8.8

CVSS3.1

CVE-2025-13067 - Royal Addons for Elementor <= 1.7.1049 - Authenticated (Author+) Arbitrary File Upload via main.php…

The Royal Addons for Elementor plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 1.7.1049. This is due to insufficient file type validation detecting files named main.php, allowing a file with such a name to bypass sanitization. This makes it possible…

📅 Published: March 11, 2026, 4:25 a.m. 🔄 Last Modified: April 22, 2026, 9:27 p.m.

7.5

CVSS3.1

CVE-2026-2413 - Ally – Web Accessibility & Usability <= 4.0.3 - Unauthenticated SQL Injection via URL Path

The Ally – Web Accessibility & Usability plugin for WordPress is vulnerable to SQL Injection via the URL path in all versions up to, and including, 4.0.3. This is due to insufficient escaping on the user-supplied URL parameter in the `get_global_remediations()` method, where it is directly concaten…

📅 Published: March 11, 2026, 4:25 a.m. 🔄 Last Modified: April 22, 2026, 9:27 p.m.

2.7

CVSS3.1

CVE-2026-3911 - Org.keycloak.services.resources.admin.userresource: keycloak: information disclosure of disabled us…

A flaw was found in Keycloak. An authenticated user with the view-users role could exploit a vulnerability in the UserResource component. By accessing a specific administrative endpoint, this user could improperly retrieve user attributes that were configured to be hidden. This unauthorized informa…

📅 Published: March 11, 2026, 3:30 a.m. 🔄 Last Modified: May 7, 2026, 6:30 p.m.

9.3

CVSS4.0

CVE-2026-29515 - MiCode FileExplorer SwiFTP Server Authentication Bypass

MiCode FileExplorer contains an authentication bypass vulnerability in the embedded SwiFTP FTP server component that allows network attackers to log in without valid credentials. Attackers can send arbitrary username and password combinations to the PASS command handler, which unconditionally grant…

📅 Published: March 11, 2026, 3:23 a.m. 🔄 Last Modified: May 7, 2026, 6:15 p.m.

6.5

CVSS3.1

CVE-2026-23817 - Unauthenticated Open Redirect allows URL Manipulation in Web Interface

A vulnerability in the web-based management interface of AOS-CX Switches could allow an unauthenticated remote attacker to redirect users to an arbitrary URL.

📅 Published: March 11, 2026, 3:14 a.m. 🔄 Last Modified: March 20, 2026, 2:37 p.m.

7.2

CVSS3.1

CVE-2026-23816 - Authenticated Command Injection found in admin AOS-CX CLI command

A vulnerability in the command line interface of AOS-CX Switches could allow an authenticated remote attacker to execute arbitrary commands on the underlying operating system.

📅 Published: March 11, 2026, 3:13 a.m. 🔄 Last Modified: March 20, 2026, 2:38 p.m.

7.2

CVSS3.1

CVE-2026-23815 - Authenticated Command Injection found in AOS-CX Administrative CLI Command

A vulnerability in a custom binary used in AOS-CX Switches' CLI could allow an authenticated remote attacker with high privileges to perform command injection. Successful exploitation could allow an attacker to execute unauthorized commands.

📅 Published: March 11, 2026, 3:12 a.m. 🔄 Last Modified: March 20, 2026, 2:38 p.m.

8.8

CVSS3.1

CVE-2026-23814 - Authenticated Command Injection found in AOS-CX CLI Command

A vulnerability in the command parameters of a certain AOS-CX CLI command could allow a low-privilege authenticated remote attacker to inject malicious commands resulting in unwanted behavior.

📅 Published: March 11, 2026, 3:11 a.m. 🔄 Last Modified: March 20, 2026, 2:38 p.m.

9.8

CVSS3.1

CVE-2026-23813 - Authentication Bypass in Web Interface allows Unauthenticated Admin Password Reset

A vulnerability has been identified in the web-based management interface of AOS-CX switches that could potentially allow an unauthenticated remote actor to circumvent existing authentication controls. In some cases this could enable resetting the admin password.

📅 Published: March 11, 2026, 3:08 a.m. 🔄 Last Modified: March 30, 2026, 3:46 p.m.

8.1

CVSS3.1

CVE-2026-3453 - ProfilePress <= 4.16.11 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary…

The ProfilePress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.16.11. This is due to missing ownership validation on the change_plan_sub_id parameter in the process_checkout() function. The ppress_process_checkout AJAX handler accepts…

📅 Published: March 11, 2026, 2:22 a.m. 🔄 Last Modified: April 22, 2026, 9:27 p.m.