6.7
CVE-2026-21425 - Incorrect Privilege Assignment Enables Local Privilege Escalation in Dell PowerScale OneFS
Dell PowerScale OneFS, versions prior to 9.10.1.6 and versions 9.11.0.0 through 9.12.0.1, contains an incorrect privilege assignment vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of privileges.
6.6
CVE-2026-24732 - Improper permission checks in Extension:NSFileRepo
Files or Directories Accessible to External Parties, Incorrect Permission Assignment for Critical Resource vulnerability in Hallo Welt! GmbH BlueSpice (Extension:NSFileRepo modules) allows Accessing Functionality Not Properly Constrained by ACLs, Bypassing Electronic Locks and Access Controls.This β¦
4.3
CVE-2026-3058 - Seraphinite Accelerator <= 2.28.14 - Authenticated (Subscriber+) Exposure of Sensitive Information β¦
The Seraphinite Accelerator plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.28.14 via the `seraph_accel_api` AJAX action with `fn=GetData`. This is due to the `OnAdminApi_GetData()` function not performing any capability checks. This makeβ¦
4.3
CVE-2026-3056 - Seraphinite Accelerator <= 2.28.14 - Missing Authorization to Authenticated (Subscriber+) Log Clearβ¦
The Seraphinite Accelerator plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `seraph_accel_api` AJAX action with `fn=LogClear` in all versions up to, and including, 2.28.14. This makes it possible for authenticated attackers, with Subsβ¦
6.5
CVE-2026-1674 - Gutena Forms β Contact Form, Survey Form, Feedback Form, Booking Form, and Custom Form Builder <= 1β¦
The Gutena Forms β Contact Form, Survey Form, Feedback Form, Booking Form, and Custom Form Builder plugin for WordPress is vulnerable to unauthorized modification of data due to missing authorization within the save_gutena_forms_schema() function in all versions up to, and including, 1.6.0. This maβ¦
6.4
CVE-2026-2355 - My Calendar β Accessible Event Manager <= 3.7.3 - Authenticated (Contributor+) Stored Cross-Site Scβ¦
The My Calendar β Accessible Event Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `template` attribute of the `[my_calendar_upcoming]` shortcode in all versions up to, and including, 3.7.3. This is due to the use of `stripcslashes()` on user-supplied shortcode attβ¦
6.1
CVE-2026-1706 - All-in-One Video Gallery <= 4.7.1 - Reflected Cross-Site Scripting via 'vi' Parameter
The All-in-One Video Gallery plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'vi' parameter in all versions up to, and including, 4.7.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary wβ¦
7.5
CVE-2023-7337 - JS Help Desk β AI-Powered Support & Ticketing System 2.8.2 - Unauthenticated SQL Injection via 'js-β¦
The JS Help Desk β AI-Powered Support & Ticketing System plugin for WordPress is vulnerable to SQL Injection via the 'js-support-ticket-token-tkstatus' cookie in version 2.8.2 due to an incomplete fix for CVE-2023-50839 where a second sink was left with insufficient escaping on the user supplied vaβ¦
4.9
CVE-2026-3439 - SonicOS Certificate Handling Buffer Overflow Enables Firewall Crash
A post-authentication Stack-based Buffer Overflow vulnerability in SonicOS certificate handling allows a remote attacker to crash a firewall.
9.5
CVE-2026-27441 - PDF Password CMDi
SEPPmail Secure Email Gateway before version 15.0.1 insufficiently neutralizes the PDF encryption password, allowing OS command execution.