6.5

CVSS3.1

CVE-2026-21894 - n8n's Missing Stripe-Signature Verification Allows Unauthenticated Forged Webhooks

n8n is an open source workflow automation platform. In versions from 0.150.0 to before 2.2.2, an authentication bypass vulnerability in the Stripe Trigger node allows unauthenticated parties to trigger workflows by sending forged Stripe webhook events. The Stripe Trigger creates and stores a Stripe…

📅 Published: Jan. 8, 2026, 9:56 a.m. 🔄 Last Modified: April 18, 2026, 7:45 a.m.

5.3

CVSS3.1

CVE-2026-21874 - NiceGUI has Redis connection leak via tab storage causes service degradation

NiceGUI is a Python-based UI framework. From versions v2.10.0 to 3.4.1, an unauthenticated attacker can exhaust Redis connections by repeatedly opening and closing browser tabs on any NiceGUI application using Redis-backed storage. Connections are never released, leading to service degradation when…

📅 Published: Jan. 8, 2026, 9:50 a.m. 🔄 Last Modified: April 18, 2026, 4:45 p.m.

7.2

CVSS3.1

CVE-2026-21873 - Zero-click XSS in all NiceGUI apps which uses `ui.sub_pages`

NiceGUI is a Python-based UI framework. From versions 2.22.0 to 3.4.1, an unsafe implementation in the pushstate event listener used by ui.sub_pages allows an attacker to manipulate the fragment identifier of the URL, which they can do despite being cross-site, using an iframe. This issue has been …

📅 Published: Jan. 8, 2026, 9:50 a.m. 🔄 Last Modified: April 18, 2026, 7:45 a.m.

6.1

CVSS3.1

CVE-2026-21872 - NiceGUI apps are vulnerable to XSS which uses `ui.sub_pages` and render arbitrary user-provided lin…

NiceGUI is a Python-based UI framework. From versions 2.22.0 to 3.4.1, an unsafe implementation in the click event listener used by ui.sub_pages, combined with attacker-controlled link rendering on the page, causes XSS when the user actively clicks on the link. This issue has been patched in versio…

📅 Published: Jan. 8, 2026, 9:50 a.m. 🔄 Last Modified: April 18, 2026, 5 p.m.

6.1

CVSS3.1

CVE-2026-21871 - NiceGUI is vulnerable to XSS via Unescaped URL in ui.navigate.history.push() / replace()

NiceGUI is a Python-based UI framework. From versions 2.13.0 to 3.4.1, there is an XSS risk in NiceGUI when developers pass attacker-controlled strings into ui.navigate.history.push() or ui.navigate.history.replace(). These helpers are documented as History API wrappers for updating the browser URL …

📅 Published: Jan. 8, 2026, 9:49 a.m. 🔄 Last Modified: April 18, 2026, 7:45 a.m.

6.4

CVSS3.1

CVE-2025-14984 - Gutenverse Form <= 2.3.2 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload

The Gutenverse Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file upload in all versions up to, and including, 2.3.2. This is due to the plugin's framework component adding SVG to the allowed MIME types via the upload_mimes filter without implementing any sanitizati…

📅 Published: Jan. 8, 2026, 9:20 a.m. 🔄 Last Modified: April 22, 2026, 12:15 a.m.

5.3

CVSS3.1

CVE-2026-0676 - WordPress Zorka theme <= 1.5.7 - Broken Access Control vulnerability

Missing Authorization vulnerability in G5Theme Zorka zorka allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Zorka: from n/a through <= 1.5.7.

📅 Published: Jan. 8, 2026, 9:17 a.m. 🔄 Last Modified: April 18, 2026, 8 a.m.

0.0

CVE-2026-0675 -

This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

📅 Published: Jan. 8, 2026, 9:17 a.m. 🔄 Last Modified: Jan. 12, 2026, 2:38 p.m.

4.3

CVSS3.1

CVE-2026-0674 - WordPress Campaign Monitor for WordPress plugin <= 2.9.1 - Broken Access Control vulnerability

Missing Authorization vulnerability in Campaign Monitor Campaign Monitor for WordPress forms-for-campaign-monitor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Campaign Monitor for WordPress: from n/a through <= 2.9.1.

📅 Published: Jan. 8, 2026, 9:17 a.m. 🔄 Last Modified: April 24, 2026, 6:28 p.m.

5.4

CVSS3.1

CVE-2025-69169 - WordPress Easy Media Download plugin <= 1.1.11 - CSS Injection vulnerability

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Noor Alam Easy Media Download easy-media-download allows Reflection Injection. This issue affects Easy Media Download: from n/a through <= 1.1.11.

📅 Published: Jan. 8, 2026, 9:17 a.m. 🔄 Last Modified: April 24, 2026, 6:28 p.m.