🔐 CVE Alert

Real-Time CVE Alerts & Vulnerability Tracker

Search enriched vulnerability intelligence — EPSS exploitability scores, CVSS severity, CISA KEV status — and get instant alerts to Slack, Telegram, Discord or Google Chat.

⚡ Immediate or digest alerts 🎯 Filter by ecosystem, severity, EPSS 🔑 CISA KEV tracking 🆓 Free forever

253,537 results

CVE-2026-35147HIGH 8.2

HCL DFXServer is affected by a Broken Authentication vulnerability via direct API access.

HCL DFXServer is affected by a Broken Authentication vulnerability via direct API access. The application fails to verify the user's authentication status when accessing specific API endpoints, allowing an unauthenticated attacker to interact with the APIs and perform unauthorized actions without valid credentials.

EPSS
0.0%
hcl software / dfxserverJul 16, 2026
CVE-2026-35149HIGH 8.2

HCL DFXServer is affected by an Authentication Bypass vulnerability via server response manipulation.

HCL DFXServer is affected by an Authentication Bypass vulnerability via server response manipulation. An unauthorized user without valid credentials can exploit this flaw by intercepting and altering the server's authentication responses, allowing them to gain unauthorized access to the application without verification.

EPSS
0.0%
hcl software / dfxserverJul 16, 2026
CVE-2026-35148MEDIUM 6.3

HCL DFXServer is affected by a Missing Access Control vulnerability

HCL DFXServer is affected by a Missing Access Control vulnerability. This vulnerability states that certain endpoints are accessible without any form of authentication in another browser. This allows any network user to invoke these APIs and interact with the application without verification of their identity or authorization level.

EPSS
0.0%
hcl software / dfxserverJul 16, 2026
CVE-2026-35146MEDIUM 6.3

HCL DFXServer is affected by an Unencrypted Communication vulnerability.

HCL DFXServer is affected by an Unencrypted Communication vulnerability. The application permits users to establish connections over unencrypted channels via the HTTP protocol, which could allow a remote attacker to intercept network traffic and expose sensitive data transmitted between the user and the application.

EPSS
0.0%
hclsoftware / dfxserverJul 16, 2026
CVE-2023-49899CRITICAL 9.8

Origin Validation Error in X-Rite MA-T6

An unauthenticated remote attacker can execute any command on the affected device due to not correctly verifying the origin of a communication channel.

EPSS
0.0%
x-rite / ma-t6Jul 16, 2026
CVE-2023-49900CRITICAL 9.8

Origin Validation Error in X-Rite MA-T6

An unauthenticated remote attacker is able to perform remote code execution due to incorrectly sanitized user input in the SetParameter command.

EPSS
0.0%
x-rite / ma-t6Jul 16, 2026
CVE-2026-22752CRITICAL 9.6

Spring Security Authorization Server Dynamic Client Registration endpoints perform insufficient validation of client metadata

Authentication bypass by primary weakness vulnerability in Spring Security Spring Authorization Server. This issue affects Spring Authorization Server: from 7.0.0 through 7.0.4, from 1.5.0 through 1.5.6, from 1.4.0 through 1.4.9, from 1.3.0 through 1.3.10.

EPSS
0.0%
spring security / spring authorization serverJul 16, 2026
CVE-2026-6424UNKNOWN 0.0

Use-after-free vulnerability in ESET security products for Linux

Use-after-free vulnerability in ESET Linux products potentially allowed an attacker to trigger kernel panic on the system

EPSS
0.0%
eset, spol. s.r.o. / eset endpoint antivirus for linuxJul 16, 2026
CVE-2026-15324MEDIUM 4.4

SysBasics Customize My Account for WooCommerce <= 4.4.14 - Authenticated (Shop Manager+) Stored Cross-Site Scripting via 'row_type' Parameter

The SysBasics Customize My Account for WooCommerce – Live My Account Customizer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'row_type' parameter in all versions up to, and including, 4.4.14 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with shop manager-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

EPSS
0.0%
phppoet / sysbasics customize my account for woocommerce – live my account customizerJul 16, 2026
CVE-2026-15103HIGH 8.8

WPFunnels <= 3.12.8 - Authenticated (Funnel Manager+) Privilege Escalation via 'group_id' Path Parameter

The WPFunnels – Funnel Builder for WooCommerce with Checkout & One Click Upsell plugin for WordPress is vulnerable to Privilege Escalation via arbitrary option update in all versions up to, and including, 3.12.8. This is due to the `update_settings()` REST callback failing to validate the `group_id` path parameter against an allowlist of permitted option names before passing it directly to `get_option()` and `update_option()`, allowing the built-in `wp_user_roles` option — which satisfies the route's loose `[\w-]+` regex — to be targeted. This makes it possible for authenticated attackers with the `wpf_manage_funnels` capability and above to elevate their privileges to administrator by writing a crafted role definition containing arbitrary capabilities into the `wp_user_roles` option, thereby granting any WordPress role full site administrator access. The `wpf_manage_funnels` capability is typically assigned to the Funnel Manager custom role created by the plugin, meaning this role is the minimum required to exploit the vulnerability.

EPSS
0.0%
getwpfunnels / wpfunnels – funnel builder for woocommerce with checkout & one click upsellJul 16, 2026
CVE-2026-15727MEDIUM 4.9

WP Bulk Delete <= 1.4.2 - Authenticated (Administrator+) SQL Injection via 'delete_user_roles' Parameter

The WP Bulk Delete plugin for WordPress is vulnerable to generic SQL Injection via the 'delete_user_roles' parameter in all versions up to, and including, 1.4.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. wp_unslash() is applied to the raw POST body before parse_str() decomposes it, stripping WordPress magic-quotes protection and leaving attacker-controlled values fully unescaped prior to reaching the SQL sink.

EPSS
0.0%
xylus / wp bulk deleteJul 16, 2026
CVE-2026-15021MEDIUM 6.4

wpForo Forum <= 3.1.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'location' Profile Field

The wpForo Forum plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'location' Profile Field in all versions up to, and including, 3.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The sanitize_text_field() function applied at input does not encode double quotes, allowing attribute breakout via a payload that escapes the href attribute context and injects event handler attributes.

EPSS
0.0%
tomdever / wpforo forumJul 16, 2026
CVE-2026-15005HIGH 8.8

Loco Translate <= 2.8.5 - Cross-Site Request Forgery to Remote Code Execution via 'template' Parameter

The Loco Translate plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.8.5. This is due to missing or incorrect nonce validation on the execTemplate function. This makes it possible for unauthenticated attackers to execute arbitrary PHP code on the server by supplying a php://filter stream wrapper URI as the 'template' parameter, which bypasses path validation and is passed directly to the include sink in execTemplate() via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

EPSS
0.0%
timwhitlock / loco translateJul 16, 2026
CVE-2026-13741HIGH 8.8

Digits: WordPress Mobile Number Signup and Login <= 9.1.0.5 - Authenticated (Subscriber+) Privilege Escalation via 'digits_reg_userrole' Parameter

The Digits: WordPress Mobile Number Signup and Login plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 9.1.0.5. This is due to missing authorization and role validation in the `dig_update_wpwc_custom_fields()` function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to escalate their privileges to Administrator by submitting a forged `digits_reg_userrole` value during profile update, granted the site administrator has configured the built-in DIGITS User Role field.

EPSS
0.0%
unitedover / digits: wordpress mobile number signup and loginJul 16, 2026
CVE-2026-58078UNKNOWN 0.0

Joomla Extension - themexpert.com - Unauthenticated SQL injection in Quix Page Builder Pro < 6.2.1

The Joomla extension Quix Page Builder Pro is vulnerable to an unauthenticated SQL injection.

EPSS
0.0%
themexpert.com / quix page builder pro extension for joomlaJul 16, 2026
CVE-2026-6423UNKNOWN 0.0

Local privilege escalation via unauthenticated ALPC in ESET Inspect Connector

A local privilege escalation vulnerability in ESET Inspect Connector.  The vulnerability was caused by improper authentication in an IPC channel.

EPSS
0.0%
eset, spol. s.r.o. / eset inspect connectorJul 16, 2026
CVE-2026-13755MEDIUM 6.4

Tickera <= 3.6.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'price_wrapper' Shortcode Attribute

The Tickera – Sell Tickets & Manage Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'price_wrapper' Shortcode Attribute in all versions up to, and including, 3.6.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Successful execution of the injected script is limited to victims who have the referenced ticket ID present in their cart cookie, meaning the payload only fires for users who have previously added that ticket to their cart.

EPSS
0.0%
tickera / tickera – sell tickets & manage eventsJul 16, 2026
CVE-2026-15610MEDIUM 4.3

WPBot <= 8.5.6 - Missing Authorization to Authenticated (Subscriber+) Arbitrary RAG Document Re-Sync via ajax_rag_manual_sync() Function

The WPBot – AI ChatBot for Live Support, Lead Generation, AI Services plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 8.5.6. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to trigger arbitrary re-embedding of stored RAG documents, modifying the rag_documents table and consuming the site owner's paid third-party AI API credits (OpenAI, Gemini, OpenRouter, or xAI).

EPSS
0.0%
quantumcloud / wpbot – ai chatbot for live support, lead generation, ai servicesJul 16, 2026
CVE-2026-15106MEDIUM 5.3

WPBot <= 8.5.6 - Missing Authorization to Unauthenticated Arbitrary Chat Session Deletion via 'userid' Parameter

The WPBot – AI ChatBot for Live Support, Lead Generation, AI Services plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 8.5.6. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to delete arbitrary chat session records from the wpbot_user and wpbot_conversation tables, including chat history and conversation logs, by supplying a crafted userid value.

EPSS
0.0%
quantumcloud / wpbot – ai chatbot for live support, lead generation, ai servicesJul 16, 2026
CVE-2026-15407MEDIUM 4.3

Themify Builder <= 7.7.7 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Stylesheet Write/Delete via tb_generate_on_fly AJAX Action

The Themify Builder plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 7.7.7. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to overwrite or delete the generated CSS stylesheet file of arbitrary posts, including private and draft posts owned by other users, and modify plugin-scoped font options. The required CSRF nonce (tf_nonce) is emitted on public front-end builder pages via wp_localize_script, making it trivially obtainable by any authenticated user visiting such a page.

EPSS
0.0%
themifyme / themify builderJul 16, 2026

Never miss a critical vulnerability

Set up free alerts in 60 seconds. Filter by ecosystem, CVSS score or EPSS — get notified to Slack, Telegram, Discord or Google Chat the moment a new CVE matches.

Set Up Free Alerts → Create Free Account

Slack · Telegram · Discord · Google Chat