By severity

High-severity vulnerabilities

CVEs rated High by CVSS, with SEC.co remediation and prioritization guidance.

1343 published vulnerabilities · page 13 of 14

  • CVE-2026-30761HIGH 7.3

    SourceBans Material Admin v1.1.6 contains a critical weakness in its image upload functionality that allows unauthenticated attackers to upload malicious files and execute arbitrary code on affected servers. An attacker can craft a specially designed image file that bypasses upload validation, leading to remote code execution without needing valid credentials or user interaction. This is a direct pathway to full system compromise.

  • CVE-2026-36609HIGH 7.3

    A vulnerability in Mercusys AC12G (EU) V1 routers with firmware version AC12G(EU)_V1_200909 allows attackers on the network to recover administrator passwords. The router uses a static authentication nonce (a security token) that remains the same for requests from the same IP address, and combines this with weak password encoding. An attacker who captures authentication traffic can reverse-engineer the encoding to extract plaintext credentials, potentially gaining full administrative control of the router.

  • CVE-2026-36611HIGH 7.3

    A Mercusys AC12G (EU) V1 router with firmware version AC12G(EU)_V1_200909 has a vulnerability that exposes uninitialized memory to attackers on the same network. When the router receives certain requests on its UPnP port without proper headers, it returns 128 bytes of raw memory content that should have been inaccessible. An attacker with network access can exploit this to leak sensitive internal data without needing credentials.

  • CVE-2026-37579HIGH 7.3

    SMSGate sms-core versions 2.1.13.6 and earlier contain a remote code execution vulnerability in the CMPP7 message handling component. An unauthenticated attacker on the network can exploit this flaw to execute arbitrary code on affected systems without any user interaction, potentially gaining full control of the SMS gateway infrastructure.

  • CVE-2026-39292HIGH 7.3

    Falco Solutions PHPPageBuilder version 0.31.0 has a file upload vulnerability that lets attackers upload malicious files without proper checks. An attacker can exploit this to upload executable code and run commands on the affected server, potentially taking complete control of the web application.

  • CVE-2026-42061HIGH 7.3

    Acronis DeviceLock DLP on Windows contains a local privilege escalation vulnerability stemming from improper permission assignment to child processes. An authenticated user with limited privileges can exploit this flaw to gain elevated system access, potentially compromising data loss prevention controls and system integrity. The vulnerability requires local access and user interaction but delivers high-impact consequences including confidentiality, integrity, and availability breaches.

  • CVE-2026-42675HIGH 7.3

    Themefic Hydra Booking versions up to 1.1.41 contain a missing authorization flaw that allows attackers to bypass access controls and perform unauthorized actions. An attacker without authentication can exploit incorrectly configured security levels to access or modify booking data and functionality that should be restricted. This is a network-based vulnerability requiring no user interaction or special privileges.

  • CVE-2026-44185HIGH 7.3

    Apache HTTP Server contains a buffer over-read flaw that can be exploited when the server makes outbound OCSP (Online Certificate Status Protocol) requests to verify certificate revocation. An attacker controlling a malicious OCSP server can send specially crafted responses that cause the Apache process to read beyond allocated memory boundaries. This affects all versions from 2.4.0 through 2.4.67. The vulnerability allows information disclosure, integrity compromise, and service disruption, though exploitation requires the attacker to position themselves as a trusted OCSP responder or intercept OCSP traffic.

  • CVE-2026-44186HIGH 7.3

    Apache HTTP Server versions 2.4.0 through 2.4.67 contain a vulnerability in the mod_proxy_ftp module that can be triggered when the server proxies requests to a backend FTP server under attacker control. The vulnerability manifests as an infinite loop—a condition where the module becomes stuck in a repeating sequence and never exits cleanly. This can cause the affected worker process to hang indefinitely, consuming CPU resources and becoming unresponsive. An attacker does not need credentials or user interaction to exploit this; they only need to control or compromise the FTP server that the Apache proxy is configured to forward requests to.

  • CVE-2026-44609HIGH 7.3

    Acronis DeviceLock DLP for Windows contains a local privilege escalation flaw rooted in insecure executable (EXE) hijacking. An attacker with local system access and user-level privileges can exploit this vulnerability by substituting a legitimate executable that the application loads, forcing the system to run malicious code with elevated permissions. This is a user-interaction scenario—the victim must perform an action that triggers the vulnerable code path—but once activated, it grants an attacker full system control over the affected machine.

  • CVE-2026-44682HIGH 7.3

    Acronis DeviceLock DLP for Windows contains a vulnerability that allows a local user to gain elevated system privileges through DLL hijacking. An attacker with basic user-level access can exploit this flaw to escalate to administrator or system privileges, potentially compromising the entire endpoint. The vulnerability requires the user to interact with the application, such as launching a dialog or feature that triggers the malicious DLL load.

  • CVE-2026-45360HIGH 7.3

    Apache Airflow's scheduler contains a deserialization vulnerability in how it handles deadline references created by DAG authors. When a DAG author creates a custom deadline reference, the scheduler deserializes it without validating what code it might execute. An attacker who can author a DAG—or influence its contents—can embed malicious class paths that the scheduler will import and instantiate, gaining the ability to execute arbitrary code within the scheduler's security context and access its database connection.

  • CVE-2026-45364HIGH 7.3

    Better Auth, a TypeScript authentication library, contained a rate-limiting bypass that allowed attackers to circumvent protections on sensitive endpoints like sign-in, sign-up, and password reset. The vulnerability exploited how the library handled IPv6 addresses in rate-limiting checks. IPv6 clients could generate an enormous number of distinct request origins (up to 2^64 per /64 subnet) by rotating through different source addresses, or bypass limits by varying how a single IPv6 address was encoded (uppercase vs. lowercase, compressed vs. full format, IPv4-mapped notation). This rendered rate limiting ineffective against brute-force attacks on authentication endpoints. Fixed in versions 1.4.17 and 1.5.0-beta.9.

  • CVE-2026-45481HIGH 7.3

    A cross-site scripting (XSS) vulnerability in Microsoft Office SharePoint allows an authenticated user to inject malicious scripts into web pages. An attacker with valid SharePoint access can craft a specially formed input that bypasses input validation, causing the server to generate pages containing attacker-controlled JavaScript. When other authorized users view the compromised page, their browser executes the injected script in the context of the SharePoint application, enabling the attacker to impersonate them, steal session tokens, or perform actions on their behalf. The vulnerability requires user interaction (clicking a link or visiting a page) but poses significant risk within organizations that rely on SharePoint for document management and collaboration.

  • CVE-2026-46250HIGH 7.3

    CVE-2026-46250 is a critical initialization failure in the Linux kernel affecting MIPS-based systems. The vulnerability arises from a compiler bug in LLVM versions 18–21 where the compiler incorrectly restores the `$gp` (global pointer) register even when code intentionally modifies it as a global register variable. On MIPS, the kernel uses `$gp` to track the current thread info, and during boot the kernel relocates itself and updates `$gp` accordingly. When LLVM restores the old `$gp` value after this intentional modification, the register points to pre-relocation memory, causing the kernel to crash during the `init_idle` phase of scheduler initialization. This affects MIPS-based systems including Loongson and other MIPS processors, particularly those compiled with affected LLVM versions.

  • CVE-2026-46328HIGH 7.3

    A vulnerability exists in the Linux kernel's AppArmor security module where resource limits (rlimits) for POSIX CPU timers are not being properly enforced. AppArmor is designed to restrict what processes can do, but this flaw means the CPU timer limits may not be correctly applied when a process is confined by AppArmor policies. An attacker with local access could exploit this to exceed intended resource restrictions, potentially causing performance degradation or denial of service on the affected system.

  • CVE-2026-47634HIGH 7.3

    A vulnerability in Microsoft Office SharePoint allows someone with valid access to inject malicious content that tricks downstream components into displaying fake or spoofed information to other users. The attacker must have legitimate credentials and convince a user to interact with the malicious content, but once triggered, the attack succeeds reliably and can achieve high impact by either stealing sensitive data or modifying what users see.

  • CVE-2026-48913HIGH 7.3

    Apache HTTP Server's HTTP/2 module (mod_http2) contains a use-after-free vulnerability that can be triggered when the system runs out of available file handles. An unauthenticated attacker on the network can exploit this flaw to cause memory corruption, potentially leading to information disclosure, data modification, or service disruption. The vulnerability affects versions 2.4.55 through 2.4.67 of Apache HTTP Server.

  • CVE-2026-49942HIGH 7.3

    Net::CIDR::Set, a Perl library for managing CIDR network blocks, contains a validation flaw in versions through 0.20 that allows attackers to bypass network access controls. The vulnerability stems from improper handling of network masks—the library accepts Unicode digit characters (such as Arabic-Indic numerals) and non-digit characters in mask fields, treating them as valid input. Additionally, leading zeros in masks are processed as decimal rather than octal, creating confusion about which networks are actually permitted. Together, these issues can cause the library to accept significantly larger or differently scoped networks than intended, potentially allowing unauthorized traffic or connections that should have been blocked.

  • CVE-2026-50033HIGH 7.3

    Acronis DeviceLock DLP for Windows contains a local privilege escalation flaw caused by insecure DLL loading. An authenticated user with limited privileges can trick the application into loading a malicious DLL from an attacker-controlled location, gaining elevated system rights. The vulnerability requires local access and user interaction, but can result in complete system compromise.

  • CVE-2026-50593HIGH 7.3

    Graphite, a font rendering engine, contains a flaw where it fails to properly validate memory boundaries when processing certain font actions. An attacker can craft a malicious font file that, when opened by a user, triggers an integer underflow—a type of math error that causes the program to write data outside the intended memory area. This out-of-bounds write can corrupt memory, crash the application, or potentially execute arbitrary code. The vulnerability requires user interaction (opening the font) and affects local users on the system.

  • CVE-2026-8876HIGH 7.3

    Securly version 3.0.7 of their Chrome Extension contains hardcoded encryption keys embedded directly in the minified JavaScript file. These keys are meant to protect sensitive data like crisis alert keywords and intervention site configurations, but because they're hardcoded and visible in the browser extension code, anyone with access to the extension can decrypt that data. This is a classic case of storing secrets where they shouldn't be stored—effectively rendering the encryption useless.

  • CVE-2026-9334HIGH 7.3

    CVE-2026-9334 is a type-confusion vulnerability in Cpanel::JSON::XS (a Perl JSON parsing library) that occurs when a specific feature called dupkeys_as_arrayref is enabled. When decoding JSON with duplicate object keys, the library crashes and attempts to dereference attacker-controlled data as a pointer. An attacker can exploit this by sending crafted JSON to any application using this library with the vulnerable setting enabled, potentially leading to denial of service or information disclosure.

  • CVE-2026-9658HIGH 7.3

    Plack::Middleware::Security::Common, a security middleware for Perl web applications, contains a flaw in how it filters HTTP header injection attacks when they appear in request paths. The middleware was designed to block header injections but only reliably caught attacks that were double-encoded. Single-encoded CRLF sequences (carriage return/line feed) embedded in request paths could slip through, potentially allowing attackers to inject malicious HTTP headers. The actual impact depends on how reverse proxies and the underlying Plack-based server process these malformed requests, which remains unclear in practice.

  • CVE-2026-9795HIGH 7.3

    A flaw in Keycloak's Fine-Grained Admin Permissions (FGAPv2) feature allows a limited administrator to bypass security controls and inject high-privilege roles into a client application. When users authenticate to that client, the injected roles appear in their authentication tokens, granting them unauthorized access. An attacker with restricted admin rights can escalate their own permissions or those of other users without triggering standard approval workflows.

  • CVE-2023-54351HIGH 7.2

    The Sonaar Music Plugin for WordPress version 4.7 contains a stored cross-site scripting (XSS) vulnerability. An attacker can inject malicious JavaScript code through the comment functionality on music playlist pages. When site visitors view these playlists, the malicious script executes in their browsers, potentially allowing attackers to steal session cookies, redirect users, deface content, or perform actions on behalf of the victim. No authentication is required to exploit this vulnerability.

  • CVE-2025-11262HIGH 7.2

    Link Whisper Free, a WordPress plugin, contains a stored cross-site scripting (XSS) vulnerability that allows unauthenticated attackers to inject malicious scripts into web pages. When site visitors access affected pages, the injected scripts execute in their browsers, potentially allowing attackers to steal credentials, redirect users, or perform actions on their behalf. The vulnerability stems from improper handling of the user_id parameter and affects all versions up to 0.9.0.

  • CVE-2025-41265HIGH 7.2

    Waterfall Security's WF-500 TX Host contains a command injection flaw in its web-based administration interface. An attacker with valid administrative credentials can inject malicious operating system commands through the web UI, leading to arbitrary command execution on the device itself. This is a post-authentication attack—the attacker must already have admin-level access—but once inside, they can run any OS-level commands the host permits.

  • CVE-2025-41266HIGH 7.2

    A command injection vulnerability exists in the Waterfall WF-500 TX Host administration interface that allows authenticated users with elevated privileges to execute arbitrary system commands. An attacker who has already gained administrative access can leverage this flaw to run operating system-level commands, potentially compromising the entire appliance. The vulnerability affects version 7.9.1.0 R2502171040 and requires the attacker to be authenticated and have high-level privileges, reducing but not eliminating the risk in environments where admin credential exposure is a concern.

  • CVE-2025-41267HIGH 7.2

    A command injection vulnerability exists in the Waterfall WF-500 TX Host administration web interface that allows authenticated administrators to execute arbitrary operating system commands. An attacker with administrative credentials can craft malicious input through the WebUI to bypass command sanitization and gain direct OS-level access to the device. This is a post-authentication attack requiring valid admin credentials, but once exploited, provides complete system compromise.

  • CVE-2025-41279HIGH 7.2

    Nozomi Networks Labs discovered a command injection vulnerability in Waterfall's WF-500 RX Host administration interface. An authenticated attacker with administrative privileges can inject operating system commands through the web UI, leading to arbitrary code execution on the affected device. This is a serious risk for organizations using this industrial security appliance, as the attacker would gain full control of the host system.

  • CVE-2026-10072HIGH 7.2

    DreamMaker, a product developed by Interinfo, contains a vulnerability that allows attackers with privileged access to upload arbitrary files to the server. An attacker exploiting this flaw could upload malicious web shells, gaining the ability to execute code and maintain persistent access to the affected system. The vulnerability requires the attacker to have elevated credentials, but once leveraged, it provides complete control over server operations.

  • CVE-2026-10586HIGH 7.2

    The Gutenberg Essential Blocks plugin for WordPress contains a Server-Side Request Forgery (SSRF) vulnerability that allows authenticated users with Author-level permissions or higher to make unauthorized web requests from the vulnerable server. An attacker could use this flaw to communicate with internal services, potentially extracting sensitive information or modifying data that should only be accessible internally. The vulnerability exists in the image generation feature and affects all versions through 6.1.3.

  • CVE-2026-10727HIGH 7.2

    Ivanti EPMM (Enterprise Patch Management and Mobility) contains an OS command injection flaw that allows authenticated users with elevated privileges to run arbitrary commands with root-level permissions. An attacker who has already gained administrative access to the system can exploit this weakness to execute malicious code, potentially compromising the entire endpoint management infrastructure. The vulnerability affects versions prior to 12.9.0.1, 12.8.0.3, and 12.7.0.2.

  • CVE-2026-10843HIGH 7.2

    OpenShift's Cloud Credential Operator, when running in Mint mode, assigns AWS credentials with excessive permissions. Instead of limiting destructive actions to resources owned by the cluster, the operator grants account-wide scope. If an attacker compromises these credentials, they can perform destructive actions across the entire AWS account, not just the cluster—making lateral movement and account-wide damage possible.

  • CVE-2026-10870HIGH 7.2

    Shibby Tomato version 1.28.0000 contains a command injection vulnerability in its web-based configuration interface that allows authenticated administrators to execute arbitrary operating system commands on the router. An attacker with administrative access can manipulate the DHCP client startup function to inject malicious commands, potentially compromising the entire device and any network it serves. Exploit code has been published publicly, increasing the risk of opportunistic attacks.

  • CVE-2026-10871HIGH 7.2

    Shibby Tomato 1.28.0000 contains a remote command injection vulnerability in its Web UI. An authenticated administrator can craft a malicious request targeting the IPv6 6rd tunnel configuration function, injecting arbitrary operating system commands that execute with the privileges of the affected service. The vulnerability has been publicly disclosed, increasing the likelihood of active exploitation attempts.

  • CVE-2026-10872HIGH 7.2

    Shibby Tomato 1.28.0000 contains a vulnerability in the Web UI component that allows authenticated users with high-level privileges to inject operating system commands through the VPN server startup function. An attacker with administrative access could manipulate input parameters to execute arbitrary commands on the device, potentially compromising the entire router system. Public exploit information exists for this vulnerability.

  • CVE-2026-10873HIGH 7.2

    Shibby Tomato 1.28.0000 contains a command injection vulnerability in its web interface that allows authenticated administrators to execute arbitrary operating system commands. The vulnerability exists in the rstats_path function within the /bin/rstats component. Because exploit code has been publicly disclosed, the risk of active exploitation is elevated. Note that this project has been superseded by FreshTomato, and users should verify their upgrade path accordingly.

  • CVE-2026-2374HIGH 7.2

    The Login No Captcha reCAPTCHA WordPress plugin contains a stored cross-site scripting (XSS) vulnerability in all versions up to 1.8.0. An unauthenticated attacker can exploit this by triggering a login attempt from a non-standard login page URL (such as xmlrpc.php), which causes the plugin to store malicious JavaScript in the WordPress admin dashboard settings. When an administrator logs in within 30 seconds of the attack, that JavaScript executes in their browser with the administrator's privileges. The vulnerability requires the admin to have a whitelisted IP address configured in the plugin, which is a common configuration for sites restricting login access.

  • CVE-2026-24085HIGH 7.2

    A memory corruption vulnerability exists in multiple Qualcomm wireless chipsets and their firmware when processing display command line information. The flaw stems from improper initialization of a variable during command parsing, which could allow a high-privilege attacker with physical access to trigger memory corruption and potentially execute arbitrary code or crash the device. The vulnerability affects a broad range of Qualcomm wireless components used in enterprise and consumer devices.

  • CVE-2026-3820HIGH 7.2

    Supermicro's BMC (Baseboard Management Controller) SMTP service in the AS-2115HS-TNR contains a vulnerability that allows attackers with administrator-level access to inject malicious characters into SMTP configuration fields. This injection can lead the system to execute unintended commands, potentially resulting in loss of service, unauthorized code execution, or complete compromise of the BMC itself. While the attack requires existing high-level privileges, the consequences—especially arbitrary code execution on out-of-band management hardware—are severe.

  • CVE-2026-39276HIGH 7.2

    Emlog Pro v2.6.9 contains a path traversal flaw in its template upload feature that allows authenticated administrators to upload malicious files and execute arbitrary PHP code on the server. An attacker with admin credentials can craft a specially crafted ZIP archive with directory traversal sequences (such as '../') in filenames to escape the intended upload directory, overwrite legitimate template files, or inject malicious code that gets executed by the web server. This is a post-authentication vulnerability, meaning the attacker must already have admin access to the Emlog installation.

  • CVE-2026-40961HIGH 7.2

    Apache Airflow contains a flaw in its login redirect mechanism that allows authenticated users to redirect people to malicious websites. The vulnerability exists because the URL safety check (`is_safe_url`) can be circumvented through crafted URLs, enabling attackers to potentially harvest credentials or distribute malware by making the redirect appear to come from a trusted Airflow instance. Any organization running Airflow and allowing authentication should treat this as a priority.

  • CVE-2026-41567HIGH 7.2

    A critical weakness in Moby (the open-source container runtime underlying Docker) allows a malicious container to execute code with full daemon privileges—potentially gaining root access to the host system. The vulnerability occurs when compressed files are uploaded into a container using `docker cp` or the API endpoint `PUT /containers/{id}/archive`. Instead of using decompression tools from the host system, Moby incorrectly uses tools from inside the container itself. If a container image contains a trojanized decompression binary (like xz or unpigz), attackers can exploit this ordering mistake to run arbitrary commands with daemon-level privileges. Versions before Docker Engine 29.5.1 and moby/moby v2.0.0-beta.14 are affected.

  • CVE-2026-45609HIGH 7.2

    mcp-security, a Spring AI component that manages security and authorization for the Model Context Protocol, contains a Server-Side Request Forgery (SSRF) vulnerability in versions before 0.1.9. When Dynamic Client Registration is enabled, the framework processes OAuth discovery and metadata URLs without properly validating them, allowing an attacker to redirect requests to internal network resources or malicious endpoints. This could lead to information disclosure or unauthorized actions on systems the application can reach.

  • CVE-2026-46492HIGH 7.2

    md-fileserver is a tool for viewing markdown files directly in a web browser. Before version 1.10.3, the application failed to sanitize HTML tags embedded within markdown content. An attacker could craft a markdown file containing malicious JavaScript (such as in a <script> tag) that would execute when the file is viewed in the browser. This allows arbitrary code execution in the security context of the affected domain, potentially compromising user sessions or stealing sensitive data.

  • CVE-2026-49196HIGH 7.2

    CVE-2026-49196 is a command injection vulnerability in Acer Predator Connect W6X Wi-Fi devices. The device's built-in feature for blocking Wi-Fi connections fails to properly validate MAC addresses before processing them, creating an opening for attackers to inject and execute arbitrary shell commands. An attacker with administrative access could leverage this to compromise the device and potentially the network it protects.

  • CVE-2026-50231HIGH 7.2

    Lyrion Music Server version 9.2.0 contains a stored cross-site scripting (XSS) vulnerability in its log viewer that allows attackers to inject malicious JavaScript without authentication. The vulnerability exists because the application fails to properly escape template variables, allowing crafted input to be permanently stored and executed in the browsers of users who view the logs. Attackers can inject payloads through multiple vectors including search parameters, log line numbers, file paths, or by manipulating values that the server naturally logs such as HTTP headers, stream titles, and player names.

  • CVE-2026-50232HIGH 7.2

    Lyrion Music Server version 9.2.0 has a stored cross-site scripting (XSS) vulnerability that lets attackers embed malicious code into audio file metadata fields such as GENRE, ARTIST, and ALBUM. When users browse or play these files through the web interface, the injected scripts execute in their browser, potentially granting attackers access to server management functions and sensitive configuration details. Unlike reflected XSS attacks that require a specially crafted link, this vulnerability persists in the server's database, affecting any user who interacts with a poisoned media file.

  • CVE-2026-7052HIGH 7.2

    HT Contact Form, a popular WordPress form builder plugin, contains a stored cross-site scripting (XSS) vulnerability affecting all versions through 2.8.2. An unauthenticated attacker can inject malicious scripts through file upload fields that persist in the database and execute in administrators' browsers when viewing form submissions. The vulnerability requires the 'Store Submissions' setting to be enabled—a common configuration. This is a stored rather than reflected attack, making it more dangerous because the payload remains active until manually removed.

  • CVE-2026-7537HIGH 7.2

    The MDJM Event Management plugin for WordPress contains a file upload vulnerability that allows administrators to upload and execute malicious files on a website. Because there are no checks on file types, extensions, or formats, an attacker with admin access could upload executable files and run arbitrary code on the server. This affects all versions through 1.7.8.3.

  • CVE-2026-7556HIGH 7.2

    The FV Flowplayer Video Player plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability in versions up to 7.5.49.7212. An unauthenticated attacker can inject malicious scripts into page comments that execute when users visit the affected page. However, exploitation requires two conditions: the site administrator must have enabled the 'Parse Vimeo and YouTube links' setting (which is not enabled by default), and a moderator must approve the malicious comment before it becomes visible. Once those conditions are met, the injected code runs in the browsers of everyone who views the page.

  • CVE-2026-7634HIGH 7.2

    The SlimStat Analytics plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability that allows unauthenticated attackers to inject malicious scripts through the User-Agent header. When an administrator has enabled the 'show_complete_user_agent_tooltip' setting, these injected scripts will execute in the browsers of users who visit affected pages. This is a stored vulnerability, meaning the malicious payload persists in the database rather than requiring a specially crafted link. All versions up to and including 5.4.11 are affected.

  • CVE-2026-8438HIGH 7.2

    The All-In-One Security (AIOS) WordPress plugin contains a stored cross-site scripting (XSS) vulnerability affecting versions up to 5.4.7. An unauthenticated attacker can inject malicious JavaScript into debug logs by crafting specially designed REST API requests. When site administrators view the debug logs page, the injected script executes in their browser, potentially allowing the attacker to steal session credentials, execute unauthorized actions, or compromise the entire WordPress site. The vulnerability requires two specific plugin features to be enabled: the 'Disable REST API for non-logged in users' setting and debug logging.

  • CVE-2026-8901HIGH 7.2

    A WordPress plugin called 'Integration for Freshsales – Contact Form 7, WPForms, Elementor, Gravity Forms and More' contains a stored cross-site scripting (XSS) vulnerability in versions up to 1.0.15. Attackers can inject malicious scripts through form submissions. The injected code executes when a form submission fails to reach the CRM API and an administrator later views the error details in the WordPress admin dashboard. This affects any WordPress site using the vulnerable plugin versions without requiring the attacker to be logged in.

  • CVE-2026-9851HIGH 7.2

    The Booking Package plugin for WordPress contains a critical flaw that allows authenticated editors and higher-privileged users to seize control of any WordPress account, including administrator accounts. An attacker with editor-level access can bypass security checks in the plugin's user management functionality to change email addresses and passwords of other users without proper authorization. This effectively enables complete site takeover.

  • CVE-2016-20063HIGH 7.1

    Single Personal Message version 1.0.3 contains a SQL injection flaw that allows authenticated users to inject malicious database commands through the message parameter. An attacker with user credentials can craft specially-designed messages to execute arbitrary SQL queries, potentially extracting sensitive data such as user credentials and site configuration details from the underlying database.

  • CVE-2018-25392HIGH 7.1

    MaxOn ERP Software versions 8.x through 9.x contain a SQL injection flaw that lets authenticated users inject malicious SQL commands through specific parameters in the activity logging function. An attacker with valid credentials can craft POST requests to extract sensitive database information such as version numbers and database names. While exploitation requires authentication, the impact—unauthorized access to database structure and sensitive data—represents a meaningful security risk for organizations running these versions.

  • CVE-2018-25410HIGH 7.1

    SIM-PKH version 2.4.1 contains a SQL injection flaw in its admin media management interface. An authenticated attacker can craft malicious requests to the /admin/media.php endpoint that inject SQL code, allowing them to extract sensitive database information such as usernames, database names, and version details. The vulnerability requires valid login credentials but poses a meaningful risk to data confidentiality within affected deployments.

  • CVE-2018-25429HIGH 7.1

    Paroiciel version 11.20 contains an SQL injection vulnerability in the zpro.php endpoint that allows authenticated users to execute arbitrary database queries by manipulating the zProIdPro parameter. An attacker with valid credentials can craft malicious SQL statements to extract sensitive information from the database, including usernames, database names, and version details. This is a post-authentication attack that does not require user interaction.

  • CVE-2018-25430HIGH 7.1

    Paroiciel version 11.20 contains a SQL injection flaw in its egeq.php endpoint. Authenticated users can craft malicious requests that embed SQL commands into the eGeqIdEquipe parameter, allowing them to query the underlying database directly. This bypasses normal access controls and could expose sensitive information such as database version details and other stored data. The vulnerability requires valid login credentials, so it represents an insider threat or compromised-account scenario.

  • CVE-2018-25431HIGH 7.1

    No-Cms 1.0 contains a SQL injection flaw in its privilege management export feature. An authenticated user can craft a specially formatted request to extract sensitive data from the application's database by injecting malicious SQL commands into the order_by parameter. The vulnerability requires valid credentials but poses significant risk to data confidentiality.

  • CVE-2025-15654HIGH 7.1

    CVE-2025-15654 is a reflected cross-site scripting (XSS) vulnerability in Fox-themes Prague versions 2.2.8 and earlier. An attacker can craft a malicious URL containing unsanitized input that, when visited by a user, executes arbitrary JavaScript in their browser within the context of the vulnerable application. This allows the attacker to steal session cookies, perform actions on behalf of the victim, or redirect them to phishing sites—all without modifying the application itself.

  • CVE-2025-52612HIGH 7.1

    HCL iControl contains a vulnerability that combines CSV injection with reflected cross-site scripting (XSS) in its export function. An authenticated attacker can craft malicious input that, when a user interacts with exported CSV content or follows a specially crafted link, executes arbitrary JavaScript in the victim's browser session. The vulnerability stems from inadequate input validation and sanitization, allowing attackers to inject both CSV formulas and script payloads.

  • CVE-2025-52759HIGH 7.1

    A reflected cross-site scripting (XSS) vulnerability exists in the UnboundStudio Accordion FAQ plugin affecting versions up to 2.2.1. An attacker can craft a malicious link that, when clicked by a user, executes arbitrary JavaScript in the victim's browser within the context of the affected site. This allows theft of session cookies, credential harvesting, malware injection, or other client-side attacks. The vulnerability requires user interaction—specifically clicking a malicious link—but has no authentication barrier, making it a straightforward social engineering vector.

  • CVE-2025-67448HIGH 7.1

    A stored cross-site scripting (XSS) vulnerability exists in the SMS module of Neterbit NW-431F routers running firmware version 20241014-IR03 and earlier. An attacker can craft a malicious SMS message and send it to a router user; when that user views the message, the embedded script executes in their browser. This allows attackers to steal session tokens, redirect users, inject fake content, or perform actions on behalf of the victim—all without the victim realizing they've been compromised through what appears to be a routine SMS.

  • CVE-2026-10840HIGH 7.1

    OpenShift Pipelines operator contains a privilege escalation vulnerability stemming from overly permissive role-based access control (RBAC). The tekton-scheduler-rolebinding automatically grants any authenticated user write access to Kueue and cert-manager custom resources. This means that anyone with cluster login credentials—including low-privilege service accounts or developers without special permissions—can interfere with workload scheduling, tamper with certificate management, and potentially overwrite critical TLS secrets used by ingress controllers. The vulnerability is particularly dangerous in multi-tenant clusters where separation of duties is expected.

  • CVE-2026-11269HIGH 7.1

    Google Chrome versions prior to 149.0.7827.53 contain a vulnerability in how the browser handles extensions that allows an attacker positioned on the same network as a user to execute arbitrary code within Chrome's sandbox. The attacker must craft a malicious extension and the user must interact with it (such as installing or clicking something), making this a moderate-complexity attack. While Chromium rated this as low severity internally, the CVSS assessment reflects the potential for complete compromise of the sandboxed process.

  • CVE-2026-11422HIGH 7.1

    Markdown Preview Enhanced, a popular VS Code extension that renders Markdown with enhanced visualization features, contains a critical flaw in how it processes WaveDrom diagrams. An attacker can craft a malicious Markdown file containing specially crafted WaveDrom code that, when previewed in VS Code, executes arbitrary JavaScript with the privileges of the extension. This JavaScript can then read files from your computer and write new files to your filesystem, potentially installing malware or stealing sensitive data. The vulnerability affects version 0.8.x when used with crossnote engine 0.9.28.

  • CVE-2026-21032HIGH 7.1

    Samsung Assistant versions before 9.3.14 contain a flaw in how they expose certain application components. A person with local access to an Android device can exploit this misconfiguration to run arbitrary scripts with elevated privileges, potentially gaining unauthorized control over the device or sensitive functions.

  • CVE-2026-21033HIGH 7.1

    Samsung Assistant versions before 9.3.14 contain a flaw in how it exports Android application components, specifically in the ExpressHomeWidgetReceiver. A local attacker with standard user privileges can exploit this misconfiguration to execute arbitrary code or scripts on a device. The vulnerability requires local access but no special interaction from the user, making it a practical concern for devices where untrusted applications may be installed.

  • CVE-2026-21037HIGH 7.1

    Samsung Members versions before 5.8.01.5 contain a flaw that fails to properly check what input users provide. A local attacker—someone already with access to the device—can exploit this to redirect the app to any URL and launch other features or apps while pretending to be Samsung Members, which runs with elevated privileges on the device.

  • CVE-2026-24090HIGH 7.1

    A cryptographic weakness in how Qualcomm processors handle partition table entries during boot allows a local attacker with standard user privileges to modify the boot process without authorization. This could enable an attacker to alter how a device loads its operating system or firmware, potentially leading to installation of malicious code or bypass of security controls. The vulnerability requires direct access to the device and cannot be exploited remotely.

  • CVE-2026-24349HIGH 7.1

    A vulnerability in Siemens SIMATIC WinCC Unified PC Runtime allows an attacker with local access to extract sensitive cryptographic material from the Certificate Manager component. The issue stems from inadequate protection of key material stored on disk or in memory, potentially exposing certificates and private keys that protect SCADA/HMI communications. While exploitation requires local system access, the impact is significant because certificate compromise can enable downstream attacks on industrial control systems and their communications.

  • CVE-2026-31942HIGH 7.1

    LibreChat versions up to 0.7.6 contain a critical flaw in how API keys are managed. Any authenticated user can manipulate API key settings for other users by injecting parameters into requests, allowing them to replace legitimate API keys (from providers like OpenAI, Anthropic, or Azure) with their own or invalid ones. This means an attacker could intercept conversations through attacker-controlled API endpoints or disable a victim's service entirely.

  • CVE-2026-34194HIGH 7.1

    CVE-2026-34194 is a memory management flaw in GPU-accelerated software that allows a non-privileged user to trigger incorrect memory references through improper GPU system calls. When the software performs mathematical operations across GPU buffers of different sizes, it can incorrectly access memory locations outside its intended scope. This can corrupt data or crash the application, but does not enable privilege escalation or data theft. The vulnerability requires local system access and is triggered through the application itself—not remotely.

  • CVE-2026-36176HIGH 7.1

    GNCC GP5 version 7.1.76 leaks Backblaze B2 cloud storage upload credentials to the device's serial console in plaintext. An attacker with physical access to the hardware can monitor the UART interface and capture active, pre-signed upload URLs intended for file transfers. Once captured, these URLs can be used to upload or manipulate files in the connected B2 storage bucket without authorization. The vulnerability requires proximity to the device but poses significant risk to organizations using this gateway in sensitive environments.

  • CVE-2026-36606HIGH 7.1

    Mercusys AC12G (EU) V1 routers running firmware version AC12G(EU)_V1_200909 store backup files that are encrypted with a hardcoded, publicly discoverable key using weak encryption. Anyone who obtains a backup file—whether through direct device access, cloud storage misconfiguration, or phishing—can decrypt it and extract sensitive credentials including the admin password, WiFi pre-shared key, and DDNS login information. This is a local attack that depends on an attacker first gaining access to the backup file itself.

  • CVE-2026-41845HIGH 7.1

    Spring Framework contains a flaw in its JavaScriptUtils.javaScriptEscape() function that fails to properly escape certain characters. This weakness allows attackers to inject malicious JavaScript code that executes in users' browsers, potentially stealing session data, credentials, or performing actions on behalf of the user. The vulnerability requires user interaction—specifically clicking a malicious link or visiting a compromised page—but does not require authentication. Multiple versions of Spring Framework across the 5.3, 6.1, 6.2, and 7.0 release lines are affected.

  • CVE-2026-42654HIGH 7.1

    WP Swings Wallet System for WooCommerce contains a flaw that allows attackers with an existing user account to bypass normal authentication safeguards and exploit the password recovery mechanism. An authenticated attacker could use this vulnerability to take over other user accounts, including administrative ones, without knowing their passwords. The vulnerability affects all versions up to and including 2.7.5.

  • CVE-2026-42678HIGH 7.1

    GiveWP, a popular WordPress donation and fundraising plugin maintained by Liquid Web/StellarWP, contains a cross-site scripting (XSS) vulnerability that allows attackers to inject malicious scripts into web pages viewed by site visitors. Unlike traditional XSS flaws, this vulnerability operates at the DOM (Document Object Model) level in the browser, meaning the attack payload is crafted and executed client-side rather than originating from the server. An attacker can trick a user into clicking a malicious link or visiting a compromised page, leading to credential theft, session hijacking, or unauthorized actions taken on behalf of the victim within the vulnerable GiveWP installation.

  • CVE-2026-42681HIGH 7.1

    E2Pdf.Com's e2pdf plugin contains a reflected cross-site scripting (XSS) vulnerability that allows attackers to inject malicious scripts into web pages. When a user visits a crafted link, the injected code executes in their browser within the context of the affected site, potentially allowing theft of session data, credentials, or sensitive information. The vulnerability affects e2pdf versions up to and including 1.32.14.

  • CVE-2026-42683HIGH 7.1

    VikBooking Hotel Booking Engine & PMS contains a DOM-based cross-site scripting (XSS) vulnerability that allows attackers to inject malicious scripts into web pages viewed by users. An attacker can craft a malicious link or embed JavaScript in user-controllable input fields; when a victim visits the page or interacts with the compromised element, the script executes in their browser with access to session data and sensitive information. This is a client-side vulnerability requiring user interaction but affecting multiple users through a single compromised page.

  • CVE-2026-42685HIGH 7.1

    Ahmad WP Job Portal versions up to 2.5.1 contain a reflected cross-site scripting (XSS) vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users. An attacker can craft a specially designed link and trick a user into clicking it, causing the injected code to execute in that user's browser with their privileges. This vulnerability requires user interaction—the victim must click a malicious link—but once triggered, it can be used to steal session tokens, deface content, redirect users to phishing sites, or perform actions on behalf of the victim.

  • CVE-2026-44751HIGH 7.1

    An ABAP application server fails to verify user permissions when processing report generation commands. An authenticated attacker can bypass authorization checks to execute reports that overwrite data belonging to other users, effectively gaining unauthorized access to modify information they should not be able to touch. This is a privilege escalation vulnerability accessible to anyone with valid login credentials.

  • CVE-2026-44798HIGH 7.1

    A vulnerability in Nautobot allows authenticated users with GitRepository management permissions to manipulate an internal field (current_head) via the REST API that should not be user-editable. By setting this field to arbitrary values, an attacker could cause Nautobot's local repository clones to checkout outdated commits or become unusable entirely, creating operational disruption and potentially stale or corrupted network automation state. The issue affects versions prior to 2.4.33 and 3.1.2.

  • CVE-2026-45649HIGH 7.1

    A flaw in Microsoft Office apps on Android devices allows someone with local access to spoof or impersonate document content without requiring special permissions or user interaction beyond launching the app. An attacker with physical or logical access to the device could manipulate what appears in Word, Excel, or PowerPoint documents, potentially tricking the device owner or others into trusting falsified information. The vulnerability affects the access control layer that should prevent unauthorized modification of displayed document content.

  • CVE-2026-45722HIGH 7.1

    A vulnerability in Nextcloud's Tables app allows authenticated users to inject malicious SQL code through the ORDER BY clause of database queries. While this type of SQL injection is more limited than typical variants—attackers can extract only small amounts of data per request or cause database delays—it still poses a meaningful confidentiality and availability risk. The flaw affects Nextcloud Tables versions 0.9.0 through 0.9.6 and 1.0.0 through 1.0.1. Nextcloud has released patches that organizations should apply promptly.

  • CVE-2026-46130HIGH 7.1

    A bug in the Linux kernel's dm-verity-fec (forward error correction) component can cause it to read data from outside the intended memory buffer. This occurs when parity bytes used to verify disk integrity are split across storage blocks in a specific way. Under certain non-default configurations and low-memory conditions, the code attempts to access more data than is available, leading to potential information disclosure or system instability. The issue only manifests with particular combinations of error correction parameters and buffer allocation scenarios.

  • CVE-2026-46140HIGH 7.1

    A flaw in the Linux kernel's Bluetooth driver (btmtk) fails to verify that incoming firmware responses contain sufficient data before reading from them. If a Bluetooth device sends a truncated or malformed response, the kernel code will read beyond the valid data boundaries, potentially exposing sensitive kernel memory. A local attacker with Bluetooth access could exploit this to leak information or crash the system.

  • CVE-2026-46149HIGH 7.1

    A vulnerability in the Linux kernel's SCSI target subsystem allows a local attacker with low privileges to read sensitive kernel memory and potentially crash the system. The issue occurs in the configfs interface where storage path group membership information is displayed. When a storage fabric's name is unusually long, the kernel writes more data than expected to a temporary buffer, and then copies that overrun data to a user-readable sysfs file. On systems with fortify checks enabled, this causes a kernel panic; on others, it leaks kernel memory to unprivileged users.

  • CVE-2026-46150HIGH 7.1

    A flaw in the Linux kernel's fanotify file monitoring subsystem can allow a local user with minimal privileges to bypass permission checks on file access events. The vulnerability stems from a logic error where the kernel incorrectly returns false for marks belonging to unrelated monitoring groups, causing permission event validation to be skipped. An attacker with local access could exploit this to circumvent intended file access restrictions.

  • CVE-2026-46175HIGH 7.1

    A flaw in the Linux kernel's F2FS (Flash-Friendly File System) garbage collection process can cause the system to incorrectly track file metadata during node block migration. When the garbage collector moves data blocks, it fails to properly clear internal markers that indicate whether data has been explicitly synced by a user. This confusion causes file system consistency checks (fsck) to report false inconsistencies, potentially leading to data integrity warnings or failures. The issue is triggered by specific sequences of file creation, deletion, and garbage collection operations, particularly when the system experiences power loss after garbage collection but before a checkpoint is written.

  • CVE-2026-46190HIGH 7.1

    A memory access flaw exists in the Linux kernel's SPI NOR flash debugging code. When displaying flash chip parameters through the debugfs interface, the kernel incorrectly calculates the size of an internal lookup table, treating the table's byte-size instead of its element count. This can cause the kernel to read memory beyond the intended bounds when processing certain flag values. An unprivileged local user could exploit this to crash the system or potentially leak sensitive kernel memory.

  • CVE-2026-46191HIGH 7.1

    CVE-2026-46191 is a memory access vulnerability in the Linux kernel's framebuffer console (fbcon) subsystem. When the kernel attempts to rotate the console display and the memory reallocation fails, it continues using an undersized font buffer. If a user then prints characters with high numeric codes to the rotated console, the kernel will write beyond the buffer's boundaries, potentially corrupting kernel memory. An attacker with local system access can trigger this by printing specific characters after inducing a console rotation failure.

  • CVE-2026-46199HIGH 7.1

    A flaw in the Linux kernel's AMD GPU video codec (VCN4) driver allows a local attacker to read memory beyond the intended boundaries of a buffer when processing decode messages. An authenticated user with local access can exploit this to access sensitive kernel memory, potentially exposing confidential data or triggering a system crash. The vulnerability requires local access and valid user privileges, limiting its reach but making it a concern for multi-user systems and containerized environments.

  • CVE-2026-46203HIGH 7.1

    A flaw in the Linux kernel's Cadence QuadSPI controller driver can cause the system to access hardware registers without proper power management during driver shutdown. When the driver is unloaded, it attempts to disable the controller without ensuring the hardware is powered up first, potentially causing system instability or data corruption. This is a local issue requiring user-level access to trigger.

  • CVE-2026-46204HIGH 7.1

    A bounds-checking vulnerability exists in the Linux kernel's AMD GPU video codec (VCN4) instruction buffer parser. When the kernel processes instruction buffers from user space, it can read beyond allocated memory if malicious or malformed data is provided. A local attacker with basic user privileges can trigger out-of-bounds reads, potentially exposing sensitive kernel memory or causing a denial of service. The fix involves rewriting the parser to use proper bounds-checking functions.

  • CVE-2026-46218HIGH 7.1

    A vulnerability exists in the Linux kernel's AMD GPU driver where video codec processing code (used for UVD, VCE, and VCN hardware) accesses memory buffers without verifying those buffers are large enough. An attacker with local access could exploit this to read sensitive kernel memory or cause a system crash. The fix adds proper bounds checking before these memory accesses and corrects an integer type to prevent overflow conditions that could bypass the checks.