0.0
CVE-2026-27031 -
Not used
0.0
CVE-2026-27035 -
Not used
0.0
CVE-2026-27032 -
Not used
8.7
CVE-2026-25903 - Apache NiFi: Missing Authorization of Restricted Permissions for Component Updates
Apache NiFi 1.1.0 through 2.7.2 are missing authorization when updating configuration properties on extension components that have specific Required Permissions based on the Restricted annotation. The Restricted annotation indicates additional privileges required to add the annotated component to tβ¦
7.2
CVE-2026-1216 - RSS Aggregator <= 5.0.10 - Reflected Cross-Site Scripting via 'template' Parameter
The RSS Aggregator plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'template' parameter in all versions up to, and including, 5.0.10 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for unauthenticated attackβ¦
5.8
CVE-2026-0829 - Frontend File Manager Plugin <= 23.5 - Unauthenticated Arbitrary Email Sending
The Frontend File Manager Plugin WordPress plugin through 23.5 allows unauthenticated users to send emails through the site without any security checks. This lets attackers use the WordPress site as an open relay for spam or phishing emails to anyone. Attackers can also guess file IDs to access andβ¦
5.3
CVE-2026-1657 - EventPrime <= 4.2.8.4 - Missing Authorization to Unauthenticated Image Upload via 'ep_upload_file_mβ¦
The EventPrime plugin for WordPress is vulnerable to unauthorized image file upload in all versions up to, and including, 4.2.8.4. This is due to the plugin registering the upload_file_media AJAX action as publicly accessible (nopriv-enabled) without implementing any authentication, authorization, β¦
7.7
CVE-2026-2592 - Zarinpal Gateway for WooCommerce <= 5.0.16 - Improper Access Control to Payment Status Update
The Zarinpal Gateway for WooCommerce plugin for WordPress is vulnerable to Improper Access Control to Payment Status Update in all versions up to and including 5.0.16. This is due to the payment callback handler 'Return_from_ZarinPal_Gateway' failing to validate that the authority token provided inβ¦
4.4
CVE-2026-2002 - Forminator Forms β Contact Form, Payment Form & Custom Form Builder <= 1.50.2 - Authenticated (Admiβ¦
The Forminator Forms β Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form_name parameter in all versions up to, and including, 1.50.2 due to insufficient input sanitization and output escaping. This makes it possible for aβ¦
9.3
CVE-2026-26220 - LightLLM <= 1.1.0 PD Mode Unsafe Deserialization RCE
LightLLM version 1.1.0 and prior contain an unauthenticated remote code execution vulnerability in PD (prefill-decode) disaggregation mode. The PD master node exposes WebSocket endpoints that receive binary frames and pass the data directly to pickle.loads() without authentication or validation. A β¦