Threat Intelligence Feed

MED · CVE-2026-9104 The Draft List plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Draft Post Title in all versions up HIGH · CVE-2026-9018 The Easy Elements for Elementor – Addons & Website Templates plugin for WordPress is vulnerable to Privilege Escalation MED · CVE-2026-7509 The KIA Subtitle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `the-subtitle` short MED · CVE-2026-7249 The Location Weather plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability c MED · CVE-2026-6864 The CBX 5 Star Rating & Review plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' param MED · CVE-2026-4070 The Alfie – Feed Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and incl MED · CVE-2026-44409 There is an an information disclosure vulnerability in ZTE MU5250. Due to improper configuration of the access control m MED · CVE-2026-3481 The WP Blockade plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'shortcode' parameter in al MED · CVE-2026-2518 The FastX theme for WordPress is vulnerable to unauthorized limited plugin installation and activation due to missing ca CVE-2026-9054 An attacker sending tcp, il, rudp, rudp, or gre packets with a length less than the header size would trigger a kernel p CVE-2026-9053 Mothra would respect a default value given by a website for HTML file upload forms. An attacker could craft a website wi HIGH · CVE-2026-4834 The WP ERP Pro plugin for WordPress is vulnerable to SQL Injection via the 'search_key' parameter in all versions up to, CVE-2026-46598 For certain crafted inputs, a 'ed25519.PrivateKey' was created by casting malformed wire bytes, leading to a panic when CVE-2026-46597 An incorrectly placed cast from bytes to int allowed for server-side panic in the AES-GCM packet decoder for well-crafte CVE-2026-46595 Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of cal CVE-2026-42508 Previously, a revoked 'SignatureKey' belonging to a CA was not correctly checked for revocation. Now, both the 'key' and CVE-2026-39835 SSH servers which use CertChecker as a public key callback without setting IsUserAuthority or IsHostAuthority could be c CVE-2026-39834 When writing data larger than 4GB in a single Write call on an SSH channel, an integer overflow in the internal payload CVE-2026-39833 The in-memory keyring returned by NewKeyring() silently accepted keys with the ConfirmBeforeUse constraint but never enf CVE-2026-39832 When adding a key to a remote agent constraint extensions such as restrict-destination-v00@openssh.com were not serializ CVE-2026-39831 The Verify() method for FIDO/U2F security key types (sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com) did CVE-2026-39830 A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection CVE-2026-39829 The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessive CVE-2026-39828 When an SSH server authentication callback returned PartialSuccessError with non-nil Permissions, those permissions were CVE-2026-39827 An authenticated SSH client that repeatedly opened channels which were rejected by the server caused unbounded memory gr CVE-2026-9264 A cross-site scripting (XSS) vulnerability in SketchUp 2026's Dynamic Components feature allows remote code execution an HIGH · CVE-2026-34911 A malicious actor with access to the network and low privileges could exploit a Path Traversal vulnerability found in Un CRIT · CVE-2026-34910 A malicious actor with access to the network could exploit an Improper Input Validation vulnerability found in UniFi OS CRIT · CVE-2026-34909 A malicious actor with access to the network could exploit a Path Traversal vulnerability found in UniFi OS devices to a CRIT · CVE-2026-34908 A malicious actor with access to the network could exploit an Improper Access Control vulnerability found in UniFi OS de CRIT · CVE-2026-33000 A malicious actor with access to the network and high privileges could exploit an Improper Input Validation vulnerabilit CVE-2026-5297 Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. CVE-2026-8435 Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file appr CVE-2026-8434 Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file resc CVE-2026-8433 Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file resc CVE-2026-8432 Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file star CVE-2026-8427 Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file remo CVE-2026-8416 Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file addF CVE-2026-8415 Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/express/as CVE-2026-8414 Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/event/dupl MED · CVE-2026-9104 The Draft List plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Draft Post Title in all versions up HIGH · CVE-2026-9018 The Easy Elements for Elementor – Addons & Website Templates plugin for WordPress is vulnerable to Privilege Escalation MED · CVE-2026-7509 The KIA Subtitle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `the-subtitle` short MED · CVE-2026-7249 The Location Weather plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability c MED · CVE-2026-6864 The CBX 5 Star Rating & Review plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' param MED · CVE-2026-4070 The Alfie – Feed Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and incl MED · CVE-2026-44409 There is an an information disclosure vulnerability in ZTE MU5250. Due to improper configuration of the access control m MED · CVE-2026-3481 The WP Blockade plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'shortcode' parameter in al MED · CVE-2026-2518 The FastX theme for WordPress is vulnerable to unauthorized limited plugin installation and activation due to missing ca CVE-2026-9054 An attacker sending tcp, il, rudp, rudp, or gre packets with a length less than the header size would trigger a kernel p CVE-2026-9053 Mothra would respect a default value given by a website for HTML file upload forms. An attacker could craft a website wi HIGH · CVE-2026-4834 The WP ERP Pro plugin for WordPress is vulnerable to SQL Injection via the 'search_key' parameter in all versions up to, CVE-2026-46598 For certain crafted inputs, a 'ed25519.PrivateKey' was created by casting malformed wire bytes, leading to a panic when CVE-2026-46597 An incorrectly placed cast from bytes to int allowed for server-side panic in the AES-GCM packet decoder for well-crafte CVE-2026-46595 Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of cal CVE-2026-42508 Previously, a revoked 'SignatureKey' belonging to a CA was not correctly checked for revocation. Now, both the 'key' and CVE-2026-39835 SSH servers which use CertChecker as a public key callback without setting IsUserAuthority or IsHostAuthority could be c CVE-2026-39834 When writing data larger than 4GB in a single Write call on an SSH channel, an integer overflow in the internal payload CVE-2026-39833 The in-memory keyring returned by NewKeyring() silently accepted keys with the ConfirmBeforeUse constraint but never enf CVE-2026-39832 When adding a key to a remote agent constraint extensions such as restrict-destination-v00@openssh.com were not serializ CVE-2026-39831 The Verify() method for FIDO/U2F security key types (sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com) did CVE-2026-39830 A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection CVE-2026-39829 The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessive CVE-2026-39828 When an SSH server authentication callback returned PartialSuccessError with non-nil Permissions, those permissions were CVE-2026-39827 An authenticated SSH client that repeatedly opened channels which were rejected by the server caused unbounded memory gr CVE-2026-9264 A cross-site scripting (XSS) vulnerability in SketchUp 2026's Dynamic Components feature allows remote code execution an HIGH · CVE-2026-34911 A malicious actor with access to the network and low privileges could exploit a Path Traversal vulnerability found in Un CRIT · CVE-2026-34910 A malicious actor with access to the network could exploit an Improper Input Validation vulnerability found in UniFi OS CRIT · CVE-2026-34909 A malicious actor with access to the network could exploit a Path Traversal vulnerability found in UniFi OS devices to a CRIT · CVE-2026-34908 A malicious actor with access to the network could exploit an Improper Access Control vulnerability found in UniFi OS de CRIT · CVE-2026-33000 A malicious actor with access to the network and high privileges could exploit an Improper Input Validation vulnerabilit CVE-2026-5297 Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. CVE-2026-8435 Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file appr CVE-2026-8434 Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file resc CVE-2026-8433 Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file resc CVE-2026-8432 Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file star CVE-2026-8427 Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file remo CVE-2026-8416 Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file addF CVE-2026-8415 Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/express/as CVE-2026-8414 Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/event/dupl