4.4
CVE-2026-2396 - List View Google Calendar <= 7.4.3 - Authenticated (Administrator+) Stored Cross-Site Scripting viaβ¦
The List View Google Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the event description in all versions up to, and including, 7.4.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-leβ¦
6.5
CVE-2025-15470 - Eleganzo <= 1.2 - Authenticated (Subscriber+) Arbitrary Directory Deletion
The Eleganzo theme for WordPress is vulnerable to arbitrary directory deletion due to insufficient path validation in the akd_required_plugin_callback function in all versions up to, and including, 1.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to dβ¦
8.3
CVE-2026-39884 - MCP Server Kubernetes has Argument Injection in its port_forward tool via space-splitting
mcp-server-kubernetes is a Model Context Protocol server for Kubernetes cluster management. Versions 3.4.0 and prior contain an argument injection vulnerability in the port_forward tool in src/tools/port_forward.ts, where a kubectl command is constructed via string concatenation with user-controlleβ¦
10
CVE-2026-39842 - OpenRemote is Vulnerable to Expression Injection
OpenRemote is an open-source IoT platform. Versions 1.21.0 and below contain two interrelated expression injection vulnerabilities in the rules engine that allow arbitrary code execution on the server. The JavaScript rules engine executes user-supplied scripts via Nashorn's ScriptEngine.eval() withβ¦
9.6
CVE-2026-39399 - NuGet Gallery: Arbitrary Blob Overwrite via Nuspec Confusion and URI Fragment Truncation
NuGet Gallery is a package repository that powers nuget.org. A security vulnerability exists in the NuGetGallery backend jobβs handling of .nuspec files within NuGet packages. An attacker can supply a crafted nuspec file with malicious metadata, leading to cross package metadata injection that may β¦
7.8
CVE-2026-27297 - Adobe Framemaker | Integer Underflow (Wrap or Wraparound) (CWE-191)
Adobe Framemaker versions 2022.8 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
5.5
CVE-2026-27300 - Adobe Framemaker | Access of Uninitialized Pointer (CWE-824)
Adobe Framemaker versions 2022.8 and earlier are affected by an Access of Uninitialized Pointer vulnerability that could lead to memory exposure. An attacker could leverage this vulnerability to disclose sensitive information. Exploitation of this issue requires user interaction in that a victim muβ¦
7.8
CVE-2026-27296 - Adobe Framemaker | Integer Underflow (Wrap or Wraparound) (CWE-191)
Adobe Framemaker versions 2022.8 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
8.6
CVE-2026-27290 - Adobe Framemaker | Untrusted Search Path (CWE-426)
Adobe Framemaker versions 2022.8 and earlier are affected by an Untrusted Search Path vulnerability that might allow attackers to execute arbitrary code in the context of the current user. If the application uses a search path to locate critical resources such as programs, then an attacker could moβ¦
7.8
CVE-2026-27298 - Adobe Framemaker | Access of Resource Using Incompatible Type ('Type Confusion') (CWE-843)
Adobe Framemaker versions 2022.8 and earlier are affected by an Access of Resource Using Incompatible Type ('Type Confusion') vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must opβ¦