affects Apache HTTP Server mod_xml2enc in 2.4.67 and earlier. Operators should check whether xml2enc is loaded, review untrusted content paths, and upgrade to Apache 2.4.68.

2026-06-08 CVSS 7.3

CVE-2026-44185

Apache HTTP Server - mod_ssl OCSP buffer over-read

CVE-2026-44185 affects Apache HTTP Server outbound OCSP handling in 2.4.67 and earlier. TLS-heavy deployments should upgrade to 2.4.68 and review mod_ssl OCSP configuration.

2026-06-08 CVSS 7.3

CVE-2026-48913

Apache HTTP Server - mod_http2 use-after-free

CVE-2026-48913 affects Apache HTTP Server mod_http2 when file handles are exhausted. HTTP/2 deployments on Apache 2.4.55 through 2.4.67 should upgrade to 2.4.68 and review worker restart logs.

Roxy-WI

Load Balancer Panel 9 CVEs
2026-06-10 CVSS 9.9

CVE-2026-45552

Roxy-WI - cross-tenant authorization bypass in install workflows

CVE-2026-45552 affects Roxy-WI install and exporter workflows. Review panel exposure, guest or low-privilege users, stored SSH credentials, and recent infrastructure changes.

Public PoC
2026-06-10 CVSS 9.9

CVE-2026-45556

Roxy-WI - WAF configuration path handling issue

CVE-2026-45556 affects Roxy-WI WAF configuration save paths. Operators should restrict the panel, preserve logs, and review load balancer config, cron, and service changes.

Public PoC
2026-06-10 CVSS 9.9

CVE-2026-45558

Roxy-WI - HAProxy generated configuration injection risk

CVE-2026-45558 affects Roxy-WI HAProxy configuration generation. Review HAProxy section changes, reload history, panel accounts, and managed server ownership.

Public PoC
2026-06-10 CVSS 9.1

CVE-2026-45550

Roxy-WI - monitoring check cross-tenant update issue

CVE-2026-45550 affects Roxy-WI monitoring check update paths. Multi-tenant operators should review check ownership, recent changes, and user group boundaries.

Public PoC
2026-06-10 CVSS 8.8

CVE-2026-45564

Roxy-WI - config version restore command injection risk

CVE-2026-45564 affects Roxy-WI configuration version restore paths. Review config restore events, service reloads, and shell command traces on managed hosts.

Public PoC
2026-06-10 CVSS 8.5

CVE-2026-45549

Roxy-WI - monitoring agent action authorization bypass

CVE-2026-45549 affects Roxy-WI monitoring agent actions. Review who can start, stop, or restart agents and compare service restart times against panel logs.

Public PoC
2026-06-10 CVSS 8.3

CVE-2026-45567

Roxy-WI - API-style authentication bypass condition

CVE-2026-45567 affects Roxy-WI authentication handling around API-style paths. Place the panel behind a trusted network and review access logs for unexpected API activity.

Public PoC
2026-06-10 CVSS 8.1

CVE-2026-45565

Roxy-WI - shared input validation traversal weakness

CVE-2026-45565 affects Roxy-WI shared input validation. Review path-like inputs, changed files, and whether previous filtering rules actually blocked traversal patterns.

Public PoC
2026-06-10 CVSS 8.1

CVE-2026-45569

Roxy-WI - incomplete traversal validation patch

CVE-2026-45569 affects an incomplete Roxy-WI traversal validation patch. Review updated code, path containment, and any config restore or upload actions after the first patch attempt.

Public PoC

Cacti

PHP / CMS 8 CVEs
2026-06-25 CVSS 7.2

CVE-2026-40083

Cacti - SQL injection risk

CVE-2026-40083 affects Cacti. Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have SQL Injection through unsanitized unserialize+implode in managers.php. At line 756 of managers.php, the application assig... Patch the affected deployment and review Cacti and web logs.

2026-06-25 CVSS 6.5

CVE-2026-40084

Cacti - path traversal risk

CVE-2026-40084 affects Cacti. Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior are vulnerable to Path Traversal through the Report format_file Parameter, causing arbitrary file read. This vulnerability occ... Patch the affected deployment and review Cacti and web logs.

2026-06-25 CVSS 6.1

CVE-2026-40080

Cacti - authentication boundary risk

CVE-2026-40080 affects Cacti. Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior are vulnerable to Open Redirect through a substring check rather than a host check at str_contains($referer, CACTI_PATH_URL). ... Patch the affected deployment and review Cacti and web logs.

2026-06-24 CVSS 6.1

CVE-2026-39900

Cacti - authentication boundary risk

CVE-2026-39900 affects Cacti. Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior are vulnerable to Reflected XSS via tab parameter in the auth_profile.php JavaScript context. This issue has been fixed in ver... Patch the affected deployment and review Cacti and web logs.

2026-06-24 CVSS 9.8

CVE-2026-39955

Cacti - pre-authentication graph view SQL injection risk

CVE-2026-39955 affects Cacti 1.2.30 and earlier. Upgrade to 1.2.31, review guest graph viewing exposure, database errors, and graph_view.php access logs.

Public PoC
2026-06-24 CVSS 9.3

CVE-2026-39948

Cacti - guest graph SQL injection risk

CVE-2026-39948 affects Cacti 1.2.30 and earlier where guest graph viewing can expose SQL injection risk. Patch to 1.2.31 and review database and web logs.

Public PoC
2026-06-24 CVSS 8.6

CVE-2026-40079

Cacti - graph template command injection risk

CVE-2026-40079 affects Cacti 1.2.30 and earlier. Review graph templates, RRD activity, web-server process activity, and patch to 1.2.31.

Public PoC
2026-06-24 CVSS 6.9

CVE-2026-39899

Cacti - package import path traversal risk

CVE-2026-39899 affects Cacti 1.2.30 and earlier. Review package import access, uploaded files, and filesystem changes before closing the issue.

Public PoC

GeoVision GV-I/O Box 4E

IoT / Physical Security Device 8 CVEs
2026-06-24 CVSS 10.0

CVE-2026-12485

GeoVision GV-I/O Box 4E - DVRSearch stack overflow risk

CVE-2026-12485 affects GeoVision GV-I/O Box 4E devices covered by the June 2026 Talos advisories. Device owners should isolate management access, apply vendor firmware guidance, and review network or relay configuration changes.

2026-06-24 CVSS 10.0

CVE-2026-12846

GeoVision GV-I/O Box 4E - network configuration stack overflow risk

CVE-2026-12846 affects GeoVision GV-I/O Box 4E devices covered by the June 2026 Talos advisories. Device owners should isolate management access, apply vendor firmware guidance, and review network or relay configuration changes.

2026-06-24 CVSS 10.0

CVE-2026-12847

GeoVision GV-I/O Box 4E - gateway field stack overflow risk

CVE-2026-12847 affects GeoVision GV-I/O Box 4E devices covered by the June 2026 Talos advisories. Device owners should isolate management access, apply vendor firmware guidance, and review network or relay configuration changes.

2026-06-24 CVSS 10.0

CVE-2026-12848

GeoVision GV-I/O Box 4E - DNS field stack overflow risk

CVE-2026-12848 affects GeoVision GV-I/O Box 4E devices covered by the June 2026 Talos advisories. Device owners should isolate management access, apply vendor firmware guidance, and review network or relay configuration changes.

2026-06-24 CVSS 9.1

CVE-2026-12486

GeoVision GV-I/O Box 4E - network-setting command execution risk

CVE-2026-12486 affects GeoVision GV-I/O Box 4E devices covered by the June 2026 Talos advisories. Device owners should isolate management access, apply vendor firmware guidance, and review network or relay configuration changes.

2026-06-24 CVSS 9.1

CVE-2026-12849

GeoVision GV-I/O Box 4E - netmask command execution risk

CVE-2026-12849 affects GeoVision GV-I/O Box 4E devices covered by the June 2026 Talos advisories. Device owners should isolate management access, apply vendor firmware guidance, and review network or relay configuration changes.

2026-06-24 CVSS 9.1

CVE-2026-12850

GeoVision GV-I/O Box 4E - gateway command execution risk

CVE-2026-12850 affects GeoVision GV-I/O Box 4E devices covered by the June 2026 Talos advisories. Device owners should isolate management access, apply vendor firmware guidance, and review network or relay configuration changes.

2026-06-24 CVSS 9.1

CVE-2026-12851

GeoVision GV-I/O Box 4E - DNS command execution risk

CVE-2026-12851 affects GeoVision GV-I/O Box 4E devices covered by the June 2026 Talos advisories. Device owners should isolate management access, apply vendor firmware guidance, and review network or relay configuration changes.

OpenSSL

Crypto / TLS Library 8 CVEs
2026-06-10 CVSS 7.5

CVE-2026-34183

OpenSSL - QUIC PATH_CHALLENGE memory exhaustion

CVE-2026-34183 affects OpenSSL QUIC stacks where repeated PATH_CHALLENGE handling can exhaust memory. Review custom QUIC clients or servers and update affected OpenSSL branches.

2026-06-09 CVSS 9.8

CVE-2026-45447

OpenSSL - PKCS#7 signature verification use-after-free

CVE-2026-45447 affects applications that process PKCS#7 or S/MIME signed messages through OpenSSL PKCS#7 APIs. Upgrade OpenSSL and review applications that ingest signed email, certificate bundles, or uploaded cryptographic containers.

Public PoC
2026-06-09 CVSS 8.1

CVE-2026-7383

OpenSSL - ASN.1 multibyte string conversion overflow

CVE-2026-7383 is part of the OpenSSL 2026-06-09 advisory. Exposure is narrow and tied to direct ASN1_mbstring_copy style usage with attacker-controlled large input, but operators should still update supported OpenSSL branches.

Public PoC
2026-06-09 CVSS 7.5

CVE-2026-34180

OpenSSL - ASN.1 content parsing heap over-read

CVE-2026-34180 affects applications that pass attacker-supplied data into OpenSSL d2i_* decoding functions. OpenSSL command-line tools are not the main exposure; custom services that decode uploaded certificates or PKCS#7 data need review.

Public PoC
2026-06-09 CVSS 7.5

CVE-2026-45445

OpenSSL - AES-OCB IV handling issue on EVP_Cipher path

CVE-2026-45445 affects applications that drive AES-OCB through the lower-level OpenSSL EVP_Cipher one-shot path. TLS in OpenSSL is not affected, but custom cryptographic integrations should update and review code.

Public PoC
2026-06-09 CVSS 7.5

CVE-2026-9076

OpenSSL - CMS password-based decryption over-read

CVE-2026-9076 affects applications that decrypt untrusted CMS password-recipient data through OpenSSL. Services that accept encrypted CMS files or S/MIME-like input should update and review crash logs.

Public PoC
2026-06-09 CVSS 7.5

CVE-2026-42764

OpenSSL - QUIC server invalid token NULL dereference

CVE-2026-42764 affects OpenSSL QUIC server implementations when address validation is disabled. Default validation is enabled, so review custom QUIC listeners before treating the system as exposed.

Public PoC
2026-06-09 CVSS 7.5

CVE-2026-42765

OpenSSL - OCSP partial-chain verification NULL dereference

CVE-2026-42765 affects applications that enable both OCSP response checking for the whole certificate chain and partial-chain verification. These flags are off by default, but custom certificate-validation code should be checked.

Public PoC

Apache CXF

Java / Web Services 7 CVEs
2026-06-12 CVSS 6.5

CVE-2026-50623

Apache CXF - OAuth2 token introspection authentication bypass

CVE-2026-50623 affects Apache CXF deployments in the June 2026 advisory batch. Check OAuth2, JMS/JCA, JWS JSON, or attachment handling depending on the module in use, then upgrade to 4.2.2 or 4.1.7.

2026-06-12 CVSS 8.2

CVE-2026-50629

Apache CXF - OAuth2 clientId log injection

CVE-2026-50629 affects Apache CXF deployments in the June 2026 advisory batch. Check OAuth2, JMS/JCA, JWS JSON, or attachment handling depending on the module in use, then upgrade to 4.2.2 or 4.1.7.

2026-06-12 CVSS 7.4

CVE-2026-50631

Apache CXF - refresh-token single-use race condition

CVE-2026-50631 affects Apache CXF deployments in the June 2026 advisory batch. Check OAuth2, JMS/JCA, JWS JSON, or attachment handling depending on the module in use, then upgrade to 4.2.2 or 4.1.7.

2026-06-12 CVSS 9.8

CVE-2026-50632

Apache CXF - incomplete JMS RCE fix

CVE-2026-50632 affects Apache CXF deployments in the June 2026 advisory batch. Check OAuth2, JMS/JCA, JWS JSON, or attachment handling depending on the module in use, then upgrade to 4.2.2 or 4.1.7.

2026-06-12 CVSS 9.8

CVE-2026-50633

Apache CXF - JCA JNDI injection

CVE-2026-50633 affects Apache CXF deployments in the June 2026 advisory batch. Check OAuth2, JMS/JCA, JWS JSON, or attachment handling depending on the module in use, then upgrade to 4.2.2 or 4.1.7.

2026-06-12 CVSS 6.5

CVE-2026-50634

Apache CXF - JWS JSON metadata verification gap

CVE-2026-50634 affects Apache CXF deployments in the June 2026 advisory batch. Check OAuth2, JMS/JCA, JWS JSON, or attachment handling depending on the module in use, then upgrade to 4.2.2 or 4.1.7.

2026-06-12 CVSS 7.5

CVE-2026-50645

Apache CXF - attachment header resource exhaustion

CVE-2026-50645 affects Apache CXF deployments in the June 2026 advisory batch. Check OAuth2, JMS/JCA, JWS JSON, or attachment handling depending on the module in use, then upgrade to 4.2.2 or 4.1.7.

ApostropheCMS

Node.js CMS 7 CVEs
2026-06-12 CVSS 9.3

CVE-2026-44990

ApostropheCMS / sanitize-html - sanitizer bypass stored XSS

CVE-2026-44990 affects ApostropheCMS or a common dependency path in June 2026. Check package versions, trusted base URL, editor content, outbound fetch behavior, and password reset events.

Public PoC
2026-06-12 CVSS 7.3

CVE-2026-45011

ApostropheCMS - image widget stored XSS

CVE-2026-45011 affects ApostropheCMS or a common dependency path in June 2026. Check package versions, trusted base URL, editor content, outbound fetch behavior, and password reset events.

Public PoC
2026-06-12 CVSS 7.6

CVE-2026-45012

ApostropheCMS - rich-text import SSRF

CVE-2026-45012 affects ApostropheCMS or a common dependency path in June 2026. Check package versions, trusted base URL, editor content, outbound fetch behavior, and password reset events.

Public PoC
2026-06-12 CVSS 8.1

CVE-2026-45013

ApostropheCMS - password reset Host header account takeover

CVE-2026-45013 affects ApostropheCMS or a common dependency path in June 2026. Check package versions, trusted base URL, editor content, outbound fetch behavior, and password reset events.

Public PoC
2026-06-12 CVSS 3.7

CVE-2026-53607

ApostropheCMS - pretty file URL SSRF exposure

CVE-2026-53607 affects ApostropheCMS or a common dependency path in June 2026. Check package versions, trusted base URL, editor content, outbound fetch behavior, and password reset events.

Public PoC
2026-06-12 CVSS 9.1

CVE-2026-53609

ApostropheCMS - prototype pollution authorization bypass

CVE-2026-53609 affects ApostropheCMS or a common dependency path in June 2026. Check package versions, trusted base URL, editor content, outbound fetch behavior, and password reset events.

Public PoC
2026-06-12 CVSS 8.7

CVE-2026-53608

ApostropheCMS SEO package - stored XSS in tracking fields

CVE-2026-53608 affects ApostropheCMS or a common dependency path in June 2026. Check package versions, trusted base URL, editor content, outbound fetch behavior, and password reset events.

Public PoC

Axios

Node.js / HTTP Client 7 CVEs
2026-06-11 CVSS 8.7

CVE-2026-44494

Axios - Node proxy handling prototype-pollution gadget

CVE-2026-44494 affects Axios 1.0.0 before 1.16.0 when prototype pollution elsewhere can influence Node proxy handling. Patch Axios and review dependencies that can pollute object prototypes.

Public PoC
2026-06-11 CVSS 8.6

CVE-2026-44492

Axios - NO_PROXY IPv4-mapped IPv6 bypass

CVE-2026-44492 affects Axios before 0.32.0 and 1.16.0 in Node proxy bypass logic. Review applications that rely on NO_PROXY for metadata services or internal hosts.

Public PoC
2026-06-11 CVSS 8.2

CVE-2026-44487

Axios - Proxy-Authorization redirect credential leak

CVE-2026-44487 affects Axios Node usage with authenticated proxy flows. Patch and review services that follow redirects while using outbound proxy credentials.

Public PoC
2026-06-11 CVSS 7.5

CVE-2026-44486

Axios - proxy credential leak in redirect handling

CVE-2026-44486 affects Axios Node HTTP adapter behavior around authenticated proxies and redirects. Patch and rotate proxy credentials if suspicious redirect traffic is found.

Public PoC
2026-06-11 CVSS 7.5

CVE-2026-44488

Axios - fetch adapter body limit bypass

CVE-2026-44488 affects Axios 1.7.0 through 1.15.x when the fetch adapter does not enforce configured request or response body limits. Patch and review SSR/edge runtimes.

Public PoC
2026-06-11 CVSS 7.5

CVE-2026-44496

Axios - XSRF cookie-name regex denial of service

CVE-2026-44496 affects Axios browser environments where a configurable XSRF cookie name can trigger expensive cookie parsing. Patch frontend bundles and shared packages.

Public PoC
2026-06-11 CVSS 7.0

CVE-2026-44495

Axios - transformResponse prototype-pollution gadget

CVE-2026-44495 affects Axios versions before 0.31.1 and 1.15.2 where a polluted prototype in the same process can influence response transformation. Patch and audit prototype-pollution sources.

Public PoC

SourceCodester Timetabling

Education / PHP App 7 CVEs
2026-06-08 CVSS 7.5

CVE-2026-11471

SourceCodester Class and Exam Timetabling - index2.php SQL Injection

SourceCodester Class and Exam Timetabling System 1.0 has a SQL injection in login handling. Public school portals should restrict access, inspect SQL handling, and review logs.

Public PoC
2026-06-08 CVSS 7.5

CVE-2026-11472

SourceCodester Class and Exam Timetabling - index1.php SQL Injection

SourceCodester Class and Exam Timetabling System 1.0 has a SQL injection in login handling. Treat internet-exposed installs as at risk until prepared statements and access restrictions are confirmed.

Public PoC
2026-06-08 CVSS 7.5

CVE-2026-11482

SourceCodester Class and Exam Timetabling - archive5.php SQL Injection

SourceCodester Class and Exam Timetabling System 1.0 has a SQL injection in an archive page. This joins the login cluster and should be checked with the same log and prepared-statement review.

Public PoC
2026-06-08 CVSS 7.5

CVE-2026-11483

SourceCodester Class and Exam Timetabling - archive4.php SQL Injection

SourceCodester Class and Exam Timetabling System 1.0 has a SQL injection in an archive page. Check it together with the related archive and login files.

Public PoC
2026-06-08 CVSS 7.5

CVE-2026-11484

SourceCodester Class and Exam Timetabling - archive3.php SQL Injection

SourceCodester Class and Exam Timetabling System 1.0 has a SQL injection in an archive page. Treat exposed school portals as at risk until SQL handling and logs are reviewed.

Public PoC
2026-06-08 CVSS 7.5

CVE-2026-11485

SourceCodester Class and Exam Timetabling - archive2.php SQL Injection

SourceCodester Class and Exam Timetabling System 1.0 has a SQL injection in an archive page. Check file exposure, direct SQL construction, and web logs for archive traffic.

Public PoC
2026-06-08 CVSS 7.5

CVE-2026-11486

SourceCodester Class and Exam Timetabling - archive1.php SQL Injection

SourceCodester Class and Exam Timetabling System 1.0 has a SQL injection in an archive page. Restrict stale installs and review archive endpoints before reopening public access.

Public PoC

JetEngine

WordPress / CMS 6 CVEs
2026-06-17 CVSS 9.3

CVE-2026-49076

JetEngine - unauthenticated SQL injection

CVE-2026-49076 affects JetEngine through 3.8.9.1. Confirm the installed version, patch or disable the component, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

2026-06-17 CVSS 9.3

CVE-2026-49084

JetEngine - unauthenticated SQL injection

CVE-2026-49084 affects JetEngine before 3.8.9.1. Confirm the installed version, patch or disable the component, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

2026-06-17 CVSS 9.3

CVE-2026-54187

JetEngine - unauthenticated SQL injection

CVE-2026-54187 affects JetEngine through 3.8.10.1. Confirm the installed version, patch or disable the component, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

2026-06-17 CVSS 9.8

CVE-2026-49075

JetEngine - contributor PHP object injection

CVE-2026-49075 affects JetEngine through 3.8.9.1. Confirm the installed version, patch or disable the component, and review PHP errors, changed files, and unexpected plugin settings before closing the incident.

2026-06-17 CVSS 9.8

CVE-2026-52706

JetEngine - unauthenticated PHP object injection

CVE-2026-52706 affects JetEngine through 3.8.10. Confirm the installed version, patch or disable the component, and review PHP errors, changed files, and unexpected plugin settings before closing the incident.

Jenkins

CI/CD 6 CVEs
2026-06-24 CVSS 8.8

CVE-2026-57280

Jenkins Script Security Plugin - sandbox constructor bypass

CVE-2026-57280 affects a Jenkins plugin covered by the 2026-06-24 advisory. Patch the plugin, review permissions, and preserve controller logs before cleanup.

2026-06-24 CVSS 7.5

CVE-2026-57281

Jenkins Script Security Plugin - Groovy AST sandbox bypass

CVE-2026-57281 affects a Jenkins plugin covered by the 2026-06-24 advisory. Patch the plugin, review permissions, and preserve controller logs before cleanup.

2026-06-24 CVSS 8.8

CVE-2026-57296

Jenkins External Workspace Manager - controller file read to RCE risk

CVE-2026-57296 affects a Jenkins plugin covered by the 2026-06-24 advisory. Patch the plugin, review permissions, and preserve controller logs before cleanup.

2026-06-24 CVSS 8.8

CVE-2026-57301

Jenkins OWASP ZAP Plugin - controller build execution risk

CVE-2026-57301 affects a Jenkins plugin covered by the 2026-06-24 advisory. Patch the plugin, review permissions, and preserve controller logs before cleanup.

2026-06-24 CVSS 7.1

CVE-2026-57303

Jenkins Assembla Plugin - XXE and SSRF risk

CVE-2026-57303 affects a Jenkins plugin covered by the 2026-06-24 advisory. Patch the plugin, review permissions, and preserve controller logs before cleanup.

2026-06-10 CVSS 8.8

CVE-2026-53435

Jenkins - deserialization vulnerability in config.xml handling

CVE-2026-53435 affects Jenkins weekly through 2.567 and LTS through 2.555.2. Review users with read and configure-style permissions, config.xml changes, credentials, and Script Console activity.

MariaDB Server

Database 6 CVEs
2026-06-12 CVSS 8.0

CVE-2026-44168

MariaDB Server - branch-level server vulnerability

CVE-2026-44168 affects supported MariaDB branches including 10.6, 10.11, 11.4, and 11.8 lines. Confirm the exact server branch, patch to the fixed release, and review database errors or restarts.

2026-06-12 CVSS 6.3

CVE-2026-44170

MariaDB Server - lower-severity branch advisory

CVE-2026-44170 affects MariaDB Server branches tracked in the June 2026 advisory batch. Patch the deployed branch and review logs before closing the maintenance window.

2026-06-12 CVSS 6.9

CVE-2026-44172

MariaDB Server - mysql_real_escape_string edge case

CVE-2026-44172 affects MariaDB client/server behavior around escaped input in specific versions. Patch the affected branch and review applications that build SQL from user input.

2026-06-12 CVSS 8.0

CVE-2026-48163

MariaDB Server - June 2026 high-severity advisory

CVE-2026-48163 affects MariaDB Server versions in the 10.6, 10.11, 11.4, and 11.8 lines. Confirm the running branch, patch, and review service health after restart.

2026-06-12 CVSS 8.0

CVE-2026-48165

MariaDB Server - June 2026 high-severity advisory

CVE-2026-48165 affects MariaDB Server versions in the June 2026 advisory batch. Patch the deployed branch and review database logs and failover events.

2026-06-11 CVSS 10.0

CVE-2026-49261

MariaDB Galera - wsrep_notify_cmd command handling risk

CVE-2026-49261 affects MariaDB Galera deployments with wsrep_notify_cmd enabled on vulnerable versions. Patch to fixed MariaDB lines or disable the setting, then review node-join and service logs.

Public PoC

Node.js

Node.js Runtime 5 CVEs
2026-06-26 CVSS 9.8

CVE-2026-48930

Node.js - authentication boundary risk

CVE-2026-48930 affects Node.js. A flaw in Node.js TLS hostname handling means embedded-nul hostnames can lead to silent authority rebinding due to C-string truncation in resolver bindings. Patch the affected deployment and review runtime logs.

2026-06-26 CVSS 7.7

CVE-2026-48618

Node.js - authentication boundary risk

CVE-2026-48618 affects Node.js. A flaw in Node.js TLS hostname handling means unicode dot separator handling can lead to a TLS wildcard-depth authentication bypass due to a resolver and verifier hostname normalization mismatch. Patch the affected deployment and review runtime logs.

2026-06-26 CVSS 7.5

CVE-2026-48615

Node.js - sensitive data exposure risk

CVE-2026-48615 affects Node.js. A flaw in Node.js proxy tunnel error handling could expose proxy credentials in `ERR_PROXY_TUNNEL` error messages. Patch the affected deployment and review runtime logs.

2026-06-26 CVSS 7.5

CVE-2026-48619

Node.js - availability risk

CVE-2026-48619 affects Node.js. A flaw in Node.js HTTP/2 client allows a server to send an unlimited number of ORIGIN frames, which could lead to an Out of Memory error on the client. Patch the affected deployment and review runtime logs.

2026-06-26 CVSS 7.5

CVE-2026-48933

Node.js - security boundary risk

CVE-2026-48933 affects Node.js. A flaw in Node.js WebCrypto implementation can crash the process if the input of `subtle.encrypt()` is a multiple of 2GiB. Patch the affected deployment and review runtime logs.

wpForo Forum

WordPress / CMS 5 CVEs
2026-06-17 CVSS 9.8

CVE-2026-49767

wpForo Forum - unauthenticated broken authentication

CVE-2026-49767 affects wpForo Forum through 3.1.0. Confirm the installed version, patch or disable the component, and review new sessions, password changes, and account history before closing the incident.

2026-06-15 CVSS 9.3

CVE-2026-40798

wpForo Forum - unauthenticated SQL injection

CVE-2026-40798 affects wpForo Forum through 3.0.4. WordPress sites should patch or disable the component, then review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

2026-06-15 CVSS 9.8

CVE-2026-49769

wpForo Forum - unauthenticated PHP object injection

CVE-2026-49769 affects wpForo Forum through 3.1.0. WordPress sites should patch or disable the component, then review PHP errors, changed files, and unexpected plugin settings before closing the incident.

Dokku

DevOps / Self-hosted 4 CVEs
2026-06-26 CVSS 9.0

CVE-2026-45405

Dokku - authentication boundary risk

CVE-2026-45405 affects Dokku. Dokku is a docker-powered PaaS. Prior to 0.38.2, the git:from-archive and certs:add commands extract user-supplied tar/zip archives into temporary directories without sanitizing member paths or preventing symlink travers... Patch the affected deployment and review workflow and admin logs.

2026-06-26 CVSS 9.0

CVE-2026-45406

Dokku - security boundary risk

CVE-2026-45406 affects Dokku. Dokku is a docker-powered PaaS. Prior to 0.38.2, the openresty-vhosts plugin copies files from an app's openresty/http-includes/ git repository directory to the host and then interpolates their filenames, unescaped, into... Patch the affected deployment and review workflow and admin logs.

2026-06-26 CVSS 9.0

CVE-2026-45408

Dokku - authentication boundary risk

CVE-2026-45408 affects Dokku. Dokku is a docker-powered PaaS. Prior to 0.38.2, the app name validation regex (^[a-z0-9][^/:_A-Z]*$) permits shell metacharacters. When an authenticated user pushes to a git remote with a crafted app name, the name is e... Patch the affected deployment and review workflow and admin logs.

2026-06-26 CVSS 9.0

CVE-2026-54636

Dokku - security boundary risk

CVE-2026-54636 affects Dokku. Dokku is a docker-powered PaaS. Prior to 0.38.7, the cron plugin utilizes commands in the app.json file to manage system cron running as the Dokku user. An app.json cron command utilizing special shell characters - inclu... Patch the affected deployment and review workflow and admin logs.

Simply Schedule Appointments

WordPress / CMS 4 CVEs
2026-06-26 CVSS 7.1

CVE-2026-57317

Simply Schedule Appointments - Unauthenticated Cross Site Scripting (XSS)

CVE-2026-57317 affects Simply Schedule Appointments <= 1.6.12.2. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

2026-06-16 CVSS 7.5

CVE-2026-42384

Simply Schedule Appointments - Sensitive data exposure

CVE-2026-42384 affects Simply Schedule Appointments before 1.6.11.2. Confirm the installed version, patch or disable the plugin, and review exports, orders, form data, bookings, and access logs before closing the incident.

2026-06-16 CVSS 7.1

CVE-2026-39447

Simply Schedule Appointments - Cross-site scripting

CVE-2026-39447 affects Simply Schedule Appointments through 1.6.10.6. Confirm the installed version, patch or disable the plugin, and review stored content, redirects, admin sessions, and suspicious script injections before closing the incident.

2026-06-15 CVSS 9.3

CVE-2026-39493

Simply Schedule Appointments - unauthenticated SQL injection

CVE-2026-39493 affects Simply Schedule Appointments through 1.6.9.27. WordPress sites should patch or disable the component, then review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

EventPrime

WordPress / CMS 4 CVEs
2026-06-16 CVSS 8.1

CVE-2026-42687

EventPrime - PHP object injection

CVE-2026-42687 affects EventPrime through 4.3.2.1. Confirm the installed version, patch or disable the plugin, and review PHP errors, changed files, and unexpected plugin settings before closing the incident.

2026-06-16 CVSS 7.1

CVE-2026-42686

EventPrime - Cross-site scripting

CVE-2026-42686 affects EventPrime through 4.3.2.1. Confirm the installed version, patch or disable the plugin, and review stored content, redirects, admin sessions, and suspicious script injections before closing the incident.

wolfSSL

Apache / Crypto 4 CVEs
2026-06-25 CVSS 8.7

CVE-2026-11310

wolfSSL - trust validation risk

CVE-2026-11310 affects wolfSSL. X.509 trust-chain bypass in the OpenSSL compatibility certificate verifier (wolfSSL_X509_verify_cert()). This affects only builds with --enable-opensslextra (OPENSSL_EXTRA) and whose application validates certificates by... Patch the affected deployment and review trust and service logs.

2026-06-25 CVSS 8.2

CVE-2026-11999

wolfSSL - trust validation risk

CVE-2026-11999 affects wolfSSL. X.509 trust-chain bypass (path-depth exhaustion) in the OpenSSL compatibility certificate verifier (wolfSSL_X509_verify_cert()). This affects only builds with --enable-opensslextra whose application calls X509_verify_cer... Patch the affected deployment and review trust and service logs.

2026-06-25 CVSS 8.2

CVE-2026-55961

wolfSSL - trust validation risk

CVE-2026-55961 affects wolfSSL. wolfSSL_PKCS7_verify() returning success for a degenerate (certs-only) PKCS#7 object that contains no signer. Such an object has empty signerInfos, so the underlying signed-data verification succeeds without authenticati... Patch the affected deployment and review trust and service logs.

2026-06-25 CVSS 6.3

CVE-2026-55964

wolfSSL - trust validation risk

CVE-2026-55964 affects wolfSSL. Chain intermediate CA:TRUE without keyCertSign accepted as a signing CA. Intermediate CA certificates are required to have the keyCertSign key usage when a Key Usage extension is present, but chain-supplied temporary CAs... Patch the affected deployment and review trust and service logs.

Rocket.Chat

Chat / Collaboration 4 CVEs
2026-06-24 CVSS 9.1

CVE-2026-45688

Rocket.Chat - CAS login NoSQL authorization bypass risk

CVE-2026-45688 affects Rocket.Chat before 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11. Review SSO login events and active sessions after patching.

Public PoC
2026-06-24 CVSS 9.1

CVE-2026-45689

Rocket.Chat - OAuth token NoSQL authorization bypass risk

CVE-2026-45689 affects Rocket.Chat before 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11. Review OAuth tokens, app installs, and administrator activity.

Public PoC
2026-06-24 CVSS 8.5

CVE-2026-45687

Rocket.Chat - file upload record authorization bypass risk

CVE-2026-45687 affects Rocket.Chat before 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11. Review upload records, DDP events, and file storage changes.

Public PoC
2026-06-17 CVSS 9.3

CVE-2026-48616

Rocket.Chat - Livechat protected file access control issue

CVE-2026-48616 affects Rocket.Chat Livechat file download authorization in multiple branches before the fixed releases. Patch and review protected file download logs.

Crawl4AI

AI / Web Crawler 4 CVEs
2026-06-24 CVSS 6.9

CVE-2026-56262

Crawl4AI - unauthenticated monitor endpoint access

CVE-2026-56262 affects Crawl4AI before 0.8.7. Operators should patch, require authentication, review monitor endpoint access, and preserve crawl service logs.

Public PoC
2026-06-23 CVSS 9.8

CVE-2026-53753

Crawl4AI - computed field sandbox escape RCE risk

CVE-2026-53753 affects Crawl4AI before 0.8.7 when computed field expression handling can escape the intended sandbox. Patch, enable authentication, and review crawl jobs and container logs.

Public PoC
2026-06-23 CVSS 7.5

CVE-2026-53754

Crawl4AI - Docker API SSRF filter bypass

CVE-2026-53754 affects Crawl4AI before 0.8.8 when Docker API SSRF protection misses several internal address forms. Patch, enable authentication, and review outbound access from the container.

Public PoC
2026-06-21 CVSS 9.8

CVE-2026-56265

Crawl4AI - Docker API authentication bypass

CVE-2026-56265 affects Crawl4AI before 0.8.7 when the Docker API server uses a default JWT signing key. Patch, rotate secrets, and review API access logs before re-exposing the service.

Public PoC

Revive Adserver

PHP / Ad Server 4 CVEs
2026-06-23 CVSS 8.3

CVE-2026-34914

Revive Adserver - Blind SQL injection in zone-include.php clientid handling

CVE-2026-34914 affects Revive Adserver 6.0.6 and earlier. Patch to 6.0.7 or newer, restrict low-privilege account access during review, and check zone-include.php clientid handling, database errors, and delivery logs.

Public PoC
2026-06-23 CVSS 6.1

CVE-2026-34915

Revive Adserver - Reflected XSS in zone-include.php clientid handling

CVE-2026-34915 affects Revive Adserver 6.0.6 and earlier. Patch to 6.0.7 or newer, restrict low-privilege account access during review, and check admin browser exposure, zone-include.php access logs, and unusual links.

Public PoC
2026-06-23 CVSS 8.8

CVE-2026-34916

Revive Adserver - PHP code injection through delivery limitation logical parameter

CVE-2026-34916 affects Revive Adserver 6.0.6 and earlier. Patch to 6.0.7 or newer, restrict low-privilege account access during review, and check delivery limitation changes, compiledlimitations records, and banner delivery logs.

Public PoC
2026-06-23 CVSS 8.8

CVE-2026-44959

Revive Adserver - PHP code injection through unexpected delivery limitation component

CVE-2026-44959 affects Revive Adserver 6.0.6 and earlier. Patch to 6.0.7 or newer, restrict low-privilege account access during review, and check unexpected limitation parameters, compiledlimitations records, and PHP error logs.

Public PoC

Filament

PHP / Laravel Admin 4 CVEs
2026-06-22 CVSS 6.5

CVE-2026-48500

Filament auth pages - unauthenticated temporary file upload exposure

CVE-2026-48500 affects Filament auth-page schemas that unintentionally expose Livewire temporary upload handling. Patch and review temporary upload directories, disk growth, and auth-page access logs.

Public PoC

AVideo

PHP / Video Platform 4 CVEs
2026-06-20 CVSS 9.2

CVE-2026-56345

AVideo - Meet plugin authorization bypass and account takeover risk

CVE-2026-56345 affects AVideo through 29.0. Check the installed version, restrict exposed plugins during patching, and review Meet plugin settings, recorded-video uploads, user sessions, and admin logins.

Public PoC
2026-06-20 CVSS 8.7

CVE-2026-56341

AVideo - payment plugin information disclosure

CVE-2026-56341 affects AVideo through 26.0. Check the installed version, restrict exposed plugins during patching, and review payment plugin logs, PayPal or Authorize.Net records, and Bitcoin transaction records.

Public PoC
2026-06-20 CVSS 6.9

CVE-2026-56346

AVideo - message decryption authorization gap

CVE-2026-56346 affects AVideo through 25.0. Check the installed version, restrict exposed plugins during patching, and review message plugin usage, server logs, and unusual resource spikes.

Public PoC
2026-06-20 CVSS 6.8

CVE-2026-56342

AVideo - Live plugin server-side request forgery risk

CVE-2026-56342 affects AVideo through 27.0. Check the installed version, restrict exposed plugins during patching, and review Live plugin settings, outbound requests, and admin activity.

Public PoC

MISP

PHP / Threat Intelligence 4 CVEs
2026-06-22 CVSS 9.4

CVE-2026-56422

MISP - mass assignment and object re-ownership

CVE-2026-56422 affects MISP through 2.5.41. Authenticated users may be able to cause saves against objects outside the row checked by authorization. Patch and review ownership, sharing scope, event, proposal, and organisation changes.

Public PoC
2026-06-22 CVSS 9.3

CVE-2026-56425

MISP AAD auth - OAuth state and session hardening issue

CVE-2026-56425 affects the MISP Azure Active Directory authentication plugin. Operators should patch the AAD auth fix, enforce HTTPS redirect URIs, rotate exposed sessions if needed, and review OAuth callback logs.

Public PoC
2026-06-22 CVSS 8.7

CVE-2026-56446

MISP JsonLogTool - arbitrary NDJSON log path RCE risk

CVE-2026-56446 affects MISP JsonLogTool log destination handling. Site administrators should patch, verify log files stay under approved log directories, and review recent webroot writes before closing the incident.

Public PoC
2026-06-12 CVSS 8.4

CVE-2026-54360

MISP - sharing group mass assignment issue

CVE-2026-54360 affects MISP sharing group creation. Operators should patch, then review sharing group IDs, ownership, membership, and event visibility around the advisory window.

Cotonti

PHP / Self-hosted App 4 CVEs
2026-06-18 CVSS 7.6

CVE-2026-55746

Cotonti - stored XSS in personal file storage

CVE-2026-55746 affects Cotonti 1.0.0 master branch. Patch or remove public exposure, preserve logs, and review PFS folder titles and user-uploaded content.

Public PoC
2026-06-18 CVSS 8.8

CVE-2026-55741

Cotonti - administration configuration CSRF

CVE-2026-55741 affects Cotonti 1.0.0 master branch. Patch or remove public exposure, preserve logs, and review configuration changes and admin sessions.

Public PoC
2026-06-18 CVSS 9.6

CVE-2026-55742

Cotonti - administration rights CSRF

CVE-2026-55742 affects Cotonti 1.0.0 master branch. Patch or remove public exposure, preserve logs, and review rights changes, group permissions, and admin sessions.

Public PoC
2026-06-18 CVSS 8.6

CVE-2026-55744

Cotonti - personal file storage CSRF

CVE-2026-55744 affects Cotonti 1.0.0 master branch. Patch or remove public exposure, preserve logs, and review PFS uploads, changed files, and user sessions.

Public PoC

Parse Server

Node.js / Backend 4 CVEs
2026-06-12 CVSS 8.7

CVE-2026-47138

Parse Server - unauthenticated API exposure

CVE-2026-47138 affects Parse Server deployments in the June 2026 batch. Check version state, public API routes, GraphQL exposure, and server logs before closing the issue.

2026-06-12 CVSS 6.9

CVE-2026-47248

Parse Server - GraphQL endpoint exposure

CVE-2026-47248 affects Parse Server deployments in the June 2026 batch. Check version state, public API routes, GraphQL exposure, and server logs before closing the issue.

2026-06-12 CVSS 6.9

CVE-2026-50008

Parse Server - routeAllowList bypass condition

CVE-2026-50008 affects Parse Server deployments in the June 2026 batch. Check version state, public API routes, GraphQL exposure, and server logs before closing the issue.

2026-06-12 CVSS 6.9

CVE-2026-53726

Parse Server - relation query exposure

CVE-2026-53726 affects Parse Server deployments in the June 2026 batch. Check version state, public API routes, GraphQL exposure, and server logs before closing the issue.

Lyrion Music Server

Media Server / Self-hosted 4 CVEs
2026-06-05 CVSS 8.7

CVE-2026-50234

Lyrion Music Server 9.2.0 - unauthenticated path traversal file read

CVE-2026-50234 affects Lyrion Music Server through 9.2.0. Public web UI or CLI exposure should be closed, logs reviewed, and the server moved back to a stable or fixed build.

Public PoC
2026-06-05 CVSS 6.9

CVE-2026-50233

Lyrion Music Server 9.2.0 - arbitrary directory listing

CVE-2026-50233 affects Lyrion Music Server through 9.2.0. Operators should check web UI and CLI exposure, especially public access to management and library-browsing surfaces.

Public PoC
2026-06-05 CVSS 5.1

CVE-2026-50232

Lyrion Music Server 9.2.0 - stored XSS through media metadata

CVE-2026-50232 affects Lyrion Music Server through 9.2.0 when untrusted media metadata is rendered in the web interface. Review recent library additions and keep the admin UI restricted.

Public PoC
2026-06-05 CVSS 5.1

CVE-2026-50231

Lyrion Music Server 9.2.0 - stored XSS in server log viewer

CVE-2026-50231 affects Lyrion Music Server through 9.2.0 through server log viewer rendering. Operators should restrict UI access and avoid opening suspicious logs from exposed hosts.

Public PoC

Blocksy Companion Pro

WordPress / CMS 3 CVEs
2026-06-26 CVSS 8.5

CVE-2026-57315

Blocksy Companion Pro - Contributor Remote Code Execution

CVE-2026-57315 affects Blocksy Companion Pro <= 2.1.45. Site owners should patch the component, preserve logs, and review logs and users before closing the issue.

2026-06-17 CVSS 9.3

CVE-2026-39596

Blocksy Companion Pro - unauthenticated SQL injection

CVE-2026-39596 affects Blocksy Companion Pro before 2.1.29. Confirm the installed version, patch or disable the component, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

2026-06-17 CVSS 9.9

CVE-2026-40783

Blocksy Companion Pro - contributor remote code execution

CVE-2026-40783 affects Blocksy Companion Pro through 2.1.37. Confirm the installed version, patch or disable the component, and review changed files, cron jobs, users, and web server logs before closing the incident.

Public PoC

Newsletters

WordPress / CMS 3 CVEs
2026-06-26 CVSS 8.1

CVE-2026-57645

Newsletters - newsletters_subscribers Broken Access Control

CVE-2026-57645 affects Newsletters <= 4.13. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

2026-06-26 CVSS 7.3

CVE-2026-54840

Newsletters - Unauthenticated Broken Access Control

CVE-2026-54840 affects Newsletters <= 4.13. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

2026-06-10 CVSS 7.5

CVE-2026-3018

Newsletters - unauthenticated SQL injection

CVE-2026-3018 affects the Newsletters WordPress plugin through 4.13. Review subscriber actions, access logs, database errors, and patch before relying on firewall filtering.

GitLab

DevOps / Git Hosting 3 CVEs
2026-06-25 CVSS 8.0

CVE-2026-10712

GitLab CE/EE - path validation cross-site scripting risk

CVE-2026-10712 is covered by GitLab's 2026-06-25 patch release. Check the deployed branch, apply the fixed release, and review project activity, user sessions, and sensitive output exposure where relevant.

2026-06-25 CVSS 8.6

CVE-2026-12053

GitLab EE - Duo Workflows output filtering information exposure

CVE-2026-12053 is covered by GitLab's 2026-06-25 patch release. Check the deployed branch, apply the fixed release, and review project activity, user sessions, and sensitive output exposure where relevant.

2026-06-25 CVSS 8.7

CVE-2026-10086

GitLab EE - developer-role stored client-side code risk

CVE-2026-10086 is covered by GitLab's 2026-06-25 patch release. Check the deployed branch, apply the fixed release, and review project activity, user sessions, and sensitive output exposure where relevant.

n8n

Workflow Automation 3 CVEs
2026-06-24 CVSS 8.2

CVE-2026-56351

n8n - SQL node identifier injection risk

CVE-2026-56351 affects n8n before 2.4.0 in MySQL, PostgreSQL, and Microsoft SQL nodes. Review workflow editors, SQL node configuration, database logs, and connected credentials.

Public PoC
2026-06-23 CVSS 6.5

CVE-2026-54313

n8n MongoDB node - Find And Replace NoSQL injection

CVE-2026-54313 affects n8n before 2.24.0 when MongoDB node Find And Replace filters can be shaped by a workflow editor. Patch and review workflows that use MongoDB operations.

Public PoC

Ghost CMS

Node.js CMS 3 CVEs
2026-06-24 CVSS 9.6

CVE-2026-53943

Ghost CMS - shared cache preview poisoning risk

CVE-2026-53943 affects Ghost before 6.37.0 in shared-cache deployments. Review cache rules, preview headers, staff sessions, and frontend/admin domain separation.

Public PoC

Cornerstone

WordPress Plugin 3 CVEs
2026-06-17 CVSS 8.5

CVE-2026-49113

Cornerstone - Arbitrary code execution

CVE-2026-49113 affects Cornerstone before 7.8.8. Confirm the installed version, patch or disable the component, and review users, files, logs, and plugin settings before closing the incident.

2026-06-17 CVSS 8.5

CVE-2026-54185

Cornerstone - SQL injection

CVE-2026-54185 affects Cornerstone before 7.8.8. Confirm the installed version, patch or disable the component, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

Capgo

DevOps / Deployment Platform 3 CVEs
2026-06-23 CVSS 8.7

CVE-2026-56248

Capgo - audit_logs RLS unauthenticated DoS risk

CVE-2026-56248 affects Capgo backend before 12.128.12 through costly audit_logs RLS behavior exposed via Supabase PostgREST. Patch and review database timeouts and public anon-key access.

Public PoC
2026-06-22 CVSS 7.1

CVE-2026-56221

Capgo - Cloudflare Analytics Engine SQL injection

CVE-2026-56221 affects Capgo before 12.128.2 where API-supplied analytics filters can reach Cloudflare Analytics Engine SQL query construction. Patch and review API keys, analytics access, and tenant data exposure.

Public PoC
2026-06-20 CVSS 6.9

CVE-2026-56282

Capgo - unauthenticated PostgreSQL replication telemetry disclosure

CVE-2026-56282 affects Capgo before 12.128.2. Patch or remove public exposure, preserve logs, and review replication endpoint exposure, PostgreSQL logs, and deployment telemetry.

Public PoC

ProxySQL

Database / Proxy 3 CVEs
2026-06-19 CVSS 10.0

CVE-2026-48772

ProxySQL - MySQL frontend memory corruption risk

CVE-2026-48772 affects ProxySQL 2.0.0 through 3.0.8. Patch to 3.0.9 or newer, restrict exposed listeners, and review ProxySQL listeners, crashes, restarts, and frontend access.

2026-06-19 CVSS 9.8

CVE-2026-48773

ProxySQL - pre-authentication memory corruption risk

CVE-2026-48773 affects ProxySQL 2.0.18 through 3.0.8. Patch to 3.0.9 or newer, restrict exposed listeners, and review ProxySQL process crashes, listener exposure, and connection spikes.

2026-06-19 CVSS 7.5

CVE-2026-48774

ProxySQL - GenAI/MCP read-only contract violation

CVE-2026-48774 affects ProxySQL 3.0.0 through 3.0.8. Patch to 3.0.9 or newer, restrict exposed listeners, and review MCP/GenAI settings, tool logs, and database write activity.

pgAdmin 4

PostgreSQL / Admin Tool 3 CVEs
2026-06-19 CVSS 9.4

CVE-2026-12045

pgAdmin 4 - AI Assistant SQL safety bypass

CVE-2026-12045 affects pgAdmin 4 9.13 before 9.16. Upgrade to pgAdmin 4 9.16 or newer, then review AI Assistant use, database role privileges, and pgAdmin logs.

Public PoC
2026-06-19 CVSS 9.3

CVE-2026-12048

pgAdmin 4 - stored XSS in error and plan rendering

CVE-2026-12048 affects pgAdmin 4 6.0 before 9.16. Upgrade to pgAdmin 4 9.16 or newer, then review connected server names, object names, and user browser sessions.

Public PoC
2026-06-19 CVSS 8.8

CVE-2026-12044

pgAdmin 4 - SQL injection in dialog template rendering

CVE-2026-12044 affects pgAdmin 4 1.0 before 9.16. Upgrade to pgAdmin 4 9.16 or newer, then review object descriptions, database role permissions, and pgAdmin activity.

Public PoC

Webmin

Server Control Panel 3 CVEs
2026-06-18 CVSS 9.2

CVE-2026-56020

Webmin - SSL client certificate impersonation risk

CVE-2026-56020 affects Webmin before 2.641. Patch to 2.641 or newer, restrict the Webmin listener, and review login history, miniserv configuration, and certificate-auth users.

Public PoC
2026-06-18 CVSS 6.9

CVE-2026-56021

Webmin - module configuration file read risk

CVE-2026-56021 affects Webmin before 2.641. Patch to 2.641 or newer, restrict the Webmin listener, and review module access, unexpected reads, and exposed configuration.

Public PoC
2026-06-18 CVSS 6.9

CVE-2026-56022

Webmin - MFA/session bypass risk

CVE-2026-56022 affects Webmin before 2.641. Patch to 2.641 or newer, restrict the Webmin listener, and review MFA settings, session logs, and authentication sources.

Public PoC

Eclipse Theia

Developer / AI Tooling 3 CVEs
2026-06-18 CVSS 8.4

CVE-2026-44688

Eclipse Theia - AI chat workspace prompt-context risk

CVE-2026-44688 affects Eclipse Theia before 1.71.0. Review workspace trust, AI agent settings, and opened repositories, then apply the vendor fix or remove the risky exposure until patched.

Public PoC
2026-06-18 CVSS 8.4

CVE-2026-44691

Eclipse Theia - workspace task execution risk

CVE-2026-44691 affects Eclipse Theia before 1.69.0. Review workspace trust, task definitions, and AI tool confirmation, then apply the vendor fix or remove the risky exposure until patched.

Public PoC
2026-06-18 CVSS 8.4

CVE-2026-46580

Eclipse Theia - workspace prompt template risk

CVE-2026-46580 affects Eclipse Theia before 1.71.0. Review prompt template folders, workspace trust, and AI agent settings, then apply the vendor fix or remove the risky exposure until patched.

Public PoC

NGINX

Web Server / Edge 3 CVEs
2026-06-17 CVSS 9.2

CVE-2026-42055

NGINX - HTTP/2 proxy and gRPC module request handling risk

CVE-2026-42055 affects NGINX proxy and gRPC module configurations in the June 2026 F5 advisory. Review HTTP/2 proxying, gRPC exposure, and edge logs before closing.

2026-06-17 CVSS 9.2

CVE-2026-42530

NGINX - HTTP/3 QUIC module request handling risk

CVE-2026-42530 affects NGINX HTTP/3 QUIC module deployments. Operators should confirm whether HTTP/3 is enabled, patch, and review edge stability and request logs.

2026-05-13 CVSS 9.2

CVE-2026-42945

NGINX Rift - 18-Year-Old RCE in ngx_http_rewrite_module

Heap buffer overflow in ngx_http_rewrite_module. Risk rises on systems using the affected rewrite configuration pattern. The flaw has been in the codebase since 2008 and affects ~1/3 of all websites.

Public PoC

WP Review Slider Pro

WordPress / Plugin 3 CVEs
2026-06-16 CVSS 8.8

CVE-2026-8443

WP Review Slider Pro - SQL injection

CVE-2026-8443 affects WP Review Slider Pro through 12.6.8. Confirm the installed version, patch or disable the plugin, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

Public PoC
2026-06-16 CVSS 8.8

CVE-2026-8444

WP Review Slider Pro - SQL injection

CVE-2026-8444 affects WP Review Slider Pro through 12.6.8. Confirm the installed version, patch or disable the plugin, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

2026-06-16 CVSS 8.1

CVE-2026-8442

WP Review Slider Pro - Arbitrary file deletion

CVE-2026-8442 affects WP Review Slider Pro through 12.6.8. Confirm the installed version, patch or disable the plugin, and review missing plugin files, media files, and backups before closing the incident.

Hippoo Mobile App for WooCommerce

WordPress / Ecommerce 3 CVEs
2026-06-16 CVSS 8.2

CVE-2026-49065

Hippoo Mobile App for WooCommerce - Broken access control

CVE-2026-49065 affects Hippoo Mobile App for WooCommerce through 1.9.5. Confirm the installed version, patch or disable the plugin, and review new sessions, booking records, order changes, and account history before closing the incident.

2026-06-11 CVSS 9.8

CVE-2026-49060

Hippoo Mobile App for WooCommerce - privilege escalation

CVE-2026-49060 affects Hippoo Mobile App for WooCommerce through 1.9.4. Store owners should patch, review administrator and shop manager accounts, mobile app API activity, and recent order-setting changes.

2026-06-05 CVSS 9.8

CVE-2026-10580

Hippoo Mobile App for WooCommerce - unauthenticated admin takeover

CVE-2026-10580 affects Hippoo Mobile App for WooCommerce through 1.9.4. Public stores should update to 1.9.5 or newer, review administrator accounts, WooCommerce API activity, password resets, and payment settings.

AutomatorWP

WordPress / Plugin 3 CVEs
2026-06-16 CVSS 7.2

CVE-2026-42650

AutomatorWP - Cross-site scripting

CVE-2026-42650 affects AutomatorWP through 5.6.7. Confirm the installed version, patch or disable the plugin, and review stored content, redirects, admin sessions, and suspicious script injections before closing the incident.

2026-06-16 CVSS 7.1

CVE-2026-42775

AutomatorWP - Cross-site scripting

CVE-2026-42775 affects AutomatorWP through 5.7.2. Confirm the installed version, patch or disable the plugin, and review stored content, redirects, admin sessions, and suspicious script injections before closing the incident.

Spring Framework

Java / Framework 3 CVEs
2026-06-09 CVSS 7.5

CVE-2026-41849

Spring Framework - SpEL expression parsing denial of service

CVE-2026-41849 is a Spring Framework SpEL denial-of-service issue. Teams should upgrade Spring Framework, check whether user-controlled expressions are evaluated, and review API logs for repeated parser-heavy requests.

2026-06-09 CVSS 7.5

CVE-2026-41850

Spring Framework - SpEL evaluation denial of service

CVE-2026-41850 is paired with the Spring Framework SpEL DoS advisory set. It is not an Express RCE issue; the practical action is patching Spring and removing user-controlled expression evaluation paths.

2026-06-08 CVSS 5.3

CVE-2026-41851

Spring Framework - SpEL unbounded cache denial of service

CVE-2026-41851 affects Spring Framework applications that accept user-controlled SpEL expressions and cache parsed expressions. Check rule/formula features, upgrade Spring, and review memory alerts.

ClipBucket v5

PHP / Video CMS 3 CVEs
2026-06-11 CVSS 9.8

CVE-2026-45060

ClipBucket v5 - unauthenticated SQL injection in video progress handling

CVE-2026-45060 affects ClipBucket v5 before 5.5.3 #129. Public video-sharing installs should patch, review anonymous video progress traffic, database access logs, and unexpected admin or media changes.

Public PoC
2026-06-11 CVSS 8.8

CVE-2026-45418

ClipBucket v5 - authenticated SQL injection in subtitle editing

CVE-2026-45418 affects ClipBucket v5 before 5.5.3 #132 when users can upload videos and edit subtitles. Review uploader accounts, subtitle changes, database logs, and media admin actions.

Public PoC
2026-06-11 CVSS 6.5

CVE-2026-47238

ClipBucket v5 - subtitle authorization weakness

CVE-2026-47238 is a medium-severity ClipBucket v5 authorization issue around subtitle management. Track it with the ClipBucket 5.5.3 patch set and review subtitle edit/delete history.

Public PoC

image-size

Node.js / Image Processing 3 CVEs
2026-06-10 CVSS 8.7

CVE-2025-71319

image-size - JXL/HEIF parser infinite loop

CVE-2025-71319 affects image-size through 2.0.2. Node.js apps that inspect untrusted JXL or HEIF uploads should patch or isolate image parsing workers.

Public PoC
2026-06-10 CVSS 8.7

CVE-2025-71329

image-size - JXL/HEIF parser infinite loop variant

CVE-2025-71329 affects image-size through 2.0.2 in JXL/HEIF parsing. Review user upload pipelines, background image processors, and server-side metadata extraction.

Public PoC
2026-06-10 CVSS 8.7

CVE-2025-71330

image-size - ICNS parser infinite loop

CVE-2025-71330 affects image-size through 2.0.2 in ICNS parsing. Isolate image metadata extraction when accepting untrusted uploads.

Public PoC

GitLab EE

DevOps / GitLab 3 CVEs
2026-06-11 CVSS 8.7

CVE-2026-6552

GitLab EE - Group SAML identity management access control issue

CVE-2026-6552 affects GitLab EE Group SAML identity management. Self-managed GitLab owners should upgrade and review group Owner activity, SAML mappings, and recent identity changes.

2026-06-11 CVSS 8.7

CVE-2026-10087

GitLab EE - Analytics Dashboard XSS

CVE-2026-10087 affects GitLab EE Analytics Dashboard. Upgrade and review developer-role users, analytics dashboard activity, and unusual browser-session events.

2026-06-11 CVSS 7.3

CVE-2026-8589

GitLab EE - group setting HTML injection

CVE-2026-8589 affects GitLab EE group setting fields. Upgrade and review group-setting changes, unexpected email additions, and high-privilege group activity.

Invoice Generator

WordPress / CMS 2 CVEs
2026-06-27 CVSS 9.8

CVE-2026-12415

Invoice Generator - unauthenticated privilege escalation

CVE-2026-12415 affects the Invoice Generator plugin for WordPress through 1.0.0. Site owners should patch or disable the plugin, review administrator email changes, password reset events, and new sessions before closing the incident.

2026-06-24 CVSS 9.8

CVE-2026-12416

Invoice Generator - password reset account takeover risk

CVE-2026-12416 affects the WordPress Invoice Generator plugin through 1.0.0. Site owners should patch or remove the plugin, review administrator password reset activity, and rotate credentials if account changes look suspicious.

Dokan

WordPress / WooCommerce 2 CVEs
2026-06-27 CVSS 6.4

CVE-2026-11783

Dokan - stored XSS via product SKU rendering

CVE-2026-11783 affects Dokan for WordPress through 5.0.4. Marketplace owners should patch Dokan, review vendor product SKU changes, storefront search output, cached product fragments, and administrator sessions opened during the exposure window.

2026-06-15 CVSS 8.8

CVE-2026-49780

Dokan - customer privilege escalation

CVE-2026-49780 affects Dokan through 5.0.2. WordPress owners should confirm the plugin version, patch or disable the component, and review new users, role changes, and administrator sessions before closing the incident.

Kestra

DevOps / Self-hosted 2 CVEs
2026-06-26 CVSS 10.0

CVE-2026-53576

Kestra - authentication boundary risk

CVE-2026-53576 affects Kestra. Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, the authentication filter for the REST API (@Filter("/api/v1/**")) treats any request whose path ends in /configs as the public i... Patch the affected deployment and review workflow and admin logs.

2026-06-26 CVSS 8.7

CVE-2026-55069

Kestra - privilege escalation risk

CVE-2026-55069 affects Kestra. Kestra is an open-source, event-driven orchestration platform. Prior to 1.3.24, this vulnerability exists in the BasicAuth authentication component of the Kestra OSS workflow orchestration platform. An attacker who gains... Patch the affected deployment and review workflow and admin logs.

OpenProject

DevOps / Self-hosted 2 CVEs
2026-06-26 CVSS 9.9

CVE-2026-46386

OpenProject - security boundary risk

CVE-2026-46386 affects OpenProject Docker deployments that inherited an unsafe default application secret configuration. Patch the affected deployment and review workflow and admin logs.

2026-06-26 CVSS 8.2

CVE-2026-52783

OpenProject - authentication boundary risk

CVE-2026-52783 affects OpenProject. OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, OpenProject's Storages module writes the OneDrive/SharePoint userless OAuth access_token plaintext to Rails.cache under the d... Patch the affected deployment and review workflow and admin logs.

Dokan Pro

WordPress / CMS 2 CVEs
2026-06-25 CVSS 7.5

CVE-2026-12077

Dokan Pro - unauthenticated SQL injection data exposure risk

CVE-2026-12077 affects Dokan Pro for WordPress through 5.0.4. Marketplace owners should patch, review vendor/store pages, database errors, and unusual requests around location-based filtering.

wpDataTables

WordPress / CMS 2 CVEs
2026-06-17 CVSS 9.3

CVE-2026-49080

wpDataTables - unauthenticated SQL injection

CVE-2026-49080 affects wpDataTables through 7.3.6. Confirm the installed version, patch or disable the component, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

GeoDirectory

WordPress / CMS 2 CVEs
2026-06-15 CVSS 9.3

CVE-2026-39512

GeoDirectory - unauthenticated SQL injection

CVE-2026-39512 affects GeoDirectory through 2.8.152. WordPress sites should patch or disable the component, then review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

JetSmartFilters

WordPress / CMS 2 CVEs
2026-06-17 CVSS 9.3

CVE-2026-48875

JetSmartFilters - unauthenticated SQL injection

CVE-2026-48875 affects JetSmartFilters through 3.8.1. Confirm the installed version, patch or disable the component, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

Apache IoTDB

Apache / Crypto 2 CVEs
2026-06-26 CVSS 9.1

CVE-2025-55017

Apache IoTDB - path traversal risk

CVE-2025-55017 affects Apache IoTDB. Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache IoTDB. Patch the affected deployment and review trust and service logs.

2026-06-26 CVSS 9.1

CVE-2025-64152

Apache IoTDB - path traversal risk

CVE-2025-64152 affects Apache IoTDB. Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache IoTDB. Patch the affected deployment and review trust and service logs.

Fusion Builder

WordPress / CMS 2 CVEs
2026-06-26 CVSS 8.8

CVE-2026-56008

Fusion Builder - Contributor Privilege Escalation

CVE-2026-56008 affects Fusion Builder <= 3.15.4. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

2026-06-17 CVSS 9.8

CVE-2026-54194

Fusion Builder - contributor PHP object injection

CVE-2026-54194 affects Fusion Builder through 3.15.4. Confirm the installed version, patch or disable the component, and review PHP errors, changed files, and unexpected plugin settings before closing the incident.

Groundhogg

WordPress / CMS 2 CVEs

H5P

WordPress / CMS 2 CVEs

User Registration

WordPress / CMS 2 CVEs
2026-06-26 CVSS 6.5

CVE-2026-52701

User Registration - Unauthenticated Broken Access Control

CVE-2026-52701 affects User Registration <= 5.2.2. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

2026-06-16 CVSS 7.5

CVE-2026-25425

User Registration - Broken access control

CVE-2026-25425 affects User Registration through 5.1.2. Confirm the installed version, patch or disable the plugin, and review new sessions, booking records, order changes, and account history before closing the incident.

Apache Kvrocks

Runtime / Watch 2 CVEs
2026-06-25 CVSS 10.0

CVE-2026-46752

Apache Kvrocks - security boundary risk

CVE-2026-46752 affects Apache Kvrocks. Redis Lua HEAP overflow in cjson library vulnerability in Apache Kvrocks. Patch the affected deployment and review component presence.

2026-06-25 CVSS 9.4

CVE-2026-41566

Apache Kvrocks - security boundary risk

CVE-2026-41566 affects Apache Kvrocks. Improper Handling of Insufficient Permissions or Privileges vulnerability in Apache Kvrocks. Patch the affected deployment and review component presence.

MDTF

WordPress / CMS 2 CVEs

JS Help Desk

WordPress / CMS 2 CVEs
2026-06-25 CVSS 7.7

CVE-2026-56054

JS Help Desk - Subscriber Arbitrary File Deletion

CVE-2026-56054 affects JS Help Desk <= 3.1.1. Site owners should patch the component, preserve logs, and review files and uploads before closing the issue.

2026-06-15 CVSS 9.3

CVE-2026-48886

JS Help Desk - unauthenticated SQL injection

CVE-2026-48886 affects JS Help Desk through 3.0.9. WordPress sites should patch or disable the component, then review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

relibc

Runtime / Watch 2 CVEs
2026-06-25 CVSS 7.5

CVE-2026-38637

relibc - availability risk

CVE-2026-38637 affects relibc. An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of Service (DoS) via a crafted input. Patch the affected deployment and review component presence.

2026-06-25 CVSS 7.5

CVE-2026-38640

relibc - availability risk

CVE-2026-38640 affects relibc. A reachable unwrap in the __assert_fail function (/assert/mod.rs) of relibc commit 61f42d allows attackers to cause a Denial of Service (DoS) via a crafted string. Patch the affected deployment and review component presence.

Motors

WordPress / CMS 2 CVEs
2026-06-17 CVSS 9.3

CVE-2026-54812

Motors - SQL injection

CVE-2026-54812 affects Motors through 1.4.109. Confirm the installed version, patch or disable the component, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

WP Activity Log

WordPress / CMS 2 CVEs
2026-06-25 CVSS 7.1

CVE-2026-56005

WP Activity Log - Subscriber Cross Site Scripting (XSS)

CVE-2026-56005 affects WP Activity Log <= 5.6.3.1. Site owners should patch the component, preserve logs, and review content and widgets before closing the issue.

2026-06-17 CVSS 9.8

CVE-2026-54806

WP Activity Log - unauthenticated PHP object injection

CVE-2026-54806 affects WP Activity Log through 5.6.3.1. Confirm the installed version, patch or disable the component, and review PHP errors, changed files, and unexpected plugin settings before closing the incident.

Rapid7 InsightConnect Sed Plugin

SOAR / Automation 2 CVEs
2026-06-25 CVSS 8.8

CVE-2026-9155

Rapid7 InsightConnect Sed Plugin - command execution risk in Linux workflow action

CVE-2026-9155 affects the Rapid7 InsightConnect Sed Plugin on Linux. Review workflow runs, connector permissions, input sources, generated artifacts, and runner logs before re-enabling affected automation.

2026-06-25 CVSS 7.1

CVE-2026-9154

Rapid7 InsightConnect Sed Plugin - file write risk in Linux workflow action

CVE-2026-9154 affects the Rapid7 InsightConnect Sed Plugin on Linux. Review workflow runs, connector permissions, input sources, generated artifacts, and runner logs before re-enabling affected automation.

FOSSBilling

PHP / Billing Platform 2 CVEs
2026-06-23 CVSS 9.4

CVE-2026-28496

FOSSBilling - Twig template SSTI and RCE risk

CVE-2026-28496 affects FOSSBilling through 0.7.2 when Twig templates are rendered without the intended sandbox. Patch and review email templates, payment adapters, admin actions, and tokens.

Public PoC

Appsmith

Self-hosted DevOps / AI 2 CVEs
2026-06-24 CVSS 8.9

CVE-2026-50189

Appsmith - bundled supervisord XML-RPC exposure

CVE-2026-50189 affects Appsmith before 2.1. Review supervisord exposure, administrator activity, container process history, and environment access.

Public PoC

Unraid

NAS / Web Admin 2 CVEs
2026-06-24 CVSS 8.8

CVE-2026-9772

Unraid - FileUpload command execution risk

CVE-2026-9772 affects Unraid web administration paths where authenticated access can reach command execution risk. Restrict admin access, patch, and review plugin, upload, and process activity.

Public PoC
2026-06-24 CVSS 8.8

CVE-2026-9773

Unraid - ToggleState command execution risk

CVE-2026-9773 affects Unraid web administration paths where authenticated access can reach command execution risk. Restrict admin access, patch, and review plugin, upload, and process activity.

Public PoC

Post Duplicator

WordPress Plugin 2 CVEs
2026-06-15 CVSS 8.8

CVE-2026-39474

Post Duplicator - contributor PHP object injection

CVE-2026-39474 affects Post Duplicator through 3.0.10. WordPress owners should confirm the plugin version, patch or disable the component, and review PHP errors, changed files, and unexpected plugin settings before closing the incident.

GIMP / GEGL

Desktop / Image Processing 2 CVEs
2026-06-24 CVSS 7.8

CVE-2026-2050

GIMP / GEGL - HDR file parsing heap overflow risk

CVE-2026-2050 affects GIMP HDR file parsing through the GEGL image processing path. Desktop fleets should update packages and review workflows that open untrusted HDR files.

Public PoC
2026-06-10 CVSS 7.8

CVE-2026-2049

GIMP/GEGL - HDR file parsing memory corruption

CVE-2026-2049 affects GIMP/GEGL HDR file parsing. Teams processing untrusted image submissions should update workstations and automated image-processing containers.

Public PoC

WP Forms Connector

WordPress Plugin 2 CVEs

Flowise

AI / Workflow Automation 2 CVEs
2026-06-23 CVSS 9.9

CVE-2026-56274

Flowise - Custom MCP Server command injection risk

CVE-2026-56274 affects Flowise before 3.1.2 through Custom MCP Server validation bypasses. Patch, restrict Flowise accounts and API keys, and review chatflow and MCP tool changes.

Public PoC
2026-06-08 CVSS 7.5

CVE-2026-46440

Flowise - Basic Auth credential brute-force exposure

CVE-2026-46440 affects Flowise before 3.1.2 when exposed Basic Auth can be repeatedly tested without adequate rate limiting. Operators should upgrade, add a real access layer, rotate credentials, and review Flowise flows and stored secrets.

Caddy

Web Server / FastCGI 2 CVEs
2026-06-23 CVSS 8.1

CVE-2026-45135

Caddy FastCGI - unsafe split path handling for non-PHP files

CVE-2026-45135 affects Caddy 2.7.0 through 2.10.2 when FastCGI split path handling can treat attacker-controlled non-PHP files as scripts. Patch and review upload directories behind FastCGI.

Public PoC
2026-06-23 CVSS 8.1

CVE-2026-52845

Caddy FastCGI - forward_auth header normalization bypass

CVE-2026-52845 affects Caddy before 2.11.4 when forward_auth copied headers can collide with FastCGI header normalization. Patch and review PHP applications that trust upstream identity headers.

Public PoC

Open WebUI

AI / Self-hosted App 2 CVEs
2026-06-23 CVSS 7.7

CVE-2026-54018

Open WebUI - Playwright URL loader SSRF redirect bypass

CVE-2026-54018 affects Open WebUI before 0.9.6 when the Playwright web loader can follow redirects after initial URL validation. Patch and review RAG web fetch settings and outbound access.

Public PoC

http-proxy-middleware

Node.js / Proxy Middleware 2 CVEs
2026-06-22 CVSS 7.5

CVE-2026-55603

http-proxy-middleware - multipart request body desync risk

CVE-2026-55603 affects http-proxy-middleware deployments that rebuild multipart request bodies with fixRequestBody. Patch and verify gateway validation still matches what upstream services receive.

Public PoC
2026-06-22 CVSS 6.9

CVE-2026-55602

http-proxy-middleware - host and path router match bypass

CVE-2026-55602 affects http-proxy-middleware router configurations that use host plus path matching. Operators should patch, review proxy-table rules, and confirm requests cannot route to unintended backends.

Public PoC

phpMyFAQ

PHP / Self-hosted App 2 CVEs
2026-06-21 CVSS 8.8

CVE-2026-56396

phpMyFAQ - administrator privilege escalation

CVE-2026-56396 affects phpMyFAQ before 4.1.4. Patch or remove public exposure, preserve logs, and review admin user changes, rights changes, and FAQ admin logs.

Public PoC
2026-06-18 CVSS 6.5

CVE-2026-49205

phpMyFAQ - API authorization gap

CVE-2026-49205 affects phpMyFAQ before 4.1.4. Patch or remove public exposure, preserve logs, and review API keys, content writes, and user permissions.

Public PoC

Simple File List

WordPress / Plugin 2 CVEs
2026-06-20 CVSS 7.5

CVE-2026-11911

Simple File List - arbitrary file deletion

CVE-2026-11911 affects Simple File List through 6.3.7. Confirm the installed version, patch or disable the component, and review file list activity, missing files, and recent PHP changes before closing the issue.

2026-06-20 CVSS 7.5

CVE-2026-11912

Simple File List - arbitrary file modification

CVE-2026-11912 affects Simple File List through 6.3.7. Confirm the installed version, patch or disable the component, and review file list activity, changed files, and recent PHP changes before closing the issue.

Public PoC

Joomla JoomRecipe

Joomla / Extension 2 CVEs
2026-06-19 CVSS 8.8

CVE-2017-20277

Joomla JoomRecipe - blind SQL injection

CVE-2017-20277 affects Joomla JoomRecipe 1.0.4. Check whether the extension is installed, remove abandoned copies, and review recipe records, database errors, and access logs.

Public PoC
2026-06-19 CVSS 8.8

CVE-2017-20278

Joomla JoomRecipe - SQL injection

CVE-2017-20278 affects Joomla JoomRecipe 1.0.3. Check whether the extension is installed, remove abandoned copies, and review recipe records, database errors, and access logs.

Public PoC

Joomla vBizz

Joomla / Extension 2 CVEs
2026-06-19 CVSS 8.8

CVE-2019-25758

Joomla vBizz - unrestricted file upload

CVE-2019-25758 affects Joomla vBizz 1.0.7. Check whether the extension is installed, remove abandoned copies, and review uploads, executable files, and authenticated user activity.

Public PoC
2026-06-19 CVSS 7.1

CVE-2019-25759

Joomla vBizz - SQL injection

CVE-2019-25759 affects Joomla vBizz 1.0.7. Check whether the extension is installed, remove abandoned copies, and review business records, database errors, and authenticated user activity.

Public PoC

pontedilana/php-weasyprint

PHP Library 2 CVEs
2026-06-19 CVSS 8.2

CVE-2026-49260

PhpWeasyPrint - PDF command construction risk

CVE-2026-49260 affects pontedilana/php-weasyprint before 2.5.1. Patch the Composer dependency, check which routes generate PDFs, and review composer.lock, PDF generation jobs, and web-server logs.

Public PoC
2026-06-19 CVSS 8.1

CVE-2026-49286

PhpWeasyPrint - output filename handling risk

CVE-2026-49286 affects pontedilana/php-weasyprint before 2.6.0. Patch the Composer dependency, check which routes generate PDFs, and review composer.lock, PDF output folders, and generated files.

Public PoC

Media Library Assistant

WordPress / Plugin 2 CVEs
2026-06-18 CVSS 8.5

CVE-2026-56012

Media Library Assistant - Blind SQL injection

CVE-2026-56012 affects Media Library Assistant through 3.35. Confirm the installed version, patch or disable the component, and review database errors and media records before closing the issue.

2026-06-16 CVSS 7.1

CVE-2026-54198

Media Library Assistant - Cross-site scripting

CVE-2026-54198 affects Media Library Assistant through 3.35. Confirm the installed version, patch or disable the plugin, and review stored content, redirects, admin sessions, and suspicious script injections before closing the incident.

Simple Membership

WordPress / Community 2 CVEs
2026-06-18 CVSS 5.3

CVE-2026-12093

Simple Membership - Webhook authorization bypass

CVE-2026-12093 affects Simple Membership through 4.7.5. Confirm the installed version, patch or disable the component, and review member status and Stripe webhook settings before closing the issue.

Public PoC
2026-06-16 CVSS 7.5

CVE-2026-34886

Simple Membership - Broken access control

CVE-2026-34886 affects Simple Membership through 4.7.1. Confirm the installed version, patch or disable the plugin, and review new sessions, booking records, order changes, and account history before closing the incident.

User Registration Stripe

WordPress / Plugin 2 CVEs
2026-06-18 CVSS 8.2

CVE-2026-40726

User Registration Stripe - Broken access control

CVE-2026-40726 affects User Registration Stripe through 1.3.14. Confirm the installed version, patch or disable the component, and review registration payments and user records before closing the issue.

2026-06-18 CVSS 8.2

CVE-2026-49081

User Registration Stripe - Broken access control

CVE-2026-49081 affects User Registration Stripe through 1.3.12. Confirm the installed version, patch or disable the component, and review registration payments and user records before closing the issue.

LiquidJS

Developer / AI Tooling 2 CVEs
2026-06-18 CVSS 7.5

CVE-2026-45617

LiquidJS - strip_html ReDoS

CVE-2026-45617 affects LiquidJS through 10.25.7. Review template inputs, Node.js worker CPU, and dependency locks, then apply the vendor fix or remove the risky exposure until patched.

Public PoC
2026-06-18 CVSS 6.5

CVE-2026-44645

LiquidJS - render limit bypass

CVE-2026-44645 affects LiquidJS through 10.25.7. Review template-authoring users and renderLimit assumptions, then apply the vendor fix or remove the risky exposure until patched.

Public PoC

WordPress Dating Theme

WordPress / Plugin 2 CVEs
2026-06-17 CVSS 8.6

CVE-2026-22343

WordPress Dating Theme - Broken access control

CVE-2026-22343 affects WordPress Dating Theme through 11.2.0. Confirm the installed version, patch or disable the component, and review new sessions, booking records, order changes, and account history before closing the incident.

2026-06-17 CVSS 8.8

CVE-2026-22342

WordPress Dating Theme - CSRF account takeover risk

CVE-2026-22342 affects WordPress Dating Theme through 11.2.0. Confirm the installed version, patch or disable the component, and review users, files, logs, and plugin settings before closing the incident.

MySQL Shell for VS Code

Database / Developer Tooling 2 CVEs
2026-06-17 CVSS 8.5

CVE-2026-46870

MySQL Shell for VS Code - Oracle June 2026 CPU issue

CVE-2026-46870 affects MySQL Shell for VS Code 2026.2.0+9.6.1. Database teams should patch developer tooling and review saved connections, extension access, and unusual database activity.

Public PoC
2026-06-17 CVSS 9.9

CVE-2026-46850

MySQL Shell for VS Code - June 2026 Oracle CPU critical issue

CVE-2026-46850 affects MySQL Shell for VS Code 2026.2.0+9.6.1. Database teams should patch developer tooling and review saved connection profiles and extension access.

NGINX Gateway Fabric

Kubernetes / Edge 2 CVEs
2026-06-17 CVSS 8.6

CVE-2026-11311

NGINX Gateway Fabric - CRD field configuration injection

CVE-2026-11311 affects NGINX Gateway Fabric configuration generation when NGINX Plus is used as the data plane. Review who can create or modify NginxProxy and AuthenticationFilter resources, patch, and audit recent CRD changes.

2026-06-17 CVSS 8.6

CVE-2026-50107

NGINX Gateway Fabric - access log format configuration injection

CVE-2026-50107 affects NGINX Gateway Fabric configuration generation for NGINX Plus or NGINX Open Source data planes. Patch and review recent NginxProxy access log format changes and related Kubernetes RBAC.

Listdom

WordPress / Directory 2 CVEs
2026-06-17 CVSS 9.3

CVE-2026-54819

Listdom - SQL injection

CVE-2026-54819 affects Listdom through 5.4.0. Confirm the installed version, patch or disable the component, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

Apache DolphinScheduler

Workflow / Data Platform 2 CVEs
2026-06-18 CVSS 9.1

CVE-2026-32967

Apache DolphinScheduler - v2 experimental interface authorization gap

CVE-2026-32967 affects the Apache DolphinScheduler v2 experimental interface. Patch, restrict exposed API routes, and review scheduler user activity.

2026-06-17 CVSS 9.8

CVE-2026-32966

Apache DolphinScheduler - DataSource API authorization gap

CVE-2026-32966 affects Apache DolphinScheduler DataSource API authorization. Operators should patch, restrict API exposure, and review datasource metadata access.

Bludit CMS

PHP CMS 2 CVEs
2026-06-15 CVSS 9.8

CVE-2026-38329

Bludit CMS - API plugin file upload RCE risk

CVE-2026-38329 affects Bludit before 3.18.4 when API plugin file handling is exposed. Review API token use, plugin access, uploaded files, and web-server logs before closing the issue.

Public PoC
2026-06-15 CVSS 9.8

CVE-2026-50869

Bludit CMS - API plugin directory traversal

CVE-2026-50869 affects Bludit 3.19.0 API plugin handling. Treat public API plugin exposure as high risk, restrict access, review file paths, and preserve logs if suspicious reads or writes are found.

Public PoC

Masteriyo - LMS

WordPress / Community 2 CVEs
2026-06-16 CVSS 7.5

CVE-2026-39524

Masteriyo - LMS - Broken access control

CVE-2026-39524 affects Masteriyo - LMS through 2.1.5. Confirm the installed version, patch or disable the plugin, and review new sessions, booking records, order changes, and account history before closing the incident.

2026-06-15 CVSS 8.8

CVE-2026-49111

Masteriyo LMS - privilege escalation risk

CVE-2026-49111 affects Masteriyo - LMS through 2.2.0. Sites should patch, then compare WordPress roles, LMS instructors, course managers, and recent role changes.

Booking Package

WordPress / Community 2 CVEs
2026-06-16 CVSS 7.5

CVE-2026-40774

Booking Package - Broken access control

CVE-2026-40774 affects Booking Package through 1.7.06. Confirm the installed version, patch or disable the plugin, and review new sessions, booking records, order changes, and account history before closing the incident.

2026-06-06 CVSS 7.2

CVE-2026-9851

Booking Package - editor-level account takeover risk

CVE-2026-9851 affects Booking Package for WordPress through 1.7.16. Review editor and administrator accounts, password resets, and booking staff changes after patching.

Amelia

WordPress / Community 2 CVEs
2026-06-15 CVSS 8.8

CVE-2026-48889

Amelia - subscriber privilege escalation

CVE-2026-48889 affects Amelia through 2.3. WordPress owners should confirm the plugin version, patch or disable the component, and review new users, role changes, and administrator sessions before closing the incident.

Bookly

WordPress / Community 2 CVEs
2026-06-13 CVSS 7.2

CVE-2026-5513

Bookly - unauthenticated stored XSS via remembered customer name

CVE-2026-5513 affects Bookly through 27.2 when the setting to remember personal information in cookies is enabled. Sites using Bookly should update to 27.3 or newer, clear cache, and review appointment/customer entries opened by logged-in staff after disclosure.

Public PoC

Coupon Affiliates

WordPress / Ecommerce 2 CVEs
2026-06-16 CVSS 7.1

CVE-2026-40770

Coupon Affiliates - Cross-site scripting

CVE-2026-40770 affects Coupon Affiliates through 7.5.3. Confirm the installed version, patch or disable the plugin, and review stored content, redirects, admin sessions, and suspicious script injections before closing the incident.

WP Travel Engine

WordPress / Plugin 2 CVEs
2026-06-15 CVSS 9.8

CVE-2026-49770

WP Travel Engine - unauthenticated PHP object injection

CVE-2026-49770 affects WP Travel Engine through 6.7.12. WordPress sites should patch or disable the component, then review PHP errors, changed files, and unexpected plugin settings before closing the incident.

Quiz And Survey Master

WordPress / Plugin 2 CVEs
2026-06-16 CVSS 7.1

CVE-2026-40787

Quiz And Survey Master - Cross-site scripting

CVE-2026-40787 affects Quiz And Survey Master through 11.0.0. Confirm the installed version, patch or disable the plugin, and review stored content, redirects, admin sessions, and suspicious script injections before closing the incident.

2026-06-16 CVSS 7.1

CVE-2026-48867

Quiz And Survey Master - Cross-site scripting

CVE-2026-48867 affects Quiz And Survey Master through 11.1.2. Confirm the installed version, patch or disable the plugin, and review stored content, redirects, admin sessions, and suspicious script injections before closing the incident.

WP Time Slots Booking Form

WordPress / Forms 2 CVEs
2026-06-16 CVSS 7.1

CVE-2026-40791

WP Time Slots Booking Form - Cross-site scripting

CVE-2026-40791 affects WP Time Slots Booking Form through 1.2.46. Confirm the installed version, patch or disable the plugin, and review stored content, redirects, admin sessions, and suspicious script injections before closing the incident.

2026-06-15 CVSS 8.5

CVE-2026-48882

WP Time Slots Booking Form - subscriber SQL injection

CVE-2026-48882 affects WP Time Slots Booking Form through 1.2.50. WordPress owners should confirm the plugin version, patch or disable the component, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

Product Filter Widget for Elementor

WordPress / Ecommerce 2 CVEs
2026-06-16 CVSS 7.1

CVE-2026-45437

Product Filter Widget for Elementor - Cross-site scripting

CVE-2026-45437 affects Product Filter Widget for Elementor through 1.0.6. Confirm the installed version, patch or disable the plugin, and review stored content, redirects, admin sessions, and suspicious script injections before closing the incident.

2026-06-09 CVSS 6.1

CVE-2026-11603

Product Filter Widget for Elementor - reflected XSS in AJAX filter handling

CVE-2026-11603 affects Product Filter Widget for Elementor through 1.0.6. Patch the plugin, clear cache, and review product filter pages opened by logged-in admins or shop managers.

Public PoC

Funnel Builder by FunnelKit

WordPress / Plugin 2 CVEs
2026-06-16 CVSS 7.1

CVE-2026-48966

Funnel Builder by FunnelKit - Cross-site scripting

CVE-2026-48966 affects Funnel Builder by FunnelKit through 3.15.0.2. Confirm the installed version, patch or disable the plugin, and review stored content, redirects, admin sessions, and suspicious script injections before closing the incident.

2026-06-15 CVSS 9.3

CVE-2026-42381

Funnel Builder by FunnelKit - unauthenticated SQL injection

CVE-2026-42381 affects Funnel Builder by FunnelKit through 3.15.0.1. WordPress sites should patch or disable the component, then review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

GeekyBot

WordPress / Plugin 2 CVEs
2026-06-15 CVSS 9.3

CVE-2026-39519

GeekyBot - unauthenticated SQL injection

CVE-2026-39519 affects GeekyBot through 1.2.0. WordPress sites should patch or disable the component, then review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

2026-06-15 CVSS 10.0

CVE-2026-40772

GeekyBot - unauthenticated arbitrary file upload

CVE-2026-40772 affects GeekyBot through 1.2.2. WordPress sites should patch or disable the component, then review upload directories, new PHP files, and web access logs before closing the incident.

GPTranslate

WordPress / Plugin 2 CVEs
2026-06-15 CVSS 9.3

CVE-2026-49776

GPTranslate - unauthenticated SQL injection

CVE-2026-49776 affects GPTranslate through 2.32.6. WordPress sites should patch or disable the component, then review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

2026-06-13 CVSS 7.2

CVE-2026-9109

GPTranslate - unauthenticated stored XSS in translation storage

CVE-2026-9109 affects GPTranslate through 2.31. Sites using the plugin should update to 2.32 or newer, clear page cache, and review recently translated public pages for unexpected script-like content.

Discuz! X5.0

Forum / PHP 2 CVEs
2026-06-15 CVSS 9.3

CVE-2026-49952

Discuz! X5.0 - authentication bypass in backup/restore boundary

CVE-2026-49952 affects Discuz! X5.0 releases 20260320 through 20260501. Forum operators should upgrade to 20260510 or newer, restrict administrative paths, and review database backup and restore activity.

Public PoC
2026-06-15 CVSS 8.6

CVE-2026-49954

Discuz! X5.0 - administrator plugin local file inclusion

CVE-2026-49954 affects Discuz! X5.0 releases 20260320 through 20260610, with older X3.4 and X3.5 releases possibly affected. Operators should restrict administrator access, review plugin imports, and watch for unexpected PHP files.

Ivanti Sentry

Mobile Gateway / Edge 2 CVEs
2026-06-11 CVSS 10.0

CVE-2026-10520

Ivanti Sentry - unauthenticated root-level command injection

CVE-2026-10520 affects Ivanti Sentry and was added to CISA KEV on 2026-06-11. Confirm version state, restrict management access, patch, and review appliance logs and unexpected accounts.

CISA KEV Active Exploit
2026-06-11 CVSS 9.9

CVE-2026-10523

Ivanti Sentry - unauthenticated administrative account creation

CVE-2026-10523 affects Ivanti Sentry and can allow unauthorized administrative account creation. Patch first, then review admin users, MFA state, login history, and configuration changes.

Apache OFBiz

Enterprise App 2 CVEs
2026-06-12 CVSS 8.8

CVE-2026-47342

Apache OFBiz - privilege escalation before 24.09.07

CVE-2026-47342 affects Apache OFBiz versions before 24.09.07. Upgrade to the fixed release and review low-privilege users, role changes, and recent administrative actions.

2026-06-10 CVSS 8.8

CVE-2026-50223

Apache OFBiz - Content/DataResource template injection

CVE-2026-50223 affects Apache OFBiz before 24.09.07 when low-privileged users with Content/DataResource editing rights can reach unsafe template behavior. Patch and audit editor accounts.

AWS Aurora PostgreSQL Wrapper

Cloud Database / Java 2 CVEs
2026-06-05 CVSS 8.6

CVE-2026-11400

AWS Advanced JDBC Wrapper - Aurora PostgreSQL privilege escalation

CVE-2026-11400 affects AWS Advanced JDBC Wrapper for Aurora PostgreSQL versions 3.0.0 up to, but not including, 4.0.1. Review wrapper dependency versions, database search_path, and low-privilege function creation.

2026-06-05 CVSS 8.6

CVE-2026-11401

AWS Advanced Go Wrapper - Aurora PostgreSQL privilege escalation

CVE-2026-11401 affects the AWS Advanced Go Wrapper 2026-04-06 release for Aurora PostgreSQL. Upgrade to the 2026-05-26 release and review public schema search_path exposure.

tmp

Node.js / Filesystem 2 CVEs
2026-06-11 CVSS 7.7

CVE-2026-44705

tmp npm package - temporary path traversal

CVE-2026-44705 affects tmp before 0.2.6 when untrusted data reaches temporary file or directory options. Patch and enforce strict string allowlists around prefix, postfix, dir, and template settings.

Public PoC
2026-06-11 CVSS 8.2

CVE-2026-49982

tmp npm package - non-string path option traversal

CVE-2026-49982 affects tmp 0.2.6 when non-string option values can escape the intended temp directory. Update to 0.2.7 and type-check temporary file options.

Public PoC

Ghidra

Reverse Engineering / Database 2 CVEs
2026-06-10 CVSS 8.8

CVE-2026-49498

Ghidra - PostgreSQL password-change SQL injection

CVE-2026-49498 affects Ghidra 11.0 before 12.1 in PostgreSQL-backed password-change handling. Patch shared Ghidra servers and review database roles and account changes.

Public PoC
2026-06-10 CVSS 8.8

CVE-2026-52758

Ghidra BSim - PostgreSQL SQL injection

CVE-2026-52758 affects Ghidra before 12.1 in BSim database query handling. Shared reverse-engineering environments should patch and review PostgreSQL audit logs.

Public PoC

KnpLabs Snappy

PHP / PDF 2 CVEs
2026-06-10 CVSS 7.5

CVE-2026-46643

KnpLabs Snappy - binary path shell escaping regression

CVE-2026-46643 affects KnpLabs Snappy before 1.7.1 when the wkhtmltopdf or wkhtmltoimage binary path can be influenced by user or environment data. Patch and pin trusted binary paths.

Public PoC
2026-06-10 CVSS 6.9

CVE-2026-46683

KnpLabs Snappy - SSRF and local file read via stylesheet option

CVE-2026-46683 affects KnpLabs Snappy before 1.7.0 when PDF or image generation can be influenced by untrusted stylesheet options. Patch Snappy and restrict outbound access from rendering workers.

Public PoC

BuddyPress

WordPress / Community 2 CVEs
2026-06-10 CVSS 8.6

CVE-2026-53673

BuddyPress - Private message IDOR through REST API user_id

CVE-2026-53673 affects BuddyPress 14.4.0 private messaging REST API permission checks. Community and membership sites should disable private messaging if needed, review message API access, and update when a fixed release is available.

2026-06-10 CVSS 7.1

CVE-2026-53674

BuddyPress - Activity mention regular expression injection

CVE-2026-53674 affects BuddyPress 14.4.0 activity mention resolution when username compatibility mode is enabled. Review community activity logs, disable risky compatibility settings if possible, and update when a fixed release is available.

code-projects Online Music Site

Media / PHP App 2 CVEs
2026-06-08 CVSS 7.5

CVE-2026-11489

Online Music Site - AdminDeleteAlbum.php SQL Injection

CVE-2026-11489 is a SQL injection in an admin album action of code-projects Online Music Site 1.0. Check admin path exposure, album changes, logs, and SQL handling.

Public PoC
2026-06-08 CVSS 7.5

CVE-2026-11490

Online Music Site - Search.php Category SQL Injection

CVE-2026-11490 is a SQL injection in the public search handling of code-projects Online Music Site 1.0. Check public search exposure, category validation, web logs, and prepared-statement coverage.

Public PoC

cPanel

Web Hosting Control Panel 2 CVEs
2026-05-21 CVSS 10.0

CVE-2026-48172

cPanel/WHM Redis Socket - Unauthenticated Privilege Escalation to Root

Unauthenticated privilege escalation via Redis Unix socket in cPanel & WHM. Overly permissive socket access can let a local user or compromised PHP process write root-owned files through Redis. Third critical cPanel CVE in 2026.

Public PoC
2026-04-28 CVSS 9.8

CVE-2026-41940

cPanel/WHM Pre-Auth CRLF Injection → Root Access

Pre-authentication CRLF injection in cPanel & WHM session handling leading to root access. 44,000 IPs compromised, 7,135 hit by .sorry ransomware. Persistent Mr_Rot13 Filemanager backdoor survives the patch. Second emergency TSR on May 8.

CISA KEV Active Exploit Public PoC

Gitea act_runner

DevOps / CI Runner 1 CVE
2026-06-28 CVSS 9.9

CVE-2026-58053

Gitea act_runner - Docker backend container hardening bypass

CVE-2026-58053 affects Gitea act_runner deployments that use the Docker backend through act 0.262.0. Owners should restrict who can run workflows, review Docker runner configuration, isolate runners from production hosts, and apply vendor hardening guidance.

Public PoC

Frontend File Manager Plugin

WordPress / CMS 1 CVE
2026-06-28 CVSS 8.1

CVE-2026-8095

Frontend File Manager Plugin - authenticated arbitrary file deletion

CVE-2026-8095 affects the Frontend File Manager Plugin for WordPress through 23.6. Sites should patch the plugin, preserve file timestamps, review failed file operations, and check whether critical WordPress files changed during the exposure window.

yashpokharna2555 restaurent-management-system

PHP / MySQL App 1 CVE
2026-06-28 CVSS 7.5

CVE-2026-13498

restaurent-management-system - forgot-password SQL injection risk

CVE-2026-13498 affects the yashpokharna2555 restaurent-management-system project, which does not publish fixed version metadata. Owners should remove public exposure, review forgot-password activity, preserve database logs, and migrate away from the unsupported code path.

Public PoC

YzmCMS

PHP / CMS 1 CVE
2026-06-29 CVSS 5.6

CVE-2026-13529

YzmCMS - installer SQL injection risk

CVE-2026-13529 affects YzmCMS through 7.5 where installer exposure can create SQL injection risk. Owners should remove or restrict installer paths, review install access logs, and check configuration or database changes before returning the site to service.

Public PoC

Budibase

DevOps / Self-hosted 1 CVE
2026-06-26 CVSS 10.0

CVE-2026-54350

Budibase - authentication boundary risk

CVE-2026-54350 affects Budibase. Budibase is an open-source low-code platform. Prior to 3.39.12, an unauthenticated visitor of any published Budibase app reads every document of the backing MongoDB, CouchDB, Elasticsearch, DynamoDB-PartiQL, or REST-with... Patch the affected deployment and review workflow and admin logs.

Booster for WooCommerce

WordPress / WooCommerce 1 CVE
2026-06-26 CVSS 9.9

CVE-2026-56027

Booster for WooCommerce - Customer Arbitrary File Upload

CVE-2026-56027 affects Booster for WooCommerce <= 8.0.1. Site owners should patch the component, preserve logs, and review files and uploads before closing the issue.

Quform

WordPress / CMS 1 CVE

Travel Booking

WordPress / CMS 1 CVE
2026-06-26 CVSS 9.9

CVE-2026-56059

Travel Booking - Subscriber Arbitrary File Upload

CVE-2026-56059 affects Travel Booking <= 2.2.5. Site owners should patch the component, preserve logs, and review files and uploads before closing the issue.

Genshi Template Engine

PHP / CMS 1 CVE
2026-06-26 CVSS 9.8

CVE-2026-0685

Genshi Template Engine - remote code execution risk

CVE-2026-0685 affects Genshi Template Engine. Server-side template injection (SSTI) in the expression evaluation component of Genshi Template Engine version 0.7.9 allows a remote attacker to achieve remote code execution (RCE) via crafted template expressions. Patch the affected deployment and review web and app logs.

Easy Elements for Elementor - Addons and Website Templates

WordPress / CMS 1 CVE
2026-06-26 CVSS 9.8

CVE-2026-56028

Easy Elements for Elementor - Addons and Website Templates - Unauthenticated Privilege Escalation

CVE-2026-56028 affects Easy Elements for Elementor - Addons and Website Templates <= 1.4.9. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Paytium

WordPress / CMS 1 CVE

Buddyboss Platform

WordPress / CMS 1 CVE
2026-06-26 CVSS 9.8

CVE-2026-56032

Buddyboss Platform - Subscriber PHP Object Injection

CVE-2026-56032 affects Buddyboss Platform <= 3.0.4. Site owners should patch the component, preserve logs, and review logs and users before closing the issue.

Uncanny Automator Pro

WordPress / CMS 1 CVE
2026-06-26 CVSS 9.8

CVE-2026-56057

Uncanny Automator Pro - Subscriber PHP Object Injection

CVE-2026-56057 affects Uncanny Automator Pro <= 7.3.0.6. Site owners should patch the component, preserve logs, and review logs and users before closing the issue.

JetBooking

WordPress / CMS 1 CVE

Real Estate 7

WordPress / CMS 1 CVE

Library Management System

WordPress / CMS 1 CVE
2026-06-26 CVSS 9.3

CVE-2026-56034

Library Management System - Unauthenticated SQL Injection

CVE-2026-56034 affects Library Management System <= 3.5.7. Site owners should patch the component, preserve logs, and review database logs before closing the issue.

Korean SimplePay WooCommerce plugin

WordPress / WooCommerce 1 CVE
2026-06-26 CVSS 9.3

CVE-2026-56036

Korean SimplePay WooCommerce plugin - Unauthenticated SQL Injection

CVE-2026-56036 affects Korean SimplePay WooCommerce plugin <= 5.5.6. Site owners should patch the component, preserve logs, and review database logs before closing the issue.

Quotes llama

WordPress / CMS 1 CVE

TemplateSpare

WordPress / CMS 1 CVE
2026-06-26 CVSS 9.1

CVE-2026-57658

TemplateSpare - Administrator Arbitrary File Upload

CVE-2026-57658 affects TemplateSpare <= 4.2.0. Site owners should patch the component, preserve logs, and review files and uploads before closing the issue.

Eagle Booking

WordPress / CMS 1 CVE
2026-06-26 CVSS 8.8

CVE-2025-68052

Eagle Booking - Unauthenticated Cross Site Request Forgery (CSRF)

CVE-2025-68052 affects Eagle Booking <= 1.3.4.3. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Abandoned Cart Pro for WooCommerce

WordPress / WooCommerce 1 CVE
2026-06-26 CVSS 8.8

CVE-2026-56010

Abandoned Cart Pro for WooCommerce - Subscriber Privilege Escalation

CVE-2026-56010 affects Abandoned Cart Pro for WooCommerce <= 10.4.0. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Frisbii Pay

WordPress / CMS 1 CVE

RealHomes

WordPress / CMS 1 CVE

Pagekit CMS

PHP / CMS 1 CVE
2026-06-26 CVSS 8.8

CVE-2026-57518

Pagekit CMS - privilege escalation risk

CVE-2026-57518 affects Pagekit CMS. Pagekit CMS 1.0.18 contains a privilege escalation vulnerability that allows authenticated users with the 'user: manage users' permission to escalate privileges by assigning arbitrary custom roles to themselves due to mi... Patch the affected deployment and review web and app logs.

Paid Memberships Pro - Add Member From Admin

WordPress / CMS 1 CVE
2026-06-26 CVSS 8.8

CVE-2026-57659

Paid Memberships Pro - Add Member From Admin - Unauthenticated Cross Site Request Forgery (CSRF)

CVE-2026-57659 affects Paid Memberships Pro - Add Member From Admin <= 0.7.2. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

BitFire Security

WordPress / CMS 1 CVE
2026-06-26 CVSS 8.6

CVE-2026-56035

BitFire Security - Unauthenticated Multiple Vulnerabilities

CVE-2026-56035 affects BitFire Security <= 5.0.3. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Tourfic

WordPress / CMS 1 CVE

WP Post Author

WordPress / CMS 1 CVE

Restaurant Menu by MotoPress

WordPress / CMS 1 CVE
2026-06-26 CVSS 8.5

CVE-2026-57644

Restaurant Menu by MotoPress - Contributor SQL Injection

CVE-2026-57644 affects Restaurant Menu by MotoPress <= 2.4.10. Site owners should patch the component, preserve logs, and review database logs before closing the issue.

WP Job Portal

WordPress / CMS 1 CVE

Recipe Maker For Your Food Blog from Zip Recipes

WordPress / CMS 1 CVE
2026-06-26 CVSS 8.5

CVE-2026-57663

Recipe Maker For Your Food Blog from Zip Recipes - Contributor SQL Injection

CVE-2026-57663 affects Recipe Maker For Your Food Blog from Zip Recipes <= 8.2.7. Site owners should patch the component, preserve logs, and review database logs before closing the issue.

ExpressUpdate Agent

Runtime / Watch 1 CVE
2026-06-26 CVSS 8.5

CVE-2026-8797

ExpressUpdate Agent - security boundary risk

CVE-2026-8797 affects ExpressUpdate Agent. An access control deficiency vulnerability exists in ExpressUpdate Agent for Windows. If a malicious user gains access to the product, arbitrary code could be executed with SYSTEM privileges. Patch the affected deployment and review component presence.

MailChimp Block

WordPress / CMS 1 CVE
2026-06-26 CVSS 8.3

CVE-2026-56063

MailChimp Block - Unauthenticated Broken Access Control

CVE-2026-56063 affects MailChimp Block <= 1.1.15. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Child Theme Wizard

WordPress / CMS 1 CVE
2026-06-26 CVSS 8.2

CVE-2026-57655

Child Theme Wizard - Unauthenticated Cross Site Request Forgery (CSRF)

CVE-2026-57655 affects Child Theme Wizard <= 1.4. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Uncanny Automator

WordPress / CMS 1 CVE
2026-06-26 CVSS 8.1

CVE-2026-56031

Uncanny Automator - Unauthenticated PHP Object Injection

CVE-2026-56031 affects Uncanny Automator <= 7.3.1.2. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

SupportCandy

WordPress / CMS 1 CVE
2026-06-26 CVSS 7.6

CVE-2026-54826

SupportCandy - Subscriber Insecure Direct Object References (IDOR)

CVE-2026-54826 affects SupportCandy <= 3.4.6. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

WP All Import

WordPress / CMS 1 CVE

Popup box

WordPress / CMS 1 CVE

Splash - Sport Club WordPress Theme for Basketball, Football, Hockey

WordPress / CMS 1 CVE
2026-06-26 CVSS 7.5

CVE-2025-68063

Splash - Sport Club WordPress Theme for Basketball, Football, Hockey - Contributor Local File Inclusion

CVE-2025-68063 affects Splash - Sport Club WordPress Theme for Basketball, Football, Hockey <= 4.4.3. Site owners should patch the component, preserve logs, and review files and uploads before closing the issue.

Goya Core

WordPress / CMS 1 CVE

Apache Airflow FTP provider

DevOps / Self-hosted 1 CVE
2026-06-26 CVSS 7.5

CVE-2026-49486

Apache Airflow FTP provider - sensitive data exposure risk

CVE-2026-49486 affects Apache Airflow FTP provider. The Apache Airflow FTP provider's `FTPSHook.get_conn()` created an `ftplib.FTP_TLS` connection but never called `prot_p()`, so although the control channel was TLS-protected the data channel was transmitted in cleartext.... Patch the affected deployment and review workflow and admin logs.

Ads by WPQuads

WordPress / CMS 1 CVE
2026-06-26 CVSS 7.5

CVE-2026-54824

Ads by WPQuads - Unauthenticated Sensitive Data Exposure

CVE-2026-54824 affects Ads by WPQuads <= 3.0.3. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Gutenverse Companion

WordPress / CMS 1 CVE
2026-06-26 CVSS 7.5

CVE-2026-54832

Gutenverse Companion - Unauthenticated Broken Access Control

CVE-2026-54832 affects Gutenverse Companion <= 2.5.0. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Object Cache 4 everyone

WordPress / CMS 1 CVE
2026-06-26 CVSS 7.5

CVE-2026-54834

Object Cache 4 everyone - Unauthenticated Sensitive Data Exposure

CVE-2026-54834 affects Object Cache 4 everyone <= 2.3.2. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Five Star Restaurant Menu

WordPress / CMS 1 CVE
2026-06-26 CVSS 7.5

CVE-2026-54835

Five Star Restaurant Menu - Unauthenticated Broken Access Control

CVE-2026-54835 affects Five Star Restaurant Menu <= 2.5.2. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Intranet and Private Site - All-In-One Intranet

WordPress / CMS 1 CVE
2026-06-26 CVSS 7.5

CVE-2026-54837

Intranet and Private Site - All-In-One Intranet - Unauthenticated Broken Access Control

CVE-2026-54837 affects Intranet and Private Site - All-In-One Intranet <= 1.8.1. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Trinity Backup - Backup, Migrate, Restore, Clone and Schedule Backups

WordPress / CMS 1 CVE
2026-06-26 CVSS 7.5

CVE-2026-54839

Trinity Backup - Backup, Migrate, Restore, Clone and Schedule Backups - Unauthenticated Sensitive Data Exposure

CVE-2026-54839 affects Trinity Backup - Backup, Migrate, Restore, Clone and Schedule Backups <= 2.0.9. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Syncee Premium Dropshipping and Wholesale

WordPress / CMS 1 CVE
2026-06-26 CVSS 7.5

CVE-2026-54846

Syncee Premium Dropshipping and Wholesale - Unauthenticated Broken Access Control

CVE-2026-54846 affects Syncee Premium Dropshipping and Wholesale <= 1.0.27. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Stylish Cost Calculator

WordPress / CMS 1 CVE
2026-06-26 CVSS 7.5

CVE-2026-54847

Stylish Cost Calculator - Unauthenticated Broken Access Control

CVE-2026-54847 affects Stylish Cost Calculator <= 8.3.9. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Paymob for WooCommerce

WordPress / WooCommerce 1 CVE
2026-06-26 CVSS 7.5

CVE-2026-56025

Paymob for WooCommerce - Unauthenticated Broken Access Control

CVE-2026-56025 affects Paymob for WooCommerce <= 4.1.2. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

CorvusPay WooCommerce Payment Gateway

WordPress / WooCommerce 1 CVE
2026-06-26 CVSS 7.5

CVE-2026-56029

CorvusPay WooCommerce Payment Gateway - Unauthenticated Broken Authentication

CVE-2026-56029 affects CorvusPay WooCommerce Payment Gateway <= 2.7.4. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Print Invoice & Delivery Notes for WooCommerce

WordPress / WooCommerce 1 CVE
2026-06-26 CVSS 7.5

CVE-2026-56060

Print Invoice & Delivery Notes for WooCommerce - Unauthenticated Sensitive Data Exposure

CVE-2026-56060 affects Print Invoice & Delivery Notes for WooCommerce <= 7.1.1. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Subscriptions for WooCommerce

WordPress / WooCommerce 1 CVE
2026-06-26 CVSS 7.5

CVE-2026-56061

Subscriptions for WooCommerce - Unauthenticated Broken Access Control

CVE-2026-56061 affects Subscriptions for WooCommerce <= 1.9.5. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Toolset Forms

WordPress / CMS 1 CVE
2026-06-26 CVSS 7.5

CVE-2026-56069

Toolset Forms - Unauthenticated Insecure Direct Object References (IDOR)

CVE-2026-56069 affects Toolset Forms <= 2.6.24. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Panorama Viewer 360 Degree Image + Video Viewer

WordPress / CMS 1 CVE
2026-06-26 CVSS 7.5

CVE-2026-57647

Panorama Viewer 360 Degree Image + Video Viewer - Contributor Local File Inclusion

CVE-2026-57647 affects Panorama Viewer 360 Degree Image + Video Viewer <= 1.6.1. Site owners should patch the component, preserve logs, and review files and uploads before closing the issue.

Enable CORS

WordPress / CMS 1 CVE

Apache Kerby

Apache / Crypto 1 CVE
2026-06-26 CVSS 7.3

CVE-2026-57915

Apache Kerby - Kerberos pre-authentication bypass risk

CVE-2026-57915 affects Apache Kerby. It is possible to bypass the Kerberos pre-authentication check in Apache Kerby by sending a PA-DATA with an unrecognized or unsupported type. Users are recommended to upgrade to version 2.1.2, which fixes this issue. Patch the affected deployment and review trust and service logs.

MapPress Maps for WordPress

WordPress / CMS 1 CVE
2026-06-26 CVSS 7.1

CVE-2026-56011

MapPress Maps for WordPress - Unauthenticated Cross Site Scripting (XSS)

CVE-2026-56011 affects MapPress Maps for WordPress <= 2.97.3. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Quick Interest Slider

WordPress / CMS 1 CVE
2026-06-26 CVSS 7.1

CVE-2026-56039

Quick Interest Slider - Unauthenticated Cross Site Scripting (XSS)

CVE-2026-56039 affects Quick Interest Slider <= 3.1.6. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Gutenverse Form

WordPress / CMS 1 CVE
2026-06-26 CVSS 7.1

CVE-2026-56040

Gutenverse Form - Unauthenticated Cross Site Scripting (XSS)

CVE-2026-56040 affects Gutenverse Form <= 2.4.7. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Responsive Lightbox

WordPress / CMS 1 CVE
2026-06-26 CVSS 7.1

CVE-2026-56041

Responsive Lightbox - Unauthenticated Cross Site Scripting (XSS)

CVE-2026-56041 affects Responsive Lightbox <= 2.7.6. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Customer Reviews for WooCommerce

WordPress / WooCommerce 1 CVE
2026-06-26 CVSS 7.1

CVE-2026-56043

Customer Reviews for WooCommerce - Unauthenticated Cross Site Scripting (XSS)

CVE-2026-56043 affects Customer Reviews for WooCommerce <= 5.110.1. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Blog2Social

WordPress / CMS 1 CVE
2026-06-26 CVSS 7.1

CVE-2026-56044

Blog2Social - Unauthenticated Cross Site Scripting (XSS)

CVE-2026-56044 affects Blog2Social <= 8.9.2. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Automatic

WordPress / CMS 1 CVE
2026-06-26 CVSS 7.1

CVE-2026-56045

Automatic - Unauthenticated Cross Site Scripting (XSS)

CVE-2026-56045 affects Automatic < 3.135.1. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

perfmatters

WordPress / CMS 1 CVE
2026-06-26 CVSS 7.1

CVE-2026-56047

perfmatters - Unauthenticated Cross Site Scripting (XSS)

CVE-2026-56047 affects perfmatters <= 2.6.3. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

WoodMart

WordPress / CMS 1 CVE
2026-06-26 CVSS 7.1

CVE-2026-56072

WoodMart - Unauthenticated Cross Site Scripting (XSS)

CVE-2026-56072 affects WoodMart <= 8.5.3. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Everest Forms

WordPress / CMS 1 CVE
2026-06-26 CVSS 7.1

CVE-2026-57312

Everest Forms - Unauthenticated Cross Site Scripting (XSS)

CVE-2026-57312 affects Everest Forms <= 3.4.8. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

SureCart

WordPress / CMS 1 CVE
2026-06-26 CVSS 7.1

CVE-2026-57314

SureCart - Unauthenticated Cross Site Scripting (XSS)

CVE-2026-57314 affects SureCart <= 4.3.2. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

FOX

WordPress / CMS 1 CVE

weMail

WordPress / CMS 1 CVE
2026-06-26 CVSS 7.1

CVE-2026-57322

weMail - Unauthenticated Cross Site Scripting (XSS)

CVE-2026-57322 affects weMail <= 2.1.2. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

NanoMag

WordPress / CMS 1 CVE
2026-06-26 CVSS 7.1

CVE-2026-57325

NanoMag - Unauthenticated Cross Site Scripting (XSS)

CVE-2026-57325 affects NanoMag <= 1.8. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

User Registration & Membership Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder

WordPress / CMS 1 CVE
2026-06-26 CVSS 6.5

CVE-2026-1869

User Registration & Membership Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder - unauthorized modification of data due to missing validation checks in the confirm_payment() function in all versions up to, and including, 5

CVE-2026-1869 affects User Registration & Membership Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder; the vendor has published a fixed release, so confirm the installed version against the advisory. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Payment Gateway Based Fees and Discounts for WooCommerce

WordPress / WooCommerce 1 CVE
2026-06-26 CVSS 6.5

CVE-2026-56048

Payment Gateway Based Fees and Discounts for WooCommerce - Unauthenticated Insecure Direct Object References (IDOR)

CVE-2026-56048 affects Payment Gateway Based Fees and Discounts for WooCommerce <= 3.0.0. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

FunnelKit Payment Gateway for Stripe WooCommerce

WordPress / WooCommerce 1 CVE
2026-06-26 CVSS 6.5

CVE-2026-57635

FunnelKit Payment Gateway for Stripe WooCommerce - Unauthenticated Cross Site Request Forgery (CSRF)

CVE-2026-57635 affects FunnelKit Payment Gateway for Stripe WooCommerce <= 1.14.0.3. Site owners should patch the component, preserve logs, and review users and access before closing the issue.
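The WordPress cards above state the affected range in three shapes: an inclusive bound ("<= 8.3.9", "through 10.1.01"), a strict bound ("Automatic < 3.135.1", where 3.135.1 is the first fixed release), or a single tested version ("WooCommerce 7.1.0"), and some thresholds have four components (FunnelKit's 1.14.0.3). The script below is an added example written for this page, not Ping7's code and not a tool from any vendor listed here. It parses card sentences in that shape, compares them numerically against an installed-plugin inventory, and reports which cards match. It assumes the inventory has the shape of "wp plugin list --fields=name,title,status,version --format=json", matches cards to plugins by normalised title, and embeds a constructed feed and inventory (slugs and installed versions invented) so it runs offline.

```python
import json
import re

# Constructed sample of feed text in the "<CVE> affects <Product> <range>" form the
# cards use (ranges copied from the cards; this is not live feed data).
FEED_ENTRIES = [
    "CVE-2026-54847 affects Stylish Cost Calculator <= 8.3.9.",
    "CVE-2026-56045 affects Automatic < 3.135.1.",
    "CVE-2026-57635 affects FunnelKit Payment Gateway for Stripe WooCommerce <= 1.14.0.3.",
    "CVE-2026-12238 affects WP Go Maps through 10.1.01.",
    "CVE-2022-50972 affects WooCommerce 7.1.0.",
]

# Constructed inventory in the shape of
#   wp plugin list --fields=name,title,status,version --format=json
# (slugs and installed versions are invented for the example).
INSTALLED_JSON = json.dumps([
    {"name": "stylish-cost-calculator", "title": "Stylish Cost Calculator", "status": "active", "version": "8.3.9"},
    {"name": "wp-automatic", "title": "Automatic", "status": "active", "version": "3.135.1"},
    {"name": "funnelkit-stripe-gateway", "title": "FunnelKit Payment Gateway for Stripe WooCommerce", "status": "inactive", "version": "1.14.0.2"},
    {"name": "wp-google-maps", "title": "WP Go Maps", "status": "active", "version": "10.1.1"},
    {"name": "woocommerce", "title": "WooCommerce", "status": "active", "version": "7.1.1"},
])

RANGE_RE = re.compile(r"^(CVE-\d{4}-\d+) affects (.+?) (<=|<|through) (\d[\d.]*)$")
EXACT_RE = re.compile(r"^(CVE-\d{4}-\d+) affects (.+?) (\d[\d.]*)$")


def parse_version(text):
    """'10.1.01' -> (10, 1, 1); the feed only uses dotted numeric versions."""
    return tuple(int(part) for part in text.split("."))


def compare_versions(a, b):
    """Return -1, 0 or 1; the shorter tuple is zero-padded so 2.7 equals 2.7.0."""
    width = max(len(a), len(b))
    a = a + (0,) * (width - len(a))
    b = b + (0,) * (width - len(b))
    return (a > b) - (a < b)


def parse_entry(line):
    """Turn one card sentence into {cve, product, op, version}; None if the shape is unknown."""
    line = line.strip().rstrip(".")
    match = RANGE_RE.match(line)
    if match:
        cve, product, op, version = match.groups()
        return {"cve": cve, "product": product, "op": "<=" if op == "through" else op, "version": version}
    match = EXACT_RE.match(line)
    if match:
        cve, product, version = match.groups()
        # A bare version is the version the reporter tested, not a proven upper bound.
        return {"cve": cve, "product": product, "op": "==", "version": version}
    return None


def normalise(title):
    """Lower-case and strip punctuation so card titles and plugin titles compare equal."""
    return re.sub(r"[^a-z0-9]", "", title.lower())


def version_matches(op, installed, threshold):
    c = compare_versions(parse_version(installed), parse_version(threshold))
    return {"<=": c <= 0, "<": c < 0, "==": c == 0}[op]


def check(feed_entries, installed_json):
    """Return one finding per card whose product is installed, with an affected flag."""
    plugins = {normalise(p["title"]): p for p in json.loads(installed_json)}
    findings = []
    for line in feed_entries:
        entry = parse_entry(line)
        if entry is None:
            continue
        plugin = plugins.get(normalise(entry["product"]))
        if plugin is None:
            continue
        findings.append({
            "cve": entry["cve"],
            "plugin": plugin["title"],
            "installed": plugin["version"],
            "range": f'{entry["op"]} {entry["version"]}',
            "affected": version_matches(entry["op"], plugin["version"], entry["version"]),
            "active": plugin["status"] == "active",
        })
    return findings


if __name__ == "__main__":
    for f in check(FEED_ENTRIES, INSTALLED_JSON):
        flag = "AFFECTED" if f["affected"] else "ok"
        suffix = "" if f["active"] else " [inactive]"
        print(f'{f["cve"]}: {f["plugin"]} {f["installed"]} ({f["range"]}) -> {flag}{suffix}')
```

Two details matter in practice. The inclusive/strict distinction is real: a site on Automatic 3.135.1 is on the first fixed release and is correctly not flagged, while 10.1.1 still matches a "through 10.1.01" bound because components compare as numbers, not strings. An inactive plugin is still reported, because its PHP files remain on disk and can be requested directly wherever the web server serves them; remove it rather than leave it deactivated. A card that names only a single tested version (the WooCommerce 7.1.0 entry) is treated as an exact match here, so read it as the minimum evidence of exposure and confirm the real range with the vendor before clearing a neighbouring version.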

Daan.Dev OMGF Pro

WordPress / CMS 1 CVE
2026-06-25 CVSS 10.0

CVE-2026-57700

Daan.Dev OMGF Pro - Unrestricted Upload of File with Dangerous Type vulnerability

CVE-2026-57700 affects Daan.Dev OMGF Pro; the vendor has published a fixed release, so confirm the installed version against the advisory. Site owners should patch the component, preserve logs, and review files and uploads before closing the issue.

Widget Options

WordPress / CMS 1 CVE
2026-06-25 CVSS 9.9

CVE-2026-54823

Widget Options - Contributor Remote Code Execution (RCE)

CVE-2026-54823 affects Widget Options <= 4.2.3. Site owners should patch the component, preserve logs, and review logs and users before closing the issue.

ToolJet

DevOps / Self-hosted 1 CVE
2026-06-25 CVSS 9.4

CVE-2026-55413

ToolJet - remote code execution risk

CVE-2026-55413 affects ToolJet. ToolJet is an open-source, AI-native platform for building and deploying internal tools, workflows and AI agents. Prior to 3.20.178-lts, any authenticated user with the builder role (free tier) can overwrite a ... Patch the affected deployment and review workflow and admin logs.

YMC Filter

WordPress / CMS 1 CVE
2026-06-25 CVSS 9.3

CVE-2026-54836

YMC Filter - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability

CVE-2026-54836 affects YMC Filter; the vendor has published a fixed release, so confirm the installed version against the advisory. Site owners should patch the component, preserve logs, and review database logs before closing the issue.

Premmerce Wishlist for WooCommerce

WordPress / WooCommerce 1 CVE
2026-06-25 CVSS 9.3

CVE-2026-54849

Premmerce Wishlist for WooCommerce - Unauthenticated SQL Injection

CVE-2026-54849 affects Premmerce Wishlist for WooCommerce <= 1.1.11. Site owners should patch the component, preserve logs, and review database logs before closing the issue.

SALESmanago & Leadoo

WordPress / CMS 1 CVE
2026-06-25 CVSS 8.5

CVE-2026-54822

SALESmanago & Leadoo - Subscriber SQL Injection

CVE-2026-54822 affects SALESmanago & Leadoo <= 3.11.2. Site owners should patch the component, preserve logs, and review database logs before closing the issue.

WC Vendors Marketplace

WordPress / CMS 1 CVE
2026-06-25 CVSS 8.5

CVE-2026-54838

WC Vendors Marketplace - Subscriber SQL Injection

CVE-2026-54838 affects WC Vendors Marketplace <= 2.6.8. Site owners should patch the component, preserve logs, and review database logs before closing the issue.

Post Snippets

WordPress / CMS 1 CVE
2026-06-25 CVSS 8.5

CVE-2026-56049

Post Snippets - Contributor Remote Code Execution (RCE)

CVE-2026-56049 affects Post Snippets <= 4.0.19. Site owners should patch the component, preserve logs, and review logs and users before closing the issue.

Saad Iqbal APIExperts Square for WooCommerce

WordPress / WooCommerce 1 CVE
2026-06-25 CVSS 8.3

CVE-2026-54848

Saad Iqbal APIExperts Square for WooCommerce - Insertion of Sensitive Information Into Sent Data vulnerability

CVE-2026-54848 affects Saad Iqbal APIExperts Square for WooCommerce; the vendor has published a fixed release, so confirm the installed version against the advisory. Site owners should patch the component, preserve logs, and review data exposure before closing the issue.

Apache Shiro Guice

Runtime / Watch 1 CVE
2026-06-25 CVSS 8.2

CVE-2026-56091

Apache Shiro Guice - authentication bypass risk

CVE-2026-56091 affects Apache Shiro Guice. When using Apache Shiro with the shiro-guice module in a web servlet context, a specially crafted HTTP request may cause an authentication bypass. Patch the affected deployment, confirm whether the shiro-guice module is actually on the classpath of each servlet application, and review authentication and access logs for protected paths reached without a successful login.

HTMLy CMS

PHP / CMS 1 CVE
2026-06-25 CVSS 8.1

CVE-2026-45233

HTMLy CMS - path traversal risk

CVE-2026-45233 affects HTMLy CMS. HTMLy CMS through 3.1.1 contains a path traversal vulnerability that allows low-privileged authenticated attackers to relocate arbitrary files by supplying directory traversal sequences in the oldfile parameter at the ad... Patch the affected deployment and review web and app logs.

Royal Plugins Royal MCP

WordPress / CMS 1 CVE
2026-06-25 CVSS 8.1

CVE-2026-54842

Royal Plugins Royal MCP - Missing Authorization vulnerability

CVE-2026-54842 affects Royal Plugins Royal MCP; the vendor has published a fixed release, so confirm the installed version against the advisory. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Grocery Store Management System

PHP / CMS 1 CVE
2026-06-25 CVSS 7.7

CVE-2026-37149

Grocery Store Management System - SQL injection risk

CVE-2026-37149 affects Grocery Store Management System. GROCERY-STORE-MANAGEMENT-SYSTEM-USING-PHP-AND-MYSQL-PHPMYADMIN v1.0 was discovered to contain a SQL injection vulnerability in the scost parameter in /grocery/search_products.php. This vulnerability allows attackers to a... Patch the affected deployment and review web and app logs.

Tourfic AI Powered Travel Booking, Hotel Booking & Car Rental WordPress

WordPress / CMS 1 CVE
2026-06-25 CVSS 7.5

CVE-2026-12937

Tourfic AI Powered Travel Booking, Hotel Booking & Car Rental WordPress - generic SQL Injection

CVE-2026-12937 affects Tourfic AI Powered Travel Booking, Hotel Booking & Car Rental WordPress; the vendor has published a fixed release, so confirm the installed version against the advisory. Site owners should patch the component, preserve logs, and review database logs before closing the issue.

MainWP Child

WordPress / CMS 1 CVE
2026-06-25 CVSS 7.5

CVE-2026-27366

MainWP Child - Unauthenticated Broken Access Control

CVE-2026-27366 affects MainWP Child <= 6.1.1. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Jacob N. Breetvelt WP Photo Album Plus

WordPress / CMS 1 CVE
2026-06-25 CVSS 7.5

CVE-2026-54829

Jacob N. Breetvelt WP Photo Album Plus - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability

CVE-2026-54829 affects Jacob N. Breetvelt WP Photo Album Plus; the vendor has published a fixed release, so confirm the installed version against the advisory. Site owners should patch the component, preserve logs, and review database logs before closing the issue.

Five Star Restaurant Reservations

WordPress / CMS 1 CVE
2026-06-25 CVSS 7.5

CVE-2026-54830

Five Star Restaurant Reservations - Unauthenticated Broken Access Control

CVE-2026-54830 affects Five Star Restaurant Reservations <= 2.7.19. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Vitepos

WordPress / CMS 1 CVE

CheckView Automated Testing

WordPress / CMS 1 CVE
2026-06-25 CVSS 7.5

CVE-2026-54844

CheckView Automated Testing - Unauthenticated Broken Access Control

CVE-2026-54844 affects CheckView Automated Testing <= 2.1.0. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

InPost PL

WordPress / WooCommerce 1 CVE

3X-UI

DevOps / Self-hosted 1 CVE
2026-06-25 CVSS 7.2

CVE-2026-55477

3X-UI - authenticated admin arbitrary file write risk

CVE-2026-55477 affects 3X-UI. 3X-UI is a web control panel for managing Xray-core servers. Prior to 3.3.1, an authenticated administrator can abuse the database import functionality to achieve arbitrary file write on the host by modifying Xray config... Patch the affected deployment and review workflow and admin logs.

Master Slider

WordPress / CMS 1 CVE
2026-06-25 CVSS 7.1

CVE-2026-56014

Master Slider - Unauthenticated Cross Site Scripting (XSS)

CVE-2026-56014 affects Master Slider <= 3.11.2. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Advanced Order Export For WooCommerce

WordPress / WooCommerce 1 CVE
2026-06-25 CVSS 7.1

CVE-2026-56042

Advanced Order Export For WooCommerce - Customer Cross Site Scripting (XSS)

CVE-2026-56042 affects Advanced Order Export For WooCommerce <= 4.0.9. Site owners should patch the component, preserve logs, and review content and widgets before closing the issue.

TablePress

WordPress / CMS 1 CVE
2026-06-25 CVSS 7.1

CVE-2026-56051

TablePress - Unauthenticated Cross Site Scripting (XSS)

CVE-2026-56051 affects TablePress <= 3.3.1. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Forminator

WordPress / CMS 1 CVE
2026-06-25 CVSS 7.1

CVE-2026-56071

Forminator - Unauthenticated Cross Site Scripting (XSS)

CVE-2026-56071 affects Forminator <= 1.53.1. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

License Manager for WooCommerce

WordPress / WooCommerce 1 CVE
2026-06-25 CVSS 6.5

CVE-2026-56013

License Manager for WooCommerce - Unauthenticated Insecure Direct Object References (IDOR)

CVE-2026-56013 affects License Manager for WooCommerce <= 3.0.15. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

Themeisle PPOM for WooCommerce

WordPress / WooCommerce 1 CVE
2026-06-25 CVSS 6.5

CVE-2026-56050

Themeisle PPOM for WooCommerce - Improper Access Control vulnerability

CVE-2026-56050 affects Themeisle PPOM for WooCommerce; the vendor has published a fixed release, so confirm the installed version against the advisory. Site owners should patch the component, preserve logs, and review users and access before closing the issue.

shell-quote

Node.js Dependency 1 CVE
2026-06-25 CVSS 8.7

CVE-2026-13311

shell-quote - parse() event-loop denial of service risk

CVE-2026-13311 affects shell-quote before 1.8.5. Node.js services that pass untrusted text into parse() should update dependency locks and review request timeout or event-loop stall evidence.

Public PoC

Rapid7 InsightConnect AWK Plugin

SOAR / Automation 1 CVE
2026-06-25 CVSS 7.7

CVE-2026-8592

Rapid7 InsightConnect AWK Plugin - command execution risk in Linux workflow action

CVE-2026-8592 affects the Rapid7 InsightConnect AWK Plugin on Linux. Review workflow runs, connector permissions, input sources, generated artifacts, and runner logs before re-enabling affected automation.

Rapid7 InsightConnect Translate Plugin

SOAR / Automation 1 CVE
2026-06-25 CVSS 7.7

CVE-2026-8665

Rapid7 InsightConnect Translate Plugin - command execution risk in Linux workflow action

CVE-2026-8665 affects the Rapid7 InsightConnect Translate Plugin on Linux. Review workflow runs, connector permissions, input sources, generated artifacts, and runner logs before re-enabling affected automation.

AutoGPT

Self-hosted DevOps / AI 1 CVE

Sentry

Self-hosted DevOps / AI 1 CVE

AdRotate Banner Manager

WordPress Plugin 1 CVE

ShapedPlugin plugin bundle

WordPress Plugin 1 CVE
2026-06-24 CVSS 7.5

CVE-2026-10735

ShapedPlugin compromised update supply-chain risk

CVE-2026-10735 affects the ShapedPlugin products Smart Post Show Pro before 4.0.2, Real Testimonials Pro before 3.2.5, and Product Slider for WooCommerce Pro before 3.5.3. Because this is a compromised-update case, review the update history and on-disk plugin files, users, and credentials, not only the version number.

AngularJS

Frontend Framework 1 CVE
2026-06-24 CVSS 7.6

CVE-2026-11998

AngularJS - SCE resource URL bypass risk

CVE-2026-11998 affects AngularJS 1.2.0-rc.3 and later in Strict Contextual Escaping resource URL policy handling. Review legacy AngularJS apps, trusted resource URL rules, and migration plans.

Tiptap for PHP

PHP / Editor Library 1 CVE
2026-06-24 CVSS 7.1

CVE-2026-47110

Tiptap for PHP - malformed link attribute denial of service

CVE-2026-47110 affects Tiptap for PHP before 2.1.1. Review stored editor JSON records, rendering errors, and authenticated editor activity after upgrading.

Public PoC

SignUp & SignIn

WordPress Plugin 1 CVE
2026-06-24 CVSS 9.8

CVE-2026-12417

SignUp & SignIn - weak password reset account takeover risk

CVE-2026-12417 affects the WordPress SignUp & SignIn plugin through 1.0.0. Site owners should patch or remove the plugin, review password reset events, and check for unexpected administrator access.

Public PoC

Welcome Software Publishing

WordPress Plugin 1 CVE
2026-06-24 CVSS 8.8

CVE-2026-4297

Welcome Software Publishing - arbitrary option update privilege escalation

CVE-2026-4297 affects the Welcome Software Publishing plugin through 0.0.31. Review XML-RPC exposure, changed site options, default role settings, and newly registered users.

Ultimate Member

WordPress Plugin 1 CVE
2026-06-24 CVSS 8.8

CVE-2026-7761

Ultimate Member - password reset link exposure risk

CVE-2026-7761 affects Ultimate Member through 2.11.4. Review contributor accounts, member directory configuration, password reset events, and administrator sessions before closing the issue.

ClearSale Total

WordPress Plugin 1 CVE
2026-06-24 CVSS 7.5

CVE-2026-8705

ClearSale Total - unauthenticated SQL injection risk

CVE-2026-8705 affects ClearSale Total through 3.4.2. Stores should patch or remove the plugin, confirm the PHP runtime state, and review WooCommerce payment and plugin logs.

Public PoC

FunnelKit Funnel Builder

WordPress Plugin 1 CVE
2026-06-24 CVSS 7.6

CVE-2026-56052

FunnelKit Funnel Builder - blind SQL injection risk

CVE-2026-56052 affects FunnelKit Funnel Builder through 3.15.0.5. Review funnel changes, administrator activity, and database errors before reopening checkout or marketing flows.

WhatsOrder Instant Checkout for WooCommerce

WordPress Plugin 1 CVE
2026-06-24 CVSS 5.3

CVE-2026-9612

WhatsOrder Instant Checkout - WooCommerce invoice data exposure

CVE-2026-9612 affects WhatsOrder Instant Checkout for WooCommerce through 1.0.1. Review generated invoice files, customer data exposure, and web server access before closing the incident.

Email JavaScript Cloak

WordPress Plugin 1 CVE
2026-06-24 CVSS 7.2

CVE-2026-10091

Email JavaScript Cloak - shortcode stored XSS risk

CVE-2026-10091 affects Email JavaScript Cloak through 1.03. Review contributor posts, shortcode usage, administrator visits, and changed pages after patching.

Cincopa video and media plugin

WordPress Plugin 1 CVE
2026-06-24 CVSS 7.2

CVE-2026-10092

Cincopa video and media plugin - comment shortcode stored XSS risk

CVE-2026-10092 affects the Cincopa video and media plugin through 1.163. Review recent comments, moderation queues, administrator visits, and changed posts after patching.

Public PoC

Kargo Takip

WordPress Plugin 1 CVE
2026-06-24 CVSS 7.2

CVE-2026-12095

Kargo Takip - unauthenticated SSRF risk

CVE-2026-12095 affects Kargo Takip through 1.2. Review outbound request logs, hosting metadata exposure controls, and plugin access before returning it to service.

URL Preview

WordPress Plugin 1 CVE
2026-06-24 CVSS 7.2

CVE-2026-12100

URL Preview - unauthenticated SSRF risk

CVE-2026-12100 affects URL Preview through 1.0. Review outbound request logs, allow-lists, and internal service exposure before enabling preview features again.

WP Meta SEO

WordPress Plugin 1 CVE
2026-06-24 CVSS 7.2

CVE-2026-9643

WP Meta SEO - unauthenticated stored XSS through 404 records

CVE-2026-9643 affects WP Meta SEO through 4.5.18. Review 404 records, redirect tables, administrator visits, and changed SEO settings after patching.

ARForms

WordPress Plugin 1 CVE
2026-06-24 CVSS 7.2

CVE-2026-3652

ARForms - incomplete form data stored XSS risk

CVE-2026-3652 affects ARForms through 7.1.3. Review partial form entries, form submissions, administrator visits, and changed pages after patching.

Spring Statemachine

Java / Spring 1 CVE
2026-06-23 CVSS 8.8

CVE-2026-41862

Spring Statemachine - Kryo persisted context deserialization

CVE-2026-41862 affects Spring Statemachine Kryo persistence backends when persisted contexts deserialize without an allowlist. Patch and plan the persisted-state migration before restart.

Electron

Node.js / Desktop Runtime 1 CVE
2026-06-23 CVSS 9.3

CVE-2026-54257

Electron - Node Buffer byte length calculation issue

CVE-2026-54257 affects Electron 42.3.1 and 42.3.2 through incorrect Node Buffer byte length calculations. Patch Electron and rebuild distributed desktop packages.

Public PoC

Deno

JavaScript Runtime 1 CVE
2026-06-23 CVSS 7.4

CVE-2026-44726

Deno Node TLS compatibility - plaintext retry risk

CVE-2026-44726 affects Deno 2.0.0 through 2.7.7 when Node TLS compatibility retry handling can leave application data unprotected. Patch and review outbound TLS clients.

Public PoC

Hono

Node.js / Web Framework 1 CVE
2026-06-23 CVSS 6.9

CVE-2026-56762

Hono - cookie name validation robustness issue

CVE-2026-56762 affects Hono before 4.12.12 when cookie names on the write path are not validated. Patch and review setCookie, serialize, and serializeSigned call sites.

Public PoC

expr-eval

Node.js / Expression Parser 1 CVE
2026-06-23 CVSS 9.8

CVE-2026-12866

expr-eval - toJSFunction code execution risk

CVE-2026-12866 affects expr-eval when untrusted expressions reach toJSFunction. Review Node services that compile user-controlled expressions, remove that path, and isolate affected workers.

Public PoC

@nestjs/platform-fastify

Node.js / Web Framework 1 CVE
2026-06-22 CVSS 8.7

CVE-2026-54281

NestJS Fastify adapter - middleware route bypass risk

CVE-2026-54281 affects @nestjs/platform-fastify before 11.1.24 when route middleware coverage can differ from intended Fastify routing. Patch and review middleware-protected routes.

Public PoC

PhpSpreadsheet

PHP / Spreadsheet Library 1 CVE

phpseclib

PHP / Crypto Library 1 CVE
2026-06-22 CVSS 5.8

CVE-2026-55599

phpseclib - X.509 AIA outbound request SSRF risk

CVE-2026-55599 affects phpseclib certificate validation when untrusted certificates can trigger outbound AIA fetches. Patch and review services that validate uploaded or partner-supplied certificates.

Public PoC

vLLM

AI / Model Serving 1 CVE
2026-06-22 CVSS 8.8

CVE-2026-54232

vLLM Dockerfile - dependency confusion build risk

CVE-2026-54232 affects vLLM Docker builds before 0.22.1 through a dependency-confusion risk in a Dockerfile package install path. Rebuild images with fixed vLLM, verify package sources, and rotate secrets if affected images reached production.

Public PoC

Craft CMS

PHP CMS 1 CVE
2026-06-21 CVSS 8.6

CVE-2026-56382

Craft CMS - authenticated admin remote code execution risk

CVE-2026-56382 affects Craft CMS 5.5.0 through 5.9.13. Patch or remove public exposure, preserve logs, and review Composer lock files, admin field-layout changes, and environment access before closing the issue.

Public PoC

Montodel House-Rental-Management

PHP / Self-hosted App 1 CVE
2026-06-21 CVSS 7.5

CVE-2026-12775

Montodel House-Rental-Management - SQL injection

CVE-2026-12775 affects Montodel House-Rental-Management, which ships as a rolling release with no versioned fix; treat any copy taken before the reported fix commit as affected. Patch or remove public exposure, preserve logs, and review login logs, rental records, database errors, and changed users.

Public PoC

Apache NiFi

Dataflow / Apache 1 CVE
2026-06-22 CVSS 7.5

CVE-2026-44914

Apache NiFi - restricted component authorization gap

CVE-2026-44914 affects Apache NiFi 1.12.0 through 2.9.0 when replacing process groups that include components requiring restricted permissions. Review users with write access, restricted component policy, and flow replacement activity.

Angular Language Service

Developer Tooling 1 CVE
2026-06-22 CVSS 8.7

CVE-2026-49241

Angular Language Service VS Code extension - workspace trust bypass RCE risk

CVE-2026-49241 affects Angular Language Service VS Code extension versions before 21.2.4. Developer workstations should update the extension, review Workspace Trust settings, and inspect recent untrusted repository opens.

Public PoC

@angular/common

JavaScript Framework 1 CVE
2026-06-22 CVSS 8.2

CVE-2026-54268

Angular common - date formatting denial-of-service risk

CVE-2026-54268 affects @angular/common date formatting when untrusted date format strings reach formatDate or DatePipe. Patch Angular and review SSR routes, user preferences, and API data that can influence date formats.

Public PoC

piscina

Node.js / Worker Pool 1 CVE
2026-06-22 CVSS 8.1

CVE-2026-55388

piscina - inherited filename option worker execution risk

CVE-2026-55388 affects piscina when polluted prototype properties can influence worker options. Node services should upgrade piscina, audit prototype-pollution sources, and review worker process activity.

Public PoC

Apache Doris MCP Server

AI / Database MCP 1 CVE
2026-06-22 CVSS 8.1

CVE-2025-66336

Apache Doris MCP Server - metadata query SQL injection

CVE-2025-66336 affects Apache Doris MCP Server metadata queries when database names reach SQL construction without the intended authorization context. Patch to 0.6.1 or newer and review MCP and Doris audit logs.

libxml2

System Library 1 CVE
2026-06-22 CVSS 7.0

CVE-2026-6653

libxml2 - xmlParseInternalSubset use-after-free denial-of-service risk

CVE-2026-6653 affects libxml2 2.9.11 through 2.11.0 in XML internal subset parsing. Patch operating system packages and review services that parse untrusted XML for crashes or parser errors.

Ultimate WooCommerce Auction Pro

WordPress / WooCommerce 1 CVE
2026-06-22 CVSS 7.1

CVE-2026-4259

Ultimate WooCommerce Auction Pro - reflected XSS against admins

CVE-2026-4259 affects Ultimate WooCommerce Auction Pro through 2.4.5. Store owners should patch or disable the plugin, review auction pages, and preserve admin activity logs if suspicious links were opened.

Branda

WordPress / Plugin 1 CVE
2026-06-20 CVSS 9.8

CVE-2026-11551

Branda - account takeover / privilege escalation

CVE-2026-11551 affects Branda through 3.4.29. Confirm the installed version, patch or disable the component, and review password reset events, administrators, and login sessions before closing the issue.

Database for Contact Form 7, WPForms, Elementor Forms

WordPress / Forms 1 CVE
2026-06-20 CVSS 8.1

CVE-2026-9843

Database for Contact Form 7, WPForms, Elementor Forms - arbitrary file deletion

CVE-2026-9843 affects Database for Contact Form 7, WPForms, Elementor Forms through 1.5.1. Confirm the installed version, patch or disable the component, and review form entries, deleted files, and recent admin views before closing the issue.

Public PoC

WP Go Maps

WordPress / Plugin 1 CVE
2026-06-19 CVSS 5.3

CVE-2026-12238

WP Go Maps - authorization bypass

CVE-2026-12238 affects WP Go Maps through 10.1.01. Confirm the installed version, patch or disable the component, and review map records, REST activity, and plugin settings before closing the issue.

WooCommerce

WordPress / Ecommerce 1 CVE
2026-06-20 CVSS 9.8

CVE-2022-50972

WooCommerce - remote code execution risk

CVE-2022-50972 affects WooCommerce 7.1.0. Confirm the installed version, patch or disable the component, and review WooCommerce product edits, changed PHP files, and web root file timestamps before closing the issue.

Public PoC

Joomla SP Page Builder

Joomla / Extension 1 CVE
2026-06-19 CVSS 10.0

CVE-2026-48908

Joomla SP Page Builder - unauthenticated file upload

CVE-2026-48908 affects Joomla SP Page Builder; the affected versions are those named in the vendor advisory. Check whether the extension is installed, remove abandoned copies, and review uploads, executable files, and public builder routes.

Public PoC

Joomla iCagenda

Joomla / Extension 1 CVE
2026-06-19 CVSS 10.0

CVE-2026-48939

Joomla iCagenda - file attachment upload risk

CVE-2026-48939 affects Joomla iCagenda; the affected versions are those named in the vendor advisory. Check whether the extension is installed, remove abandoned copies, and review event attachments, uploads, and executable files.

Public PoC

Joomla NextGen Editor

Joomla / Extension 1 CVE
2026-06-19 CVSS 8.8

CVE-2017-20252

Joomla NextGen Editor - SQL injection

CVE-2017-20252 affects Joomla NextGen Editor 2.1.0. Check whether the extension is installed, remove abandoned copies, and review database errors, extension settings, and user activity.

Public PoC

Joomla My Projects

Joomla / Extension 1 CVE
2026-06-19 CVSS 8.8

CVE-2017-20253

Joomla My Projects - SQL injection

CVE-2017-20253 affects Joomla My Projects 2.0. Check whether the extension is installed, remove abandoned copies, and review project records, database errors, and user activity.

Public PoC

Joomla User Bench

Joomla / Extension 1 CVE
2026-06-19 CVSS 8.8

CVE-2017-20254

Joomla User Bench - SQL injection

CVE-2017-20254 affects Joomla User Bench 1.0. Check whether the extension is installed, remove abandoned copies, and review user records, database errors, and access logs.

Public PoC

Joomla JB Visa

Joomla / Extension 1 CVE
2026-06-19 CVSS 8.8

CVE-2017-20255

Joomla JB Visa - SQL injection

CVE-2017-20255 affects Joomla JB Visa 1.0. Check whether the extension is installed, remove abandoned copies, and review booking records, database errors, and access logs.

Public PoC

Joomla Survey Force Deluxe

Joomla / Extension 1 CVE
2026-06-19 CVSS 8.8

CVE-2017-20256

Joomla Survey Force Deluxe - SQL injection

CVE-2017-20256 affects Joomla Survey Force Deluxe 3.2.4. Check whether the extension is installed, remove abandoned copies, and review survey records, database errors, and access logs.

Public PoC

Joomla Quiz Deluxe

Joomla / Extension 1 CVE
2026-06-19 CVSS 8.8

CVE-2017-20257

Joomla Quiz Deluxe - SQL injection

CVE-2017-20257 affects Joomla Quiz Deluxe 3.7.4. Check whether the extension is installed, remove abandoned copies, and review quiz records, database errors, and access logs.

Public PoC

Joomla RPC Responsive Portfolio

Joomla / Extension 1 CVE
2026-06-19 CVSS 8.8

CVE-2017-20258

Joomla RPC Responsive Portfolio - SQL injection

CVE-2017-20258 affects Joomla RPC Responsive Portfolio 1.6.1. Check whether the extension is installed, remove abandoned copies, and review portfolio records, database errors, and access logs.

Public PoC

Joomla OSDownloads

Joomla / Extension 1 CVE
2026-06-19 CVSS 8.8

CVE-2017-20259

Joomla OSDownloads - SQL injection

CVE-2017-20259 affects Joomla OSDownloads 1.7.4. Check whether the extension is installed, remove abandoned copies, and review download records, database errors, and access logs.

Public PoC

Joomla Price Alert

Joomla / Extension 1 CVE
2026-06-19 CVSS 8.8

CVE-2017-20260

Joomla Price Alert - SQL injection

CVE-2017-20260 affects Joomla Price Alert 3.0.2. Check whether the extension is installed, remove abandoned copies, and review price alert records, database errors, and access logs.

Public PoC

Joomla Bargain Product VM3

Joomla / Extension 1 CVE
2026-06-19 CVSS 8.8

CVE-2017-20261

Joomla Bargain Product VM3 - SQL injection

CVE-2017-20261 affects Joomla Bargain Product VM3 1.0. Check whether the extension is installed, remove abandoned copies, and review VirtueMart product records, database errors, and access logs.

Public PoC

Joomla Ajax Quiz

Joomla / Extension 1 CVE
2026-06-19 CVSS 8.8

CVE-2017-20262

Joomla Ajax Quiz - SQL injection

CVE-2017-20262 affects Joomla Ajax Quiz 1.8. Check whether the extension is installed, remove abandoned copies, and review quiz records, database errors, and access logs.

Public PoC

Joomla FocalPoint Pro/Free

Joomla / Extension 1 CVE
2026-06-19 CVSS 8.8

CVE-2017-20263

Joomla FocalPoint Pro/Free - SQL injection

CVE-2017-20263 affects Joomla FocalPoint Pro/Free 1.2.3. Check whether the extension is installed, remove abandoned copies, and review content records, database errors, and access logs.

Public PoC

Joomla Sponsor Wall

Joomla / Extension 1 CVE
2026-06-19 CVSS 7.1

CVE-2017-20264

Joomla Sponsor Wall - SQL injection

CVE-2017-20264 affects Joomla Sponsor Wall 8.0. Check whether the extension is installed, remove abandoned copies, and review sponsor records, database errors, and authenticated user activity.

Public PoC

Joomla Flip Wall

Joomla / Extension 1 CVE
2026-06-19 CVSS 7.1

CVE-2017-20265

Joomla Flip Wall - SQL injection

CVE-2017-20265 affects Joomla Flip Wall 8.0. Check whether the extension is installed, remove abandoned copies, and review wall records, database errors, and authenticated user activity.

Public PoC

Joomla SP Movie Database

Joomla / Extension 1 CVE
2026-06-19 CVSS 8.8

CVE-2017-20266

Joomla SP Movie Database - SQL injection

CVE-2017-20266 affects Joomla SP Movie Database 1.3. Check whether the extension is installed, remove abandoned copies, and review movie records, database errors, and access logs.

Public PoC

Joomla Calendar Planner

Joomla / Extension 1 CVE
2026-06-19 CVSS 8.8

CVE-2017-20267

Joomla Calendar Planner - SQL injection

CVE-2017-20267 affects Joomla Calendar Planner 1.0.1. Check whether the extension is installed, remove abandoned copies, and review calendar records, database errors, and access logs.

Public PoC

Joomla Zap Calendar Lite

Joomla / Extension 1 CVE
2026-06-19 CVSS 8.8

CVE-2017-20268

Joomla Zap Calendar Lite - SQL injection

CVE-2017-20268 affects Joomla Zap Calendar Lite 4.3.4. Check whether the extension is installed, remove abandoned copies, and review calendar records, database errors, and access logs.

Public PoC

Joomla KissGallery

Joomla / Extension 1 CVE
2026-06-19 CVSS 8.8

CVE-2017-20269

Joomla KissGallery - SQL injection

CVE-2017-20269 affects Joomla KissGallery 1.0.0. Check whether the extension is installed, remove abandoned copies, and review gallery records, database errors, and access logs.

Public PoC

Joomla Twitch Tv

Joomla / Extension 1 CVE
2026-06-19 CVSS 8.8

CVE-2017-20270

Joomla Twitch Tv - SQL injection

CVE-2017-20270 affects Joomla Twitch Tv 1.1. Check whether the extension is installed, remove abandoned copies, and review video records, database errors, and access logs.

Public PoC

Joomla StreetGuessr Game

Joomla / Extension 1 CVE
2026-06-19 CVSS 8.8

CVE-2017-20271

Joomla StreetGuessr Game - SQL injection

CVE-2017-20271 affects Joomla StreetGuessr Game 1.1.8. Check whether the extension is installed, remove abandoned copies, and review game records, database errors, and access logs.

Public PoC

Joomla Ultimate Property Listing

Joomla / Extension 1 CVE
2026-06-19 CVSS 8.8

CVE-2017-20272

Joomla Ultimate Property Listing - SQL injection

CVE-2017-20272 affects Joomla Ultimate Property Listing 1.0.2. Check whether the extension is installed, remove abandoned copies, and review property records, database errors, and access logs.

Public PoC

Joomla Event Registration Pro Calendar

Joomla / Extension 1 CVE
2026-06-19 CVSS 8.8

CVE-2017-20273

Joomla Event Registration Pro Calendar - SQL injection

CVE-2017-20273 affects Joomla Event Registration Pro Calendar 4.1.3. Check whether the extension is installed, remove abandoned copies, and review event records, database errors, and access logs.

Public PoC

Joomla LMS King Professional

Joomla / Extension 1 CVE
2026-06-19 CVSS 8.8

CVE-2017-20274

Joomla LMS King Professional - SQL injection

CVE-2017-20274 affects Joomla LMS King Professional 3.2.4.0. Check whether the extension is installed, remove abandoned copies, and review course records, database errors, and access logs.

Public PoC

Joomla PHP-Bridge

Joomla / Extension 1 CVE
2026-06-19 CVSS 8.8

CVE-2017-20275

Joomla PHP-Bridge - SQL injection

CVE-2017-20275 affects Joomla PHP-Bridge 1.2.3. Check whether the extension is installed, remove abandoned copies, and review bridge records, database errors, and access logs.

Public PoC

Joomla SIMGenealogy

Joomla / Extension 1 CVE
2026-06-19 CVSS 8.8

CVE-2017-20276

Joomla SIMGenealogy - SQL injection

CVE-2017-20276 affects Joomla SIMGenealogy 2.1.5. Check whether the extension is installed, remove abandoned copies, and review genealogy records, database errors, and access logs.

Public PoC

Joomla Payage

Joomla / Extension 1 CVE
2026-06-19 CVSS 8.8

CVE-2017-20279

Joomla Payage - SQL injection

CVE-2017-20279 affects Joomla Payage 2.05. Check whether the extension is installed, remove abandoned copies, and review payment records, database errors, and access logs.

Public PoC

Joomla Myportfolio

Joomla / Extension 1 CVE
2026-06-19 CVSS 8.8

CVE-2017-20280

Joomla Myportfolio - SQL injection

CVE-2017-20280 affects Joomla Myportfolio 3.0.2. Check whether the extension is installed, remove abandoned copies, and review portfolio records, database errors, and access logs.

Public PoC

Joomla jCart for OpenCart

Joomla / Extension 1 CVE
2026-06-19 CVSS 8.8

CVE-2017-20282

Joomla jCart for OpenCart - SQL injection

CVE-2017-20282 affects Joomla jCart for OpenCart 2.0. Check whether the extension is installed, remove abandoned copies, and review cart records, database errors, and access logs.

Public PoC

Joomla JHotelReservation

Joomla / Extension 1 CVE
2026-06-19 CVSS 8.8

CVE-2019-25748

Joomla JHotelReservation - SQL injection

CVE-2019-25748 affects Joomla JHotelReservation 6.0.7. Check whether the extension is installed, remove abandoned copies, and review reservation records, database errors, and access logs.

Public PoC

Joomla J-CruisePortal

Joomla / Extension 1 CVE
2026-06-19 CVSS 7.1

CVE-2019-25749

Joomla J-CruisePortal - SQL injection

CVE-2019-25749 affects Joomla J-CruisePortal 6.0.4. Check whether the extension is installed, remove abandoned copies, and review cruise records, database errors, and authenticated user activity.

Public PoC

Joomla J-MultipleHotelReservation

Joomla / Extension 1 CVE
2026-06-19 CVSS 8.8

CVE-2019-25750

Joomla J-MultipleHotelReservation - SQL injection

CVE-2019-25750 affects Joomla J-MultipleHotelReservation 6.0.7. Check whether the extension is installed, remove abandoned copies, and review reservation records, database errors, and access logs.

Public PoC

Joomla J-ClassifiedsManager

Joomla / Extension 1 CVE
2026-06-19 CVSS 8.8

CVE-2019-25751

Joomla J-ClassifiedsManager - SQL injection

CVE-2019-25751 affects Joomla J-ClassifiedsManager 3.0.5. Check whether the extension is installed, remove abandoned copies, and review classified records, database errors, and access logs.

Public PoC

Joomla J-BusinessDirectory

Joomla / Extension 1 CVE
2026-06-19 CVSS 8.8

CVE-2019-25752

Joomla J-BusinessDirectory - SQL injection

CVE-2019-25752 affects Joomla J-BusinessDirectory 4.9.7. Check whether the extension is installed, remove abandoned copies, and review directory records, database errors, and access logs.

Public PoC

Joomla VMap

Joomla / Extension 1 CVE

Joomla vRestaurant

Joomla / Extension 1 CVE
2026-06-19 CVSS 8.8

CVE-2019-25754

Joomla vRestaurant - SQL injection

CVE-2019-25754 affects Joomla vRestaurant 1.9.4. Check whether the extension is installed, remove abandoned copies, and review restaurant records, database errors, and access logs.

Public PoC

Joomla vReview

Joomla / Extension 1 CVE
2026-06-19 CVSS 8.8

CVE-2019-25755

Joomla vReview - SQL injection

CVE-2019-25755 affects Joomla vReview 1.9.11. Check whether the extension is installed, remove abandoned copies, and review the extension's review records, database errors, and access logs.

Public PoC

Joomla vAccount

Joomla / Extension 1 CVE
2026-06-19 CVSS 8.8

CVE-2019-25756

Joomla vAccount - SQL injection

CVE-2019-25756 affects Joomla vAccount 2.0.2. Check whether the extension is installed, remove abandoned copies, and review account records, database errors, and access logs.

Public PoC

Joomla vWishlist

Joomla / Extension 1 CVE
2026-06-19 CVSS 7.1

CVE-2019-25757

Joomla vWishlist - SQL injection

CVE-2019-25757 affects Joomla vWishlist 1.0.1. Check whether the extension is installed, remove abandoned copies, and review wishlist records, database errors, and authenticated user activity.

Public PoC

Joomla Easy Shop

Joomla / Extension 1 CVE
2026-06-19 CVSS 6.9

CVE-2019-25760

Joomla Easy Shop - local file inclusion

CVE-2019-25760 affects Joomla Easy Shop 1.2.3. Check whether the extension is installed, remove abandoned copies, and review file access logs, configuration reads, and old public routes.

Public PoC

Joomla JoomCRM

Joomla / Extension 1 CVE
2026-06-19 CVSS 7.1

CVE-2019-25761

Joomla JoomCRM - SQL injection

CVE-2019-25761 affects Joomla JoomCRM 1.1.1. Check whether the extension is installed, remove abandoned copies, and review CRM records, database errors, and authenticated user activity.

Public PoC

Joomla JoomProject

Joomla / Extension 1 CVE
2026-06-19 CVSS 8.7

CVE-2019-25762

Joomla JoomProject - information disclosure

CVE-2019-25762 affects Joomla JoomProject 1.1.3.2. Check whether the extension is installed, remove abandoned copies, and review project data, user exports, and access logs.

Public PoC

Joomla com_booking

Joomla / Extension 1 CVE
2026-06-19 CVSS 8.7

CVE-2023-54357

Joomla com_booking - information disclosure

CVE-2023-54357 affects Joomla com_booking 2.4.9. Check whether the extension is installed, remove abandoned copies, and review booking users, account enumeration signs, and access logs.

Public PoC

Comodo Chromodo Browser

Windows / Desktop 1 CVE
2026-06-19 CVSS 8.5

CVE-2016-20088

Comodo Chromodo Browser - local service privilege escalation

CVE-2016-20088 affects Comodo Chromodo Browser through 52.15.25.664. Confirm exposure, apply the vendor fix or remove the component, and review Windows services, old browser installs, and updater paths.

Public PoC

Comodo Dragon Browser

Windows / Desktop 1 CVE
2026-06-19 CVSS 8.5

CVE-2016-20090

Comodo Dragon Browser - local service privilege escalation

CVE-2016-20090 affects Comodo Dragon Browser through 52.15.25.663. Confirm exposure, apply the vendor fix or remove the component, and review Windows services, old browser installs, and updater paths.

Public PoC

Apache APISIX

API Gateway 1 CVE
2026-06-19 CVSS 7.0

CVE-2026-39999

Apache APISIX - authentication bypass by spoofing

CVE-2026-39999 affects Apache APISIX; the affected versions are listed in the vendor advisory. Confirm exposure, apply the vendor fix or remove the component, and review gateway routes, authentication plugins, and unusual upstream access.

Public PoC

Slopsmith

Self-hosted App 1 CVE
2026-06-19 CVSS 7.6

CVE-2026-49290

Slopsmith - path traversal file read risk

CVE-2026-49290 affects Slopsmith before 0.2.9-alpha.5. Confirm exposure, apply the vendor fix or remove the component, and review media library paths, container mounts, and access logs.

Public PoC

Mercator

Self-hosted App 1 CVE
2026-06-19 CVSS 5.3

CVE-2026-49345

Mercator - server-side request forgery

CVE-2026-49345 affects Mercator before 2025.05.19. Confirm exposure, apply the vendor fix or remove the component, and review outbound requests, Redis/internal access, and web logs.

Public PoC

BetterDocs Pro

WordPress / Plugin 1 CVE

Avada / Fusion Builder

WordPress / Plugin 1 CVE
2026-06-19 CVSS 9.1

CVE-2026-8713

Avada / Fusion Builder - File deletion risk

CVE-2026-8713 affects Avada / Fusion Builder through 3.15.3. Confirm the installed version, patch or disable the component, and review Avada forms, deleted files, and wp-config state before closing the issue.

CF7 to Webhook

WordPress / Plugin 1 CVE
2026-06-18 CVSS 7.2

CVE-2026-11395

CF7 to Webhook - SSRF risk

CVE-2026-11395 affects CF7 to Webhook through 5.0.0. Confirm the installed version, patch or disable the component, and review Contact Form 7 webhook settings before closing the issue.

Public PoC

Bit Integrations

WordPress / Plugin 1 CVE
2026-06-19 CVSS 6.5

CVE-2026-11989

Bit Integrations - SSRF risk

CVE-2026-11989 affects Bit Integrations through 2.8.7. Confirm the installed version, patch or disable the component, and review WooCommerce and attachment integrations before closing the issue.

Public PoC

Advanced Import

WordPress / Plugin 1 CVE

Customize My Account for WooCommerce

WordPress / Ecommerce 1 CVE
2026-06-18 CVSS 6.1

CVE-2026-12137

Customize My Account for WooCommerce - Reflected XSS

CVE-2026-12137 affects Customize My Account for WooCommerce through 4.3.6. Confirm the installed version, patch or disable the component, and review shop manager sessions and admin visits before closing the issue.

Public PoC

STRABL checkout solution

WordPress / Ecommerce 1 CVE
2026-06-19 CVSS 5.3

CVE-2026-3640

STRABL checkout solution - Missing authentication

CVE-2026-3640 affects STRABL checkout solution through 4.5. Confirm the installed version, patch or disable the component, and review WooCommerce orders, refunds, and user creation before closing the issue.

Integrate Google Drive

WordPress / Plugin 1 CVE
2026-06-18 CVSS 8.3

CVE-2024-32949

Integrate Google Drive - Missing authorization

CVE-2024-32949 affects Integrate Google Drive through 1.3.8. Confirm the installed version, patch or disable the component, and review Google Drive file access and plugin permissions before closing the issue.

Geya theme

WordPress / Plugin 1 CVE

Neuronet theme

WordPress / Plugin 1 CVE
2026-06-18 CVSS 8.1

CVE-2025-58952

Neuronet theme - Local file inclusion

CVE-2025-58952 affects Neuronet theme before 1.14.0. Confirm the installed version, patch or disable the component, and review theme files and recent PHP changes before closing the issue.

Joly theme

WordPress / Plugin 1 CVE

HomeRoofer theme

WordPress / Plugin 1 CVE
2026-06-18 CVSS 8.1

CVE-2025-58954

HomeRoofer theme - Local file inclusion

CVE-2025-58954 affects HomeRoofer theme through 2.11.0. Confirm the installed version, patch or disable the component, and review theme files and recent PHP changes before closing the issue.

Learnify theme

WordPress / Plugin 1 CVE
2026-06-18 CVSS 8.1

CVE-2025-60085

Learnify theme - Local file inclusion

CVE-2025-60085 affects Learnify theme through 1.15.0. Confirm the installed version, patch or disable the component, and review theme files and recent PHP changes before closing the issue.

Modernee theme

WordPress / Plugin 1 CVE
2026-06-18 CVSS 8.1

CVE-2025-69105

Modernee theme - Local file inclusion

CVE-2025-69105 affects Modernee theme through 1.6.0. Confirm the installed version, patch or disable the component, and review theme files and recent PHP changes before closing the issue.

Rosaleen theme

WordPress / Plugin 1 CVE
2026-06-18 CVSS 8.1

CVE-2025-69107

Rosaleen theme - Local file inclusion

CVE-2025-69107 affects Rosaleen theme through 2.8. Confirm the installed version, patch or disable the component, and review theme files and recent PHP changes before closing the issue.

Raider Spirit theme

WordPress / Plugin 1 CVE
2026-06-18 CVSS 8.1

CVE-2025-69109

Raider Spirit theme - Local file inclusion

CVE-2025-69109 affects Raider Spirit theme through 1.1.2. Confirm the installed version, patch or disable the component, and review theme files and recent PHP changes before closing the issue.

AirSupply theme

WordPress / Plugin 1 CVE
2026-06-18 CVSS 8.1

CVE-2025-69110

AirSupply theme - Local file inclusion

CVE-2025-69110 affects AirSupply theme through 2.0.0. Confirm the installed version, patch or disable the component, and review theme files and recent PHP changes before closing the issue.

Planty theme

WordPress / Plugin 1 CVE
2026-06-18 CVSS 8.1

CVE-2025-69112

Planty theme - Local file inclusion

CVE-2025-69112 affects Planty theme through 1.14.0. Confirm the installed version, patch or disable the component, and review theme files and recent PHP changes before closing the issue.

Clean Login

WordPress / Plugin 1 CVE

SureDash

WordPress / Plugin 1 CVE

Slimstat Analytics

WordPress / Plugin 1 CVE
2026-06-18 CVSS 8.5

CVE-2026-54818

Slimstat Analytics - Blind SQL injection

CVE-2026-54818 affects Slimstat Analytics through 5.4.11. Confirm the installed version, patch or disable the component, and review analytics tables and database errors before closing the issue.

FileRise

PHP / Self-hosted App 1 CVE
2026-06-19 CVSS 9.8

CVE-2026-54414

FileRise - shared-folder upload file-write risk

CVE-2026-54414 affects FileRise before 3.16.0. Patch or remove public exposure, preserve logs, and review shared links, users.txt, upload folders, and new admin users.

Public PoC

PIAF-HMS

PHP / Self-hosted App 1 CVE
2026-06-18 CVSS 9.8

CVE-2026-54419

PIAF-HMS - unauthenticated SQL injection

CVE-2026-54419 affects the current public PIAF-HMS code. Patch or remove public exposure, preserve logs, and review hotel records, PBX-HMS database users, and web logs.

Public PoC

LMS

PHP / Self-hosted App 1 CVE
2026-06-18 CVSS 8.6

CVE-2026-40455

LMS - SQL injection

CVE-2026-40455 affects LMS before commit 4cb30a7. Patch or remove public exposure, preserve logs, and review tariff changes, database errors, and authenticated admin activity.

Public PoC

UBB.threads

PHP / Self-hosted App 1 CVE
2026-06-18 CVSS 8.6

CVE-2026-54222

UBB.threads - control-panel SQL injection

CVE-2026-54222 affects UBB.threads, confirmed in 7.7.5. Patch or remove public exposure, preserve logs, and review control-panel member activity and database access.

Remark42

PHP / Self-hosted App 1 CVE
2026-06-18 CVSS 8.2

CVE-2026-48788

Remark42 - stored XSS in comments

CVE-2026-48788 affects Remark42 1.6.0 through 1.15.0. Patch or remove public exposure, preserve logs, and review comment content, moderator sessions, and site embeds.

Public PoC

mcp-pinot

Developer / AI Tooling 1 CVE
2026-06-18 CVSS 10.0

CVE-2026-49257

mcp-pinot - unauthenticated MCP server exposure

CVE-2026-49257 affects mcp-pinot through 3.0.1. Review Pinot credentials, MCP access logs, and table/config changes, then apply the vendor fix or remove the risky exposure until patched.

Public PoC

nanobot

Developer / AI Tooling 1 CVE
2026-06-18 CVSS 8.7

CVE-2026-48716

nanobot - WhatsApp document filename file-write risk

CVE-2026-48716 affects nanobot through 0.1.5.post3. Review media folders, bridge logs, and document ingestion settings, then apply the vendor fix or remove the risky exposure until patched.

Public PoC

Eclipse ThreadX NetX Duo

Developer / AI Tooling 1 CVE
2026-06-19 CVSS 7.5

CVE-2026-11576

Eclipse ThreadX NetX Duo - HTTP server cleanup handling

CVE-2026-11576 affects PUT handling in the Eclipse ThreadX NetX Duo HTTP server. Review embedded HTTP server firmware, PUT support, and vendor update state, then apply the vendor fix or remove the risky exposure until patched.

Public PoC

BBOT

Developer / AI Tooling 1 CVE
2026-06-18 CVSS 5.3

CVE-2026-12565

BBOT - archive extraction path handling

CVE-2026-12565 affects the BBOT unarchive module on older tar stacks. Review container base images, GNU tar versions, and extraction jobs, then apply the vendor fix or remove the risky exposure until patched.

Public PoC

JobCareer

WordPress / Plugin 1 CVE
2026-06-17 CVSS 8.6

CVE-2025-69128

JobCareer - Path traversal / file deletion

CVE-2025-69128 affects JobCareer through 7.3. Confirm the installed version, patch or disable the component, and review file access logs and unexpected downloads before closing the incident.

Entrepreneur - Booking for Small Businesses

WordPress / Community 1 CVE
2026-06-17 CVSS 8.8

CVE-2025-69130

Entrepreneur - Booking for Small Businesses - PHP object injection

CVE-2025-69130 affects Entrepreneur - Booking for Small Businesses through 3.1.3. Confirm the installed version, patch or disable the component, and review PHP errors, changed files, and unexpected plugin settings before closing the incident.

Events Schedule

WordPress / Community 1 CVE
2026-06-17 CVSS 8.5

CVE-2025-69135

Events Schedule - SQL injection

CVE-2025-69135 affects Events Schedule through 2.7.2. Confirm the installed version, patch or disable the component, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

Car Zone

WordPress / Plugin 1 CVE
2026-06-17 CVSS 8.6

CVE-2025-69139

Car Zone - Arbitrary file deletion

CVE-2025-69139 affects Car Zone through 3.7. Confirm the installed version, patch or disable the component, and review missing plugin files, media files, and backups before closing the incident.

E2Pdf - Export PDF Tool for WordPress

WordPress / Plugin 1 CVE
2026-06-18 CVSS 8.8

CVE-2026-12407

E2Pdf - Export PDF Tool for WordPress - Missing authorization / privilege escalation

CVE-2026-12407 affects E2Pdf - Export PDF Tool for WordPress through 1.32.26. Confirm the installed version, patch or disable the component, and review new users, role changes, and administrator sessions before closing the incident.

WooCommerce Frontend Manager - Ultimate

WordPress / Ecommerce 1 CVE
2026-06-17 CVSS 8.5

CVE-2026-22335

WooCommerce Frontend Manager - Ultimate - SQL injection

CVE-2026-22335 affects WooCommerce Frontend Manager - Ultimate before 6.7.7. Confirm the installed version, patch or disable the component, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

BookPro

WordPress / Plugin 1 CVE
2026-06-17 CVSS 8.6

CVE-2026-27400

BookPro - Arbitrary file deletion

CVE-2026-27400 affects BookPro through 1.1.0. Confirm the installed version, patch or disable the component, and review missing plugin files, media files, and backups before closing the incident.

Geo Mashup

WordPress / Plugin 1 CVE
2026-06-17 CVSS 8.5

CVE-2026-48967

Geo Mashup - SQL injection

CVE-2026-48967 affects Geo Mashup through 1.13.19. Confirm the installed version, patch or disable the component, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

Directorist Booking

WordPress / Community 1 CVE
2026-06-17 CVSS 8.5

CVE-2026-49073

Directorist Booking - Blind SQL injection

CVE-2026-49073 affects Directorist Booking through 3.0.3. Confirm the installed version, patch or disable the component, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

Offload, AI & Optimize with Cloudflare Images

WordPress / Plugin 1 CVE
2026-06-18 CVSS 8.8

CVE-2026-9860

Offload, AI & Optimize with Cloudflare Images - Remote code execution

CVE-2026-9860 affects Offload, AI & Optimize with Cloudflare Images through 1.10.2. Confirm the installed version, patch or disable the component, and review changed files, cron jobs, users, and web server logs before closing the incident.

Public PoC

bus-ticket

PHP / Database App 1 CVE
2026-06-18 CVSS 9.8

CVE-2026-55740

bus-ticket - unauthenticated SQL injection

CVE-2026-55740 affects the Nur-Alam39 bus-ticket PHP application. Public deployments should be taken out of exposure until SQL handling and database credentials are fixed, then database access and records should be reviewed.

Public PoC

Azuriom CMS

PHP / CMS 1 CVE
2026-06-17 CVSS 8.6

CVE-2026-54415

Azuriom CMS - server management authorization gap

CVE-2026-54415 affects Azuriom before 1.2.11 in server management authorization. Site owners should upgrade and review server tokens, account email changes, and password changes during the exposure window.

Public PoC

Pimcore CMS/DXP

PHP / CMS 1 CVE
2026-06-17 CVSS 8.6

CVE-2026-11407

Pimcore CMS/DXP - Twig sandbox bypass

CVE-2026-11407 affects Pimcore CMS/DXP 12.3.8 through a Twig sandbox bypass reachable by authenticated administrators. Review class definitions, template changes, file reads, and database access after patching.

Public PoC

Apache Shiro

Java / Authentication 1 CVE
2026-06-17 CVSS 8.8

CVE-2026-49268

Apache Shiro - DefaultLdapRealm DN construction issue

CVE-2026-49268 affects Apache Shiro through 2.2.0 and 3.0.0-alpha-1 when DefaultLdapRealm builds LDAP Distinguished Names from user input. Upgrade and review LDAP realm templates, authentication logs, and account mappings.

Sonaar

WordPress / Plugin 1 CVE
2026-06-17 CVSS 8.8

CVE-2025-59563

Sonaar - subscriber privilege escalation

CVE-2025-59563 affects Sonaar through 4.27.4. Confirm the installed version, patch or disable the component, and review new users, role changes, and administrator sessions before closing the incident.

Genemy

WordPress / Plugin 1 CVE
2026-06-17 CVSS 8.8

CVE-2025-69138

Genemy - subscriber privilege escalation

CVE-2025-69138 affects Genemy through 1.6.6. Confirm the installed version, patch or disable the component, and review new users, role changes, and administrator sessions before closing the incident.

Avada

WordPress / Plugin 1 CVE
2026-06-17 CVSS 8.8

CVE-2026-12256

Avada - contributor PHP object injection

CVE-2026-12256 affects Avada through 3.15.3. Confirm the installed version, patch or disable the component, and review PHP errors, changed files, and unexpected plugin settings before closing the incident.

MetForm Pro

WordPress / Forms 1 CVE
2026-06-17 CVSS 9.1

CVE-2026-24611

MetForm Pro - unauthenticated broken access control

CVE-2026-24611 affects MetForm Pro through 3.9.1. Confirm the installed version, patch or disable the component, and review new sessions, booking records, order changes, and account history before closing the incident.

PowerPack Pro for Elementor

WordPress / Plugin 1 CVE
2026-06-17 CVSS 8.8

CVE-2026-42629

PowerPack Pro for Elementor - broken authentication

CVE-2026-42629 affects PowerPack Pro for Elementor before 2.13.0. Confirm the installed version, patch or disable the component, and review new sessions, password changes, and account history before closing the incident.

SigmaForms Pro - AI Generated Forms

WordPress / Forms 1 CVE
2026-06-17 CVSS 9.0

CVE-2026-52705

SigmaForms Pro - unauthenticated arbitrary file upload

CVE-2026-52705 affects SigmaForms Pro - AI Generated Forms through 1.4.5. Confirm the installed version, patch or disable the component, and review upload directories, new PHP files, and web access logs before closing the incident.

Falang multilanguage

WordPress / Plugin 1 CVE
2026-06-17 CVSS 8.8

CVE-2026-54805

Falang multilanguage - subscriber privilege escalation

CVE-2026-54805 affects Falang multilanguage through 1.4.2. Confirm the installed version, patch or disable the component, and review new users, role changes, and administrator sessions before closing the incident.

Cargo Shipping Location for WooCommerce

WordPress / Ecommerce 1 CVE
2026-06-17 CVSS 9.3

CVE-2026-54815

Cargo Shipping Location for WooCommerce - SQL injection

CVE-2026-54815 affects Cargo Shipping Location for WooCommerce through 5.6. Confirm the installed version, patch or disable the component, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

Advanced Ads - Tracking

WordPress / Plugin 1 CVE
2026-06-17 CVSS 9.3

CVE-2025-59554

Advanced Ads Tracking - unauthenticated SQL injection

CVE-2025-59554 affects Advanced Ads - Tracking before 3.0.7. Confirm the installed version, patch or disable the component, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

Plumbing

WordPress / Plugin 1 CVE
2026-06-17 CVSS 9.8

CVE-2025-69127

Plumbing theme - unauthenticated PHP object injection

CVE-2025-69127 affects Plumbing through 1.6. Confirm the installed version, patch or disable the component, and review PHP errors, changed files, and unexpected plugin settings before closing the incident.

Tutor LMS Pro

WordPress / Community 1 CVE
2026-06-17 CVSS 9.3

CVE-2026-22332

Tutor LMS Pro - unauthenticated SQL injection

CVE-2026-22332 affects Tutor LMS Pro through 3.9.6. Confirm the installed version, patch or disable the component, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

WPJobster

WordPress / Plugin 1 CVE
2026-06-17 CVSS 9.3

CVE-2026-22340

WPJobster - unauthenticated SQL injection

CVE-2026-22340 affects WPJobster through 6.3.5. Confirm the installed version, patch or disable the component, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

ListingPro

WordPress / Plugin 1 CVE
2026-06-17 CVSS 9.3

CVE-2026-39438

ListingPro - unauthenticated SQL injection

CVE-2026-39438 affects ListingPro through 2.9.10. Confirm the installed version, patch or disable the component, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

JetSearch

WordPress / Plugin 1 CVE
2026-06-17 CVSS 9.3

CVE-2026-49079

JetSearch - unauthenticated SQL injection

CVE-2026-49079 affects JetSearch through 3.5.17. Confirm the installed version, patch or disable the component, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

Moderno

WordPress / Plugin 1 CVE
2026-06-17 CVSS 9.8

CVE-2026-49108

Moderno theme - unauthenticated PHP object injection

CVE-2026-49108 affects Moderno before 1.43. Confirm the installed version, patch or disable the component, and review PHP errors, changed files, and unexpected plugin settings before closing the incident.

JobSearch

WordPress / Plugin 1 CVE
2026-06-17 CVSS 9.3

CVE-2026-54186

JobSearch - unauthenticated SQL injection

CVE-2026-54186 affects JobSearch through 3.2.9. Confirm the installed version, patch or disable the component, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

WP Travel Gutenberg Blocks

WordPress / Plugin 1 CVE
2026-06-17 CVSS 9.3

CVE-2026-54808

WP Travel Gutenberg Blocks - SQL injection

CVE-2026-54808 affects WP Travel Gutenberg Blocks through 3.9.4. Confirm the installed version, patch or disable the component, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

GIFT4U

WordPress / Plugin 1 CVE
2026-06-17 CVSS 9.3

CVE-2026-54809

GIFT4U - SQL injection

CVE-2026-54809 affects GIFT4U through 1.0.10. Confirm the installed version, patch or disable the component, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

WP eMember

WordPress / Community 1 CVE
2026-06-17 CVSS 9.3

CVE-2026-54811

WP eMember - unauthenticated SQL injection

CVE-2026-54811 affects WP eMember before 10.9.4. Confirm the installed version, patch or disable the component, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.
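
Every card above opens with the same step, confirm the installed version against the advisory range, and the two phrasings the cards use mean different things: "through 3.5.17" includes 3.5.17 itself, while "before 10.9.4" means 10.9.4 is the fixed release. The following is an added example, not Ping7's code or any vendor's, that applies those ranges to a plugin inventory. The CVE ranges are copied from this page; the plugin slugs and the inventory are constructed for illustration (on a real host the inventory comes from `wp plugin list --format=json` and `wp theme list --format=json`).

```python
"""Match an installed plugin/theme inventory against the affected-version
ranges quoted in the advisory cards.

Added example, not Ping7 or vendor code.  Advisory ranges are copied from the
cards on this page; the slugs and the inventory are constructed sample data.
"""
from __future__ import annotations

import re
from typing import Dict, List, Tuple

# "through X": X itself is still vulnerable (inclusive upper bound).
# "before X":  X is the fixed release, so only versions below X are affected.
# Slugs are assumptions for the example, not verified WordPress.org slugs.
ADVISORIES: Dict[str, Tuple[str, str, str]] = {
    "CVE-2026-49079": ("jet-search", "through", "3.5.17"),
    "CVE-2026-49108": ("moderno", "before", "1.43"),
    "CVE-2026-54811": ("wp-emember", "before", "10.9.4"),
    "CVE-2026-49107": ("thrive-apprentice", "before", "10.8.10.2"),
    "CVE-2025-68872": ("wordcents", "through", "1.3.03.27"),
}

_COMPONENT = re.compile(r"^(\d+)(.*)$")


def parse_version(version: str) -> Tuple[Tuple[int, str], ...]:
    """Split '1.3.03.27' into ((1,''),(3,''),(3,''),(27,'')) so that 1.43 > 1.5
    compares numerically rather than as text.  A non-numeric tail ('-beta') is
    kept and compared lexically after the number; that is only a rough
    ordering, so treat pre-release tags as a manual check."""
    parts = []
    for piece in version.strip().split("."):
        m = _COMPONENT.match(piece)
        if not m:
            raise ValueError(f"cannot parse version component {piece!r} in {version!r}")
        parts.append((int(m.group(1)), m.group(2)))
    return tuple(parts)


def is_affected(installed: str, bound_kind: str, bound: str) -> bool:
    """Apply the inclusive ('through') or exclusive ('before') upper bound."""
    iv, bv = parse_version(installed), parse_version(bound)
    if bound_kind == "through":
        return iv <= bv
    if bound_kind == "before":
        return iv < bv
    raise ValueError(f"unknown bound kind {bound_kind!r}")


def triage(inventory: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (cve, slug, installed_version) for every advisory whose range
    contains the installed version.  Components not installed are skipped."""
    hits = []
    for cve, (slug, kind, bound) in ADVISORIES.items():
        installed = inventory.get(slug)
        if installed is not None and is_affected(installed, kind, bound):
            hits.append((cve, slug, installed))
    return sorted(hits)


# Constructed inventory (slug -> installed version), not taken from a real site.
SAMPLE_INVENTORY: Dict[str, str] = {
    "jet-search": "3.5.17",            # equals the "through" bound -> affected
    "moderno": "1.43",                 # equals the "before" bound  -> this is the fix
    "wp-emember": "10.9",              # 10.9 < 10.9.4              -> affected
    "thrive-apprentice": "10.8.10.2",  # fixed release              -> clean
    "wordcents": "1.3.4",              # 1.3.4 > 1.3.03.27 numerically -> clean
}

if __name__ == "__main__":
    for cve, slug, ver in triage(SAMPLE_INVENTORY):
        print(f"{cve}: {slug} {ver} is inside the affected range")
```

Note that a version equal to the "before" bound is clean while a version equal to the "through" bound is not; the two cases in the sample inventory exist to make that visible.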

Lagom

WordPress / Theme 1 CVE
2026-06-17 CVSS 9.8

CVE-2025-60229

Lagom theme - PHP object injection

CVE-2025-60229 affects Lagom through 2.0. Confirm the installed version, patch or disable the component, and review PHP errors, changed files, and unexpected plugin settings before closing the incident.

The Barber Shop

WordPress / Theme 1 CVE
2026-06-17 CVSS 9.8

CVE-2025-60230

The Barber Shop theme - PHP object injection

CVE-2025-60230 affects The Barber Shop through 1.9. Confirm the installed version, patch or disable the component, and review PHP errors, changed files, and unexpected plugin settings before closing the incident.

The Hospital

WordPress / Theme 1 CVE
2026-06-17 CVSS 9.8

CVE-2025-60231

The Hospital theme - PHP object injection

CVE-2025-60231 affects The Hospital through 1.8.1. Confirm the installed version, patch or disable the component, and review PHP errors, changed files, and unexpected plugin settings before closing the incident.

Creatify

WordPress / Theme 1 CVE
2026-06-17 CVSS 9.8

CVE-2025-60236

Creatify theme - PHP object injection

CVE-2025-60236 affects Creatify through 1.5. Confirm the installed version, patch or disable the component, and review PHP errors, changed files, and unexpected plugin settings before closing the incident.

Reisen

WordPress / Theme 1 CVE
2026-06-17 CVSS 9.8

CVE-2025-69111

Reisen theme - unauthenticated PHP object injection

CVE-2025-69111 affects Reisen through 1.4.1. Confirm the installed version, patch or disable the component, and review PHP errors, changed files, and unexpected plugin settings before closing the incident.

Support Board

WordPress / Plugin 1 CVE
2026-06-17 CVSS 9.8

CVE-2026-27395

Support Board - unauthenticated privilege escalation

CVE-2026-27395 affects Support Board before 3.8.9. Confirm the installed version, patch or disable the component, and review new users, role changes, and administrator sessions before closing the incident.

Nifty

WordPress / Theme 1 CVE
2026-06-17 CVSS 9.8

CVE-2026-27429

Nifty theme - unauthenticated PHP object injection

CVE-2026-27429 affects Nifty through 1.4.1. Confirm the installed version, patch or disable the component, and review PHP errors, changed files, and unexpected plugin settings before closing the incident.

Elementra

WordPress / Theme 1 CVE
2026-06-17 CVSS 9.8

CVE-2026-39529

Elementra theme - unauthenticated PHP object injection

CVE-2026-39529 affects Elementra through 1.0.9. Confirm the installed version, patch or disable the component, and review PHP errors, changed files, and unexpected plugin settings before closing the incident.

WooCommerce Product Filters

WordPress / Ecommerce 1 CVE
2026-06-17 CVSS 9.8

CVE-2026-40725

WooCommerce Product Filters - unauthenticated PHP object injection

CVE-2026-40725 affects WooCommerce Product Filters before 2.0.6. Confirm the installed version, patch or disable the component, and review PHP errors, changed files, and unexpected plugin settings before closing the incident.

AI Lab

WordPress / Theme 1 CVE
2026-06-17 CVSS 9.8

CVE-2026-42380

AI Lab theme - unauthenticated PHP object injection

CVE-2026-42380 affects AI Lab before 5.4.2. Confirm the installed version, patch or disable the component, and review PHP errors, changed files, and unexpected plugin settings before closing the incident.

LoginPress Pro

WordPress / Plugin 1 CVE
2026-06-17 CVSS 9.8

CVE-2026-49058

LoginPress Pro - unauthenticated privilege escalation

CVE-2026-49058 affects LoginPress Pro through 6.2.2. Confirm the installed version, patch or disable the component, and review new users, role changes, and administrator sessions before closing the incident.

Thrive Apprentice

WordPress / Plugin 1 CVE
2026-06-17 CVSS 9.8

CVE-2026-49107

Thrive Apprentice - unauthenticated PHP object injection

CVE-2026-49107 affects Thrive Apprentice before 10.8.10.2. Confirm the installed version, patch or disable the component, and review PHP errors, changed files, and unexpected plugin settings before closing the incident.

SMS Alert Order Notifications

WordPress / Plugin 1 CVE
2026-06-17 CVSS 9.8

CVE-2026-54803

SMS Alert Order Notifications - subscriber privilege escalation

CVE-2026-54803 affects SMS Alert Order Notifications through 3.9.4. Confirm the installed version, patch or disable the component, and review new users, role changes, and administrator sessions before closing the incident.

Registration Form for WooCommerce

WordPress / Ecommerce 1 CVE
2026-06-17 CVSS 9.8

CVE-2026-54807

Registration Form for WooCommerce - unauthenticated privilege escalation

CVE-2026-54807 affects Registration Form for WooCommerce through 1.0.9. Confirm the installed version, patch or disable the component, and review new users, role changes, and administrator sessions before closing the incident.

Grip

WordPress / Theme 1 CVE
2026-06-17 CVSS 9.9

CVE-2024-52488

Grip theme - subscriber arbitrary file upload

CVE-2024-52488 affects Grip through 1.0.9. Confirm the installed version, patch or disable the component, and review upload directories, new PHP files, and web access logs before closing the incident.

ThemeREX Addons

WordPress / Plugin 1 CVE
2026-06-17 CVSS 9.8

CVE-2025-60205

ThemeREX Addons - unauthenticated PHP object injection

CVE-2025-60205 affects ThemeREX Addons through 2.36.1.1. Confirm the installed version, patch or disable the component, and review PHP errors, changed files, and unexpected plugin settings before closing the incident.

PT Luxa Addons

WordPress / Plugin 1 CVE
2026-06-17 CVSS 9.9

CVE-2025-60218

PT Luxa Addons - subscriber arbitrary file upload

CVE-2025-60218 affects PT Luxa Addons through 1.2.2. Confirm the installed version, patch or disable the component, and review upload directories, new PHP files, and web access logs before closing the incident.

Hot Coffee

WordPress / Theme 1 CVE
2026-06-17 CVSS 9.8

CVE-2025-69108

Hot Coffee theme - unauthenticated PHP object injection

CVE-2025-69108 affects Hot Coffee through 1.7. Confirm the installed version, patch or disable the component, and review PHP errors, changed files, and unexpected plugin settings before closing the incident.

SeaFood Company

WordPress / Theme 1 CVE
2026-06-17 CVSS 9.8

CVE-2025-69122

SeaFood Company theme - unauthenticated PHP object injection

CVE-2025-69122 affects SeaFood Company through 1.4. Confirm the installed version, patch or disable the component, and review PHP errors, changed files, and unexpected plugin settings before closing the incident.
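
The PHP object injection cards above all close with "review ... unexpected plugin settings". One concrete way to do that is to inventory the object classes embedded in serialized option values: PHP's serialize() only ever writes class names the code actually instantiated, and it always writes a length prefix that matches the class name, so a class the plugin never uses, or a length field that does not match, is worth a look. This is an added example, not Ping7's code or any vendor's; the option names, class names and values are constructed for illustration (on a real site they come from `wp option get <name>` or a query on wp_options and wp_postmeta).

```python
"""Inventory the PHP object classes embedded in serialized WordPress option
values, so a reviewer can spot objects the plugin never writes.

Added example for the PHP-object-injection cards; not Ping7 or vendor code.
Option values and class names below are constructed sample data.
"""
import re
from typing import Dict, List, Set, Tuple

# serialize() writes objects as O:<len>:"<class>":<n>:{...} and classes with
# custom serialisation as C:<len>:"<class>":<len>:{...}.  <len> is the byte
# length of the class name, so a mismatch cannot come from serialize() itself
# and points at a hand-built payload.
OBJECT_RE = re.compile(r'(?P<kind>[OC]):(?P<len>\d+):"(?P<cls>[^"]*)":')


def find_objects(serialized: str) -> List[Tuple[str, str, bool]]:
    """Return (kind, class_name, length_field_consistent) for every object
    marker in the string, including ones nested inside arrays.  A literal
    'O:1:"x":' inside a string value would also match; review such hits by hand."""
    return [
        (m.group("kind"), m.group("cls"),
         int(m.group("len")) == len(m.group("cls").encode("utf-8")))
        for m in OBJECT_RE.finditer(serialized)
    ]


def scan_options(options: Dict[str, str],
                 allowed_classes: Set[str]) -> List[Tuple[str, str, str]]:
    """Flag (option_name, class, reason) for objects outside the allow-list and
    for markers whose length field does not match the class name."""
    findings = []
    for name, value in options.items():
        for kind, cls, length_ok in find_objects(value):
            if cls not in allowed_classes:
                findings.append((name, cls, "class not expected in this option"))
            if not length_ok:
                findings.append((name, cls, "length field does not match class name"))
    return findings


# Constructed sample rows; the plugin and class names are made up for the example.
ALLOWED_CLASSES = {"stdClass", "Some_Plugin_Cache_Entry"}
SAMPLE_OPTIONS = {
    "widget_text": 'a:2:{i:2;a:1:{s:5:"title";s:5:"Hello";}s:12:"_multiwidget";i:1;}',
    "some_plugin_settings": 'O:8:"stdClass":1:{s:5:"color";s:4:"blue";}',
    "some_plugin_cache": 'a:1:{i:0;O:23:"Some_Plugin_Cache_Entry":1:{s:3:"ttl";i:60;}}',
    # "Unexpected" is 10 bytes; a length field of 9 was not written by serialize().
    "_transient_sp_tmp": 'O:9:"Unexpected":1:{s:4:"path";s:10:"/tmp/x.php";}',
}

if __name__ == "__main__":
    for option, cls, reason in scan_options(SAMPLE_OPTIONS, ALLOWED_CLASSES):
        print(f"{option}: {cls}: {reason}")
```

The allow-list is the part that needs site knowledge: build it from a clean copy of the plugin's own serialized data (a staging install or the plugin's source), not from the production rows you are trying to judge.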

WordPress & WooCommerce Scraper Plugin, Import Data from Any Site

WordPress / Ecommerce 1 CVE
2026-06-17 CVSS 10.0

CVE-2025-69129

WordPress and WooCommerce Scraper - unauthenticated arbitrary file upload

CVE-2025-69129 affects the WordPress & WooCommerce Scraper plugin (Import Data from Any Site) through 1.0.7. Confirm the installed version, patch or disable the component, and review upload directories, new PHP files, and web access logs before closing the incident.

Support Ticket Management System

WordPress / Plugin 1 CVE
2026-06-17 CVSS 9.8

CVE-2025-69179

Support Ticket Management System - unauthenticated privilege escalation

CVE-2025-69179 affects Support Ticket Management System through 1.9. Confirm the installed version, patch or disable the component, and review new users, role changes, and administrator sessions before closing the incident.

Restaurt

WordPress / Theme 1 CVE
2026-06-17 CVSS 9.9

CVE-2026-22327

Restaurt theme - subscriber arbitrary file upload

CVE-2026-22327 affects Restaurt through 1.0.4. Confirm the installed version, patch or disable the component, and review upload directories, new PHP files, and web access logs before closing the incident.

WishList Member X

WordPress / Community 1 CVE
2026-06-17 CVSS 9.9

CVE-2026-25446

WishList Member X - subscriber arbitrary file upload

CVE-2026-25446 affects WishList Member X through 3.29.0. Confirm the installed version, patch or disable the component, and review upload directories, new PHP files, and web access logs before closing the incident.

ACPT Pro - Custom Post Types Plugin for WordPress

WordPress / Plugin 1 CVE
2026-06-17 CVSS 10.0

CVE-2026-25470

ACPT Pro - remote code execution

CVE-2026-25470 affects ACPT Pro (Custom Post Types Plugin for WordPress) through 2.0.47. Confirm the installed version, patch or disable the component, and review changed files, cron jobs, users, and web server logs before closing the incident.

Public PoC

Unlimited Elements for Elementor (Premium)

WordPress / Plugin 1 CVE
2026-06-17 CVSS 9.9

CVE-2026-27041

Unlimited Elements for Elementor Premium - contributor arbitrary file upload

CVE-2026-27041 affects Unlimited Elements for Elementor (Premium) through 2.0.6. Confirm the installed version, patch or disable the component, and review upload directories, new PHP files, and web access logs before closing the incident.

Webenvo

WordPress / Theme 1 CVE
2026-06-17 CVSS 9.9

CVE-2026-39589

Webenvo theme - subscriber arbitrary file upload

CVE-2026-39589 affects Webenvo through 0.0.6. Confirm the installed version, patch or disable the component, and review upload directories, new PHP files, and web access logs before closing the incident.

Restaurant Zone

WordPress / Theme 1 CVE
2026-06-17 CVSS 9.9

CVE-2026-40746

Restaurant Zone theme - subscriber arbitrary file upload

CVE-2026-40746 affects Restaurant Zone through 0.7.8. Confirm the installed version, patch or disable the component, and review upload directories, new PHP files, and web access logs before closing the incident.

Ecommerce Zone

WordPress / Ecommerce 1 CVE
2026-06-17 CVSS 9.9

CVE-2026-40747

Ecommerce Zone theme - subscriber arbitrary file upload

CVE-2026-40747 affects Ecommerce Zone through 0.9.7. Confirm the installed version, patch or disable the component, and review upload directories, new PHP files, and web access logs before closing the incident.

Kids Gift Shop

WordPress / Theme 1 CVE
2026-06-17 CVSS 9.9

CVE-2026-40748

Kids Gift Shop theme - subscriber arbitrary file upload

CVE-2026-40748 affects Kids Gift Shop through 0.5.4. Confirm the installed version, patch or disable the component, and review upload directories, new PHP files, and web access logs before closing the incident.

Charity Zone

WordPress / Theme 1 CVE
2026-06-17 CVSS 9.9

CVE-2026-40749

Charity Zone theme - subscriber arbitrary file upload

CVE-2026-40749 affects Charity Zone through 1.1.1. Confirm the installed version, patch or disable the component, and review upload directories, new PHP files, and web access logs before closing the incident.
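
The arbitrary-file-upload cards above repeat the same three checks: "review upload directories, new PHP files, and web access logs". This added example, not Ping7's code or any vendor's, runs those checks together on constructed data: it flags server-executable files under wp-content/uploads (including double extensions such as avatar.php.jpg), an .htaccess dropped into uploads, and access-log requests for executable upload paths that are no longer on disk. The file list and log lines are invented for the example; on a real host feed it `find wp-content/uploads -type f` output and the web server's access log.

```python
"""Sweep a WordPress uploads tree for server-executable files and correlate
them with web-server access-log hits.

Added example for the arbitrary-file-upload cards; not Ping7 or vendor code.
The file list and access-log lines are constructed sample data.
"""
import re
from pathlib import PurePosixPath
from typing import Dict, Iterator, List, Tuple

UPLOADS_PREFIX = "wp-content/uploads/"

# Extensions that common PHP handler configurations will execute.  Any suffix
# in the chain counts, because Apache's AddHandler matches on every dot-segment
# unless the vhost is locked down, which is what makes shell.php.jpg work.
EXEC_SUFFIXES = {".php", ".php5", ".php7", ".phtml", ".phar"}

# Combined log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def is_executable_upload(path: str) -> bool:
    """True if any suffix in the file name is one the PHP handler would run."""
    return any(s.lower() in EXEC_SUFFIXES for s in PurePosixPath(path).suffixes)


def parse_log(log_text: str) -> Iterator[Tuple[str, str, str, int]]:
    """Yield (ip, method, normalised path, status).  The query string is dropped
    and the leading slash removed so paths compare equal to the disk listing."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            path = m.group("path").split("?", 1)[0].lstrip("/")
            yield m.group("ip"), m.group("method"), path, int(m.group("status"))


def sweep(files: List[str], log_text: str) -> Dict[str, dict]:
    """Return {path: {"reason": str, "hits": [(ip, method, status), ...]}}.
    Flags executable files under uploads, an .htaccess inside uploads (it can
    re-enable PHP execution that hardening turned off), and requests for
    executable upload paths that are not on disk any more (used, then removed)."""
    findings: Dict[str, dict] = {}
    for f in files:
        if not f.startswith(UPLOADS_PREFIX):
            continue
        if PurePosixPath(f).name == ".htaccess":
            findings[f] = {"reason": ".htaccess inside uploads", "hits": []}
        elif is_executable_upload(f):
            findings[f] = {"reason": "server-executable file inside uploads", "hits": []}
    for ip, method, path, status in parse_log(log_text):
        if path.startswith(UPLOADS_PREFIX) and is_executable_upload(path):
            entry = findings.setdefault(
                path, {"reason": "executable upload path requested but not on disk", "hits": []}
            )
            entry["hits"].append((ip, method, status))
    return findings


# Constructed sample data: a file listing and four access-log lines.
SAMPLE_FILES = [
    "wp-content/uploads/2026/06/invoice-4411.pdf",
    "wp-content/uploads/2026/06/hero.jpg",
    "wp-content/uploads/2026/06/shell.php",
    "wp-content/uploads/2026/06/avatar.php.jpg",
    "wp-content/uploads/.htaccess",
]
SAMPLE_LOG = """\
203.0.113.7 - - [17/Jun/2026:10:02:13 +0000] "POST /wp-content/uploads/2026/06/shell.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [17/Jun/2026:10:02:40 +0000] "GET /wp-content/uploads/2026/06/shell.php?x=1 HTTP/1.1" 200 91 "-" "Mozilla/5.0"
198.51.100.23 - - [17/Jun/2026:10:05:01 +0000] "GET /wp-content/uploads/2026/06/hero.jpg HTTP/1.1" 200 48211 "https://example.test/" "Mozilla/5.0"
203.0.113.7 - - [17/Jun/2026:10:06:22 +0000] "GET /wp-content/uploads/2026/05/old-backdoor.php HTTP/1.1" 404 0 "-" "curl/8.5"
"""

if __name__ == "__main__":
    for path, info in sweep(SAMPLE_FILES, SAMPLE_LOG).items():
        print(f"{path}: {info['reason']} ({len(info['hits'])} log hits)")
```

A POST to a file under uploads is the signal worth triaging first: static uploads are only ever fetched, so a successful POST to one means the server executed it. The 404 for a path that was never in your listing is the second signal, since a cleaned-up dropper still leaves the request behind in the log.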

MySQL Router

Database / Middleware 1 CVE
2026-06-17 CVSS 9.8

CVE-2026-46860

MySQL Router - June 2026 Oracle CPU critical issue

CVE-2026-46860 affects MySQL Router 9.0.0 through 9.7.0. Patch public or internal routers and review routing logs, crashes, and unexpected client activity.

MySQL NDB Cluster

Database / Kubernetes 1 CVE
2026-06-17 CVSS 9.6

CVE-2026-46861

MySQL NDB Cluster Operator - June 2026 Oracle CPU critical issue

CVE-2026-46861 affects MySQL NDB Cluster Operator versions in the 8.0, 8.4, and 9.x lines listed by Oracle. Patch the operator and review cluster control-plane access.

Apache Airflow

Workflow / Data Platform 1 CVE
2026-06-17 CVSS 9.1

CVE-2026-50203

Apache Airflow SFTP provider - path traversal write risk

CVE-2026-50203 affects Apache Airflow SFTP provider workflows where a malicious or compromised SFTP server can influence retrieved paths. Patch the provider and review DAG output directories.

Public PoC
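
The Airflow card above says a malicious or compromised SFTP server can influence where retrieved files are written. The general defence, shown here as an added Python example that is not the Airflow provider's code and not a reconstruction of the actual bug, is to treat names coming back from the remote directory listing as untrusted input and to confine every local target to the landing directory before writing. The remote listing is constructed sample data and the landing directory path is an assumption.

```python
"""Confine server-supplied file names to the intended local directory before
writing retrieved files.

Added example for the SFTP path-traversal card; not provider code.  The
remote listing below is constructed sample data and /var/airflow/landing is
an assumed landing directory.
"""
import os
from pathlib import Path
from typing import List, Tuple


class UnsafeRemotePath(ValueError):
    """Raised when a server-supplied name would land outside the landing dir."""


def naive_local_target(local_dir: str, remote_name: str) -> str:
    """The unsafe pattern: join and normalise without checking.  os.path.join
    discards local_dir entirely when remote_name is absolute, and '..' segments
    walk out of it; normpath tidies the result but does not contain it."""
    return os.path.normpath(os.path.join(local_dir, remote_name))


def safe_local_target(local_dir: str, remote_name: str) -> Path:
    """Resolve the candidate and require it to stay strictly inside local_dir.
    resolve() collapses '..' and follows symlinks that already exist, so a
    pre-planted link under local_dir is caught as well.  Absolute names and
    NUL bytes are rejected up front rather than quietly normalised."""
    if remote_name.startswith("/") or "\x00" in remote_name:
        raise UnsafeRemotePath(remote_name)
    base = Path(local_dir).resolve()
    candidate = (base / remote_name).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        raise UnsafeRemotePath(remote_name) from None
    if candidate == base:  # '.' or 'a/..' resolve to the directory itself
        raise UnsafeRemotePath(remote_name)
    return candidate


def plan_downloads(local_dir: str, remote_listing: List[str]) -> Tuple[List[str], List[str]]:
    """Split a remote listing into names to fetch and names to refuse.  Accepted
    entries are returned relative to local_dir so the result does not depend on
    where the landing directory lives on this host."""
    base = Path(local_dir).resolve()
    accepted, rejected = [], []
    for name in remote_listing:
        try:
            accepted.append(str(safe_local_target(local_dir, name).relative_to(base)))
        except UnsafeRemotePath:
            rejected.append(name)
    return accepted, rejected


# Constructed listing, as a compromised server might return it.
SAMPLE_LISTING = [
    "2026/06/report.csv",
    "2026/06/./summary.json",
    "../../../tmp/escaped.txt",
    "2026/../../escaped-too.txt",
    "/etc/hostname",
    ".",
]

if __name__ == "__main__":
    ok, refused = plan_downloads("/var/airflow/landing", SAMPLE_LISTING)
    print("fetch:", ok)
    print("refuse:", refused)
```

The check belongs next to the write, not at the listing stage: a server that returns a clean listing and then a different name on the next round trip still has to get past the same test. Reviewing DAG output directories, as the card suggests, means looking for files that exist outside the landing directory but carry the task's naming pattern.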

JimuReport

Java / Reporting 1 CVE
2026-06-18 CVSS 9.1

CVE-2026-36418

JimuReport - Aviator expression remote code execution risk

CVE-2026-36418 affects JimuReport 2.3.4 and below through unsafe expression handling. Patch, restrict report execution APIs, and review report templates and server logs.

Public PoC

Python StateMachine

Python Library 1 CVE
2026-06-17 CVSS 9.8

CVE-2026-47103

Python StateMachine - SCXML document code execution risk

CVE-2026-47103 affects Python StateMachine 3.0.0 before 3.2.0 when untrusted SCXML documents are processed. Upgrade and review services that import state machine definitions.

TypeBot

Chatbot / SaaS Builder 1 CVE
2026-06-18 CVSS 9.3

CVE-2026-48768

TypeBot - unauthenticated file upload URL generation issue

CVE-2026-48768 affects TypeBot 3.16.1 and earlier through unauthenticated file upload URL generation. Patch, review storage buckets, and rotate exposed upload credentials if needed.

Public PoC

Network-AI

Node.js / Agent Platform 1 CVE
2026-06-18 CVSS 9.1

CVE-2026-48814

Network-AI - unauthenticated cross-origin MCP tool invocation

CVE-2026-48814 affects Network-AI 5.7.1 and earlier when MCP SSE endpoints allow unauthenticated cross-origin tool invocation. Patch and review tool invocation logs.

Public PoC

Android

Mobile Platform 1 CVE
2026-06-17 CVSS 10.0

CVE-2026-28587

Android MmsSmsProvider - permission check information disclosure

CVE-2026-28587 affects Android MmsSmsProvider permission handling. Managed fleets should apply the Android security bulletin update and review devices that process sensitive messaging data.

Splunk AI Toolkit

SIEM / AI Extension 1 CVE
2026-06-18 CVSS 9.1

CVE-2026-20266

Splunk AI Toolkit - admin OS command execution risk

CVE-2026-20266 affects Splunk AI Toolkit versions below 5.7.4. Splunk admins should patch and review AI Toolkit actions, app changes, and host-level process activity.

OpenSIPS Control Panel

VoIP / Control Panel 1 CVE
2026-06-15 CVSS 8.8

CVE-2026-36670

OpenSIPS Control Panel - alias management SQL injection

CVE-2026-36670 affects OpenSIPS Control Panel before 9.3.3. Authenticated users with access to the alias management module can trigger SQL injection behavior, so exposed panels should be upgraded and logs reviewed.

Public PoC

OpenClaw

Node.js / Developer Tooling 1 CVE
2026-06-16 CVSS 8.1

CVE-2026-53864

OpenClaw - Node.js control variable sanitizer bypass

CVE-2026-53864 affects OpenClaw before 2026.5.26. Review workspace .env files, tool environment overrides, and skill environment blocks for unexpected Node.js control variables before re-enabling shared workspaces.

Public PoC

Kids Online Store theme

WordPress / Theme 1 CVE
2026-06-16 CVSS 9.9

CVE-2026-40750

WordPress Kids Online Store theme - dangerous file upload

CVE-2026-40750 affects the WordPress Kids Online Store theme through 0.8.9. Site owners should patch or replace the theme, block script execution from uploads, and review recent files and admin users.

Premmerce Dev Tools

WordPress / Plugin 1 CVE
2026-06-16 CVSS 8.8

CVE-2026-6933

Premmerce Dev Tools - Remote code execution

CVE-2026-6933 affects Premmerce Dev Tools through 2.0. Confirm the installed version, patch or disable the plugin, and review changed files, cron jobs, users, and web server logs before closing the incident.

Paid Videochat Turnkey Site

WordPress / Community 1 CVE
2026-06-16 CVSS 8.1

CVE-2026-27333

Paid Videochat Turnkey Site - Deserialization

CVE-2026-27333 affects Paid Videochat Turnkey Site through 7.3.23. Confirm the installed version, patch or disable the plugin, and review PHP errors, changed files, users, and unexpected plugin settings before closing the incident.

WP BASE Booking

WordPress / Community 1 CVE
2026-06-16 CVSS 8.1

CVE-2026-39587

WP BASE Booking - Privilege escalation

CVE-2026-39587 affects WP BASE Booking through 5.9.0. Confirm the installed version, patch or disable the plugin, and review new users, role changes, and administrator sessions before closing the incident.

CloudSecure WP Security

WordPress / Plugin 1 CVE
2026-06-16 CVSS 8.1

CVE-2026-42411

CloudSecure WP Security - Broken authentication

CVE-2026-42411 affects CloudSecure WP Security through 1.4.7. Confirm the installed version, patch or disable the plugin, and review new sessions, password changes, and account history before closing the incident.

Really Simple SSL

WordPress / Plugin 1 CVE

Projectopia

WordPress / Plugin 1 CVE

WpTravelly

WordPress / Plugin 1 CVE

IDPay Payment Gateway for WooCommerce

WordPress / Ecommerce 1 CVE
2026-06-16 CVSS 7.5

CVE-2026-34891

IDPay Payment Gateway for WooCommerce - Sensitive data exposure

CVE-2026-34891 affects IDPay Payment Gateway for WooCommerce through 2.2.5. Confirm the installed version, patch or disable the plugin, and review exports, orders, form data, bookings, and access logs before closing the incident.

Event Tickets Manager for WooCommerce

WordPress / Ecommerce 1 CVE
2026-06-16 CVSS 7.5

CVE-2026-34898

Event Tickets Manager for WooCommerce - Broken access control

CVE-2026-34898 affects Event Tickets Manager for WooCommerce through 1.5.3. Confirm the installed version, patch or disable the plugin, and review new sessions, booking records, order changes, and account history before closing the incident.

Backup Migration

WordPress / Plugin 1 CVE

Easy Digital Downloads

WordPress / Ecommerce 1 CVE
2026-06-16 CVSS 7.5

CVE-2026-39503

Easy Digital Downloads - Broken access control

CVE-2026-39503 affects Easy Digital Downloads through 3.6.5. Confirm the installed version, patch or disable the plugin, and review new sessions, booking records, order changes, and account history before closing the incident.

Easy Appointments

WordPress / Plugin 1 CVE
2026-06-16 CVSS 7.5

CVE-2026-39513

Easy Appointments - Broken access control

CVE-2026-39513 affects Easy Appointments through 3.12.21. Confirm the installed version, patch or disable the plugin, and review new sessions, booking records, order changes, and account history before closing the incident.

AWP Classifieds

WordPress / Directory 1 CVE
2026-06-16 CVSS 7.5

CVE-2026-39533

AWP Classifieds - Broken access control

CVE-2026-39533 affects AWP Classifieds through 4.4.4. Confirm the installed version, patch or disable the plugin, and review new sessions, booking records, order changes, and account history before closing the incident.

WP Directory Kit

WordPress / Directory 1 CVE
2026-06-16 CVSS 7.5

CVE-2026-39534

WP Directory Kit - Broken access control

CVE-2026-39534 affects WP Directory Kit through 1.5.0. Confirm the installed version, patch or disable the plugin, and review new sessions, booking records, order changes, and account history before closing the incident.

Redsys for WooCommerce Light

WordPress / Ecommerce 1 CVE
2026-06-16 CVSS 7.5

CVE-2026-40741

Redsys for WooCommerce Light - Broken access control

CVE-2026-40741 affects Redsys for WooCommerce Light through 7.0.0. Confirm the installed version, patch or disable the plugin, and review new sessions, booking records, order changes, and account history before closing the incident.

WPGraphQL

WordPress / Plugin 1 CVE
2026-06-16 CVSS 7.5

CVE-2026-40762

WPGraphQL - SQL injection

CVE-2026-40762 affects WPGraphQL before 2.11.1. Confirm the installed version, patch or disable the plugin, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

WP Event Solution

WordPress / Community 1 CVE
2026-06-16 CVSS 7.5

CVE-2026-40776

WP Event Solution - Broken access control

CVE-2026-40776 affects WP Event Solution through 4.1.8. Confirm the installed version, patch or disable the plugin, and review new sessions, booking records, order changes, and account history before closing the incident.

ReviewX

WordPress / Community 1 CVE

Salon booking system

WordPress / Community 1 CVE
2026-06-16 CVSS 7.5

CVE-2026-42666

Salon booking system - Broken access control

CVE-2026-42666 affects Salon booking system through 10.30.25. Confirm the installed version, patch or disable the plugin, and review new sessions, booking records, order changes, and account history before closing the incident.

Email Marketing for WooCommerce by Omnisend

WordPress / Ecommerce 1 CVE
2026-06-16 CVSS 7.5

CVE-2026-42668

Email Marketing for WooCommerce by Omnisend - Broken authentication

CVE-2026-42668 affects Email Marketing for WooCommerce by Omnisend through 1.18.0. Confirm the installed version, patch or disable the plugin, and review new sessions, password changes, and account history before closing the incident.

WpEvently

WordPress / Community 1 CVE

Contact Form by WPForms

WordPress / Forms 1 CVE
2026-06-16 CVSS 7.5

CVE-2026-48835

Contact Form by WPForms - Broken access control

CVE-2026-48835 affects Contact Form by WPForms through 1.10.0.4. Confirm the installed version, patch or disable the plugin, and review new sessions, booking records, order changes, and account history before closing the incident.

Simple Shopping Cart

WordPress / Ecommerce 1 CVE

EmbedPress

WordPress / Plugin 1 CVE

Montonio for WooCommerce

WordPress / Ecommerce 1 CVE
2026-06-16 CVSS 7.5

CVE-2026-48873

Montonio for WooCommerce - Broken access control

CVE-2026-48873 affects Montonio for WooCommerce through 10.1.2. Confirm the installed version, patch or disable the plugin, and review new sessions, booking records, order changes, and account history before closing the incident.

WPC Product Bundles for WooCommerce

WordPress / Ecommerce 1 CVE
2026-06-16 CVSS 7.5

CVE-2026-48883

WPC Product Bundles for WooCommerce - Broken access control

CVE-2026-48883 affects WPC Product Bundles for WooCommerce through 8.5.3. Confirm the installed version, patch or disable the plugin, and review new sessions, booking records, order changes, and account history before closing the incident.

WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels

WordPress / Ecommerce 1 CVE
2026-06-16 CVSS 7.5

CVE-2026-49056

WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels - Sensitive data exposure

CVE-2026-49056 affects WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels through 4.9.4. Confirm the installed version, patch or disable the plugin, and review exports, orders, form data, bookings, and access logs before closing the incident.

WPC Product Options for WooCommerce

WordPress / Ecommerce 1 CVE
2026-06-16 CVSS 7.5

CVE-2026-49061

WPC Product Options for WooCommerce - Arbitrary file download

CVE-2026-49061 affects WPC Product Options for WooCommerce through 3.2.1. Confirm the installed version, patch or disable the plugin, and review download logs, exposed files, and backup paths before closing the incident.

Conekta Payment Gateway

WordPress / Ecommerce 1 CVE
2026-06-16 CVSS 7.5

CVE-2026-49066

Conekta Payment Gateway - Sensitive data exposure

CVE-2026-49066 affects Conekta Payment Gateway through 6.0.0. Confirm the installed version, patch or disable the plugin, and review exports, orders, form data, bookings, and access logs before closing the incident.

Knit Pay

WordPress / Ecommerce 1 CVE

Upsell Order Bump Offer for WooCommerce

WordPress / Ecommerce 1 CVE
2026-06-16 CVSS 7.5

CVE-2026-49110

Upsell Order Bump Offer for WooCommerce - Broken authentication

CVE-2026-49110 affects Upsell Order Bump Offer for WooCommerce through 3.1.4. Confirm the installed version, patch or disable the plugin, and review new sessions, password changes, and account history before closing the incident.

Shared Files

WordPress / Plugin 1 CVE

Affiliates Manager

WordPress / Ecommerce 1 CVE
2026-06-16 CVSS 7.5

CVE-2026-52692

Affiliates Manager - Sensitive data exposure

CVE-2026-52692 affects Affiliates Manager through 2.9.50. Confirm the installed version, patch or disable the plugin, and review exports, orders, form data, bookings, and access logs before closing the incident.

Signature Add-On for WooCommerce

WordPress / Ecommerce 1 CVE
2026-06-16 CVSS 7.5

CVE-2026-52694

Signature Add-On for WooCommerce - Sensitive data exposure

CVE-2026-52694 affects Signature Add-On for WooCommerce through 2.0. Confirm the installed version, patch or disable the plugin, and review exports, orders, form data, bookings, and access logs before closing the incident.

ABC Crypto Checkout

WordPress / Ecommerce 1 CVE
2026-06-16 CVSS 7.5

CVE-2026-52695

ABC Crypto Checkout - Sensitive data exposure

CVE-2026-52695 affects ABC Crypto Checkout through 1.8.2. Confirm the installed version, patch or disable the plugin, and review exports, orders, form data, bookings, and access logs before closing the incident.

VikRentCar

WordPress / Directory 1 CVE

Royal MCP

WordPress / Plugin 1 CVE

CTX Feed

WordPress / Ecommerce 1 CVE
2026-06-16 CVSS 7.2

CVE-2026-39434

CTX Feed - PHP object injection

CVE-2026-39434 affects CTX Feed through 6.6.26. Confirm the installed version, patch or disable the plugin, and review PHP errors, changed files, and unexpected plugin settings before closing the incident.

WooCommerce Cart Abandonment Recovery

WordPress / Ecommerce 1 CVE
2026-06-16 CVSS 7.2

CVE-2026-39470

WooCommerce Cart Abandonment Recovery - Privilege escalation

CVE-2026-39470 affects WooCommerce Cart Abandonment Recovery before 2.1.0. Confirm the installed version, patch or disable the plugin, and review new users, role changes, and administrator sessions before closing the incident.

WooCommerce PDF Invoices & Packing Slips

WordPress / Ecommerce 1 CVE
2026-06-16 CVSS 7.2

CVE-2026-39472

WooCommerce PDF Invoices & Packing Slips - PHP object injection

CVE-2026-39472 affects WooCommerce PDF Invoices & Packing Slips before 5.9.0. Confirm the installed version, patch or disable the plugin, and review PHP errors, changed files, and unexpected plugin settings before closing the incident.

Advanced Product Fields for WooCommerce

WordPress / Ecommerce 1 CVE
2026-06-16 CVSS 7.2

CVE-2026-39499

Advanced Product Fields for WooCommerce - PHP object injection

CVE-2026-39499 affects Advanced Product Fields for WooCommerce through 1.6.19. Confirm the installed version, patch or disable the plugin, and review PHP errors, changed files, and unexpected plugin settings before closing the incident.

iRobots.txt SEO

WordPress / Plugin 1 CVE
2026-06-16 CVSS 7.1

CVE-2025-68840

iRobots.txt SEO - Cross-site scripting

CVE-2025-68840 affects iRobots.txt SEO through 1.1.2. Confirm the installed version, patch or disable the plugin, and review stored content, redirects, admin sessions, and suspicious script injections before closing the incident.

Okay Toolkit

WordPress / Plugin 1 CVE
2026-06-16 CVSS 7.1

CVE-2025-68851

Okay Toolkit - Cross-site scripting

CVE-2025-68851 affects Okay Toolkit through 2.3. Confirm the installed version, patch or disable the plugin, and review stored content, redirects, admin sessions, and suspicious script injections before closing the incident.

Eli's WordCents AdSense Widget with Analytics

WordPress / Plugin 1 CVE
2026-06-16 CVSS 7.1

CVE-2025-68872

Eli's WordCents AdSense Widget with Analytics - Cross-site scripting

CVE-2025-68872 affects Eli's WordCents AdSense Widget with Analytics through 1.3.03.27. Confirm the installed version, patch or disable the plugin, and review stored content, redirects, admin sessions, and suspicious script injections before closing the incident.

Redirection for Contact Form 7

WordPress / Forms 1 CVE
2026-06-16 CVSS 7.1

CVE-2026-23970

Redirection for Contact Form 7 - Cross-site scripting

CVE-2026-23970 affects Redirection for Contact Form 7 through 3.2.8. Confirm the installed version, patch or disable the plugin, and review stored content, redirects, admin sessions, and suspicious script injections before closing the incident.

GiveWP

WordPress / Plugin 1 CVE
2026-06-16 CVSS 7.1

CVE-2026-34900

GiveWP - Cross-site scripting

CVE-2026-34900 affects GiveWP through 4.14.2. Confirm the installed version, patch or disable the plugin, and review stored content, redirects, admin sessions, and suspicious script injections before closing the incident.

WooCommerce Product Table Lite

WordPress / Ecommerce 1 CVE
2026-06-16 CVSS 7.1

CVE-2026-34902

WooCommerce Product Table Lite - Cross-site scripting

CVE-2026-34902 affects WooCommerce Product Table Lite through 4.6.3. Confirm the installed version, patch or disable the plugin, and review stored content, redirects, admin sessions, and suspicious script injections before closing the incident.

CformsII

WordPress / Forms 1 CVE
2026-06-16 CVSS 7.1

CVE-2026-39435

CformsII - Cross-site scripting

CVE-2026-39435 affects CformsII through 15.1.3. Confirm the installed version, patch or disable the plugin, and review stored content, redirects, admin sessions, and suspicious script injections before closing the incident.

Contact Form to Any API

WordPress / Forms 1 CVE
2026-06-16 CVSS 7.1

CVE-2026-39449

Contact Form to Any API - Cross-site scripting

CVE-2026-39449 affects Contact Form to Any API through 3.0.3. Confirm the installed version, patch or disable the plugin, and review stored content, redirects, admin sessions, and suspicious script injections before closing the incident.

ManageWP Worker

WordPress / Plugin 1 CVE
2026-06-16 CVSS 7.1

CVE-2026-39463

ManageWP Worker - Cross-site scripting

CVE-2026-39463 affects ManageWP Worker through 4.9.31. Confirm the installed version, patch or disable the plugin, and review stored content, redirects, admin sessions, and suspicious script injections before closing the incident.

Social Slider Feed

WordPress / Plugin 1 CVE
2026-06-16 CVSS 7.1

CVE-2026-39507

Social Slider Feed - Cross-site scripting

CVE-2026-39507 affects Social Slider Feed through 2.3.2. Confirm the installed version, patch or disable the plugin, and review stored content, redirects, admin sessions, and suspicious script injections before closing the incident.

Paid Member Subscriptions

WordPress / Community 1 CVE
2026-06-16 CVSS 7.1

CVE-2026-39514

Paid Member Subscriptions - Cross-site scripting

CVE-2026-39514 affects Paid Member Subscriptions through 2.17.3. Confirm the installed version, patch or disable the plugin, and review stored content, redirects, admin sessions, and suspicious script injections before closing the incident.

Notification for Telegram

WordPress / Community 1 CVE
2026-06-16 CVSS 7.1

CVE-2026-40732

Notification for Telegram - Cross-site scripting

CVE-2026-40732 affects Notification for Telegram through 3.5. Confirm the installed version, patch or disable the plugin, and review stored content, redirects, admin sessions, and suspicious script injections before closing the incident.

Favicon Rotator

WordPress / Plugin 1 CVE
2026-06-16 CVSS 7.1

CVE-2026-42649

Favicon Rotator - Cross-site scripting

CVE-2026-42649 affects Favicon Rotator through 1.2.11. Confirm the installed version, patch or disable the plugin, and review stored content, redirects, admin sessions, and suspicious script injections before closing the incident.

Classified Listing

WordPress / Directory 1 CVE
2026-06-16 CVSS 7.1

CVE-2026-42658

Classified Listing - Cross-site scripting

CVE-2026-42658 affects Classified Listing through 5.3.8. Confirm the installed version, patch or disable the plugin, and review stored content, redirects, admin sessions, and suspicious script injections before closing the incident.

Post SMTP

WordPress / Plugin 1 CVE
2026-06-16 CVSS 7.1

CVE-2026-48838

Post SMTP - Cross-site scripting

CVE-2026-48838 affects Post SMTP through 3.6.2. Confirm the installed version, patch or disable the plugin, and review stored content, redirects, admin sessions, and suspicious script injections before closing the incident.

MW WP Form

WordPress / Forms 1 CVE
2026-06-16 CVSS 7.1

CVE-2026-48871

MW WP Form - Cross-site scripting

CVE-2026-48871 affects MW WP Form through 5.1.3. Confirm the installed version, patch or disable the plugin, and review stored content, redirects, admin sessions, and suspicious script injections before closing the incident.

Stop Spammers

WordPress / Plugin 1 CVE
2026-06-16 CVSS 7.1

CVE-2026-48876

Stop Spammers - Cross-site scripting

CVE-2026-48876 affects Stop Spammers through 2026.3. Confirm the installed version, patch or disable the plugin, and review stored content, redirects, admin sessions, and suspicious script injections before closing the incident.

HollerBox

WordPress / Plugin 1 CVE
2026-06-16 CVSS 7.1

CVE-2026-48885

HollerBox - Cross-site scripting

CVE-2026-48885 affects HollerBox through 2.3.10.1. Confirm the installed version, patch or disable the plugin, and review stored content, redirects, admin sessions, and suspicious script injections before closing the incident.

Drag and Drop Multiple File Upload - Contact Form 7

WordPress / Forms 1 CVE
2026-06-16 CVSS 7.1

CVE-2026-49055

Drag and Drop Multiple File Upload - Contact Form 7 - Cross-site scripting

CVE-2026-49055 affects Drag and Drop Multiple File Upload - Contact Form 7 through 1.3.9.7. Confirm the installed version, patch or disable the plugin, and review stored content, redirects, admin sessions, and suspicious script injections before closing the incident.

SEO Redirection

WordPress / Plugin 1 CVE
2026-06-16 CVSS 7.1

CVE-2026-52702

SEO Redirection - Cross-site scripting

CVE-2026-52702 affects SEO Redirection through 9.17. Confirm the installed version, patch or disable the plugin, and review stored content, redirects, admin sessions, and suspicious script injections before closing the incident.

LatePoint

WordPress / Community 1 CVE
2026-06-16 CVSS 7.5

CVE-2026-49083

LatePoint - Privilege escalation

CVE-2026-49083 affects LatePoint through 5.5.1. Confirm the installed version, patch or disable the plugin, and review new users, role changes, and administrator sessions before closing the incident.

AI Engine

WordPress / Plugin 1 CVE
2026-06-16 CVSS 7.2

CVE-2026-27407

AI Engine - Privilege escalation

CVE-2026-27407 affects AI Engine through 3.4.9. Confirm the installed version, patch or disable the plugin, and review new users, role changes, and administrator sessions before closing the incident.

ShortPixel Image Optimizer

WordPress / Plugin 1 CVE
2026-06-16 CVSS 7.2

CVE-2026-39471

ShortPixel Image Optimizer - PHP object injection

CVE-2026-39471 affects ShortPixel Image Optimizer through 6.4.3. Confirm the installed version, patch or disable the plugin, and review PHP errors, changed files, and unexpected plugin settings before closing the incident.

YayMail

WordPress / Ecommerce 1 CVE
2026-06-16 CVSS 7.2

CVE-2026-39498

YayMail - PHP object injection

CVE-2026-39498 affects YayMail through 4.3.3. Confirm the installed version, patch or disable the plugin, and review PHP errors, changed files, and unexpected plugin settings before closing the incident.

Chatway Live Chat

WordPress / Community 1 CVE

FunnelKit Automations

WordPress / Plugin 1 CVE
2026-06-16 CVSS 7.1

CVE-2026-39450

FunnelKit Automations - Broken authentication

CVE-2026-39450 affects FunnelKit Automations through 3.7.3. Confirm the installed version, patch or disable the plugin, and review new sessions, password changes, and account history before closing the incident.

ChatBot

WordPress / Community 1 CVE

Welcart e-Commerce

WordPress / Ecommerce 1 CVE
2026-06-16 CVSS 6.5

CVE-2026-49775

Welcart e-Commerce - Broken access control

CVE-2026-49775 affects Welcart e-Commerce through 2.11.28. Confirm the installed version, patch or disable the plugin, and review new sessions, booking records, order changes, and account history before closing the incident.

Abandoned Contact Form 7

WordPress / Forms 1 CVE
2026-06-16 CVSS 5.3

CVE-2026-9187

Abandoned Contact Form 7 - Arbitrary file deletion

CVE-2026-9187 affects Abandoned Contact Form 7 through 2.2. Confirm the installed version, patch or disable the plugin, and review missing plugin files, media files, and backups before closing the incident.

WP Event Solution

WordPress / Community 1 CVE
2026-06-16 CVSS 7.5

CVE-2025-68045

WP Event Solution - Broken access control

CVE-2025-68045 affects WP Event Solution through 4.1.12. Confirm the installed version, patch or disable the plugin, and review new sessions, booking records, order changes, and account history before closing the incident.

JupiterX Core

WordPress / Plugin 1 CVE
2026-06-16 CVSS 7.5

CVE-2026-39490

JupiterX Core - Broken access control

CVE-2026-39490 affects JupiterX Core through 4.14.1. Confirm the installed version, patch or disable the plugin, and review new sessions, booking records, order changes, and account history before closing the incident.

WP Sessions Time Monitoring Full Automatic

WordPress / Plugin 1 CVE
2026-06-16 CVSS 8.5

CVE-2026-39581

WP Sessions Time Monitoring Full Automatic - SQL injection

CVE-2026-39581 affects WP Sessions Time Monitoring Full Automatic through 1.1.4. Confirm the installed version, patch or disable the plugin, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

The Events Calendar

WordPress / Community 1 CVE
2026-06-16 CVSS 9.3

CVE-2026-49772

The Events Calendar - SQL injection

CVE-2026-49772 affects The Events Calendar 6.15.12 - 6.16.2. Confirm the installed version, patch or disable the plugin, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

RD Station

WordPress / Plugin 1 CVE
2026-06-16 CVSS 9.9

CVE-2026-49774

RD Station - Remote code execution

CVE-2026-49774 affects RD Station through 5.6.0. Confirm the installed version, patch or disable the plugin, and review changed files, cron jobs, users, and web server logs before closing the incident.

WooCommerce POS

WordPress / Ecommerce 1 CVE
2026-06-16 CVSS 7.5

CVE-2026-52711

WooCommerce POS - Broken access control

CVE-2026-52711 affects WooCommerce POS through 1.8.14. Confirm the installed version, patch or disable the plugin, and review new sessions, booking records, order changes, and account history before closing the incident.

GEO my WordPress

WordPress / Plugin 1 CVE
2026-06-16 CVSS 9.3

CVE-2026-52715

GEO my WordPress - SQL injection

CVE-2026-52715 affects GEO my WordPress through 4.5.5. Confirm the installed version, patch or disable the plugin, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

Attendance Manager

WordPress / Plugin 1 CVE
2026-06-16 CVSS 7.6

CVE-2026-52712

Attendance Manager - SQL injection

CVE-2026-52712 affects Attendance Manager through 0.6.2. Confirm the installed version, patch or disable the plugin, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

Min Max Step Quantity Limits Manager for WooCommerce

WordPress / Ecommerce 1 CVE
2026-06-16 CVSS 7.1

CVE-2026-39437

Min Max Step Quantity Limits Manager for WooCommerce - Cross-site scripting

CVE-2026-39437 affects Min Max Step Quantity Limits Manager for WooCommerce through 5.2.2. Confirm the installed version, patch or disable the plugin, and review stored content, redirects, admin sessions, and suspicious script injections before closing the incident.

Pods

WordPress / Plugin 1 CVE
2026-06-16 CVSS 7.1

CVE-2026-54191

Pods - Cross-site scripting

CVE-2026-54191 affects Pods through 3.3.8. Confirm the installed version, patch or disable the plugin, and review stored content, redirects, admin sessions, and suspicious script injections before closing the incident.

WooCommerce Stripe Payment Gateway

WordPress / Ecommerce 1 CVE
2026-06-16 CVSS 6.5

CVE-2026-2381

WooCommerce Stripe Payment Gateway - Broken access control

CVE-2026-2381 affects WooCommerce Stripe Payment Gateway through 10.3.1. Confirm the installed version, patch or disable the plugin, and review new sessions, booking records, order changes, and account history before closing the incident.

Metro Magazine

WordPress / Plugin 1 CVE
2026-06-16 CVSS 6.5

CVE-2026-40809

Metro Magazine - Broken access control

CVE-2026-40809 affects Metro Magazine through 1.4.1. Confirm the installed version, patch or disable the plugin, and review new sessions, booking records, order changes, and account history before closing the incident.

i18next-http-middleware

Node.js / i18n Middleware 1 CVE
2026-06-15 CVSS 9.1

CVE-2026-48714

i18next-http-middleware - remote prototype pollution risk in missing-key handling

CVE-2026-48714 affects i18next-http-middleware before 3.9.7 when missing-key write handling is exposed with vulnerable backend behavior. Upgrade, restrict the handler, and review translation persistence logs for unexpected writes.

Public PoC

DbGate

Database Tool / DevOps 1 CVE
2026-06-15 CVSS 8.8

CVE-2026-48017

DbGate - authenticated server-side code execution risk

CVE-2026-48017 affects DbGate 7.1.8 and earlier when authenticated users can reach vulnerable server-side runner behavior. Upgrade, limit access to trusted admins, review runner activity, and rotate stored credentials if suspicious use cannot be ruled out.

Public PoC

PowerPress Podcasting

WordPress / Plugin 1 CVE
2026-06-15 CVSS 8.5

CVE-2026-24637

PowerPress Podcasting - contributor SQL injection

CVE-2026-24637 affects PowerPress Podcasting through 11.15.10. WordPress owners should confirm the plugin version, patch or disable the component, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

Responsive Slider by MetaSlider

WordPress / Plugin 1 CVE
2026-06-15 CVSS 9.1

CVE-2026-39465

Responsive Slider by MetaSlider - editor remote code execution

CVE-2026-39465 affects Responsive Slider by MetaSlider through 3.106.0. WordPress owners should confirm the plugin version, patch or disable the component, and review changed files, cron jobs, users, and web server logs before closing the incident.

Anti-Malware Security and Brute-Force Firewall

WordPress / Plugin 1 CVE
2026-06-15 CVSS 8.8

CVE-2026-39478

Anti-Malware Security and Brute-Force Firewall - contributor PHP object injection

CVE-2026-39478 affects Anti-Malware Security and Brute-Force Firewall through 4.23.87. WordPress owners should confirm the plugin version, patch or disable the component, and review PHP errors, changed files, and unexpected plugin settings before closing the incident.

Events Calendar for GeoDirectory

WordPress / Community 1 CVE
2026-06-15 CVSS 8.8

CVE-2026-39532

Events Calendar for GeoDirectory - contributor PHP object injection

CVE-2026-39532 affects Events Calendar for GeoDirectory through 2.3.25. WordPress owners should confirm the plugin version, patch or disable the component, and review PHP errors, changed files, and unexpected plugin settings before closing the incident.

B Blocks

WordPress / Plugin 1 CVE
2026-06-15 CVSS 8.8

CVE-2026-39579

B Blocks - contributor privilege escalation

CVE-2026-39579 affects B Blocks through 2.0.31. WordPress owners should confirm the plugin version, patch or disable the component, and review new users, role changes, and administrator sessions before closing the incident.

MasterStudy LMS

WordPress / Community 1 CVE
2026-06-15 CVSS 8.5

CVE-2026-40766

MasterStudy LMS - subscriber SQL injection

CVE-2026-40766 affects MasterStudy LMS through 3.7.25. WordPress owners should confirm the plugin version, patch or disable the component, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

Contact Form Extender for Divi

WordPress / Forms 1 CVE
2026-06-15 CVSS 8.6

CVE-2026-40769

Contact Form Extender for Divi - unauthenticated arbitrary file deletion

CVE-2026-40769 affects Contact Form Extender for Divi through 1.0.6. WordPress owners should confirm the plugin version, patch or disable the component, and review missing plugin files, media files, and backups before closing the incident.

WP Customer Area

WordPress / Plugin 1 CVE
2026-06-15 CVSS 8.8

CVE-2026-42661

WP Customer Area - custom role path traversal

CVE-2026-42661 affects WP Customer Area through 8.3.4. WordPress owners should confirm the plugin version, patch or disable the component, and review file access logs and unexpected downloads before closing the incident.

GamiPress

WordPress / Plugin 1 CVE
2026-06-15 CVSS 8.5

CVE-2026-48874

GamiPress - subscriber SQL injection

CVE-2026-48874 affects GamiPress through 7.8.7. WordPress owners should confirm the plugin version, patch or disable the component, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

TrueBooker

WordPress / Plugin 1 CVE
2026-06-15 CVSS 9.1

CVE-2026-48881

TrueBooker - unauthenticated broken access control

CVE-2026-48881 affects TrueBooker through 1.1.9. WordPress owners should confirm the plugin version, patch or disable the component, and review new sessions, booking records, order changes, and account history before closing the incident.

ELEX WordPress HelpDesk & Customer Ticketing System

WordPress / Plugin 1 CVE
2026-06-15 CVSS 8.5

CVE-2026-48964

ELEX WordPress HelpDesk - subscriber SQL injection

CVE-2026-48964 affects ELEX WordPress HelpDesk & Customer Ticketing System through 3.3.6. WordPress owners should confirm the plugin version, patch or disable the component, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

Taskbuilder

WordPress / Plugin 1 CVE
2026-06-15 CVSS 8.5

CVE-2026-52697

Taskbuilder - subscriber SQL injection

CVE-2026-52697 affects Taskbuilder through 5.0.7. WordPress owners should confirm the plugin version, patch or disable the component, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

WCMultiShipping

WordPress / Plugin 1 CVE
2026-06-15 CVSS 8.5

CVE-2026-52700

WCMultiShipping - subscriber SQL injection

CVE-2026-52700 affects WCMultiShipping through 3.0.2. WordPress owners should confirm the plugin version, patch or disable the component, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

Feed KuantoKusta for WooCommerce Free

WordPress / Ecommerce 1 CVE
2026-06-15 CVSS 9.3

CVE-2026-39441

Feed KuantoKusta for WooCommerce - unauthenticated SQL injection

CVE-2026-39441 affects Feed KuantoKusta for WooCommerce Free through 5.3. WordPress sites should patch or disable the component, then review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

WP Maps

WordPress / Directory 1 CVE
2026-06-15 CVSS 9.3

CVE-2026-39492

WP Maps - unauthenticated SQL injection

CVE-2026-39492 affects WP Maps through 4.9.1. WordPress sites should patch or disable the component, then review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

Form Maker by 10Web

WordPress / Forms 1 CVE
2026-06-15 CVSS 9.3

CVE-2026-39502

Form Maker by 10Web - unauthenticated SQL injection

CVE-2026-39502 affects Form Maker by 10Web through 1.15.38. WordPress sites should patch or disable the component, then review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

WP Photo Album Plus

WordPress / Directory 1 CVE
2026-06-15 CVSS 9.3

CVE-2026-39511

WP Photo Album Plus - unauthenticated SQL injection

CVE-2026-39511 affects WP Photo Album Plus through 9.1.08.001. WordPress sites should patch or disable the component, then review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

SpeakOut! Email Petitions

WordPress / Community 1 CVE
2026-06-15 CVSS 9.3

CVE-2026-39530

SpeakOut! Email Petitions - unauthenticated SQL injection

CVE-2026-39530 affects SpeakOut! Email Petitions through 4.6.5. WordPress sites should patch or disable the component, then review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

Order Delivery Date for WooCommerce

WordPress / Ecommerce 1 CVE
2026-06-15 CVSS 9.3

CVE-2026-42386

Order Delivery Date for WooCommerce - unauthenticated SQL injection

CVE-2026-42386 affects Order Delivery Date for WooCommerce through 4.5.1. WordPress sites should patch or disable the component, then review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

GD Rating System

WordPress / Plugin 1 CVE
2026-06-15 CVSS 9.3

CVE-2026-42639

GD Rating System - unauthenticated SQL injection

CVE-2026-42639 affects GD Rating System through 3.6.2. WordPress sites should patch or disable the component, then review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

WP Data Access

WordPress / Plugin 1 CVE
2026-06-15 CVSS 9.3

CVE-2026-42665

WP Data Access - unauthenticated SQL injection

CVE-2026-42665 affects WP Data Access through 5.5.70. WordPress sites should patch or disable the component, then review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

Realtyna Organic IDX

WordPress / Directory 1 CVE
2026-06-15 CVSS 9.3

CVE-2026-45439

Realtyna Organic IDX - unauthenticated SQL injection

CVE-2026-45439 affects Realtyna Organic IDX through 5.1.0. WordPress sites should patch or disable the component, then review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

Advanced 301 and 302 Redirect

WordPress / Plugin 1 CVE
2026-06-15 CVSS 9.3

CVE-2026-49067

Advanced 301 and 302 Redirect - unauthenticated SQL injection

CVE-2026-49067 affects Advanced 301 and 302 Redirect through 1.6.9. WordPress sites should patch or disable the component, then review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

eCommerce Product Catalog

WordPress / Ecommerce 1 CVE
2026-06-15 CVSS 9.3

CVE-2026-52693

eCommerce Product Catalog - unauthenticated SQL injection

CVE-2026-52693 affects eCommerce Product Catalog through 3.5.5. WordPress sites should patch or disable the component, then review database errors, unusual request patterns, and exposed customer or order data before closing the incident.

FastDup

WordPress / Plugin 1 CVE
2026-06-15 CVSS 9.6

CVE-2026-52703

FastDup - unauthenticated path traversal

CVE-2026-52703 affects FastDup through 2.7.2. WordPress sites should patch or disable the component, then review file access logs and unexpected downloads before closing the incident.

Broadcast Live Video

WordPress / Plugin 1 CVE
2026-06-15 CVSS 9.8

CVE-2026-27053

Broadcast Live Video - unauthenticated PHP object injection

CVE-2026-27053 affects Broadcast Live Video before 7.1.3. WordPress sites should patch or disable the component, then review PHP errors, changed files, and unexpected plugin settings before closing the incident.

iControlWP

WordPress / Plugin 1 CVE
2026-06-15 CVSS 9.8

CVE-2026-34901

iControlWP - unauthenticated privilege escalation

CVE-2026-34901 affects iControlWP through 5.5.3. WordPress sites should patch or disable the component, then review new users, role changes, and administrator sessions before closing the incident.

Datalogics Ecommerce Delivery

WordPress / Ecommerce 1 CVE
2026-06-15 CVSS 9.8

CVE-2026-39583

Datalogics Ecommerce Delivery - unauthenticated privilege escalation

CVE-2026-39583 affects Datalogics Ecommerce Delivery through 2.6.62. WordPress sites should patch or disable the component, then review new users, role changes, and administrator sessions before closing the incident.

WP-BusinessDirectory

WordPress / Directory 1 CVE
2026-06-15 CVSS 9.9

CVE-2026-39591

WP-BusinessDirectory - subscriber arbitrary file upload

CVE-2026-39591 affects WP-BusinessDirectory through 4.0.0. WordPress sites should patch or disable the component, then review upload directories, new PHP files, and web access logs before closing the incident.

Easy Invoice

WordPress / Ecommerce 1 CVE
2026-06-15 CVSS 10.0

CVE-2026-48836

Easy Invoice - unauthenticated remote code execution

CVE-2026-48836 affects Easy Invoice through 2.1.19. WordPress sites should patch or disable the component, then review changed files, cron jobs, users, and web server logs before closing the incident.

WP Insightly for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms

WordPress / Forms 1 CVE
2026-06-15 CVSS 9.8

CVE-2026-49085

WP Insightly form integrations - unauthenticated PHP object injection

CVE-2026-49085 affects WP Insightly for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms through 1.1.4. WordPress sites should patch or disable the component, then review PHP errors, changed files, and unexpected plugin settings before closing the incident.

Integration for Keap/Infusionsoft and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms

WordPress / Forms 1 CVE
2026-06-15 CVSS 9.8

CVE-2026-49104

Keap and form integrations - unauthenticated PHP object injection

CVE-2026-49104 affects Integration for Keap/Infusionsoft and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms through 1.2.1. WordPress sites should patch or disable the component, then review PHP errors, changed files, and unexpected plugin settings before closing the incident.

WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms

WordPress / Forms 1 CVE
2026-06-15 CVSS 9.8

CVE-2026-49105

WP Zendesk form integrations - unauthenticated PHP object injection

CVE-2026-49105 affects WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms through 1.1.4. WordPress sites should patch or disable the component, then review PHP errors, changed files, and unexpected plugin settings before closing the incident.

Integration for Contact Form 7 and Constant Contact

WordPress / Forms 1 CVE
2026-06-15 CVSS 9.8

CVE-2026-49106

Constant Contact and Contact Form 7 integration - unauthenticated PHP object injection

CVE-2026-49106 affects Integration for Contact Form 7 and Constant Contact through 1.1.6. WordPress sites should patch or disable the component, then review PHP errors, changed files, and unexpected plugin settings before closing the incident.

Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms

WordPress / Forms 1 CVE
2026-06-15 CVSS 9.8

CVE-2026-49109

Salesforce and form integrations - unauthenticated PHP object injection

CVE-2026-49109 affects Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms through 1.4.3. WordPress sites should patch or disable the component, then review PHP errors, changed files, and unexpected plugin settings before closing the incident.

Integration for Contact Form 7 HubSpot

WordPress / Forms 1 CVE
2026-06-15 CVSS 9.8

CVE-2026-49763

Contact Form 7 HubSpot integration - unauthenticated PHP object injection

CVE-2026-49763 affects Integration for Contact Form 7 HubSpot through 1.3.7. WordPress sites should patch or disable the component, then review PHP errors, changed files, and unexpected plugin settings before closing the incident.

RegistrationMagic

WordPress / Community 1 CVE
2026-06-15 CVSS 9.8

CVE-2026-49764

RegistrationMagic - unauthenticated broken authentication

CVE-2026-49764 affects RegistrationMagic through 6.0.8.6. WordPress sites should patch or disable the component, then review new sessions, password changes, and account history before closing the incident.

Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms

WordPress / Forms 1 CVE
2026-06-15 CVSS 9.8

CVE-2026-49765

Mailchimp and form integrations - unauthenticated PHP object injection

CVE-2026-49765 affects Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms through 1.1.8. WordPress sites should patch or disable the component, then review PHP errors, changed files, and unexpected plugin settings before closing the incident.

WP User Manager

WordPress / Community 1 CVE
2026-06-15 CVSS 9.9

CVE-2026-49766

WP User Manager - subscriber arbitrary file deletion

CVE-2026-49766 affects WP User Manager through 2.9.16. WordPress sites should patch or disable the component, then review missing plugin files, media files, and backups before closing the incident.

Happyforms

WordPress / Forms 1 CVE
2026-06-15 CVSS 9.8

CVE-2026-49768

Happyforms - unauthenticated PHP object injection

CVE-2026-49768 affects Happyforms through 1.26.13. WordPress sites should patch or disable the component, then review PHP errors, changed files, and unexpected plugin settings before closing the incident.

OttoKit

WordPress / Plugin 1 CVE
2026-06-15 CVSS 9.8

CVE-2026-49781

OttoKit - unauthenticated PHP object injection

CVE-2026-49781 affects OttoKit through 1.1.27. WordPress sites should patch or disable the component, then review PHP errors, changed files, and unexpected plugin settings before closing the incident.

Integration for ActiveCampaign and Contact Form 7, WPForms, Elementor, Ninja Forms

WordPress / Forms 1 CVE
2026-06-15 CVSS 9.8

CVE-2026-9691

ActiveCampaign and form integrations - unauthenticated PHP object injection

CVE-2026-9691 affects Integration for ActiveCampaign and Contact Form 7, WPForms, Elementor, Ninja Forms through 1.1.1. WordPress sites should patch or disable the component, then review PHP errors, changed files, and unexpected plugin settings before closing the incident.

Amasty Order Attributes for Magento 2

Magento / Ecommerce 1 CVE
2026-06-12 CVSS 9.8

CVE-2026-53787

Magento Amasty Order Attributes - unauthenticated arbitrary file upload

CVE-2026-53787 affects Amasty Order Attributes for Magento 2 before 4.0.0. Magento stores should patch, review upload directories, and block script execution from media paths.

jmespath.php

PHP Library 1 CVE
2026-06-12 CVSS 9.8

CVE-2026-54133

jmespath.php - compiler runtime code execution risk

CVE-2026-54133 affects jmespath.php before 2.9.1 when untrusted expressions reach the compiler runtime. Patch and use the non-compiler runtime for user-controlled expressions.

Public PoC

Moby / Docker Engine

Containers 1 CVE
2026-06-12 CVSS 7.2

CVE-2026-42306

Moby Docker Engine - container networking and firewall exposure

CVE-2026-42306 affects Docker Engine and Moby daemon versions before fixed releases. Review daemon version, published container ports, and host firewall state after upgrade.

MDJM Event Management

WordPress / CMS 1 CVE
2026-06-06 CVSS 7.2

CVE-2026-7537

MDJM Event Management - administrator file upload leading to RCE risk

CVE-2026-7537 affects MDJM Event Management for WordPress through 1.7.8.3. Review administrator activity, plugin email attachments, and upload locations for unexpected executable files.

Public PoC

All-In-One Security (AIOS)

WordPress / CMS 1 CVE
2026-06-06 CVSS 7.2

CVE-2026-8438

All-In-One Security (AIOS) - stored XSS in debug log handling

CVE-2026-8438 affects AIOS for WordPress through 5.4.7 when REST blocking and debug logging expose unescaped request-path data in admin log views.

Integration for Freshsales

WordPress / CMS 1 CVE
2026-06-06 CVSS 7.2

CVE-2026-8901

Integration for Freshsales - stored XSS in CRM form submission logs

CVE-2026-8901 affects Integration for Freshsales for WordPress through 1.0.15. Review failed CRM API logs and administrator screens after patching.

Ad Inserter

WordPress / CMS 1 CVE

WPForms

WordPress / CMS 1 CVE
2026-06-06 CVSS 5.3

CVE-2026-7792

WPForms PayPal Commerce - webhook verification gap

CVE-2026-7792 affects WPForms PayPal Commerce webhook handling through 1.10.0.4. Reconcile subscriptions, payment status changes, and webhook configuration after patching.

MailerPress

WordPress / WooCommerce 1 CVE
2026-06-09 CVSS 6.4

CVE-2026-8599

MailerPress - stored XSS in campaign admin preview

CVE-2026-8599 affects MailerPress through 2.0.4. Review author accounts, campaign HTML changes, and admin preview activity before sending newsletters.

Public PoC

Debug Log Manager

WordPress / CMS 1 CVE
2026-06-06 CVSS 5.3

CVE-2026-9016

Debug Log Manager - forged JavaScript error log entries

CVE-2026-9016 affects Debug Log Manager through 2.5.0 when JavaScript error logging is enabled. Patch first, then review whether forged log entries affected incident triage.

Public PoC

WP Ticket

WordPress / CMS 1 CVE
2026-06-13 CVSS 7.5

CVE-2026-9848

WP Ticket - unauthenticated SQL injection via WordPress search

CVE-2026-9848 affects the WP Ticket plugin through 6.0.4. Sites using WP Ticket should update to 6.0.5 or newer, then review support-ticket searches, database errors, and unusual front-end search traffic.

LiteSpeed cPanel Plugin

cPanel / Hosting 1 CVE
2026-06-14 CVSS 8.5

CVE-2026-54420

LiteSpeed cPanel Plugin - shared hosting privilege escalation risk

CVE-2026-54420 affects LiteSpeed cPanel user-end plugin deployments before 2.4.8, including bundled WHM Plugin deployments before the fixed 5.3.2.1 line. Shared hosts using CloudLinux/CageFS should patch and review cPanel logs because the vendor reported active exploitation.

Active Exploit Public PoC

BUK TS-G Gas Station Automation System

PHP / Automation 1 CVE
2026-06-13 CVSS 9.8

CVE-2026-12183

BUK TS-G - authentication weakness in system configuration handling

CVE-2026-12183 affects BUK TS-G Gas Station Automation System 2.9.1 through 2.10.2 on Linux. Treat exposed panels as high risk, restrict access to trusted networks, patch, and review system configuration or administrative changes.

Public PoC

ShopXO

PHP / Ecommerce 1 CVE
2026-06-15 CVSS 7.5

CVE-2026-12204

ShopXO - unauthenticated scheduled task endpoint authorization bypass

CVE-2026-12204 affects ShopXO up to 6.7.1 in app/api/controller/Crontab.php. Stores should restrict scheduled task endpoints, review order/payment state changes, and preserve logs before cleanup.

Public PoC

Metacat

Data Repository / Java 1 CVE
2026-06-15 CVSS 9.8

CVE-2026-48114

Metacat 2.x - unauthenticated SQL injection

CVE-2026-48114 affects Metacat 2.x through 2.19.1 in the harvester registration path. Operators should upgrade to Metacat 3.x, restrict legacy servlet exposure, and review PostgreSQL and repository logs.

Public PoC

GStreamer gst-plugins-bad

Media Framework 1 CVE
2026-06-15 CVSS 7.1

CVE-2026-52719

GStreamer gst-plugins-bad - VA JPEG out-of-bounds read

CVE-2026-52719 affects the VA JPEG decoder in GStreamer gst-plugins-bad before 1.28.4. Systems that parse untrusted media should update packages and review crashes from media thumbnailing or ingestion jobs.

GStreamer librfb

Media Framework 1 CVE
2026-06-15 CVSS 8.8

CVE-2026-52720

GStreamer librfb - heap overflow in RFB/VNC client handling

CVE-2026-52720 affects GStreamer's librfb RFB/VNC client handling. Hosts that connect to untrusted VNC/RFB sources or process remote media streams should update packages and review crashes or unusual client-side failures.

GStreamer VMnc decoder

Media Framework 1 CVE
2026-06-15 CVSS 7.1

CVE-2026-52722

GStreamer VMnc decoder - signed integer overflow

CVE-2026-52722 affects GStreamer's VMnc decoder. Systems that index, preview, transcode, or open untrusted media should update packages and review application crashes, thumbnailer failures, and desktop media logs.

Cisco Catalyst SD-WAN Manager

Network Management 1 CVE
2026-06-15 CVSS 6.5

CVE-2026-20262

Cisco Catalyst SD-WAN Manager - authenticated arbitrary file write

CVE-2026-20262 affects Cisco Catalyst SD-WAN Manager web UI upload handling. The reported path requires valid low-privilege credentials but can create or overwrite files, so exposed management planes need patching and account review.

CISA KEV Active Exploit Public PoC

WooCommerce PDF Invoice Builder

WordPress / WooCommerce 1 CVE
2026-06-15 CVSS 10.0

CVE-2026-52704

WooCommerce PDF Invoice Builder - remote code inclusion risk

CVE-2026-52704 affects WooCommerce PDF Invoice Builder through 2.0.8. Stores should disable or patch the plugin, review generated invoice files and templates, and check administrator activity before reopening payments.

404 Redirection Manager

WordPress / Redirects 1 CVE
2026-06-15 CVSS 8.8

CVE-2016-20071

404 Redirection Manager - unauthenticated SQL injection

CVE-2016-20071 affects the 404 Redirection Manager plugin version 1.0. WordPress sites still carrying the old plugin should remove it, check redirect tables, and preserve database logs if unusual requests appear.

Public PoC

Faust.Js

WordPress / Headless 1 CVE
2026-06-15 CVSS 8.8

CVE-2026-49062

Faust.Js - password recovery authentication bypass

CVE-2026-49062 affects WP Engine Faust.Js through 1.8.7. Headless WordPress sites should patch, then review password recovery emails, reset tokens, and administrator session history.

Simple-Backup

WordPress / Backup 1 CVE
2026-06-15 CVSS 8.7

CVE-2016-20076

Simple-Backup - arbitrary file delete and download

CVE-2016-20076 affects Simple-Backup 2.7.11. Old WordPress sites should remove the plugin, review backup directories, and check whether sensitive files were downloaded or deleted.

Public PoC

CherryFramework Themes

WordPress / Theme 1 CVE
2026-06-15 CVSS 8.7

CVE-2018-25437

CherryFramework Themes - backup archive disclosure

CVE-2018-25437 affects CherryFramework Themes 3.1.4. Review whether theme backup archives are publicly reachable, remove exposed archives, and check access logs before rotating secrets.

Public PoC

GetPaid

WordPress / Payment 1 CVE
2026-06-15 CVSS 7.5

CVE-2026-49064

GetPaid - sensitive information exposure

CVE-2026-49064 affects GetPaid through 2.8.49. Payment sites should patch, clear caches, and review whether invoice, customer, or payment-related data was exposed in sent responses.

IMDb Profile Widget

WordPress / Media 1 CVE
2026-06-15 CVSS 6.9

CVE-2016-20078

IMDb Profile Widget - local file inclusion

CVE-2016-20078 affects IMDb Profile Widget 1.0.8. Sites should remove the legacy plugin and inspect logs for suspicious file reads before deciding whether to rotate credentials.

Public PoC

Brandfolder

WordPress / DAM 1 CVE
2026-06-15 CVSS 6.9

CVE-2016-20080

Brandfolder - local and remote file inclusion

CVE-2016-20080 affects the Brandfolder WordPress plugin through 3.0. Remove the plugin, review file inclusion indicators, and verify no unexpected PHP files or credentials were exposed.

Public PoC

Responsive FileManager

PHP / File Manager 1 CVE
2026-06-15 CVSS 9.3

CVE-2026-5482

Responsive FileManager - unrestricted file upload to RCE risk

CVE-2026-5482 affects Tecrail Responsive FileManager through 9.14.0. The project was reported as unmaintained at assignment time, so exposed deployments should be removed or isolated and upload directories reviewed.

Public PoC

multer

Node.js / File Upload 1 CVE
2026-06-15 CVSS 7.5

CVE-2026-5079

multer - denial of service via deeply nested field names

CVE-2026-5079 affects multer upload parsing when deeply nested multipart field names are accepted. Node.js services should update from the affected multer line, enforce upload limits, and monitor upload endpoints for memory pressure.

Public PoC

Koha

Library App / Database 1 CVE
2026-06-13 CVSS 7.6

CVE-2026-6428

Koha - SQL injection risk in catalogue report handling

CVE-2026-6428 affects Koha catalogue report handling when a staff account has Reports permission on vulnerable branches. Upgrade to the fixed Koha branch, review report exports and database errors, and remove unnecessary Reports access.

Public PoC

cPanel WP Toolkit

Hosting Control Panel / WordPress 1 CVE
2026-06-12 CVSS 9.9

CVE-2026-47365

cPanel WP Toolkit - cross-tenant command authorization bypass

CVE-2026-47365 affects WP Toolkit before 6.11.0 as used in cPanel & WHM. Hosting providers should update WP Toolkit, review account boundaries, and check recent wp-toolkit CLI activity.

Schema & Structured Data for WP & AMP

WordPress Plugin 1 CVE
2026-06-12 CVSS 9.1

CVE-2026-9067

Schema & Structured Data for WP & AMP - arbitrary media upload

CVE-2026-9067 affects Schema & Structured Data for WP & AMP before 1.60. WordPress sites should update the plugin, review media uploads, and check for unexpected files under wp-content/uploads.

Splunk Secure Gateway

SIEM / Logging 1 CVE
2026-06-10 CVSS 8.8

CVE-2026-20251

Splunk Secure Gateway - unsafe deserialization remote code execution

CVE-2026-20251 affects Splunk Secure Gateway through unsafe deserialization. Confirm Splunk Enterprise and Secure Gateway versions, patch fixed releases, and review app activity and admin logs.

Spring Security

Java / Framework 1 CVE
2026-06-12 CVSS 7.6

CVE-2026-41003

Spring Security - SAML relying-party registration exposure

CVE-2026-41003 affects Spring Security applications that render attacker-influenced SAML relying-party registration values. Review SAML configuration sources and move to fixed Spring Security releases.

Spring Data Commons

Java / Framework 1 CVE
2026-06-12 CVSS 7.5

CVE-2026-41695

Spring Data Commons - untrusted property path handling

CVE-2026-41695 affects Spring Data Commons when untrusted property path strings reach MappingContext resolution. Patch affected branches and review filter, sort, and projection inputs.

Spring for GraphQL

Java / GraphQL 1 CVE
2026-06-12 CVSS 7.5

CVE-2026-41856

Spring for GraphQL - method-security boundary issue

CVE-2026-41856 affects Spring for GraphQL controller hierarchies that rely on method-security annotations. Upgrade fixed releases and review authorization behavior around inherited controller methods.

PbootCMS

CMS / PHP 1 CVE
2026-06-12 CVSS 5.5

CVE-2026-12066

PbootCMS - password recovery exposure

CVE-2026-12066 affects PbootCMS up to 3.2.12 in the member password recovery flow. Review exposed member recovery pages, account changes, admin logins, and vendor patch status.

Public PoC

UDS Identity Config

Kubernetes / Identity 1 CVE
2026-06-05 CVSS 10.0

CVE-2026-46389

UDS Identity Config - Keycloak client authentication bypass

CVE-2026-46389 affects UDS Identity Config 0.11.0 through 0.26.0. Deployments using the client-kubernetes-secret Keycloak authenticator should update to 0.26.1 and review service-account token activity.

Mem0

AI / Self-hosted 1 CVE
2026-06-10 CVSS 8.6

CVE-2026-49948

Mem0 self-hosted server - missing authorization on configuration changes

CVE-2026-49948 affects Mem0 self-hosted server versions through 0.2.8. Check exposed server instances, admin/API-key usage, LLM provider settings, embedder settings, and unexpected configuration changes.

Apache Cordova

Mobile App / JavaScript 1 CVE
2026-06-08 CVSS 9.5

CVE-2026-47430

Cordova Plugin InAppBrowser iOS - callback boundary weakness

CVE-2026-47430 affects cordova-plugin-inappbrowser 3.1.0 through 6.0.0 on iOS. Apps that open OAuth, payment, deep-link, or marketing pages in InAppBrowser should upgrade to 6.0.1 and review plugin callback trust boundaries.

Open XDMoD

HPC / Web Portal 1 CVE
2026-06-05 CVSS 9.3

CVE-2026-45777

Open XDMoD - unauthenticated remote code execution

CVE-2026-45777 affects Open XDMoD 9.5.0 through 11.0.2. HPC portals should upgrade to 11.0.3 or newer, restrict web access, and review web-server process activity and application logs.

Active Exploit

Check Point Remote Access VPN / Mobile Access

VPN / Firewall 1 CVE
2026-06-08 CVSS 9.3

CVE-2026-50751

Check Point - deprecated IKEv1 VPN authentication bypass

CVE-2026-50751 affects Check Point Remote Access VPN and Mobile Access deployments that still accept deprecated IKEv1. Check Point reported exploitation in the wild; operators should patch, disable or restrict IKEv1, and review VPN logs from 2026-05-07 onward.

Active Exploit

YesWiki

PHP / Wiki 1 CVE
2026-06-08 CVSS 9.8

CVE-2026-52778

YesWiki - Bazar CalcField unsafe formula handling

CVE-2026-52778 affects YesWiki before 4.6.6 through the Bazar CalcField formula calculator. Public YesWiki sites should upgrade, review Bazar forms, and check logs for repeated form submissions or PHP file changes.

Nginx Proxy Manager

Reverse Proxy / Admin Panel 1 CVE
2026-06-08 CVSS 7.7

CVE-2026-40519

Nginx Proxy Manager - certificate plugin command injection

CVE-2026-40519 affects Nginx Proxy Manager certificate plugin setup when an account can manage certificates. Review admin exposure, certificate permissions, DNS challenge credentials, and update to a build containing the upstream fix.

Apinizer

API Gateway / API Management 1 CVE
2026-06-11 CVSS 9.8

CVE-2026-11561

Apinizer - expression language injection code injection

CVE-2026-11561 affects Apinizer 2026.04.0 before 2026.04.6. API gateway owners should identify exposed Apinizer nodes, upgrade to a fixed release, and review gateway logs, admin activity, and policy changes.

Russh

SSH / Rust Library 1 CVE
2026-06-10 CVSS 5.3

CVE-2026-48108

Russh - SSH identification pre-authentication resource handling

CVE-2026-48108 affects Rust services built on russh 0.34.0-beta.1 before 0.61.0. Check embedded SSH services, patch russh, and review connection limits around the pre-authentication phase.

Public PoC

CodeAstro Human Resource Management System

PHP / HRMS 1 CVE
2026-06-12 CVSS 6.5

CVE-2026-12131

CodeAstro HRMS - SQL injection in payroll invoice handling

CVE-2026-12131 affects CodeAstro Human Resource Management System 1.0 in payroll invoice handling. Confirm whether HRMS is deployed, restrict the payroll module, patch, and review invoice and database logs.

Public PoC

Product Filter by WBW

WordPress / WooCommerce 1 CVE
2026-06-11 CVSS 9.3

CVE-2026-39494

Product Filter by WBW - blind SQL injection

CVE-2026-39494 affects Product Filter by WBW through 3.1.2. WooCommerce stores should patch, review filter traffic, database errors, and unusual product catalog queries.

JoomSport

WordPress / Sports Plugin 1 CVE
2026-06-11 CVSS 9.3

CVE-2026-42647

JoomSport - blind SQL injection

CVE-2026-42647 affects JoomSport through 5.7.7. Site owners should patch, review league-management traffic, database logs, and editor/admin activity.

SliceWP

WordPress / Affiliate Plugin 1 CVE

Quest Bot

CI/CD / GitHub Actions 1 CVE
2026-06-11 CVSS 9.5

CVE-2026-47172

Quest Bot - privileged deploy workflow exposure

CVE-2026-47172 affects Quest Bot before 1.0.3. Review GitHub Actions workflows that promote pull-request builds into privileged Docker deployment jobs.

Public PoC

Duck Site

CI/CD / GitHub Actions 1 CVE
2026-06-11 CVSS 9.5

CVE-2026-47174

Duck Site - privileged deploy workflow exposure

CVE-2026-47174 affects Duck Site before 1.0.1. Review build-to-deploy workflow boundaries, package-write permissions, and production image publishing rules.

Public PoC

Boxlite

Container / Sandbox 1 CVE
2026-06-10 CVSS 9.6

CVE-2026-46703

Boxlite - OCI image extraction path handling

CVE-2026-46703 affects Boxlite before 0.9.0 when untrusted OCI images are loaded into sandbox hosts. Patch and review image sources, host file changes, and sandbox runtime logs.

Public PoC

migration-planner

Kubernetes / Migration 1 CVE
2026-06-10 CVSS 9.6

CVE-2026-53474

migration-planner - RVTools spreadsheet SQL injection

CVE-2026-53474 affects migration-planner when uploaded RVTools spreadsheets are processed. Review import history, service account exposure, and patched build status.

Public PoC

mcp-server-kubernetes

Kubernetes / MCP 1 CVE
2026-06-11 CVSS 8.8

CVE-2026-46519

mcp-server-kubernetes - tool restriction bypass

CVE-2026-46519 affects mcp-server-kubernetes before 3.6.0 where tool restrictions may be enforced in discovery but not execution. Patch and review connected MCP clients and Kubernetes permissions.

Public PoC

Azure Kubernetes Service

Kubernetes / Managed Cloud 1 CVE
2026-06-09 CVSS 8.8

CVE-2026-32193

Azure Kubernetes Service - path traversal

CVE-2026-32193 affects Azure Kubernetes Service. Public records describe a path traversal issue that can allow an authorized attacker to execute code locally. Review AKS update state, RBAC, node pool access, and recent cluster activity.

Grafana Operator

Kubernetes / Observability 1 CVE
2026-06-13 CVSS 6.4

CVE-2026-11769

Grafana Operator - jsonnet dashboard service account exposure

CVE-2026-11769 affects Grafana Operator versions 5.23 and earlier. Upgrade to 5.24.0 or newer, review users who can create GrafanaDashboard or GrafanaLibraryPanel resources, and check operator service account exposure.

Apache Airflow Samba provider

Data Pipeline / Apache 1 CVE
2026-06-09 CVSS 6.5

CVE-2026-49818

Apache Airflow Samba provider - destination path containment

CVE-2026-49818 affects the Apache Airflow Samba provider GCSToSambaOperator. Upgrade apache-airflow-providers-samba to 4.12.6 or newer, then review DAGs that transfer GCS objects to SMB destinations.

mysql-mcp-server

MCP / Database 1 CVE
2026-06-08 CVSS 6.5

CVE-2026-11529

mysql-mcp-server - mysql URI handler injection

CVE-2026-11529 affects mysql-mcp-server before 0.3.0 in the mysql URI handler. Upgrade to 0.3.0, restrict the database account used by the MCP server, and review query logs from connected clients.

Public PoC

KanaDojo

CI/CD / GitHub Actions 1 CVE
2026-06-11 CVSS 8.5

CVE-2026-48546

KanaDojo - GitHub Actions sandbox escape

CVE-2026-48546 affects KanaDojo before 0.1.18. Repositories using similar issue auto-response workflows should review runner permissions, token scope, and pull-request execution paths.

Public PoC

Keras

AI / Python 1 CVE
2026-06-11 CVSS 8.1

CVE-2026-11816

Keras - archive extraction path traversal

CVE-2026-11816 affects Keras before 3.14.0 archive extraction utilities. ML services should patch and review dataset/model import paths, CI runners, Jupyter jobs, and container working directories.

Public PoC

Vim

Developer Tools / Editor 1 CVE
2026-06-11 CVSS 7.5

CVE-2026-52860

Vim - Python omni-completion execution risk

CVE-2026-52860 affects Vim before 9.2.0597 when Python omni-completion processes hostile buffers. Patch developer images and discourage completion on untrusted files until updated.

Public PoC

js-libp2p

Node.js / Networking 1 CVE
2026-06-10 CVSS 7.5

CVE-2026-46679

js-libp2p gossipsub - unauthenticated heap exhaustion

CVE-2026-46679 affects @libp2p/gossipsub before 15.0.23. Public peer nodes should patch and review memory alerts, peer churn, and gossipsub traffic exposure.

Public PoC

GitLab CE/EE

DevOps / GitLab 1 CVE
2026-06-11 CVSS 7.5

CVE-2026-7250

GitLab CE/EE - Grape API JSON parsing denial of service

CVE-2026-7250 affects GitLab CE/EE API request parsing. Public self-managed GitLab instances should upgrade and review API error spikes and application availability metrics.

Apache Answer

Enterprise App / Apache 1 CVE
2026-06-10 CVSS 7.2

CVE-2026-25700

Apache Answer - admin token invalidation weakness

CVE-2026-25700 affects Apache Answer through 2.0.0 where administrative tokens may remain usable after account suspension, deletion, or deactivation. Upgrade and rotate admin tokens.

S2OPC

Industrial / OPC UA 1 CVE
2026-06-10 CVSS 7.3

CVE-2026-9758

S2OPC - trusted certificate comparison weakness

CVE-2026-9758 affects S2OPC certificate trust comparison. OPC UA operators should patch, rebuild trust lists, and review certificate enrollment and connection logs.

openSIS Classic

Education / PHP App 1 CVE
2026-06-11 CVSS 7.1

CVE-2026-8406

openSIS Classic - messaging module IDOR

CVE-2026-8406 affects openSIS Classic 9.3 messaging. School portals should patch, review sent-message access, student/staff accounts, and web logs around messaging routes.

Public PoC

thaipalliative_lte

Healthcare / PHP App 1 CVE
2026-06-11 CVSS 9.8

CVE-2026-38581

thaipalliative_lte - SQL injection in study form handling

CVE-2026-38581 affects thaipalliative_lte through 3.0. Operators should restrict public access, review study form traffic, database logs, and patient-data exposure before reopening.

Public PoC

UpdraftPlus

WordPress / Backup 1 CVE
2026-06-11 CVSS 8.1

CVE-2026-10795

UpdraftPlus - UpdraftCentral remote communication authentication bypass

CVE-2026-10795 affects UpdraftPlus through 1.26.4 when the site has been connected to UpdraftCentral. Review remote communication logs, backup activity, plugin changes, and administrator accounts before treating the site as clean.

Spring Web Services

Java / Spring 1 CVE
2026-06-11 CVSS 8.2

CVE-2026-40998

Spring Web Services - Jaxp13XPathTemplate XXE via StreamSource and SAXSource

CVE-2026-40998 affects Spring Web Services applications that evaluate XPath over untrusted XML through Jaxp13XPathTemplate with StreamSource or SAXSource. Upgrade and review XML entry points.

Splunk

Logging / SIEM 1 CVE
2026-06-10 CVSS 9.8

CVE-2026-20253

Splunk - unauthenticated PostgreSQL sidecar file operation exposure

CVE-2026-20253 affects some Splunk Enterprise and Splunk Cloud Platform versions where a PostgreSQL sidecar service endpoint lacks authentication controls. Patch and review service exposure, file changes, apps, and admin activity.

Concrete CMS

PHP / CMS 1 CVE
2026-06-10 CVSS 8.4

CVE-2026-10721

Concrete CMS - PHP object injection in permission, cache, and search components

CVE-2026-10721 affects Concrete CMS before 9.5.2 through unsafe serialized data paths. Check the running CMS version, recent cache or permission errors, and patch the site.

DedeCMS

PHP / CMS 1 CVE
2026-06-10 CVSS 9.8

CVE-2026-38615

DedeCMS - command execution in file management code

CVE-2026-38615 affects DedeCMS V5.7.118 file management code. Legacy public installs should be removed or patched, and operators should review file manager activity, upload directories, and unexpected PHP files.

Public PoC

FrankenPHP

PHP / App Server 1 CVE
2026-06-10 CVSS 8.1

CVE-2026-45062

FrankenPHP - PHP script routing confusion with non-ASCII paths

CVE-2026-45062 affects FrankenPHP 1.11.2 through 1.12.2 when user-controlled files can be routed as PHP scripts. Upgrade to 1.12.3 and review upload, media, and file-sharing paths.

Public PoC

Doctreat Core

WordPress / Directory 1 CVE
2026-06-10 CVSS 9.8

CVE-2025-6254

Doctreat Core - unauthenticated administrator registration

CVE-2025-6254 affects Doctreat Core through 1.6.8 and can allow unauthenticated administrator registration. Review new admins, registration logs, role changes, and plugin version.

WPZOOM Portfolio

WordPress / Portfolio 1 CVE
2026-06-10 CVSS 7.1

CVE-2026-49069

WPZOOM Portfolio - reflected XSS

CVE-2026-49069 affects WPZOOM Portfolio through 1.4.21. Patch and review admin-session exposure if editors or administrators opened untrusted links while logged in.

WP Mail Log

WordPress / Mail 1 CVE
2026-06-11 CVSS 7.1

CVE-2023-33999

WP Mail Log - DOM-based XSS

CVE-2023-33999 affects WP Mail Log through 1.0.2. Patch or remove the plugin and review whether administrators opened untrusted mail-log views while logged in.

samlify

Node.js / SAML SSO 1 CVE
2026-06-08 CVSS 8.7

CVE-2026-46490

samlify - SAML AttributeValue XML injection privilege escalation

CVE-2026-46490 affects samlify before 2.13.0. Node.js SAML SSO services should upgrade, review IdP attribute templates, SP role/group mapping, and recent login events where SAML attributes drive authorization.

Public PoC

SimpleSAMLphp CAS Server

PHP / SSO 1 CVE
2026-06-10 CVSS 8.6

CVE-2026-46491

SimpleSAMLphp CAS Server - FileSystemTicketStore path traversal

CVE-2026-46491 affects simplesamlphp-module-casserver before 7.0.3 when the file-based ticket store is used and public CAS validation or proxy endpoints are reachable. Check whether FileSystemTicketStore is enabled, upgrade to 7.0.3, and review PHP filesystem permissions.

Public PoC

Spring Data MongoDB

Java / Spring 1 CVE
2026-06-10 CVSS 8.1

CVE-2026-41717

Spring Data MongoDB - SpEL injection in annotated query binding

CVE-2026-41717 affects Spring Data MongoDB applications that expose annotated repository methods with capture-all placeholders to untrusted input. Upgrade affected branches and search for risky @Query or @Aggregation patterns.

Spring Data REST

Java / Spring 1 CVE
2026-06-10 CVSS 8.1

CVE-2026-41729

Spring Data REST - SpEL injection through JSON Patch map keys

CVE-2026-41729 affects Spring Data REST when JSON Patch reaches Map-typed persistent properties. Upgrade affected branches and restrict PATCH exposure while reviewing map-backed resources.

Spring for Apache Kafka

Java / Messaging 1 CVE
2026-06-10 CVSS 8.1

CVE-2026-41731

Spring for Apache Kafka - broad trusted-package deserialization

CVE-2026-41731 affects Spring for Apache Kafka header mappers where broad trusted-package matching can expose JDK classes to deserialization. Upgrade and review JsonKafkaHeaderMapper or DefaultKafkaHeaderMapper configuration.

Spring for Apache Pulsar

Java / Messaging 1 CVE
2026-06-10 CVSS 8.1

CVE-2026-41732

Spring for Apache Pulsar - trusted-package deserialization risk

CVE-2026-41732 affects Spring for Apache Pulsar when JsonPulsarHeaderMapper trusted-package matching is too broad or empty configuration falls back to trusting all packages. Upgrade and review header mapper configuration.

LimeSurvey

Survey / PHP 1 CVE
2026-06-09 CVSS 8.8

CVE-2026-50636

LimeSurvey - RemoteControl invite/remind SQL injection

CVE-2026-50636 affects LimeSurvey RemoteControl invite_participants and remind_participants flows when the RPC interface is enabled and a caller has token update permission. Disable RemoteControl if unused, reduce permissions, and apply the vendor fix.

Public PoC

The Events Calendar for GeoDirectory

WordPress / Events 1 CVE
2026-06-09 CVSS 8.8

CVE-2026-11616

The Events Calendar for GeoDirectory - Subscriber privilege escalation

The Events Calendar for GeoDirectory CVE-2026-11616 can let a low-privilege WordPress account alter role-related user metadata through the event interest flow. Update to 2.3.29 or newer, then review admin users, role changes, and AJAX logs.

Simple Personal Message

WordPress / Messaging 1 CVE
2026-06-09 CVSS 7.1

CVE-2016-20063

Simple Personal Message - Authenticated SQL injection in legacy WordPress plugin

CVE-2016-20063 is a legacy Simple Personal Message WordPress plugin SQL injection issue. Check whether the plugin still exists, confirm the installed version, update to 2.0.0 or remove it, and review admin activity and database access if it was exposed.

Public PoC

Recover Exit for WooCommerce

WordPress / WooCommerce 1 CVE
2026-06-09 CVSS 8.1

CVE-2026-9662

Recover Exit for WooCommerce - Unauthenticated LFI via tpf include path

Recover Exit for WooCommerce exposes a reported local file inclusion path through a POST value that reaches include(). Stores should remove or disable the plugin, check the affected PHP files, and review logs before reopening checkout flows.

6Storage Rentals

WordPress / Rentals 1 CVE
2026-06-09 CVSS 7.5

CVE-2026-9185

6Storage Rentals - Unauthenticated tenant profile exposure

6Storage Rentals may expose tenant profile read or update paths without login. Site owners should disable the plugin, preserve access logs, inspect tenant records, and notify affected users if data changed.

FV Flowplayer

WordPress / Media 1 CVE
2026-06-09 CVSS 7.2

CVE-2026-7556

FV Flowplayer Video Player - Stored XSS review for WordPress sites

FV Flowplayer CVE-2026-7556 should be treated as a stored XSS cleanup and permission review, not as a confirmed unauthenticated RCE. Check plugin version, recent video embeds, editor accounts, and cached pages.

WordPress Seotheme

WordPress / Theme 1 CVE
2026-06-08 CVSS 9.8

CVE-2023-54352

WordPress Seotheme - Unauthenticated Remote Code Execution

CVE-2023-54352 is an unauthenticated RCE in WordPress Seotheme with a public technical signal. Site owners should check for the known shell IOC, related seoplugins paths, unexpected admins, modified theme files, and web-log hits before cleanup.

Public PoC

code-projects Simple Flight Ticket Booking

Booking / PHP App 1 CVE
2026-06-08 CVSS 7.5

CVE-2026-11488

Simple Flight Ticket Booking - checkUser.php SQL Injection

CVE-2026-11488 is a SQL injection in the login handling of code-projects Simple Flight Ticket Booking System 1.0. Check stale booking demos, login SQL handling, web logs, and database privileges.

Public PoC

Kushan2k student-management-system

Education / PHP App 1 CVE
2026-06-08 CVSS 7.5

CVE-2026-11474

Student Management System - Unrestricted Upload via stimg

Kushan2k student-management-system may allow dangerous file uploads through the stimg registration image field. Check public/profiles for PHP-like files, block script execution in upload directories, and preserve logs.

Public PoC

BeikeShop

E-commerce / Payments 1 CVE
2026-06-07 CVSS 7.5

CVE-2026-11462

BeikeShop Stripe Plugin - Missing Webhook Signature Verification

BeikeShop Stripe plugin callback may process webhook data without verifying the Stripe-Signature header. Store owners should patch, configure the webhook secret, review /callback/stripe logs, and match paid orders against Stripe.

Public PoC

Chanjet CRM

CRM / Business Software 1 CVE
2026-06-07 CVSS 7.3

CVE-2026-11456

Chanjet CRM - SQL Injection in system table handling

CVE-2026-11456 is a SQL injection in a system table endpoint of Chanjet CRM 1.0. Exposed CRM systems should restrict the endpoint, review web logs, and preserve evidence.

Public PoC

FreePBX

VoIP / Phone System 1 CVE
2026-05-29 CVSS 9.3

FreePBX-Cluster-2026-05

FreePBX May 2026 Cluster - 4 CVEs in one day (UCP takeover, CDR SQLi, OAuth bypass, path traversal)

Four FreePBX CVEs published the same day. CVE-2026-46376 (9.3) is a pre-auth UCP takeover via hard-coded initial template credentials. CVE-2026-44238 (8.5) is SQL injection in the CDR Reports module via order/sort parameters. CVE-2026-44237 (7.6): the OAuth2 validateClient() method unconditionally returns true. CVE-2026-44239 (7.6) is PHP path traversal in the Dashboard module's getcontent handler. Patch lines: 16.0.50 / 17.0.11.

Public PoC

VS Code

Developer Tools 1 CVE
2026-05-27 CVSS 9.3

CVE-2026-48027

Nx Console VS Code Extension - Supply Chain Attack (Actively Exploited)

Malicious Nx Console version 18.95.0 was published to VS Code Marketplace for ~18 minutes and OpenVSX for ~36 minutes on May 19, 2026. The compromised extension contained embedded malicious code (CWE-506) that executed at activation. Auto-update users may have installed it. CISA has added this to the Known Exploited Vulnerabilities catalog.

CISA KEV Active Exploit Public PoC

Docker

Container / DevOps 1 CVE
2026-05-27 CVSS 10.0

CVE-2026-44329

BentoML Docker Build - Dockerfile Injection -> Full Host RCE

BentoML's Dockerfile template can mishandle docker.base_image from bento.yaml. Malicious build configuration may alter generated Dockerfile behavior during image builds. Patch BentoML and review build inputs before rebuilding.

Public PoC

CISA KEV & actively exploited

Vulnerabilities with confirmed real-world exploitation. Patch order zero. If you run any of these, treat as a fire drill.

⚠️ CISA KEV
2026-06-15 CVSS 6.5

CVE-2026-20262

Cisco Catalyst SD-WAN Manager - authenticated arbitrary file write

CVE-2026-20262 affects Cisco Catalyst SD-WAN Manager web UI upload handling. The reported path requires valid low-privilege credentials but can create or overwrite files, so exposed management planes need patching and account review.

Cisco Catalyst SD-WAN Manager CISA KEV Active Exploit Public PoC
⚠️ ACTIVELY EXPLOITED
2026-06-14 CVSS 8.5

CVE-2026-54420

LiteSpeed cPanel Plugin - shared hosting privilege escalation risk

CVE-2026-54420 affects LiteSpeed cPanel user-end plugin deployments before 2.4.8, including bundled WHM Plugin deployments before the fixed 5.3.2.1 line. Shared hosts using CloudLinux/CageFS should patch and review cPanel logs because the vendor reported active exploitation.

LiteSpeed cPanel Plugin Active Exploit Public PoC
⚠️ CISA KEV
2026-06-11 CVSS 10.0

CVE-2026-10520

Ivanti Sentry - unauthenticated root-level command injection

CVE-2026-10520 affects Ivanti Sentry and was added to CISA KEV on 2026-06-11. Confirm version state, restrict management access, patch, and review appliance logs and unexpected accounts.

Ivanti Sentry CISA KEV Active Exploit
⚠️ ACTIVELY EXPLOITED
2026-06-08 CVSS 9.3

CVE-2026-50751

Check Point - deprecated IKEv1 VPN authentication bypass

CVE-2026-50751 affects Check Point Remote Access VPN and Mobile Access deployments that still accept deprecated IKEv1. Check Point reported exploitation in the wild; operators should patch, disable or restrict IKEv1, and review VPN logs from 2026-05-07 onward.

Check Point Remote Access VPN / Mobile Access Active Exploit
⚠️ ACTIVELY EXPLOITED
2026-06-05 CVSS 9.3

CVE-2026-45777

Open XDMoD - unauthenticated remote code execution

CVE-2026-45777 affects Open XDMoD 9.5.0 through 11.0.2. HPC portals should upgrade to 11.0.3 or newer, restrict web access, and review web-server process activity and application logs.

Open XDMoD Active Exploit
⚠️ ACTIVELY EXPLOITED
2026-06-02 CVSS 9.8

CVE-2026-8206

Kirki Page Builder - Unauthenticated Admin Account Takeover via Password Reset

The Kirki 6.0.0–6.0.6 password reset endpoint sends the reset link to an attacker-supplied email address instead of the account owner's. One unauthenticated request hijacks any admin. 500K+ installs, Wordfence blocking 222+ attacks/day.

WordPress Active Exploit Public PoC
⚠️ CISA KEV
2026-05-27 CVSS 9.3

CVE-2026-48027

Nx Console VS Code Extension - Supply Chain Attack (Actively Exploited)

Malicious Nx Console version 18.95.0 was published to VS Code Marketplace for ~18 minutes and OpenVSX for ~36 minutes on May 19, 2026. The compromised extension contained embedded malicious code (CWE-506) that executed at activation. Auto-update users may have installed it. CISA has added this to the Known Exploited Vulnerabilities catalog.

VS Code CISA KEV Active Exploit Public PoC
⚠️ CISA KEV
2026-04-28 CVSS 9.8

CVE-2026-41940

cPanel/WHM Pre-Auth CRLF Injection -> Root Access

Pre-authentication CRLF injection in cPanel & WHM session handling leading to root access. 44,000 IPs compromised, 7,135 hit by .sorry ransomware. Persistent Mr_Rot13 Filemanager backdoor survives the patch. Second emergency TSR on May 8.

cPanel CISA KEV Active Exploit Public PoC

Need hands-on help?

Free tools see the problem. Our services fix it.

Professional remediation by the same team that tracks these threats. Most engagements close within 24 hours.

$19/mo Private CVE Watch Stack-specific alerts by Telegram or email
$49 Quick Patch Call 30-min screenshare, we patch together
$99 Compromise Check IOC scan + backdoor hunt + report
From $299 Emergency Repair Cleanup, containment, and written handoff
Request CVE repair ->

Sources verified against NVD, CISA KEV, Shadowserver, Censys, F5, Rapid7, watchTowr, cPanel, WordPress plugin advisories, and FreePBX security advisories. Last updated 2026-06-29.