7.1
CVE-2025-68930 - Traccar Missing Origin Validation in WebSockets
Versions of the Traccar open-source GPS tracking system up to and including 6.11.1 contain a Cross-Site WebSocket Hijacking (CSWSH) vulnerability in the `/api/socket` endpoint. The application fails to validate the `Origin` header during the WebSocket handshake. This allows a remote attacker to bypโฆ
9.3
CVE-2026-23693 - ElementsKit Lite < 3.7.9 Unauthenticated Mailchimp REST Endpoint
ElementsKit Lite (elementskit-lite) WordPress plugin versions prior to 3.7.9 expose the REST endpoint /wp-json/elementskit/v1/widget/mailchimp/subscribe without authentication. The endpoint accepts client-supplied Mailchimp API credentials and insufficiently validates certain parameters, including โฆ
5.1
CVE-2026-23694 - Aruba HiSpeed Cache < 3.0.5 CSRF in Multiple Administrative AJAX Actions
Aruba HiSpeed Cache (aruba-hispeed-cache) WordPress plugin versions prior to 3.0.5 contain a cross-site request forgery (CSRF) vulnerability affecting multiple administrative AJAX actions. The handlers for ahsc_reset_options, ahsc_debug_status, and ahsc_enable_purge perform authentication and capabโฆ
6.9
CVE-2026-3026 - erzhongxmu JEEWMS UEditor getRemoteImage.jsp server-side request forgery
A vulnerability has been found in erzhongxmu JEEWMS 3.7. Affected by this issue is some unknown functionality of the file /plug-in/ueditor/jsp/getRemoteImage.jsp of the component UEditor. The manipulation of the argument upfile leads to server-side request forgery. The attack can be initiated remotโฆ
6.9
CVE-2026-3025 - ShuoRen Smart Heating Integrated Management Platform ExampleNodeService.asmx unrestricted upload
A flaw has been found in ShuoRen Smart Heating Integrated Management Platform 1.0.0. Affected by this vulnerability is an unknown functionality of the file /MP/Service/Webservice/ExampleNodeService.asmx. Executing a manipulation of the argument File can lead to unrestricted upload. It is possible tโฆ
7.5
CVE-2026-27623 - Valkey has Pre-Authentication DOS from malformed RESP request
Valkey is a distributed key-value database. Starting in version 9.0.0 and prior to version 9.0.3, a malicious actor with network access to Valkey can cause the system to abort by triggering an assertion. When processing incoming requests, the Valkey system does not properly reset the networking staโฆ
7.5
CVE-2026-21863 - Malformed Valkey Cluster bus message can lead to Remote DoS
Valkey is a distributed key-value database. Prior to versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12, a malicious actor with access to the Valkey clusterbus port can send an invalid packet that may cause an out bound read, which might result in the system crashing. The Valkey clusterbus packet processing โฆ
8.5
CVE-2025-67733 - Valkey Affected by RESP Protocol Injection via Lua error_reply
Valkey is a distributed key-value database. Prior to versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12, a malicious user can use scripting commands to inject arbitrary information into the response stream for the given client, potentially corrupting or returning tampered data to other users on the same connโฆ
5.7
CVE-2026-2698 - Improper Access Control
An improper access control vulnerability exists where an authenticated user could access areas outside of their authorized scope.
7.1
CVE-2026-27514 - Tenda F3 Plaintext Credential Exposure in Configuration Download
Shenzhen Tenda F3 Wireless Routerย firmware V12.01.01.55_multi contains a sensitive information exposure vulnerability in the configuration download functionality. The configuration download response includes the router password and administrative password in plaintext. The endpoint also omits approโฆ