4.7
CVE-2026-4406 - Gravity Forms <= 2.9.30 - Reflected Cross-Site Scripting via 'form_ids' Parameter
The Gravity Forms plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `form_ids` parameter in the `gform_get_config` AJAX action in all versions up to, and including, 2.9.30. This is due to the `GFCommon::send_json()` method outputting JSON-encoded data wrapped in HTML commโฆ
5.4
CVE-2026-4401 - Download Monitor <= 5.1.10 - Cross-Site Request Forgery to Download Path Deletion and Disabling
The Download Monitor plugin for WordPress is vulnerable to Cross-Site Request Forgery in the `actions_handler()` and `bulk_actions_handler()` methods in `class-dlm-downloads-path.php` in all versions up to, and including, 5.1.10. This is due to missing nonce verification on these functions. This maโฆ
5.3
CVE-2026-2263 - Hustle โ Email Marketing, Lead Generation, Optins, Popups <= 7.8.10.2 - Missing Authorization to Unโฆ
The Hustle โ Email Marketing, Lead Generation, Optins, Popups plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'hustle_module_converted' AJAX action in all versions up to, and including, 7.8.10.2. This makes it possible for unauthenticโฆ
8.5
CVE-2026-1342 - Security Vulnerabilities have been found in IBM Verify Identity Access and IBM Security Verify Acceโฆ
IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify Access Container 10.0 through 10.0.9.1 and IBM Verify Identity Access 11.0 through 11.0.2 and IBM Security Verify Access 10.0 through 10.0.9.1 could allow a locally authenticated user to execute malicious scripts from โฆ
8.7
CVE-2026-5747 - Out-of-bounds Write in Firecracker virtio-pci Transport
An out-of-bounds write issue in the virtio PCI transport in Amazon Firecracker 1.13.0 through 1.14.3 and 1.15.0 on x86_64 and aarch64 might allow a local guest user with root privileges to crash the Firecracker VMM process or potentially execute arbitrary code on the host via modification of virtioโฆ
6.9
CVE-2025-20628 - Insufficient granularity of access control for Remote Connector Servers in client mode
An insufficient granularity of access control vulnerability exists in PingIDM (formerly ForgeRock Identity Management) where administrators cannot properly configure access rules for Remote Connector Servers (RCS) running in client mode. This means attackers can spoof a client-mode RCS (if one exisโฆ
6.9
CVE-2026-39936 - Stored XSS in Score due to usage of non-reserved data attributes
Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in The Wikimedia Foundation Mediawiki - Score Extension allows Cross-Site Scripting (XSS).This issue affects Mediawiki - Score Extension.
6.9
CVE-2026-39935 - XSS-via-i18n in localised wiki names
Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in The Wikimedia Foundation Mediawiki - CampaignEvents Extension allows Cross-Site Scripting (XSS).ย This issue was remediated only on the `master` branch.
0.0
CVE-2026-31789 - Heap Buffer Overflow in Hexadecimal Conversion
Issue summary: Converting an excessively large OCTET STRING value to a hexadecimal string leads to a heap buffer overflow on 32 bit platforms. Impact summary: A heap buffer overflow may lead to a crash or possibly an attacker controlled code execution or other undefined behavior. If an attacker cโฆ
7.5
CVE-2026-28390 - Possible NULL Dereference When Processing CMS KeyTransportRecipientInfo
Issue summary: During processing of a crafted CMS EnvelopedData message with KeyTransportRecipientInfo a NULL pointer dereference can happen. Impact summary: Applications that process attacker-controlled CMS data may crash before authentication or cryptographic operations occur resulting in Denialโฆ