{"sector":{"id":"finance","name":"Finance & Banking","sector":"financial-services","description":"Retail and corporate banking, payment processors, card networks, and fintech.\nOptimised for threats touching the payment rails, online banking and core\nbanking systems.","visibility":"public"},"top_24h":[{"id":"70873402-2eec-40f2-a494-d8eb1922f688","threat_type":"cve","title":"The RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress is vulnerable to Authentication Byp","summary":"The RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress is vulnerable to Authentication Bypass via Insufficient Verification of Data Authenticity in all versions up to and including 6.0.8.6. This is due to the PayPal IPN `callback` handler being registered as a nopriv AJAX action with no authentication or nonce requirement, and critically because the handler updates the payment log database row with attacker-controlled POST data — including `payment_status` and the `custom` field encoding the target `user_id` — before PayPal IPN validation is performed, meaning the database remains poisoned even when validation subsequently fails. 
This makes it possible for unauthenticated attackers to authenticate as any WordPress user, including administrators, by submitting a forged IPN request that overwrites a payment log entry's `user_id` with that of a target account, then visiting the success return URL with a legitimately obtained security hash to cause the plugin to issue real WordPress authentication cookies for the targeted account.","severity":"medium","cvss_score":5.3,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","cvss_version":"3.1","tags":["nvd"],"published_at":"2026-06-27T08:16:45.893000Z","last_modified_at":"2026-06-27T08:28:16.043515Z","external_id":"CVE-2026-9242","description":"The RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress is vulnerable to Authentication Bypass via Insufficient Verification of Data Authenticity in all versions up to and including 6.0.8.6. This is due to the PayPal IPN `callback` handler being registered as a nopriv AJAX action with no authentication or nonce requirement, and critically because the handler updates the payment log database row with attacker-controlled POST data — including `payment_status` and the `custom` field encoding the target `user_id` — before PayPal IPN validation is performed, meaning the database remains poisoned even when validation subsequently fails. 
This makes it possible for unauthenticated attackers to authenticate as any WordPress user, including administrators, by submitting a forged IPN request that overwrites a payment log entry's `user_id` with that of a target account, then visiting the success return URL with a legitimately obtained security hash to cause the plugin to issue real WordPress authentication cookies for the targeted account.","affected_products":[],"references":["https://plugins.trac.wordpress.org/browser/custom-registration-form-builder-with-submission-manager/tags/6.0.8.1/includes/class_rm_utilities.php#L1384","https://plugins.trac.wordpress.org/browser/custom-registration-form-builder-with-submission-manager/tags/6.0.8.1/public/class_rm_public.php#L728","https://plugins.trac.wordpress.org/browser/custom-registration-form-builder-with-submission-manager/tags/6.0.8.1/services/class_rm_paypal_service.php#L110","https://plugins.trac.wordpress.org/browser/custom-registration-form-builder-with-submission-manager/tags/6.0.8.1/services/class_rm_paypal_service.php#L155","https://plugins.trac.wordpress.org/browser/custom-registration-form-builder-with-submission-manager/tags/6.0.8.4/includes/class_rm_utilities.php#L1384","https://plugins.trac.wordpress.org/browser/custom-registration-form-builder-with-submission-manager/tags/6.0.8.4/public/class_rm_public.php#L728","https://plugins.trac.wordpress.org/browser/custom-registration-form-builder-with-submission-manager/tags/6.0.8.4/services/class_rm_paypal_service.php#L110","https://plugins.trac.wordpress.org/browser/custom-registration-form-builder-with-submission-manager/tags/6.0.8.4/services/class_rm_paypal_service.php#L155","https://plugins.trac.wordpress.org/browser/custom-registration-form-builder-with-submission-manager/trunk/includes/class_rm_utilities.php#L1384","https://plugins.trac.wordpress.org/browser/custom-registration-form-builder-with-submission-manager/trunk/public/class_rm_public.php#L728","https://plugins.trac.wordpress.org/browser
/custom-registration-form-builder-with-submission-manager/trunk/services/class_rm_paypal_service.php#L110","https://plugins.trac.wordpress.org/browser/custom-registration-form-builder-with-submission-manager/trunk/services/class_rm_paypal_service.php#L155","https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3532900%40custom-registration-form-builder-with-submission-manager&new=3532900%40custom-registration-form-builder-with-submission-manager&sfp_email=&sfph_mail=","https://www.wordfence.com/threat-intel/vulnerabilities/id/1dcf68fd-e9d3-4a46-8bd4-15c2598b91fe?source=cve"],"sources":["nvd"],"score":25.0,"score_breakdown":{"technology_match":{"hit":false,"matched":[],"points":0},"keyword_match":{"hit":true,"matched":["payment"],"points":25},"cwe_match":{"hit":false,"matched":[],"points":0},"cvss_threshold":{"hit":false,"threshold":7.0,"cvss_score":5.3,"points":0},"priority_boost":{"hit":false,"matched":[],"points":0},"excluded":{"hit":false,"matched":[],"points":0},"kev":{"hit":false,"points":0},"actively_exploited":{"hit":false,"points":0},"ransomware":{"hit":false,"points":0},"multi_source":{"hit":false,"source_count":1,"points":0},"package_match":{"hit":false,"matched":[],"points":0},"raw_total":25,"final_score":25.0},"calculated_at":"2026-06-28T02:00:19.649510Z"},{"id":"bb053ece-aa91-4371-9e64-7bf1ffd27514","threat_type":"cve","title":"The Frisbii Pay plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the 'upload_csv' and 'proc","summary":"The Frisbii Pay plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the 'upload_csv' and 'process_batch' functions in all versions up to, and including, 1.8.9. 
This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary CSV data and overwrite WooCommerce payment tokens, postmeta, and order meta records.","severity":"medium","cvss_score":6.5,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N","cvss_version":"3.1","tags":["nvd"],"published_at":"2026-06-27T08:16:44.923000Z","last_modified_at":"2026-06-27T08:28:15.993650Z","external_id":"CVE-2026-3462","description":"The Frisbii Pay plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the 'upload_csv' and 'process_batch' functions in all versions up to, and including, 1.8.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary CSV data and overwrite WooCommerce payment tokens, postmeta, and order meta records.","affected_products":[],"references":["https://plugins.trac.wordpress.org/browser/reepay-checkout-gateway/trunk/includes/Admin/MigrationMobilepayToVipps.php#L129","https://plugins.trac.wordpress.org/browser/reepay-checkout-gateway/trunk/includes/Admin/MigrationMobilepayToVipps.php#L170","https://plugins.trac.wordpress.org/browser/reepay-checkout-gateway/trunk/includes/Admin/MigrationMobilepayToVipps.php#L42","https://plugins.trac.wordpress.org/changeset/3485246/","https://www.wordfence.com/threat-intel/vulnerabilities/id/cf1ca22a-7fb6-457c-bde0-83f6744185be?source=cve"],"sources":["nvd"],"score":25.0,"score_breakdown":{"technology_match":{"hit":false,"matched":[],"points":0},"keyword_match":{"hit":true,"matched":["payment"],"points":25},"cwe_match":{"hit":false,"matched":[],"points":0},"cvss_threshold":{"hit":false,"threshold":7.0,"cvss_score":6.5,"points":0},"priority_boost":{"hit":false,"matched":[],"points":0},"excluded":{"hit":false,"matched":[],"points":0},"kev":{"hit":false,"points":0},"actively_exploited":{"hit":false,"points":0},"ransomware":{"hit":false,"points":0},"multi_source":{"hit":fal
se,"source_count":1,"points":0},"package_match":{"hit":false,"matched":[],"points":0},"raw_total":25,"final_score":25.0},"calculated_at":"2026-06-28T02:00:02.918402Z"},{"id":"a52ab66f-8168-4dfa-8493-9f3b35c35092","threat_type":"cve","title":"The WP Full Stripe Free plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 8.4.3 via the wpfs_update_failed","summary":"The WP Full Stripe Free plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 8.4.3 via the wpfs_update_failed_payment_status AJAX action. The handler is registered through both wp_ajax_ and wp_ajax_nopriv_ hooks and the underlying update_failed_payment_status() function performs no capability check, no nonce verification, and no logged-in check before calling $this->db->updatePaymentByEventId() with attacker-controlled POST parameters. This makes it possible for unauthenticated attackers who can obtain a valid Stripe Payment Intent ID for the target site (Payment Intent IDs are exposed to the customer browser during normal Stripe.js checkout flows) to manipulate payment records in the site's database, marking previously successful payments as failed and overwriting failure codes and messages with attacker-supplied values.","severity":"medium","cvss_score":5.3,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","cvss_version":"3.1","tags":["nvd"],"published_at":"2026-06-27T08:16:44.563000Z","last_modified_at":"2026-06-27T08:28:15.920220Z","external_id":"CVE-2026-12432","description":"The WP Full Stripe Free plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 8.4.3 via the wpfs_update_failed_payment_status AJAX action. 
The handler is registered through both wp_ajax_ and wp_ajax_nopriv_ hooks and the underlying update_failed_payment_status() function performs no capability check, no nonce verification, and no logged-in check before calling $this->db->updatePaymentByEventId() with attacker-controlled POST parameters. This makes it possible for unauthenticated attackers who can obtain a valid Stripe Payment Intent ID for the target site (Payment Intent IDs are exposed to the customer browser during normal Stripe.js checkout flows) to manipulate payment records in the site's database, marking previously successful payments as failed and overwriting failure codes and messages with attacker-supplied values.","affected_products":[],"references":["https://plugins.trac.wordpress.org/browser/wp-full-stripe-free/tags/8.4.1/includes/wpfs-customer.php#L3840","https://plugins.trac.wordpress.org/browser/wp-full-stripe-free/tags/8.4.1/includes/wpfs-customer.php#L3865","https://plugins.trac.wordpress.org/browser/wp-full-stripe-free/tags/8.4.1/includes/wpfs-customer.php#L706","https://plugins.trac.wordpress.org/browser/wp-full-stripe-free/tags/8.4.1/includes/wpfs-database.php#L2652","https://plugins.trac.wordpress.org/browser/wp-full-stripe-free/tags/8.4.3/includes/wpfs-customer.php#L3840","https://plugins.trac.wordpress.org/browser/wp-full-stripe-free/tags/8.4.3/includes/wpfs-customer.php#L3865","https://plugins.trac.wordpress.org/browser/wp-full-stripe-free/tags/8.4.3/includes/wpfs-customer.php#L706","https://plugins.trac.wordpress.org/browser/wp-full-stripe-free/tags/8.4.3/includes/wpfs-database.php#L2652","https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3584355%40wp-full-stripe-free&new=3584355%40wp-full-stripe-free&sfp_email=&sfph_mail=","https://www.wordfence.com/threat-intel/vulnerabilities/id/c5811d13-0c5d-4a10-86a1-6318cc2e7663?source=cve"],"sources":["nvd"],"score":25.0,"score_breakdown":{"technology_match":{"hit":false,"matched":[],"points":0},"keyw
ord_match":{"hit":true,"matched":["payment"],"points":25},"cwe_match":{"hit":false,"matched":[],"points":0},"cvss_threshold":{"hit":false,"threshold":7.0,"cvss_score":5.3,"points":0},"priority_boost":{"hit":false,"matched":[],"points":0},"excluded":{"hit":false,"matched":[],"points":0},"kev":{"hit":false,"points":0},"actively_exploited":{"hit":false,"points":0},"ransomware":{"hit":false,"points":0},"multi_source":{"hit":false,"source_count":1,"points":0},"package_match":{"hit":false,"matched":[],"points":0},"raw_total":25,"final_score":25.0},"calculated_at":"2026-06-28T02:00:19.437139Z"},{"id":"b8e911e1-c4c6-419c-91cb-9e859b783498","threat_type":"cve","title":"The Page Builder by SiteOrigin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via panels_data Parameter in all versions up to, and ","summary":"The Page Builder by SiteOrigin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via panels_data Parameter in all versions up to, and including, 2.34.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 
This is possible because the nonce and edit_post capability checks enforced during save are both satisfied by Contributor-level users for their own posts, and the panels_data value is stored as post meta — outside the scope of WordPress's unfiltered_html carve-out — meaning no wp_kses fallback prevents the unsanitized WP_Widget_Custom_HTML content from being persisted and later rendered verbatim on the frontend.","severity":"medium","cvss_score":6.4,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N","cvss_version":"3.1","tags":["nvd"],"published_at":"2026-06-27T08:16:44.800000Z","last_modified_at":"2026-06-27T08:28:15.964850Z","external_id":"CVE-2026-13295","description":"The Page Builder by SiteOrigin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via panels_data Parameter in all versions up to, and including, 2.34.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 
This is possible because the nonce and edit_post capability checks enforced during save are both satisfied by Contributor-level users for their own posts, and the panels_data value is stored as post meta — outside the scope of WordPress's unfiltered_html carve-out — meaning no wp_kses fallback prevents the unsanitized WP_Widget_Custom_HTML content from being persisted and later rendered verbatim on the frontend.","affected_products":[],"references":["https://plugins.trac.wordpress.org/browser/siteorigin-panels/tags/2.34.1/inc/admin.php#L1085","https://plugins.trac.wordpress.org/browser/siteorigin-panels/tags/2.34.1/inc/admin.php#L236","https://plugins.trac.wordpress.org/browser/siteorigin-panels/tags/2.34.1/inc/admin.php#L254","https://plugins.trac.wordpress.org/browser/siteorigin-panels/tags/2.34.1/inc/renderer.php#L950","https://plugins.trac.wordpress.org/browser/siteorigin-panels/tags/2.34.3/inc/admin.php#L1085","https://plugins.trac.wordpress.org/browser/siteorigin-panels/tags/2.34.3/inc/admin.php#L236","https://plugins.trac.wordpress.org/browser/siteorigin-panels/tags/2.34.3/inc/admin.php#L254","https://plugins.trac.wordpress.org/browser/siteorigin-panels/tags/2.34.3/inc/renderer.php#L950","https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3585987%40siteorigin-panels&new=3585987%40siteorigin-panels&sfp_email=&sfph_mail=","https://www.wordfence.com/threat-intel/vulnerabilities/id/7830b3dc-7d20-4516-b4d6-57636ca773e9?source=cve"],"sources":["nvd"],"score":20.0,"score_breakdown":{"technology_match":{"hit":false,"matched":[],"points":0},"keyword_match":{"hit":false,"matched":[],"points":0},"cwe_match":{"hit":true,"matched":["CWE-79"],"points":20},"cvss_threshold":{"hit":false,"threshold":7.0,"cvss_score":6.4,"points":0},"priority_boost":{"hit":false,"matched":[],"points":0},"excluded":{"hit":false,"matched":[],"points":0},"kev":{"hit":false,"points":0},"actively_exploited":{"hit":false,"points":0},"ransomware":{"hit":false,"points":0}
,"multi_source":{"hit":false,"source_count":1,"points":0},"package_match":{"hit":false,"matched":[],"points":0},"raw_total":20,"final_score":20.0},"calculated_at":"2026-06-28T02:00:16.765313Z"},{"id":"54228f66-aa7a-4b9f-bb1d-c91ef712e5be","threat_type":"cve","title":"The Gutenverse – WordPress Blocks, Page Builder & Site Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings","summary":"The Gutenverse – WordPress Blocks, Page Builder & Site Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.8.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.","severity":"medium","cvss_score":4.4,"cvss_vector":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N","cvss_version":"3.1","tags":["nvd"],"published_at":"2026-06-27T08:16:44.443000Z","last_modified_at":"2026-06-27T08:28:15.899175Z","external_id":"CVE-2026-12399","description":"The Gutenverse – WordPress Blocks, Page Builder & Site Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.8.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 
This only affects multi-site installations and installations where unfiltered_html has been disabled.","affected_products":[],"references":["https://plugins.trac.wordpress.org/browser/gutenverse/tags/3.6.3/lib/framework/helper.php#L1440","https://plugins.trac.wordpress.org/browser/gutenverse/tags/3.6.3/lib/framework/helper.php#L1775","https://plugins.trac.wordpress.org/browser/gutenverse/tags/3.6.3/lib/framework/includes/class-api.php#L1956","https://plugins.trac.wordpress.org/browser/gutenverse/tags/3.6.3/lib/framework/includes/class-frontend-generator.php#L147","https://plugins.trac.wordpress.org/browser/gutenverse/tags/3.6.3/lib/framework/includes/class-global-variable.php#L78","https://plugins.trac.wordpress.org/browser/gutenverse/tags/3.8.0/lib/framework/helper.php#L1440","https://plugins.trac.wordpress.org/browser/gutenverse/tags/3.8.0/lib/framework/helper.php#L1775","https://plugins.trac.wordpress.org/browser/gutenverse/tags/3.8.0/lib/framework/includes/class-api.php#L1956","https://plugins.trac.wordpress.org/browser/gutenverse/tags/3.8.0/lib/framework/includes/class-frontend-generator.php#L147","https://plugins.trac.wordpress.org/browser/gutenverse/tags/3.8.0/lib/framework/includes/class-global-variable.php#L78","https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3578328%40gutenverse&new=3578328%40gutenverse&sfp_email=&sfph_mail=","https://www.wordfence.com/threat-intel/vulnerabilities/id/fd1c679b-43e0-4e3a-ae2d-f6ff8a657512?source=cve"],"sources":["nvd"],"score":20.0,"score_breakdown":{"technology_match":{"hit":false,"matched":[],"points":0},"keyword_match":{"hit":false,"matched":[],"points":0},"cwe_match":{"hit":true,"matched":["CWE-79"],"points":20},"cvss_threshold":{"hit":false,"threshold":7.0,"cvss_score":4.4,"points":0},"priority_boost":{"hit":false,"matched":[],"points":0},"excluded":{"hit":false,"matched":[],"points":0},"kev":{"hit":false,"points":0},"actively_exploited":{"hit":false,"points":0},"ransomware":{"hit":false
,"points":0},"multi_source":{"hit":false,"source_count":1,"points":0},"package_match":{"hit":false,"matched":[],"points":0},"raw_total":20,"final_score":20.0},"calculated_at":"2026-06-28T02:00:19.406387Z"},{"id":"85d87c35-d9b2-464e-aadd-71f011706110","threat_type":"cve","title":"The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to Stored Cr","summary":"The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Product SKU in all versions up to, and including, 5.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with custom-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The malicious payload is delivered to site visitors — including unauthenticated users — when the store search widget inserts the unescaped AJAX response HTML into the DOM via jQuery's .html() method.","severity":"medium","cvss_score":6.4,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N","cvss_version":"3.1","tags":["nvd"],"published_at":"2026-06-27T08:16:44.197000Z","last_modified_at":"2026-06-27T08:28:15.848346Z","external_id":"CVE-2026-11783","description":"The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Product SKU in all versions up to, and including, 5.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with custom-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 
The malicious payload is delivered to site visitors — including unauthenticated users — when the store search widget inserts the unescaped AJAX response HTML into the DOM via jQuery's .html() method.","affected_products":[],"references":["https://plugins.trac.wordpress.org/browser/dokan-lite/tags/4.3.3/includes/Product/Hooks.php#L117","https://plugins.trac.wordpress.org/browser/dokan-lite/tags/4.3.3/includes/Product/Hooks.php#L137","https://plugins.trac.wordpress.org/browser/dokan-lite/tags/4.3.3/includes/Product/Hooks.php#L161","https://plugins.trac.wordpress.org/browser/dokan-lite/tags/5.0.3/includes/Product/Hooks.php#L117","https://plugins.trac.wordpress.org/browser/dokan-lite/tags/5.0.3/includes/Product/Hooks.php#L137","https://plugins.trac.wordpress.org/browser/dokan-lite/tags/5.0.3/includes/Product/Hooks.php#L161","https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3578095%40dokan-lite&new=3578095%40dokan-lite&sfp_email=&sfph_mail=","https://www.wordfence.com/threat-intel/vulnerabilities/id/21065544-8a48-485b-88af-2e638b400de4?source=cve"],"sources":["nvd"],"score":20.0,"score_breakdown":{"technology_match":{"hit":false,"matched":[],"points":0},"keyword_match":{"hit":false,"matched":[],"points":0},"cwe_match":{"hit":true,"matched":["CWE-79"],"points":20},"cvss_threshold":{"hit":false,"threshold":7.0,"cvss_score":6.4,"points":0},"priority_boost":{"hit":false,"matched":[],"points":0},"excluded":{"hit":false,"matched":[],"points":0},"kev":{"hit":false,"points":0},"actively_exploited":{"hit":false,"points":0},"ransomware":{"hit":false,"points":0},"multi_source":{"hit":false,"source_count":1,"points":0},"package_match":{"hit":false,"matched":[],"points":0},"raw_total":20,"final_score":20.0},"calculated_at":"2026-06-28T02:00:16.760704Z"},{"id":"7d127343-d396-47cc-9b82-7e8bd158ad63","threat_type":"cve","title":"The Surbma | Infusionsoft Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 
'infusionsoft-form' shortcode in version","summary":"The Surbma | Infusionsoft Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'infusionsoft-form' shortcode in versions up to, and including, 2.0.1. This is due to insufficient input sanitization and output escaping on user-supplied 'account' and 'id' shortcode attributes in the surbma_infusionsoft_shortcode_shortcode() function, which are concatenated directly into a  tag's src attribute. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","severity":"medium","cvss_score":6.4,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N","cvss_version":"3.1","tags":["nvd"],"published_at":"2026-06-27T08:16:43.910000Z","last_modified_at":"2026-06-27T08:28:15.800987Z","external_id":"CVE-2026-11597","description":"The Surbma | Infusionsoft Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'infusionsoft-form' shortcode in versions up to, and including, 2.0.1. This is due to insufficient input sanitization and output escaping on user-supplied 'account' and 'id' shortcode attributes in the surbma_infusionsoft_shortcode_shortcode() function, which are concatenated directly into a  tag's src attribute. 
This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","affected_products":[],"references":["https://plugins.trac.wordpress.org/browser/surbma-infusionsoft-shortcode/tags/2.0/surbma-infusionsoft-shortcode.php#L31","https://plugins.trac.wordpress.org/browser/surbma-infusionsoft-shortcode/tags/2.0/surbma-infusionsoft-shortcode.php#L35","https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3581906%40surbma-infusionsoft-shortcode&new=3581906%40surbma-infusionsoft-shortcode&sfp_email=&sfph_mail=","https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3581936%40surbma-infusionsoft-shortcode&new=3581936%40surbma-infusionsoft-shortcode&sfp_email=&sfph_mail=","https://www.wordfence.com/threat-intel/vulnerabilities/id/c2a91fe9-f642-4a61-a175-ed5bb537bf08?source=cve"],"sources":["nvd"],"score":20.0,"score_breakdown":{"technology_match":{"hit":false,"matched":[],"points":0},"keyword_match":{"hit":false,"matched":[],"points":0},"cwe_match":{"hit":true,"matched":["CWE-79"],"points":20},"cvss_threshold":{"hit":false,"threshold":7.0,"cvss_score":6.4,"points":0},"priority_boost":{"hit":false,"matched":[],"points":0},"excluded":{"hit":false,"matched":[],"points":0},"kev":{"hit":false,"points":0},"actively_exploited":{"hit":false,"points":0},"ransomware":{"hit":false,"points":0},"multi_source":{"hit":false,"source_count":1,"points":0},"package_match":{"hit":false,"matched":[],"points":0},"raw_total":20,"final_score":20.0},"calculated_at":"2026-06-28T02:00:19.401266Z"},{"id":"e809ca72-df81-49b2-bd3d-3325a6bf2cb9","threat_type":"cve","title":"Zephyr's BSD-sockets getaddrinfo() implementation (subsys/net/lib/sockets/getaddrinfo.c) passes a pointer to a stack-allocated state object (struct ge","summary":"Zephyr's BSD-sockets getaddrinfo() implementation (subsys/net/lib/sockets/getaddrinfo.c) 
passes a pointer to a stack-allocated state object (struct getaddrinfo_state ai_state) as the user_data of an asynchronous DNS resolver query. The socket layer waits on a semaphore with a timeout deliberately set slightly longer than the resolver's own per-query timeout. When that semaphore wait nonetheless times out (-EAGAIN) - which can occur when the resolver's timeout work is delayed by workqueue contention, or in the documented multi-retry configuration where CONFIG_NET_SOCKETS_DNS_TIMEOUT exceeds CONFIG_NET_SOCKETS_DNS_BACKOFF_INTERVAL - the pre-fix code retries the query (goto again) without cancelling the previous one and without resetting the semaphore. The previous query slot remains active in the resolver with its callback and the stack pointer as user_data, and ai_state-dns_id is overwritten so the stale query can no longer be cancelled. A subsequent DNS response delivered over UDP and matched by its 16-bit transaction id (in dispatcher_cb()/dns_read()), or the resolver's own delayed query-timeout work, then invokes dns_resolve_cb() against the now out-of-scope stack frame, writing through the stale pointer (state-status, state-idx, state-ai_arr[], and k_sem_give()). Because the triggering response is network-delivered and its 16-bit id is spoofable/replayable by an on- or off-path attacker, this is a network-influenceable use-after-return that can corrupt reused stack memory, leading to crashes/denial of service or memory corruption. The fix cancels the timed-out query by name and type before retrying and resets the local semaphore, eliminating the stale callback path. 
Affected: Zephyr v4.0.0 through v4.4.0.","severity":"high","cvss_score":7.4,"cvss_vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H","cvss_version":"3.1","tags":["nvd"],"published_at":"2026-06-28T05:16:21.083000Z","last_modified_at":"2026-06-28T05:49:26.935615Z","external_id":"CVE-2026-10646","description":"Zephyr's BSD-sockets getaddrinfo() implementation (subsys/net/lib/sockets/getaddrinfo.c) passes a pointer to a stack-allocated state object (struct getaddrinfo_state ai_state) as the user_data of an asynchronous DNS resolver query. The socket layer waits on a semaphore with a timeout deliberately set slightly longer than the resolver's own per-query timeout. When that semaphore wait nonetheless times out (-EAGAIN) - which can occur when the resolver's timeout work is delayed by workqueue contention, or in the documented multi-retry configuration where CONFIG_NET_SOCKETS_DNS_TIMEOUT exceeds CONFIG_NET_SOCKETS_DNS_BACKOFF_INTERVAL - the pre-fix code retries the query (goto again) without cancelling the previous one and without resetting the semaphore. The previous query slot remains active in the resolver with its callback and the stack pointer as user_data, and ai_state-dns_id is overwritten so the stale query can no longer be cancelled. A subsequent DNS response delivered over UDP and matched by its 16-bit transaction id (in dispatcher_cb()/dns_read()), or the resolver's own delayed query-timeout work, then invokes dns_resolve_cb() against the now out-of-scope stack frame, writing through the stale pointer (state-status, state-idx, state-ai_arr[], and k_sem_give()). Because the triggering response is network-delivered and its 16-bit id is spoofable/replayable by an on- or off-path attacker, this is a network-influenceable use-after-return that can corrupt reused stack memory, leading to crashes/denial of service or memory corruption. 
The fix cancels the timed-out query by name and type before retrying and resets the local semaphore, eliminating the stale callback path. Affected: Zephyr v4.0.0 through v4.4.0.","affected_products":[],"references":["https://github.com/zephyrproject-rtos/zephyr/commit/cd27da58eedb8d0fe380dd340b81ca5afa35de45","https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-h752-vhmf-29w6"],"sources":["nvd"],"score":15.0,"score_breakdown":{"technology_match":{"hit":false,"matched":[],"points":0},"keyword_match":{"hit":false,"matched":[],"points":0},"cwe_match":{"hit":false,"matched":[],"points":0},"cvss_threshold":{"hit":true,"threshold":7.0,"cvss_score":7.4,"points":15},"priority_boost":{"hit":false,"matched":[],"points":0},"excluded":{"hit":false,"matched":[],"points":0},"kev":{"hit":false,"points":0},"actively_exploited":{"hit":false,"points":0},"ransomware":{"hit":false,"points":0},"multi_source":{"hit":false,"source_count":1,"points":0},"package_match":{"hit":false,"matched":[],"points":0},"raw_total":15,"final_score":15.0},"calculated_at":"2026-06-28T05:49:27.051271Z"},{"id":"ea8053e6-31b5-47d9-88c8-1752025cf54f","threat_type":"cve","title":"RustDesk gates incoming control messages on per-capability flags rather than on the session's authorized connection type, and a file-transfer session ","summary":"RustDesk gates incoming control messages on per-capability flags rather than on the session's authorized connection type, and a file-transfer session does not clear those flags. 
A peer holding only a valid FileTransfer authorization can inject keyboard and mouse input and reach the unguarded screenshot and display-capture handlers, acting outside its granted scope.","severity":"high","cvss_score":7.6,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L","cvss_version":"3.1","tags":["nvd"],"published_at":"2026-06-28T02:16:32.860000Z","last_modified_at":"2026-06-28T02:46:21.869116Z","external_id":"CVE-2026-58056","description":"RustDesk gates incoming control messages on per-capability flags rather than on the session's authorized connection type, and a file-transfer session does not clear those flags. A peer holding only a valid FileTransfer authorization can inject keyboard and mouse input and reach the unguarded screenshot and display-capture handlers, acting outside its granted scope.","affected_products":[],"references":["https://github.com/bikini/exploitarium/tree/main/rustdesk-session-permission-pocs","https://www.vulncheck.com/advisories/rustdesk-filetransfer-session-authorization-scope-bypass"],"sources":["nvd"],"score":15.0,"score_breakdown":{"technology_match":{"hit":false,"matched":[],"points":0},"keyword_match":{"hit":false,"matched":[],"points":0},"cwe_match":{"hit":false,"matched":[],"points":0},"cvss_threshold":{"hit":true,"threshold":7.0,"cvss_score":7.6,"points":15},"priority_boost":{"hit":false,"matched":[],"points":0},"excluded":{"hit":false,"matched":[],"points":0},"kev":{"hit":false,"points":0},"actively_exploited":{"hit":false,"points":0},"ransomware":{"hit":false,"points":0},"multi_source":{"hit":false,"source_count":1,"points":0},"package_match":{"hit":false,"matched":[],"points":0},"raw_total":15,"final_score":15.0},"calculated_at":"2026-06-28T02:46:22.024608Z"},{"id":"36a667c9-474c-4e00-8801-3dcf3fa83e55","threat_type":"cve","title":"MyBB 1.8.40 does not restrict which usergroup a limited Admin Control Panel user may assign when creating or editing users; the user module offers the","summary":"MyBB 1.8.40 
does not restrict which usergroup a limited Admin Control Panel user may assign when creating or editing users; the user module offers the Administrators group (gid 4) and its datahandler's verify_usergroup() unconditionally returns true. An admin holding only the delegated user-management permission can assign the Administrators group to an account and escalate to the full Administrator permission set.","severity":"high","cvss_score":7.2,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H","cvss_version":"3.1","tags":["nvd"],"published_at":"2026-06-28T02:16:32.550000Z","last_modified_at":"2026-06-28T02:46:21.820772Z","external_id":"CVE-2026-58054","description":"MyBB 1.8.40 does not restrict which usergroup a limited Admin Control Panel user may assign when creating or editing users; the user module offers the Administrators group (gid 4) and its datahandler's verify_usergroup() unconditionally returns true. An admin holding only the delegated user-management permission can assign the Administrators group to an account and escalate to the full Administrator permission 
set.","affected_products":[],"references":["https://github.com/bikini/exploitarium/tree/main/mybb-limited-acp-to-admin","https://www.vulncheck.com/advisories/mybb-privilege-escalation-from-limited-acp-user-management-to-administrator"],"sources":["nvd"],"score":15.0,"score_breakdown":{"technology_match":{"hit":false,"matched":[],"points":0},"keyword_match":{"hit":false,"matched":[],"points":0},"cwe_match":{"hit":false,"matched":[],"points":0},"cvss_threshold":{"hit":true,"threshold":7.0,"cvss_score":7.2,"points":15},"priority_boost":{"hit":false,"matched":[],"points":0},"excluded":{"hit":false,"matched":[],"points":0},"kev":{"hit":false,"points":0},"actively_exploited":{"hit":false,"points":0},"ransomware":{"hit":false,"points":0},"multi_source":{"hit":false,"source_count":1,"points":0},"package_match":{"hit":false,"matched":[],"points":0},"raw_total":15,"final_score":15.0},"calculated_at":"2026-06-28T02:46:21.993865Z"}],"top_7d":[{"id":"ca8d4e1f-904d-4f99-ba3f-607ee66cdd2a","threat_type":"cve","title":"n8n before version 2.4.0 contains a sql injection vulnerability in MySQL, PostgreSQL, and Microsoft SQL nodes that allows authenticated users to injec","summary":"n8n before version 2.4.0 contains a sql injection vulnerability in MySQL, PostgreSQL, and Microsoft SQL nodes that allows authenticated users to inject arbitrary SQL through unescaped identifier values in node configuration parameters. 
Attackers with workflow creation permissions can supply specially crafted table or column names to execute unauthorized database commands and compromise data integrity.","severity":"high","cvss_score":8.2,"cvss_vector":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N","cvss_version":"3.1","tags":["nvd"],"published_at":"2026-06-24T13:16:36.473000Z","last_modified_at":"2026-06-26T02:59:41.310332Z","external_id":"CVE-2026-56351","description":"n8n before version 2.4.0 contains a sql injection vulnerability in MySQL, PostgreSQL, and Microsoft SQL nodes that allows authenticated users to inject arbitrary SQL through unescaped identifier values in node configuration parameters. Attackers with workflow creation permissions can supply specially crafted table or column names to execute unauthorized database commands and compromise data integrity.","affected_products":["cpe:2.3:a:n8n:n8n:*:*:*:*:*:node.js:*:*"],"references":["https://github.com/n8n-io/n8n/security/advisories/GHSA-f3f2-mcxc-pwjx","https://www.vulncheck.com/advisories/n8n-sql-injection-in-mysql-postgresql-and-microsoft-sql-nodes"],"sources":["nvd"],"score":65.0,"score_breakdown":{"technology_match":{"hit":true,"matched":["PostgreSQL"],"points":30},"keyword_match":{"hit":false,"matched":[],"points":0},"cwe_match":{"hit":true,"matched":["CWE-89"],"points":20},"cvss_threshold":{"hit":true,"threshold":7.0,"cvss_score":8.2,"points":15},"priority_boost":{"hit":false,"matched":[],"points":0},"excluded":{"hit":false,"matched":[],"points":0},"kev":{"hit":false,"points":0},"actively_exploited":{"hit":false,"points":0},"ransomware":{"hit":false,"points":0},"multi_source":{"hit":false,"source_count":1,"points":0},"package_match":{"hit":false,"matched":[],"points":0},"raw_total":65,"final_score":65.0},"calculated_at":"2026-06-28T02:00:28.787273Z"},{"id":"6a2f9cac-0627-4189-a920-d1bd6c098043","threat_type":"cve","title":"IBM WebSphere Application Server 8.5 and 9.0 could allow a remote attacker to bypass authentication and 
gain unauthorized access to JAX-WS application","summary":"IBM WebSphere Application Server 8.5 and 9.0 could allow a remote attacker to bypass authentication and gain unauthorized access to JAX-WS applications.","severity":"high","cvss_score":7.3,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L","cvss_version":"3.1","tags":["nvd"],"published_at":"2026-06-22T16:16:32.690000Z","last_modified_at":"2026-06-23T23:08:02.604517Z","external_id":"CVE-2026-10845","description":"IBM WebSphere Application Server 8.5 and 9.0 could allow a remote attacker to bypass authentication and gain unauthorized access to JAX-WS applications.","affected_products":["cpe:2.3:a:ibm:websphere_application_server:*:*:*:*:*:*:*:*","cpe:2.3:o:ibm:aix:-:*:*:*:*:*:*:*","cpe:2.3:o:ibm:i:-:*:*:*:*:*:*:*","cpe:2.3:o:ibm:z\\/os:-:*:*:*:*:*:*:*","cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*","cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*"],"references":["https://www.ibm.com/support/pages/node/7276597"],"sources":["nvd"],"score":65.0,"score_breakdown":{"technology_match":{"hit":true,"matched":["WebSphere"],"points":30},"keyword_match":{"hit":false,"matched":[],"points":0},"cwe_match":{"hit":true,"matched":["CWE-287"],"points":20},"cvss_threshold":{"hit":true,"threshold":7.0,"cvss_score":7.3,"points":15},"priority_boost":{"hit":false,"matched":[],"points":0},"excluded":{"hit":false,"matched":[],"points":0},"kev":{"hit":false,"points":0},"actively_exploited":{"hit":false,"points":0},"ransomware":{"hit":false,"points":0},"multi_source":{"hit":false,"source_count":1,"points":0},"package_match":{"hit":false,"matched":[],"points":0},"raw_total":65,"final_score":65.0},"calculated_at":"2026-06-28T02:00:26.591421Z"},{"id":"fff50c20-991f-42ac-aac8-15e3ede2fcc3","threat_type":"cve","title":"SiYuan is an open-source personal knowledge management system. 
Prior to 3.7.0, it does not escape the untrusted fields (name, version, author, descrip","summary":"SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, it does not escape the untrusted fields (name, version, author, description) when they are serialized into the data-obj HTML attribute of each marketplace card. Because the attribute is single-quoted and the value is produced with JSON.stringify() (which does not escape ', &lt;, or &gt;), a package whose name contains a single quote breaks out of the attribute and injects arbitrary HTML. In the desktop client the main BrowserWindow runs with nodeIntegration: true, contextIsolation: false, so the injected markup escalates from DOM XSS to arbitrary OS command execution. This is the same root cause and same impact as the original advisory, reached through a sibling sink the patch did not cover.  This vulnerability is fixed in 3.7.0.","severity":"critical","cvss_score":9.0,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H","cvss_version":"3.1","tags":["nvd"],"published_at":"2026-06-24T22:16:49.260000Z","last_modified_at":"2026-06-25T15:48:23.870971Z","external_id":"CVE-2026-55570","description":"SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, it does not escape the untrusted fields (name, version, author, description) when they are serialized into the data-obj HTML attribute of each marketplace card. Because the attribute is single-quoted and the value is produced with JSON.stringify() (which does not escape ', &lt;, or &gt;), a package whose name contains a single quote breaks out of the attribute and injects arbitrary HTML. In the desktop client the main BrowserWindow runs with nodeIntegration: true, contextIsolation: false, so the injected markup escalates from DOM XSS to arbitrary OS command execution. This is the same root cause and same impact as the original advisory, reached through a sibling sink the patch did not cover.  
This vulnerability is fixed in 3.7.0.","affected_products":[],"references":["https://github.com/siyuan-note/siyuan/security/advisories/GHSA-x88j-wgpr-h22x"],"sources":["nvd"],"score":60.0,"score_breakdown":{"technology_match":{"hit":false,"matched":[],"points":0},"keyword_match":{"hit":true,"matched":["card"],"points":25},"cwe_match":{"hit":true,"matched":["CWE-79"],"points":20},"cvss_threshold":{"hit":true,"threshold":7.0,"cvss_score":9.0,"points":15},"priority_boost":{"hit":false,"matched":[],"points":0},"excluded":{"hit":false,"matched":[],"points":0},"kev":{"hit":false,"points":0},"actively_exploited":{"hit":false,"points":0},"ransomware":{"hit":false,"points":0},"multi_source":{"hit":false,"source_count":1,"points":0},"package_match":{"hit":false,"matched":[],"points":0},"raw_total":60,"final_score":60.0},"calculated_at":"2026-06-28T02:00:06.055527Z"},{"id":"fc4f53de-bba8-4a3f-b7ab-1f6010e86d97","threat_type":"cve","title":"Kestra is an open-source, event-driven orchestration platform. Prior to 1.3.24, this vulnerability exists in the BasicAuth authentication component of","summary":"Kestra is an open-source, event-driven orchestration platform. Prior to 1.3.24, this vulnerability exists in the BasicAuth authentication component of the Kestra OSS workflow orchestration platform. An attacker who gains read access to the PostgreSQL database can exploit SHA-512's high computation speed to recover the administrator password offline. In Kubernetes deployments, a successful crack further enables reading of the cluster ServiceAccount Token and all K8s Secrets, achieving vertical privilege escalation. 
This vulnerability is fixed in 1.3.24.","severity":"high","cvss_score":8.7,"cvss_vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N","cvss_version":"3.1","tags":["nvd"],"published_at":"2026-06-26T22:16:33.093000Z","last_modified_at":"2026-06-26T22:18:15.274612Z","external_id":"CVE-2026-55069","description":"Kestra is an open-source, event-driven orchestration platform. Prior to 1.3.24, this vulnerability exists in the BasicAuth authentication component of the Kestra OSS workflow orchestration platform. An attacker who gains read access to the PostgreSQL database can exploit SHA-512's high computation speed to recover the administrator password offline. In Kubernetes deployments, a successful crack further enables reading of the cluster ServiceAccount Token and all K8s Secrets, achieving vertical privilege escalation. This vulnerability is fixed in 1.3.24.","affected_products":[],"references":["https://github.com/kestra-io/kestra/security/advisories/GHSA-m727-pcjm-j28h"],"sources":["nvd"],"score":45.0,"score_breakdown":{"technology_match":{"hit":true,"matched":["PostgreSQL"],"points":30},"keyword_match":{"hit":false,"matched":[],"points":0},"cwe_match":{"hit":false,"matched":[],"points":0},"cvss_threshold":{"hit":true,"threshold":7.0,"cvss_score":8.7,"points":15},"priority_boost":{"hit":false,"matched":[],"points":0},"excluded":{"hit":false,"matched":[],"points":0},"kev":{"hit":false,"points":0},"actively_exploited":{"hit":false,"points":0},"ransomware":{"hit":false,"points":0},"multi_source":{"hit":false,"source_count":1,"points":0},"package_match":{"hit":false,"matched":[],"points":0},"raw_total":45,"final_score":45.0},"calculated_at":"2026-06-28T02:00:24.528697Z"},{"id":"1e9df907-d2a1-4e1e-99d9-fedc60f8d400","threat_type":"cve","title":"Unauthenticated Cross Site Request Forgery (CSRF) in FunnelKit Payment Gateway for Stripe WooCommerce &lt;= 1.14.0.3 versions.","summary":"Unauthenticated Cross Site Request Forgery (CSRF) in FunnelKit Payment Gateway for 
Stripe WooCommerce &lt;= 1.14.0.3 versions.","severity":"medium","cvss_score":6.5,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N","cvss_version":"3.1","tags":["nvd"],"published_at":"2026-06-26T15:16:51.030000Z","last_modified_at":"2026-06-26T16:12:26.412262Z","external_id":"CVE-2026-57635","description":"Unauthenticated Cross Site Request Forgery (CSRF) in FunnelKit Payment Gateway for Stripe WooCommerce &lt;= 1.14.0.3 versions.","affected_products":[],"references":["https://patchstack.com/database/wordpress/plugin/funnelkit-stripe-woo-payment-gateway/vulnerability/wordpress-funnelkit-payment-gateway-for-stripe-woocommerce-plugin-1-14-0-3-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"],"sources":["nvd"],"score":45.0,"score_breakdown":{"technology_match":{"hit":false,"matched":[],"points":0},"keyword_match":{"hit":true,"matched":["payment"],"points":25},"cwe_match":{"hit":true,"matched":["CWE-352"],"points":20},"cvss_threshold":{"hit":false,"threshold":7.0,"cvss_score":6.5,"points":0},"priority_boost":{"hit":false,"matched":[],"points":0},"excluded":{"hit":false,"matched":[],"points":0},"kev":{"hit":false,"points":0},"actively_exploited":{"hit":false,"points":0},"ransomware":{"hit":false,"points":0},"multi_source":{"hit":false,"source_count":1,"points":0},"package_match":{"hit":false,"matched":[],"points":0},"raw_total":45,"final_score":45.0},"calculated_at":"2026-06-28T02:00:04.300018Z"},{"id":"c8c6c727-cae2-43f0-9e29-a1c7da74c93c","threat_type":"cve","title":"Zed Attack Proxy (ZAP) ViewState add-on before version 4 contains an insecure deserialization vulnerability that allows attackers who control a proxie","summary":"Zed Attack Proxy (ZAP) ViewState add-on before version 4 contains an insecure deserialization vulnerability that allows attackers who control a proxied web server to achieve arbitrary code execution by embedding a malicious serialized Java object in the javax.faces.ViewState HTTP response parameter. 
The JSFViewState.decode() method base64-decodes the ViewState value and passes it directly to ObjectInputStream.readObject() without a deserialization filter, allowlist, or type restriction, causing the malicious object to be deserialized within the ZAP JVM when the Desktop UI renders the ViewState panel.","severity":"high","cvss_score":8.8,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","cvss_version":"3.1","tags":["nvd"],"published_at":"2026-06-26T15:16:49.587000Z","last_modified_at":"2026-06-26T18:14:22.322608Z","external_id":"CVE-2026-57527","description":"Zed Attack Proxy (ZAP) ViewState add-on before version 4 contains an insecure deserialization vulnerability that allows attackers who control a proxied web server to achieve arbitrary code execution by embedding a malicious serialized Java object in the javax.faces.ViewState HTTP response parameter. The JSFViewState.decode() method base64-decodes the ViewState value and passes it directly to ObjectInputStream.readObject() without a deserialization filter, allowlist, or type restriction, causing the malicious object to be deserialized within the ZAP JVM when the Desktop UI renders the ViewState 
panel.","affected_products":[],"references":["https://github.com/zaproxy/zap-extensions/commit/ac6c3f94d38505bc0facea286a4d3728044c6e5c","https://github.com/zaproxy/zap-extensions/pull/7481","https://github.com/zaproxy/zap-extensions/releases/tag/viewstate-v4","https://www.vulncheck.com/advisories/zap-viewstate-add-on-insecure-deserialization-via-jsfviewstate-decode","https://www.zaproxy.org/blog/2026-06-24-java-deserialization-vulnerability-in-zap-viewstate-addon/"],"sources":["nvd"],"score":45.0,"score_breakdown":{"technology_match":{"hit":true,"matched":["Java"],"points":30},"keyword_match":{"hit":false,"matched":[],"points":0},"cwe_match":{"hit":false,"matched":[],"points":0},"cvss_threshold":{"hit":true,"threshold":7.0,"cvss_score":8.8,"points":15},"priority_boost":{"hit":false,"matched":[],"points":0},"excluded":{"hit":false,"matched":[],"points":0},"kev":{"hit":false,"points":0},"actively_exploited":{"hit":false,"points":0},"ransomware":{"hit":false,"points":0},"multi_source":{"hit":false,"source_count":1,"points":0},"package_match":{"hit":false,"matched":[],"points":0},"raw_total":45,"final_score":45.0},"calculated_at":"2026-06-28T02:00:12.682020Z"},{"id":"705e7ecb-2c47-4351-8532-2cbf8aa21ef5","threat_type":"cve","title":"A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled inpu","summary":"A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the Number Card component.","severity":"unknown","cvss_score":null,"cvss_vector":null,"cvss_version":null,"tags":["nvd"],"published_at":"2026-06-24T16:16:31.857000Z","last_modified_at":"2026-06-25T14:47:42.649720Z","external_id":"CVE-2026-50711","description":"A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the Number Card 
component.","affected_products":[],"references":["https://fluidattacks.com/es/advisories/disturbed","https://github.com/frappe/frappe"],"sources":["nvd"],"score":45.0,"score_breakdown":{"technology_match":{"hit":false,"matched":[],"points":0},"keyword_match":{"hit":true,"matched":["card"],"points":25},"cwe_match":{"hit":true,"matched":["CWE-79"],"points":20},"cvss_threshold":{"hit":false,"threshold":7.0,"cvss_score":null,"points":0},"priority_boost":{"hit":false,"matched":[],"points":0},"excluded":{"hit":false,"matched":[],"points":0},"kev":{"hit":false,"points":0},"actively_exploited":{"hit":false,"points":0},"ransomware":{"hit":false,"points":0},"multi_source":{"hit":false,"source_count":1,"points":0},"package_match":{"hit":false,"matched":[],"points":0},"raw_total":45,"final_score":45.0},"calculated_at":"2026-06-28T02:00:00.828675Z"},{"id":"7370fe9c-a0a8-4bc7-997a-5f1f71003076","threat_type":"cve","title":"A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to unsafe evaluation of user-controlled data in th","summary":"A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to unsafe evaluation of user-controlled data in the Number Card component.","severity":"unknown","cvss_score":null,"cvss_vector":null,"cvss_version":null,"tags":["nvd"],"published_at":"2026-06-24T16:16:31.747000Z","last_modified_at":"2026-06-25T14:47:42.632149Z","external_id":"CVE-2026-50710","description":"A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev due to unsafe evaluation of user-controlled data in the Number Card 
component.","affected_products":[],"references":["https://fluidattacks.com/es/advisories/sum41","https://github.com/frappe/frappe"],"sources":["nvd"],"score":45.0,"score_breakdown":{"technology_match":{"hit":false,"matched":[],"points":0},"keyword_match":{"hit":true,"matched":["card"],"points":25},"cwe_match":{"hit":true,"matched":["CWE-79"],"points":20},"cvss_threshold":{"hit":false,"threshold":7.0,"cvss_score":null,"points":0},"priority_boost":{"hit":false,"matched":[],"points":0},"excluded":{"hit":false,"matched":[],"points":0},"kev":{"hit":false,"points":0},"actively_exploited":{"hit":false,"points":0},"ransomware":{"hit":false,"points":0},"multi_source":{"hit":false,"source_count":1,"points":0},"package_match":{"hit":false,"matched":[],"points":0},"raw_total":45,"final_score":45.0},"calculated_at":"2026-06-28T02:00:01.238418Z"},{"id":"0212f95b-9b7a-48ba-9068-28b984141f6d","threat_type":"cve","title":"jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.10.0 until 2.18.8, 2.21.4, ","summary":"jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.10.0 until 2.18.8, 2.21.4, and 3.1.4, jackson-databind's PolymorphicTypeValidator (PTV) is the primary safety mechanism guarding polymorphic deserialization. When polymorphic typing is enabled and a type identifier contains generic parameters (i.e. the type ID string contains &lt;), DatabindContext._resolveAndValidateGeneric() validates only the raw container class name (the substring before &lt;) against the configured PTV. If the container type is approved, the method parses the full canonical type string via TypeFactory.constructFromCanonical() and returns the fully parameterized type without ever validating the nested type arguments against the PTV. The nested type arguments are then resolved, instantiated, and populated as beans during deserialization. 
An attacker who controls the type ID can therefore place a denied class as a generic type parameter of an allowed container — for example java.util.ArrayList when only java.util.ArrayList is allow-listed. The container passes the PTV check; com.evil.Gadget is loaded via Class.forName(name, true, loader), instantiated, and its properties are set from attacker-controlled JSON. This completely bypasses an explicitly configured PTV allow-list. This vulnerability is fixed in 2.18.8, 2.21.4, and 3.1.4.","severity":"high","cvss_score":8.1,"cvss_vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","cvss_version":"3.1","tags":["nvd"],"published_at":"2026-06-23T21:17:02.203000Z","last_modified_at":"2026-06-27T21:41:17.894464Z","external_id":"CVE-2026-54512","description":"jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.10.0 until 2.18.8, 2.21.4, and 3.1.4, jackson-databind's PolymorphicTypeValidator (PTV) is the primary safety mechanism guarding polymorphic deserialization. When polymorphic typing is enabled and a type identifier contains generic parameters (i.e. the type ID string contains &lt;), DatabindContext._resolveAndValidateGeneric() validates only the raw container class name (the substring before &lt;) against the configured PTV. If the container type is approved, the method parses the full canonical type string via TypeFactory.constructFromCanonical() and returns the fully parameterized type without ever validating the nested type arguments against the PTV. The nested type arguments are then resolved, instantiated, and populated as beans during deserialization. An attacker who controls the type ID can therefore place a denied class as a generic type parameter of an allowed container — for example java.util.ArrayList when only java.util.ArrayList is allow-listed. 
The container passes the PTV check; com.evil.Gadget is loaded via Class.forName(name, true, loader), instantiated, and its properties are set from attacker-controlled JSON. This completely bypasses an explicitly configured PTV allow-list. This vulnerability is fixed in 2.18.8, 2.21.4, and 3.1.4.","affected_products":["cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*"],"references":["https://github.com/FasterXML/jackson-databind/commit/434d6c511de7fdd9872f29157aafb6162d12d8d5","https://github.com/FasterXML/jackson-databind/issues/5988","https://github.com/FasterXML/jackson-databind/security/advisories/GHSA-j3rv-43j4-c7qm"],"sources":["nvd"],"score":45.0,"score_breakdown":{"technology_match":{"hit":true,"matched":["Java"],"points":30},"keyword_match":{"hit":false,"matched":[],"points":0},"cwe_match":{"hit":false,"matched":[],"points":0},"cvss_threshold":{"hit":true,"threshold":7.0,"cvss_score":8.1,"points":15},"priority_boost":{"hit":false,"matched":[],"points":0},"excluded":{"hit":false,"matched":[],"points":0},"kev":{"hit":false,"points":0},"actively_exploited":{"hit":false,"points":0},"ransomware":{"hit":false,"points":0},"multi_source":{"hit":false,"source_count":1,"points":0},"package_match":{"hit":false,"matched":[],"points":0},"raw_total":45,"final_score":45.0},"calculated_at":"2026-06-28T02:00:17.016257Z"},{"id":"10bcad48-d19d-4049-a4ca-da7efb4e35eb","threat_type":"cve","title":"Spring Statemachine's Kryo-based persistence backends (JPA, MongoDB, Redis and ZooKeeper) deserialise persisted state-machine contexts without enforci","summary":"Spring Statemachine's Kryo-based persistence backends (JPA, MongoDB, Redis and ZooKeeper) deserialise persisted state-machine contexts without enforcing a class allowlist (CWE-502, deserialisation of untrusted data), which can lead to remote code execution inside the application JVM.\n\nAffected versions:\nSpring Statemachine 4.0.0 through 4.0.1\nSpring Statemachine 3.2.0 through 
3.2.4","severity":"high","cvss_score":8.8,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","cvss_version":"3.1","tags":["nvd"],"published_at":"2026-06-23T21:16:57.820000Z","last_modified_at":"2026-06-25T19:52:26.820116Z","external_id":"CVE-2026-41862","description":"Spring Statemachine's Kryo-based persistence backends (JPA, MongoDB, Redis and ZooKeeper) deserialise persisted state-machine contexts without enforcing a class allowlist (CWE-502, deserialisation of untrusted data), which can lead to remote code execution inside the application JVM.\n\nAffected versions:\nSpring Statemachine 4.0.0 through 4.0.1\nSpring Statemachine 3.2.0 through 3.2.4","affected_products":[],"references":["https://spring.io/security/cve-2026-41862"],"sources":["nvd"],"score":45.0,"score_breakdown":{"technology_match":{"hit":true,"matched":["Spring"],"points":30},"keyword_match":{"hit":false,"matched":[],"points":0},"cwe_match":{"hit":false,"matched":[],"points":0},"cvss_threshold":{"hit":true,"threshold":7.0,"cvss_score":8.8,"points":15},"priority_boost":{"hit":false,"matched":[],"points":0},"excluded":{"hit":false,"matched":[],"points":0},"kev":{"hit":false,"points":0},"actively_exploited":{"hit":false,"points":0},"ransomware":{"hit":false,"points":0},"multi_source":{"hit":false,"source_count":1,"points":0},"package_match":{"hit":false,"matched":[],"points":0},"raw_total":45,"final_score":45.0},"calculated_at":"2026-06-28T02:00:13.390505Z"}],"stats":{"total_threats":80274,"critical_count":96,"high_count":5,"average_score":13.52,"sources_active":["cisa_kev","github_advisories","nvd"]}}