8.6
CVE-2026-1222 - BROWAN COMMUNICATIONS ｜PrismX MX100 AP controller - Arbitrary File Upload
PrismX MX100 AP controller developed by BROWAN COMMUNICATIONS has an Arbitrary File Upload vulnerability, allowing privileged remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server.
9.3
CVE-2026-1221 - BROWAN COMMUNICATIONS ｜PrismX MX100 AP controller - Use of Hard-coded Credentials
PrismX MX100 AP controller developed by BROWAN COMMUNICATIONS has a Use of Hard-coded Credentials vulnerability, allowing unauthenticated remote attackers to log in to the database using hardcoded database credentials stored in the firmware.
6.5
CVE-2025-12573 - Bookingor <= 1.0.12 - Subscriber+ Category Deletion
The Bookingor WordPress plugin through 1.0.12 exposes authenticated AJAX actions without capability or nonce checks, allowing low-privileged users to delete Bookingor plugin data.
5.3
CVE-2026-1218 - Bjskzy Zhiyou ERP com.artery.richclient.RichClientService RichClientService.class initRCForm xml ex…
A vulnerability was detected in Bjskzy Zhiyou ERP up to 11.0. Impacted is the function initRCForm of the file RichClientService.class of the component com.artery.richclient.RichClientService. Performing a manipulation results in xml external entity reference. The attack is possible to be carried ou…
4.4
CVE-2026-1042 - WP Hello Bar <= 1.02 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'digit_one' a…
The WP Hello Bar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'digit_one' and 'digit_two' parameters in all versions up to, and including, 1.02 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administr…
4.4
CVE-2026-1045 - Viet contact <= 1.3.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'll1', 'll2'…
The Viet contact plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and …
5.3
CVE-2025-14348 - weMail <= 2.0.7 - Insufficient Authorization via x-wemail-user Header to Sensitive Information Disc…
The weMail - Email Marketing, Lead Generation, Optin Forms, Email Newsletters, A/B Testing, and Automation plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.0.7. This is due to the plugin's REST API trusting the `x-wemail-user` HTTP header to identif…
8.1
CVE-2025-14977 - Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy …
The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 4.2.4 via the `/wp-json/dokan/v1/settings` REST API endpoint due to missing validation on a…
9.8
CVE-2026-0906 - Malicious Omnibox Spoofing via Incorrect Security UI
Incorrect security UI in Google Chrome on Android prior to 144.0.7559.59 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. (Chromium security severity: Low)
5.4
CVE-2026-0903 - Bypass Dangerous File Type Protections in Chrome Downloads on Windows
Inappropriate implementation in Downloads in Google Chrome on Windows prior to 144.0.7559.59 allowed a remote attacker to bypass dangerous file type protections via a malicious file. (Chromium security severity: Medium)