5.5
CVE-2025-9497 - Hardcoded Upgrade Decryption Passwords
Use of Hard-coded Credentials vulnerability in Microchip Time Provider 4100 allows Malicious Manual Software Update.This issue affects Time Provider 4100: before 2.5.0.
5.1
CVE-2026-4995 - wandb OpenUI Window Message Event index.html cross site scripting
A vulnerability was determined in wandb OpenUI up to 1.0. Affected by this vulnerability is an unknown functionality of the file frontend/public/annotator/index.html of the component Window Message Event Handler. This manipulation causes cross site scripting. The attack can be initiated remotely. Tโฆ
5.3
CVE-2026-2442 - Pagelayer <= 2.0.7 - Improper Neutralization of CRLF Sequences to Unauthenticated Email Header Injeโฆ
The Page Builder: Pagelayer โ Drag and Drop website builder plugin for WordPress is vulnerable to Improper Neutralization of CRLF Sequences ('CRLF Injection') in all versions up to, and including, 2.0.7. This is due to the contact form handler performing placeholder substitution on attacker-controlโฆ
5.1
CVE-2026-4994 - wandb OpenUI APIStatusError server.py generic_exception_handler information exposure
A vulnerability was found in wandb OpenUI up to 1.0/3.5-turb. Affected is the function generic_exception_handler of the file backend/openui/server.py of the component APIStatusError Handler. The manipulation of the argument key results in information exposure through error message. Access to the loโฆ
4.8
CVE-2026-4993 - wandb OpenUI config.py hard-coded credentials
A vulnerability has been found in wandb OpenUI up to 0.0.0.0/1.0. This impacts an unknown function of the file backend/openui/config.py. The manipulation of the argument LITELLM_MASTER_KEY leads to hard-coded credentials. An attack has to be approached locally. The exploit has been disclosed to theโฆ
0.0
CVE-2026-23399 - nf_tables: nft_dynset: fix possible stateful expression memleak in error path
In the Linux kernel, the following vulnerability has been resolved: nf_tables: nft_dynset: fix possible stateful expression memleak in error path If cloning the second stateful expression in the element via GFP_ATOMIC fails, then the first stateful expression remains in place without being releasโฆ
6.5
CVE-2026-1307 - Ninja Forms <= 3.14.1 - Authenticated (Contributor+) Sensitive Information Disclosure via Block Ediโฆ
The Ninja Forms - The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.14.1 via a callback function for the admin_enqueue_scripts action handler in blocks/bootstrap.php. This makes it possible for aโฆ
0.0
CVE-2025-15445 - Restaurant Cafeteria <= 0.4.6 - Subscriber+ Arbitrary Plugin Installation/Activation
The Restaurant Cafeteria WordPress theme through 0.4.6 exposes insecure admin-ajax actions without nonce or capability checks, allowing any logged-in user, like subscriber, to perform privileged operations. An attacker can install and activate a from a user-supplied URL, leading to arbitrary PHP cโฆ
7.2
CVE-2025-12886 - Oxygen <= 6.0.8 - Unauthenticated Server-Side Request Forgery via route_path
The Oxygen Theme theme for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 6.0.8 via the laborator_calc_route AJAX action. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web applicatiโฆ
7.5
CVE-2026-4987 - SureForms <= 2.5.2 - Unauthenticated Payment Amount Validation Bypass via 'form_id'
The SureForms โ Contact Form, Payment Form & Other Custom Form Builder plugin for WordPress is vulnerable to Payment Amount Bypass in all versions up to, and including, 2.5.2. This is due to the create_payment_intent() function performing a payment validation solely based on the value of a user-conโฆ