{"sector":{"id":"saas","name":"SaaS / B2B Cloud","sector":"software","description":"Multi-tenant SaaS providers and cloud-native B2B platforms. Threats relevant\nto public-facing web apps, identity, multi-tenancy and supply chain.","visibility":"public"},"top_24h":[{"id":"7dfec3c4-23f4-4403-bf5c-d95cd65a1f93","threat_type":"cve","title":"The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'booking","summary":"The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'booking_form_page_url' parameter in all versions up to, and including, 5.5.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The malicious activity log entry is written to the database even when Stripe is not configured, because the latepoint_order_intent_created action hook fires before the Stripe Connect account ID is validated, meaning a fully functional Stripe integration is not required for exploitation.","severity":"high","cvss_score":7.2,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N","cvss_version":"3.1","tags":["nvd"],"published_at":"2026-05-06T08:16:04.090000Z","last_modified_at":"2026-05-06T14:04:51.574691Z","external_id":"CVE-2026-7332","description":"The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'booking_form_page_url' parameter in all versions up to, and including, 5.5.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The malicious activity log entry is written to the database even when Stripe is not configured, because the latepoint_order_intent_created action hook fires before the Stripe Connect account ID is validated, meaning a fully functional Stripe integration is not required for exploitation.","affected_products":[],"references":["https://plugins.trac.wordpress.org/browser/latepoint/tags/5.4.1/lib/controllers/activities_controller.php#L214","https://plugins.trac.wordpress.org/browser/latepoint/tags/5.4.1/lib/controllers/stripe_connect_controller.php#L260","https://plugins.trac.wordpress.org/browser/latepoint/tags/5.4.1/lib/helpers/activities_helper.php#L83","https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/controllers/activities_controller.php#L214","https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/controllers/stripe_connect_controller.php#L260","https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/helpers/activities_helper.php#L83","https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/controllers/activities_controller.php#L214","https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/controllers/stripe_connect_controller.php#L260","https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/helpers/activities_helper.php#L83","https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3522933%40latepoint%2Ftrunk&old=3516282%40latepoint%2Ftrunk&sfp_email=&sfph_mail=","https://www.wordfence.com/threat-intel/vulnerabilities/id/c03ddcf0-6955-4645-b311-c3833ca61455?source=cve"],"sources":["nvd"],"score":65.0,"score_breakdown":{"technology_match":{"hit":true,"matched":["Stripe"],"points":30},"keyword_match":{"hit":false,"matched":[],"points":0},"cwe_match":{"hit":true,"matched":["CWE-79"],"points":20},"cvss_threshold":{"hit":true,"threshold":7.0,"cvss_score":7.2,"points":15},"priority_boost":{"hit":false,"matched":[],"points":0},"excluded":{"hit":false,"matched":[],"points":0},"kev":{"hit":false,"points":0},"actively_exploited":{"hit":false,"points":0},"ransomware":{"hit":false,"points":0},"multi_source":{"hit":false,"source_count":1,"points":0},"package_match":{"hit":false,"matched":[],"points":0},"raw_total":65,"final_score":65.0},"calculated_at":"2026-05-06T14:04:56.025564Z"},{"id":"850ae48c-4b0d-4f80-8c52-993d83c56268","threat_type":"cve","title":"Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, the Origin header validation uses Python's re.match() to c","summary":"Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, the Origin header validation uses Python's re.match() to check incoming origins against the allow_origin_pat configuration value. Because re.match() only anchors at the start of the string and does not require a full match, a pattern intended to match only a trusted domain (e.g., trusted.example.com) will also match any origin that begins with that domain followed by additional characters (e.g., trusted.example.com.evil.com). An attacker who controls such a domain can bypass the CORS origin restriction and make cross-origin requests to the Jupyter Server API from an untrusted site. This issue has been fixed in version 2.18.0.","severity":"unknown","cvss_score":null,"cvss_vector":null,"cvss_version":null,"tags":["nvd"],"published_at":"2026-05-05T22:16:00.663000Z","last_modified_at":"2026-05-05T22:49:38.083470Z","external_id":"CVE-2026-40110","description":"Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, the Origin header validation uses Python's re.match() to check incoming origins against the allow_origin_pat configuration value. Because re.match() only anchors at the start of the string and does not require a full match, a pattern intended to match only a trusted domain (e.g., trusted.example.com) will also match any origin that begins with that domain followed by additional characters (e.g., trusted.example.com.evil.com). An attacker who controls such a domain can bypass the CORS origin restriction and make cross-origin requests to the Jupyter Server API from an untrusted site. This issue has been fixed in version 2.18.0.","affected_products":[],"references":["https://github.com/jupyter-server/jupyter_server/commit/057869a327c46730afede3eab0ca2d2e3e74acea","https://github.com/jupyter-server/jupyter_server/commit/49b34392feaa97735b3b777e3baf8f22f2a14ed8","https://github.com/jupyter-server/jupyter_server/pull/603","https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-24qx-w28j-9m6p"],"sources":["nvd"],"score":55.0,"score_breakdown":{"technology_match":{"hit":true,"matched":["Python"],"points":30},"keyword_match":{"hit":true,"matched":["api"],"points":25},"cwe_match":{"hit":false,"matched":[],"points":0},"cvss_threshold":{"hit":false,"threshold":7.0,"cvss_score":null,"points":0},"priority_boost":{"hit":false,"matched":[],"points":0},"excluded":{"hit":false,"matched":[],"points":0},"kev":{"hit":false,"points":0},"actively_exploited":{"hit":false,"points":0},"ransomware":{"hit":false,"points":0},"multi_source":{"hit":false,"source_count":1,"points":0},"package_match":{"hit":false,"matched":[],"points":0},"raw_total":55,"final_score":55.0},"calculated_at":"2026-05-06T02:00:16.331264Z"},{"id":"006bc809-89ee-468b-b6ba-83509f9f3da1","threat_type":"cve","title":"Twenty is an open source CRM built with NestJS (Node.js). In versions 1.18.0 and earlier, the SSRF protection in twenty-server's SecureHttpClientServi","summary":"Twenty is an open source CRM built with NestJS (Node.js). In versions 1.18.0 and earlier, the SSRF protection in twenty-server's SecureHttpClientService can be bypassed using IPv4-mapped IPv6 addresses in URL IP literals. Node.js's URL parser normalizes IPv4-mapped IPv6 addresses to compressed hex form (e.g., ::ffff:169.254.169.254 becomes ::ffff:a9fe:a9fe), but the isPrivateIp utility only recognizes the dotted-decimal notation. As a result, the hex form passes the SSRF check unchecked. Additionally, the socket lookup validation event does not fire for IP literal addresses, bypassing the second validation layer. An authenticated user can reach any internal IP, including cloud metadata endpoints, to exfiltrate credentials such as IAM keys.","severity":"unknown","cvss_score":null,"cvss_vector":null,"cvss_version":null,"tags":["nvd"],"published_at":"2026-05-05T20:16:36.777000Z","last_modified_at":"2026-05-05T20:47:40.417450Z","external_id":"CVE-2026-33975","description":"Twenty is an open source CRM built with NestJS (Node.js). In versions 1.18.0 and earlier, the SSRF protection in twenty-server's SecureHttpClientService can be bypassed using IPv4-mapped IPv6 addresses in URL IP literals. Node.js's URL parser normalizes IPv4-mapped IPv6 addresses to compressed hex form (e.g., ::ffff:169.254.169.254 becomes ::ffff:a9fe:a9fe), but the isPrivateIp utility only recognizes the dotted-decimal notation. As a result, the hex form passes the SSRF check unchecked. Additionally, the socket lookup validation event does not fire for IP literal addresses, bypassing the second validation layer. An authenticated user can reach any internal IP, including cloud metadata endpoints, to exfiltrate credentials such as IAM keys.","affected_products":[],"references":["https://github.com/twentyhq/twenty/security/advisories/GHSA-vrcj-hv2q-c58m"],"sources":["nvd"],"score":50.0,"score_breakdown":{"technology_match":{"hit":true,"matched":["Node.js"],"points":30},"keyword_match":{"hit":false,"matched":[],"points":0},"cwe_match":{"hit":true,"matched":["CWE-918"],"points":20},"cvss_threshold":{"hit":false,"threshold":7.0,"cvss_score":null,"points":0},"priority_boost":{"hit":false,"matched":[],"points":0},"excluded":{"hit":false,"matched":[],"points":0},"kev":{"hit":false,"points":0},"actively_exploited":{"hit":false,"points":0},"ransomware":{"hit":false,"points":0},"multi_source":{"hit":false,"source_count":1,"points":0},"package_match":{"hit":false,"matched":[],"points":0},"raw_total":50,"final_score":50.0},"calculated_at":"2026-05-06T02:00:16.085123Z"},{"id":"8747cd08-0545-4a69-960d-e0bafb485278","threat_type":"cve","title":"SQLBot is an intelligent Text-to-SQL system based on large language models and RAG. In versions 1.7.0 and earlier, the Text2SQL chat interface is vuln","summary":"SQLBot is an intelligent Text-to-SQL system based on large language models and RAG. In versions 1.7.0 and earlier, the Text2SQL chat interface is vulnerable to prompt injection. The user-provided question parameter is directly concatenated into the LLM prompt without filtering or escaping, and the SQL extracted from the LLM response is executed against the database without validation or sanitization. An authenticated attacker can craft a malicious question to manipulate the LLM into generating and executing arbitrary SQL statements. When connected to a PostgreSQL data source, this can lead to remote code execution via COPY FROM PROGRAM. This issue has been fixed in version 1.7.1.","severity":"unknown","cvss_score":null,"cvss_vector":null,"cvss_version":null,"tags":["nvd"],"published_at":"2026-05-05T20:16:36.317000Z","last_modified_at":"2026-05-05T20:47:40.316371Z","external_id":"CVE-2026-33324","description":"SQLBot is an intelligent Text-to-SQL system based on large language models and RAG. In versions 1.7.0 and earlier, the Text2SQL chat interface is vulnerable to prompt injection. The user-provided question parameter is directly concatenated into the LLM prompt without filtering or escaping, and the SQL extracted from the LLM response is executed against the database without validation or sanitization. An authenticated attacker can craft a malicious question to manipulate the LLM into generating and executing arbitrary SQL statements. When connected to a PostgreSQL data source, this can lead to remote code execution via COPY FROM PROGRAM. This issue has been fixed in version 1.7.1.","affected_products":[],"references":["https://github.com/dataease/SQLBot/security/advisories/GHSA-q2q6-gqqh-4xrx"],"sources":["nvd"],"score":50.0,"score_breakdown":{"technology_match":{"hit":true,"matched":["PostgreSQL"],"points":30},"keyword_match":{"hit":false,"matched":[],"points":0},"cwe_match":{"hit":true,"matched":["CWE-89"],"points":20},"cvss_threshold":{"hit":false,"threshold":7.0,"cvss_score":null,"points":0},"priority_boost":{"hit":false,"matched":[],"points":0},"excluded":{"hit":false,"matched":[],"points":0},"kev":{"hit":false,"points":0},"actively_exploited":{"hit":false,"points":0},"ransomware":{"hit":false,"points":0},"multi_source":{"hit":false,"source_count":1,"points":0},"package_match":{"hit":false,"matched":[],"points":0},"raw_total":50,"final_score":50.0},"calculated_at":"2026-05-06T02:00:16.039787Z"},{"id":"3a5480a2-77bb-4b5a-ad0b-3974316b4ddd","threat_type":"cve","title":"An authorization bypass (CWE-639) in the GetUserRoles gRPC API endpoint in Velocidex Velociraptor below version 0.76.5 allows any authenticated low-pr","summary":"An authorization bypass (CWE-639) in the GetUserRoles gRPC API endpoint in Velocidex Velociraptor below version 0.76.5 allows any authenticated low-privilege user to retrieve the complete ACL policy (roles and permissions) for any user across all organizations by supplying targeted Name and Org parameters via a network request.","severity":"medium","cvss_score":5.0,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N","cvss_version":"3.1","tags":["nvd"],"published_at":"2026-05-06T03:15:59.440000Z","last_modified_at":"2026-05-06T03:54:37.967919Z","external_id":"CVE-2026-7573","description":"An authorization bypass (CWE-639) in the GetUserRoles gRPC API endpoint in Velocidex Velociraptor below version 0.76.5 allows any authenticated low-privilege user to retrieve the complete ACL policy (roles and permissions) for any user across all organizations by supplying targeted Name and Org parameters via a network request.","affected_products":[],"references":["https://docs.velociraptor.app/announcements/advisories/cve-2026-7573/"],"sources":["nvd"],"score":45.0,"score_breakdown":{"technology_match":{"hit":false,"matched":[],"points":0},"keyword_match":{"hit":true,"matched":["api"],"points":25},"cwe_match":{"hit":true,"matched":["CWE-639"],"points":20},"cvss_threshold":{"hit":false,"threshold":7.0,"cvss_score":5.0,"points":0},"priority_boost":{"hit":false,"matched":[],"points":0},"excluded":{"hit":false,"matched":[],"points":0},"kev":{"hit":false,"points":0},"actively_exploited":{"hit":false,"points":0},"ransomware":{"hit":false,"points":0},"multi_source":{"hit":false,"source_count":1,"points":0},"package_match":{"hit":false,"matched":[],"points":0},"raw_total":45,"final_score":45.0},"calculated_at":"2026-05-06T03:54:38.058614Z"},{"id":"6f9cadff-78a0-4166-934f-8ed84a1b76cf","threat_type":"cve","title":"Dify before version 1.14.0 contains an authorization bypass vulnerability that allows authenticated users to read the full contents of files uploaded ","summary":"Dify before version 1.14.0 contains an authorization bypass vulnerability that allows authenticated users to read the full contents of files uploaded by other users within the same tenant by supplying an arbitrary file UUID in the files array of a chat-messages request. Attackers can exploit insufficient permission verification in the chat-messages endpoints to access files without ownership validation, bypassing workspace separation and signed URL protections to retrieve sensitive file contents through workflow processing.","severity":"medium","cvss_score":6.5,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","cvss_version":"3.1","tags":["nvd"],"published_at":"2026-05-05T21:16:23.233000Z","last_modified_at":"2026-05-06T14:04:51.387985Z","external_id":"CVE-2026-41950","description":"Dify before version 1.14.0 contains an authorization bypass vulnerability that allows authenticated users to read the full contents of files uploaded by other users within the same tenant by supplying an arbitrary file UUID in the files array of a chat-messages request. Attackers can exploit insufficient permission verification in the chat-messages endpoints to access files without ownership validation, bypassing workspace separation and signed URL protections to retrieve sensitive file contents through workflow processing.","affected_products":[],"references":["https://github.com/langgenius/dify/releases/tag/1.14.0","https://huntr.com/bounties/181136ec-d957-4b75-8ea7-6fa7b8abd01d","https://www.vulncheck.com/advisories/dify-authorization-bypass-via-file-uuid"],"sources":["nvd"],"score":45.0,"score_breakdown":{"technology_match":{"hit":false,"matched":[],"points":0},"keyword_match":{"hit":true,"matched":["tenant"],"points":25},"cwe_match":{"hit":true,"matched":["CWE-639"],"points":20},"cvss_threshold":{"hit":false,"threshold":7.0,"cvss_score":6.5,"points":0},"priority_boost":{"hit":false,"matched":[],"points":0},"excluded":{"hit":false,"matched":[],"points":0},"kev":{"hit":false,"points":0},"actively_exploited":{"hit":false,"points":0},"ransomware":{"hit":false,"points":0},"multi_source":{"hit":false,"source_count":1,"points":0},"package_match":{"hit":false,"matched":[],"points":0},"raw_total":45,"final_score":45.0},"calculated_at":"2026-05-06T14:04:56.016727Z"},{"id":"4d451624-49ff-489d-91c7-e42e287bab1f","threat_type":"cve","title":"Gotenberg is an API-based document conversion tool. In version 8.29.1, an unauthenticated attacker with network access can force the server to make ou","summary":"Gotenberg is an API-based document conversion tool. In version 8.29.1, an unauthenticated attacker with network access can force the server to make outbound HTTP POST requests to arbitrary internal or external destinations by supplying a crafted URL in the Gotenberg-Webhook-Url request header. The FilterDeadline function in filter.go is intended to gate outbound URLs, but when both the allow-list and deny-list are empty (the default configuration), it returns nil unconditionally and permits any URL. \n\nThis is a blind SSRF: Gotenberg POSTs the converted document to the webhook URL and only checks whether the response status code is an error, but never returns the target's response body to the attacker. An attacker can use this to probe internal network infrastructure by observing whether the error callback is invoked, force POST requests against internal services that perform side effects, and confirm reachability of cloud metadata endpoints. The retryable HTTP client issues up to 4 automatic retries per request, amplifying each probe.\n\nThis issue has been fixed in version 8.31.0. As a workaround, configure the GOTENBERG_API_WEBHOOK_ALLOW_LIST environment variable to restrict webhook URLs to known receivers, or set GOTENBERG_API_WEBHOOK_DENY_LIST to block RFC-1918 and link-local address ranges.","severity":"unknown","cvss_score":null,"cvss_vector":null,"cvss_version":null,"tags":["nvd"],"published_at":"2026-05-05T21:16:22.397000Z","last_modified_at":"2026-05-05T21:48:38.594383Z","external_id":"CVE-2026-39383","description":"Gotenberg is an API-based document conversion tool. In version 8.29.1, an unauthenticated attacker with network access can force the server to make outbound HTTP POST requests to arbitrary internal or external destinations by supplying a crafted URL in the Gotenberg-Webhook-Url request header. The FilterDeadline function in filter.go is intended to gate outbound URLs, but when both the allow-list and deny-list are empty (the default configuration), it returns nil unconditionally and permits any URL. \n\nThis is a blind SSRF: Gotenberg POSTs the converted document to the webhook URL and only checks whether the response status code is an error, but never returns the target's response body to the attacker. An attacker can use this to probe internal network infrastructure by observing whether the error callback is invoked, force POST requests against internal services that perform side effects, and confirm reachability of cloud metadata endpoints. The retryable HTTP client issues up to 4 automatic retries per request, amplifying each probe.\n\nThis issue has been fixed in version 8.31.0. As a workaround, configure the GOTENBERG_API_WEBHOOK_ALLOW_LIST environment variable to restrict webhook URLs to known receivers, or set GOTENBERG_API_WEBHOOK_DENY_LIST to block RFC-1918 and link-local address ranges.","affected_products":[],"references":["https://github.com/gotenberg/gotenberg/security/advisories/GHSA-5vh4-rgv7-p9g4"],"sources":["nvd"],"score":45.0,"score_breakdown":{"technology_match":{"hit":false,"matched":[],"points":0},"keyword_match":{"hit":true,"matched":["api","webhook"],"points":25},"cwe_match":{"hit":true,"matched":["CWE-918"],"points":20},"cvss_threshold":{"hit":false,"threshold":7.0,"cvss_score":null,"points":0},"priority_boost":{"hit":false,"matched":[],"points":0},"excluded":{"hit":false,"matched":[],"points":0},"kev":{"hit":false,"points":0},"actively_exploited":{"hit":false,"points":0},"ransomware":{"hit":false,"points":0},"multi_source":{"hit":false,"source_count":1,"points":0},"package_match":{"hit":false,"matched":[],"points":0},"raw_total":45,"final_score":45.0},"calculated_at":"2026-05-06T02:00:16.266104Z"},{"id":"f9822397-a661-402b-8d3d-c400dfef5ac3","threat_type":"cve","title":"Masa CMS is an open source content management system. In versions 7.2.0 through 7.2.9, 7.3.0 through 7.3.14, 7.4.0 through 7.4.9, and 7.5.0 through 7.","summary":"Masa CMS is an open source content management system. In versions 7.2.0 through 7.2.9, 7.3.0 through 7.3.14, 7.4.0 through 7.4.9, and 7.5.0 through 7.5.2, the unauthenticated JSON API accepts an altTable parameter that is stored via the setAltTable() method without validation or sanitization. This value is injected directly into a SQL FROM clause within feedGateway.cfc. An unauthenticated attacker can pass an arbitrary subquery into the altTable parameter to read sensitive data from any table in the database in a single HTTP request, including administrative credentials and password reset tokens.\n\nThis issue has been fixed in versions 7.2.10, 7.3.15, 7.4.10, and 7.5.3. As a workaround, apply validation to the setAltTable function in core/mura/content/feed/feedBean.cfc to restrict input to simple alphanumeric table names, or disable the JSON API if it is not required.","severity":"unknown","cvss_score":null,"cvss_vector":null,"cvss_version":null,"tags":["nvd"],"published_at":"2026-05-05T20:16:39.113000Z","last_modified_at":"2026-05-05T20:47:40.751718Z","external_id":"CVE-2026-40331","description":"Masa CMS is an open source content management system. In versions 7.2.0 through 7.2.9, 7.3.0 through 7.3.14, 7.4.0 through 7.4.9, and 7.5.0 through 7.5.2, the unauthenticated JSON API accepts an altTable parameter that is stored via the setAltTable() method without validation or sanitization. This value is injected directly into a SQL FROM clause within feedGateway.cfc. An unauthenticated attacker can pass an arbitrary subquery into the altTable parameter to read sensitive data from any table in the database in a single HTTP request, including administrative credentials and password reset tokens.\n\nThis issue has been fixed in versions 7.2.10, 7.3.15, 7.4.10, and 7.5.3. As a workaround, apply validation to the setAltTable function in core/mura/content/feed/feedBean.cfc to restrict input to simple alphanumeric table names, or disable the JSON API if it is not required.","affected_products":[],"references":["https://github.com/MasaCMS/MasaCMS/security/advisories/GHSA-jphh-r686-6w7j"],"sources":["nvd"],"score":45.0,"score_breakdown":{"technology_match":{"hit":false,"matched":[],"points":0},"keyword_match":{"hit":true,"matched":["api"],"points":25},"cwe_match":{"hit":true,"matched":["CWE-89"],"points":20},"cvss_threshold":{"hit":false,"threshold":7.0,"cvss_score":null,"points":0},"priority_boost":{"hit":false,"matched":[],"points":0},"excluded":{"hit":false,"matched":[],"points":0},"kev":{"hit":false,"points":0},"actively_exploited":{"hit":false,"points":0},"ransomware":{"hit":false,"points":0},"multi_source":{"hit":false,"source_count":1,"points":0},"package_match":{"hit":false,"matched":[],"points":0},"raw_total":45,"final_score":45.0},"calculated_at":"2026-05-06T02:00:16.101643Z"},{"id":"31596f3e-a668-4d57-9aba-08c524552083","threat_type":"cve","title":"Gotenberg is an API-based document conversion tool. In versions 8.30.1 and earlier, the default private-IP deny-lists for the --webhook-deny-list and ","summary":"Gotenberg is an API-based document conversion tool. In versions 8.30.1 and earlier, the default private-IP deny-lists for the --webhook-deny-list and --api-download-from-deny-list flags use a case-sensitive regular expression (^https?://) to match URL schemes. Because Go's net/url.Parse() normalizes the scheme to lowercase before establishing the outbound TCP connection, an attacker can bypass the deny-list by simply capitalizing part of the URL scheme (e.g., HTTP://, HTTPS://, or Http://). This allows unauthenticated requests to reach internal network services, including private IP ranges, loopback addresses, and cloud instance metadata endpoints such as HTTP://169.254.169.254/latest/meta-data/. \n\nThis bypasses the same security control that was patched in CVE-2026-27018.\n\nThis issue has been fixed in version 8.31.0.","severity":"unknown","cvss_score":null,"cvss_vector":null,"cvss_version":null,"tags":["nvd"],"published_at":"2026-05-05T20:16:38.633000Z","last_modified_at":"2026-05-05T20:47:40.686439Z","external_id":"CVE-2026-40280","description":"Gotenberg is an API-based document conversion tool. In versions 8.30.1 and earlier, the default private-IP deny-lists for the --webhook-deny-list and --api-download-from-deny-list flags use a case-sensitive regular expression (^https?://) to match URL schemes. Because Go's net/url.Parse() normalizes the scheme to lowercase before establishing the outbound TCP connection, an attacker can bypass the deny-list by simply capitalizing part of the URL scheme (e.g., HTTP://, HTTPS://, or Http://). This allows unauthenticated requests to reach internal network services, including private IP ranges, loopback addresses, and cloud instance metadata endpoints such as HTTP://169.254.169.254/latest/meta-data/. \n\nThis bypasses the same security control that was patched in CVE-2026-27018.\n\nThis issue has been fixed in version 8.31.0.","affected_products":[],"references":["https://github.com/advisories/GHSA-jjwv-57xh-xr6r","https://github.com/gotenberg/gotenberg/commit/3f01ca18d3cc21375a1e2da4b5a3f261c8548e47","https://github.com/gotenberg/gotenberg/security/advisories/GHSA-5q7p-7jgv-ww56"],"sources":["nvd"],"score":45.0,"score_breakdown":{"technology_match":{"hit":false,"matched":[],"points":0},"keyword_match":{"hit":true,"matched":["api","webhook"],"points":25},"cwe_match":{"hit":true,"matched":["CWE-918"],"points":20},"cvss_threshold":{"hit":false,"threshold":7.0,"cvss_score":null,"points":0},"priority_boost":{"hit":false,"matched":[],"points":0},"excluded":{"hit":false,"matched":[],"points":0},"kev":{"hit":false,"points":0},"actively_exploited":{"hit":false,"points":0},"ransomware":{"hit":false,"points":0},"multi_source":{"hit":false,"source_count":1,"points":0},"package_match":{"hit":false,"matched":[],"points":0},"raw_total":45,"final_score":45.0},"calculated_at":"2026-05-06T02:00:16.055617Z"},{"id":"27276106-8d9b-43a9-af83-4ac655fb5e30","threat_type":"cve","title":"Redis is an in-memory data structure store. In redis-server from 7.2.0 until 8.6.3, the unblock client flow does not handle an error return from `proc","summary":"Redis is an in-memory data structure store. In redis-server from 7.2.0 until 8.6.3, the unblock client flow does not handle an error return from `processCommandAndResetClient` when re-executing a blocked command. If a blocked client is evicted during this flow, an authenticated attacker can trigger a use-after-free that may lead to remote code execution. This has been patched in version 8.6.3.","severity":"high","cvss_score":8.8,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","cvss_version":"3.1","tags":["nvd"],"published_at":"2026-05-05T17:17:02.577000Z","last_modified_at":"2026-05-06T16:06:39.411885Z","external_id":"CVE-2026-23479","description":"Redis is an in-memory data structure store. In redis-server from 7.2.0 until 8.6.3, the unblock client flow does not handle an error return from `processCommandAndResetClient` when re-executing a blocked command. If a blocked client is evicted during this flow, an authenticated attacker can trigger a use-after-free that may lead to remote code execution. This has been patched in version 8.6.3.","affected_products":["cpe:2.3:a:redis:redis:*:*:*:*:*:*:*:*"],"references":["https://github.com/redis/redis/releases/tag/8.6.3","https://github.com/redis/redis/security/advisories/GHSA-93m2-935m-8rj3"],"sources":["nvd"],"score":45.0,"score_breakdown":{"technology_match":{"hit":true,"matched":["Redis"],"points":30},"keyword_match":{"hit":false,"matched":[],"points":0},"cwe_match":{"hit":false,"matched":[],"points":0},"cvss_threshold":{"hit":true,"threshold":7.0,"cvss_score":8.8,"points":15},"priority_boost":{"hit":false,"matched":[],"points":0},"excluded":{"hit":false,"matched":[],"points":0},"kev":{"hit":false,"points":0},"actively_exploited":{"hit":false,"points":0},"ransomware":{"hit":false,"points":0},"multi_source":{"hit":false,"source_count":1,"points":0},"package_match":{"hit":false,"matched":[],"points":0},"raw_total":45,"final_score":45.0},"calculated_at":"2026-05-06T16:06:39.953197Z"}],"top_7d":[{"id":"0da69b0c-abe3-484a-af6c-cc3bd2432dc7","threat_type":"cve","title":"cPanel and WHM versions after 11.40 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to g","summary":"cPanel and WHM versions after 11.40 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.","severity":"critical","cvss_score":9.8,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","cvss_version":"3.1","tags":["nvd","kev","actively-exploited","ransomware"],"published_at":"2026-04-29T22:17:34.339369Z","last_modified_at":"2026-05-06T15:23:37.677810Z","external_id":"CVE-2026-41940","description":"cPanel and WHM versions after 11.40 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.","affected_products":["cpe:2.3:a:cpanel:cpanel:*:*:*:*:*:*:*:*","cpe:2.3:a:cpanel:whm:*:*:*:*:*:*:*:*","cpe:2.3:a:cpanel:wp_squared:*:*:*:*:*:wordpress:*:*"],"references":["https://docs.cpanel.net/release-notes/release-notes","https://docs.wpsquared.com/changelogs/versions/changelog/#13617","https://support.cpanel.net/hc/en-us/articles/40073787579671-cPanel-WHM-Security-Update-04-28-2026","https://www.namecheap.com/status-updates/ongoing-critical-security-vulnerability-in-cpanel-april-28-2026","https://www.vulncheck.com/advisories/cpanel-and-whm-authentication-bypass-via-login-flow","https://labs.watchtowr.com/the-internet-is-falling-down-falling-down-falling-down-cpanel-whm-authentication-bypass-cve-2026-41940/","https://www.bleepingcomputer.com/news/security/critrical-cpanel-flaw-mass-exploited-in-sorry-ransomware-attacks/","https://github.com/watchtowrlabs/watchTowr-vs-cPanel-WHM-AuthBypass-to-RCE.py","https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-41940"],"sources":["nvd","cisa_kev"],"score":75.0,"score_breakdown":{"technology_match":{"hit":false,"matched":[],"points":0},"keyword_match":{"hit":false,"matched":[],"points":0},"cwe_match":{"hit":false,"matched":[],"points":0},"cvss_threshold":{"hit":true,"threshold":7.0,"cvss_score":9.8,"points":15},"priority_boost":{"hit":false,"matched":[],"points":0},"excluded":{"hit":false,"matched":[],"points":0},"kev":{"hit":true,"points":25},"actively_exploited":{"hit":true,"points":15},"ransomware":{"hit":true,"points":15},"multi_source":{"hit":true,"source_count":2,"points":5},"package_match":{"hit":false,"matched":[],"points":0},"raw_total":75,"final_score":75.0},"calculated_at":"2026-05-06T15:24:16.023863Z"},{"id":"240b7d40-bcee-4a15-8267-4a658ba5c08a","threat_type":"cve","title":"Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.8, nginx-ui exposes a backup restore endpoint (POST /api/restore) that","summary":"Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.8, nginx-ui exposes a backup restore endpoint (POST /api/restore) that is completely unauthenticated during the first 10 minutes after process startup on any fresh installation. An unauthenticated remote attacker can upload a crafted backup archive that overwrites the application's configuration file (app.ini) and SQLite database. Because the attacker controls the restored app.ini, they can inject an arbitrary OS command into the TestConfigCmd setting. After the application automatically restarts to apply the restored config, a single follow-up request triggers that command as the user running nginx-ui — typically root in Docker deployments. This issue has been patched in version 2.3.8.","severity":"critical","cvss_score":9.8,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","cvss_version":"3.1","tags":["nvd"],"published_at":"2026-05-04T21:16:32.707000Z","last_modified_at":"2026-05-06T15:05:39.062489Z","external_id":"CVE-2026-42238","description":"Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.8, nginx-ui exposes a backup restore endpoint (POST /api/restore) that is completely unauthenticated during the first 10 minutes after process startup on any fresh installation. An unauthenticated remote attacker can upload a crafted backup archive that overwrites the application's configuration file (app.ini) and SQLite database. Because the attacker controls the restored app.ini, they can inject an arbitrary OS command into the TestConfigCmd setting. After the application automatically restarts to apply the restored config, a single follow-up request triggers that command as the user running nginx-ui — typically root in Docker deployments. This issue has been patched in version 2.3.8.","affected_products":["cpe:2.3:a:nginxui:nginx_ui:*:*:*:*:*:*:*:*"],"references":["https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.8","https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-4pvg-prr3-9cxr"],"sources":["nvd"],"score":70.0,"score_breakdown":{"technology_match":{"hit":true,"matched":["Docker"],"points":30},"keyword_match":{"hit":true,"matched":["api"],"points":25},"cwe_match":{"hit":false,"matched":[],"points":0},"cvss_threshold":{"hit":true,"threshold":7.0,"cvss_score":9.8,"points":15},"priority_boost":{"hit":false,"matched":[],"points":0},"excluded":{"hit":false,"matched":[],"points":0},"kev":{"hit":false,"points":0},"actively_exploited":{"hit":false,"points":0},"ransomware":{"hit":false,"points":0},"multi_source":{"hit":false,"source_count":1,"points":0},"package_match":{"hit":false,"matched":[],"points":0},"raw_total":70,"final_score":70.0},"calculated_at":"2026-05-06T15:05:39.307206Z"},{"id":"2885632a-6946-44c2-9f27-4958c1f0aedb","threat_type":"cve","title":"Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the client_secret field in the Azure AD r","summary":"Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the client_secret field in the Azure AD remote write OAuth configuration (storage/remote/azuread) was typed as string instead of Secret. Prometheus redacts fields of type Secret when serving the configuration via the /-/config HTTP API endpoint. Because the field was a plain string, the Azure OAuth client secret was exposed in plaintext to any user or process with access to that endpoint. This issue has been patched in versions 3.5.3 and 3.11.3.","severity":"high","cvss_score":7.5,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","cvss_version":"3.1","tags":["nvd"],"published_at":"2026-05-04T19:16:04.220000Z","last_modified_at":"2026-05-04T19:22:39.242285Z","external_id":"CVE-2026-42151","description":"Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the client_secret field in the Azure AD remote write OAuth configuration (storage/remote/azuread) was typed as string instead of Secret. Prometheus redacts fields of type Secret when serving the configuration via the /-/config HTTP API endpoint. Because the field was a plain string, the Azure OAuth client secret was exposed in plaintext to any user or process with access to that endpoint. This issue has been patched in versions 3.5.3 and 3.11.3.","affected_products":[],"references":["https://github.com/prometheus/prometheus/pull/18587","https://github.com/prometheus/prometheus/pull/18590","https://github.com/prometheus/prometheus/releases/tag/v3.11.3","https://github.com/prometheus/prometheus/releases/tag/v3.5.3","https://github.com/prometheus/prometheus/security/advisories/GHSA-wg65-39gg-5wfj"],"sources":["nvd"],"score":70.0,"score_breakdown":{"technology_match":{"hit":true,"matched":["Azure"],"points":30},"keyword_match":{"hit":true,"matched":["api","oauth"],"points":25},"cwe_match":{"hit":false,"matched":[],"points":0},"cvss_threshold":{"hit":true,"threshold":7.0,"cvss_score":7.5,"points":15},"priority_boost":{"hit":false,"matched":[],"points":0},"excluded":{"hit":false,"matched":[],"points":0},"kev":{"hit":false,"points":0},"actively_exploited":{"hit":false,"points":0},"ransomware":{"hit":false,"points":0},"multi_source":{"hit":false,"source_count":1,"points":0},"package_match":{"hit":false,"matched":[],"points":0},"raw_total":70,"final_score":70.0},"calculated_at":"2026-05-06T02:00:14.361738Z"},{"id":"7fae1896-3865-4e91-a52f-7cc06e6e36c2","threat_type":"cve","title":"OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. Prior to version 7.0.0-rc3, th","summary":"OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. Prior to version 7.0.0-rc3, the Script Runner widget allows users to execute Python and Ruby scripts directly from the openc3-COSMOS-script-runner-api container. Because all the docker containers share a network, users can execute specially crafted scripts to bypass the API permissions check and perform administrative actions, including reading and modifying data inside the Redis database, which can be used to read secrets and change COSMOS settings, as well as read and write to the buckets service, which holds configuration, log, and plugin files. These actions are normally only available from the Admin Console or with administrative privileges. Any user with permission to create and run scripts can connect to any service in the docker network. This issue has been patched in version 7.0.0-rc3.","severity":"critical","cvss_score":9.6,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N","cvss_version":"3.1","tags":["nvd"],"published_at":"2026-05-04T18:16:31.007000Z","last_modified_at":"2026-05-04T20:23:38.419960Z","external_id":"CVE-2026-42088","description":"OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. Prior to version 7.0.0-rc3, the Script Runner widget allows users to execute Python and Ruby scripts directly from the openc3-COSMOS-script-runner-api container. Because all the docker containers share a network, users can execute specially crafted scripts to bypass the API permissions check and perform administrative actions, including reading and modifying data inside the Redis database, which can be used to read secrets and change COSMOS settings, as well as read and write to the buckets service, which holds configuration, log, and plugin files. These actions are normally only available from the Admin Console or with administrative privileges. Any user with permission to create and run scripts can connect to any service in the docker network. This issue has been patched in version 7.0.0-rc3.","affected_products":[],"references":["https://github.com/OpenC3/cosmos/releases/tag/v7.0.0","https://github.com/OpenC3/cosmos/releases/tag/v7.0.0-rc3","https://github.com/OpenC3/cosmos/security/advisories/GHSA-2wvh-87g2-89hr"],"sources":["nvd"],"score":70.0,"score_breakdown":{"technology_match":{"hit":true,"matched":["Python","Redis","Docker"],"points":30},"keyword_match":{"hit":true,"matched":["api"],"points":25},"cwe_match":{"hit":false,"matched":[],"points":0},"cvss_threshold":{"hit":true,"threshold":7.0,"cvss_score":9.6,"points":15},"priority_boost":{"hit":false,"matched":[],"points":0},"excluded":{"hit":false,"matched":[],"points":0},"kev":{"hit":false,"points":0},"actively_exploited":{"hit":false,"points":0},"ransomware":{"hit":false,"points":0},"multi_source":{"hit":false,"source_count":1,"points":0},"package_match":{"hit":false,"matched":[],"points":0},"raw_total":70,"final_score":70.0},"calculated_at":"2026-05-06T02:00:14.145613Z"},{"id":"174ddf52-ba07-47aa-9ccc-c042b6a7f014","threat_type":"cve","title":"The Paid Memberships Pro plugin for WordPress is vulnerable to unauthorized modification and disruption of Stripe webhook configuration in all version","summary":"The Paid Memberships Pro plugin for WordPress is vulnerable to unauthorized modification and disruption of Stripe webhook configuration in all versions up to, and including, 3.6.5. This is due to missing capability checks on the `wp_ajax_pmpro_stripe_create_webhook`, `wp_ajax_pmpro_stripe_delete_webhook`, and `wp_ajax_pmpro_stripe_rebuild_webhook` AJAX handlers. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete, create, or rebuild the site's Stripe webhook, disrupting all payment processing, subscription renewal synchronization, cancellation handling, and failed payment management.","severity":"high","cvss_score":7.1,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H","cvss_version":"3.1","tags":["nvd"],"published_at":"2026-05-02T12:16:16.477000Z","last_modified_at":"2026-05-05T19:46:39.988762Z","external_id":"CVE-2026-4100","description":"The Paid Memberships Pro plugin for WordPress is vulnerable to unauthorized modification and disruption of Stripe webhook configuration in all versions up to, and including, 3.6.5. This is due to missing capability checks on the `wp_ajax_pmpro_stripe_create_webhook`, `wp_ajax_pmpro_stripe_delete_webhook`, and `wp_ajax_pmpro_stripe_rebuild_webhook` AJAX handlers. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete, create, or rebuild the site's Stripe webhook, disrupting all payment processing, subscription renewal synchronization, cancellation handling, and failed payment management.","affected_products":[],"references":["https://github.com/strangerstudios/paid-memberships-pro/pull/3615","https://www.wordfence.com/threat-intel/vulnerabilities/id/5b333a3d-e416-42aa-9722-5406df0a64b3?source=cve"],"sources":["nvd"],"score":70.0,"score_breakdown":{"technology_match":{"hit":true,"matched":["Stripe"],"points":30},"keyword_match":{"hit":true,"matched":["webhook"],"points":25},"cwe_match":{"hit":false,"matched":[],"points":0},"cvss_threshold":{"hit":true,"threshold":7.0,"cvss_score":7.1,"points":15},"priority_boost":{"hit":false,"matched":[],"points":0},"excluded":{"hit":false,"matched":[],"points":0},"kev":{"hit":false,"points":0},"actively_exploited":{"hit":false,"points":0},"ransomware":{"hit":false,"points":0},"multi_source":{"hit":false,"source_count":1,"points":0},"package_match":{"hit":false,"matched":[],"points":0},"raw_total":70,"final_score":70.0},"calculated_at":"2026-05-06T02:00:10.333160Z"},{"id":"43eee7ae-9bfb-43f7-962d-065a77028801","threat_type":"cve","title":"The Otter Blocks plugin for WordPress is vulnerable to Purchase Verification Bypass in all versions up to, and including, 3.1.4. This is due to the 'g","summary":"The Otter Blocks plugin for WordPress is vulnerable to Purchase Verification Bypass in all versions up to, and including, 3.1.4. This is due to the 'get_customer_data' method relying on an unsigned 'o_stripe_data' cookie to determine Stripe product ownership for unauthenticated users. The 'check_purchase' method trusts this cookie data without performing server-side verification against the Stripe API for one-time 'payment' mode purchases. This makes it possible for unauthenticated attackers to bypass Stripe purchase-gated content visibility conditions by forging the 'o_stripe_data' cookie with a target product ID, which is publicly exposed in the checkout block's HTML source.","severity":"high","cvss_score":7.5,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","cvss_version":"3.1","tags":["nvd"],"published_at":"2026-04-30T14:16:29.760000Z","last_modified_at":"2026-04-30T20:52:00.050131Z","external_id":"CVE-2026-2892","description":"The Otter Blocks plugin for WordPress is vulnerable to Purchase Verification Bypass in all versions up to, and including, 3.1.4. This is due to the 'get_customer_data' method relying on an unsigned 'o_stripe_data' cookie to determine Stripe product ownership for unauthenticated users. The 'check_purchase' method trusts this cookie data without performing server-side verification against the Stripe API for one-time 'payment' mode purchases. This makes it possible for unauthenticated attackers to bypass Stripe purchase-gated content visibility conditions by forging the 'o_stripe_data' cookie with a target product ID, which is publicly exposed in the checkout block's HTML source.","affected_products":[],"references":["https://plugins.trac.wordpress.org/browser/otter-blocks/trunk/inc/plugins/class-block-conditions.php#L274","https://plugins.trac.wordpress.org/browser/otter-blocks/trunk/inc/plugins/class-stripe-api.php#L260","https://plugins.trac.wordpress.org/browser/otter-blocks/trunk/inc/plugins/class-stripe-api.php#L284","https://plugins.trac.wordpress.org/changeset/3471326/","https://www.wordfence.com/threat-intel/vulnerabilities/id/3443950f-1f94-4e0b-8906-1a9b9602a746?source=cve"],"sources":["nvd"],"score":70.0,"score_breakdown":{"technology_match":{"hit":true,"matched":["Stripe"],"points":30},"keyword_match":{"hit":true,"matched":["api"],"points":25},"cwe_match":{"hit":false,"matched":[],"points":0},"cvss_threshold":{"hit":true,"threshold":7.0,"cvss_score":7.5,"points":15},"priority_boost":{"hit":false,"matched":[],"points":0},"excluded":{"hit":false,"matched":[],"points":0},"kev":{"hit":false,"points":0},"actively_exploited":{"hit":false,"points":0},"ransomware":{"hit":false,"points":0},"multi_source":{"hit":false,"source_count":1,"points":0},"package_match":{"hit":false,"matched":[],"points":0},"raw_total":70,"final_score":70.0},"calculated_at":"2026-05-06T02:00:08.564734Z"},{"id":"96184186-25c6-4380-b827-b028e7d4d661","threat_type":"cve","title":"AgentFlow contains an arbitrary code execution vulnerability that allows attackers to execute local Python pipeline files by supplying a user-controll","summary":"AgentFlow contains an arbitrary code execution vulnerability that allows attackers to execute local Python pipeline files by supplying a user-controlled pipeline_path parameter to the POST /api/runs and POST /api/runs/validate endpoints. Attackers can induce requests to the local AgentFlow API to load and execute existing Python pipeline files on disk, resulting in code execution in the context of the user running AgentFlow.","severity":"high","cvss_score":8.8,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","cvss_version":"3.1","tags":["nvd"],"published_at":"2026-04-29T22:17:34.339369Z","last_modified_at":"2026-04-30T20:51:56.615684Z","external_id":"CVE-2026-7466","description":"AgentFlow contains an arbitrary code execution vulnerability that allows attackers to execute local Python pipeline files by supplying a user-controlled pipeline_path parameter to the POST /api/runs and POST /api/runs/validate endpoints. Attackers can induce requests to the local AgentFlow API to load and execute existing Python pipeline files on disk, resulting in code execution in the context of the user running AgentFlow.","affected_products":[],"references":["https://github.com/berabuddies/agentflow/pull/18","https://github.com/berabuddies/agentflow/pull/18/changes/7e61b6ce846b3d700456e4874394dc868905a9f2","https://www.vulncheck.com/advisories/agentflow-arbitrary-python-pipeline-execution-via-pipeline-path"],"sources":["nvd"],"score":70.0,"score_breakdown":{"technology_match":{"hit":true,"matched":["Python"],"points":30},"keyword_match":{"hit":true,"matched":["api"],"points":25},"cwe_match":{"hit":false,"matched":[],"points":0},"cvss_threshold":{"hit":true,"threshold":7.0,"cvss_score":8.8,"points":15},"priority_boost":{"hit":false,"matched":[],"points":0},"excluded":{"hit":false,"matched":[],"points":0},"kev":{"hit":false,"points":0},"actively_exploited":{"hit":false,"points":0},"ransomware":{"hit":false,"points":0},"multi_source":{"hit":false,"source_count":1,"points":0},"package_match":{"hit":false,"matched":[],"points":0},"raw_total":70,"final_score":70.0},"calculated_at":"2026-05-06T02:00:20.355581Z"},{"id":"7dfec3c4-23f4-4403-bf5c-d95cd65a1f93","threat_type":"cve","title":"The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'booking","summary":"The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'booking_form_page_url' parameter in all versions up to, and including, 5.5.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The malicious activity log entry is written to the database even when Stripe is not configured, because the latepoint_order_intent_created action hook fires before the Stripe Connect account ID is validated, meaning a fully functional Stripe integration is not required for exploitation.","severity":"high","cvss_score":7.2,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N","cvss_version":"3.1","tags":["nvd"],"published_at":"2026-05-06T08:16:04.090000Z","last_modified_at":"2026-05-06T14:04:51.574691Z","external_id":"CVE-2026-7332","description":"The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'booking_form_page_url' parameter in all versions up to, and including, 5.5.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The malicious activity log entry is written to the database even when Stripe is not configured, because the latepoint_order_intent_created action hook fires before the Stripe Connect account ID is validated, meaning a fully functional Stripe integration is not required for exploitation.","affected_products":[],"references":["https://plugins.trac.wordpress.org/browser/latepoint/tags/5.4.1/lib/controllers/activities_controller.php#L214","https://plugins.trac.wordpress.org/browser/latepoint/tags/5.4.1/lib/controllers/stripe_connect_controller.php#L260","https://plugins.trac.wordpress.org/browser/latepoint/tags/5.4.1/lib/helpers/activities_helper.php#L83","https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/controllers/activities_controller.php#L214","https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/controllers/stripe_connect_controller.php#L260","https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/helpers/activities_helper.php#L83","https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/controllers/activities_controller.php#L214","https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/controllers/stripe_connect_controller.php#L260","https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/helpers/activities_helper.php#L83","https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3522933%40latepoint%2Ftrunk&old=3516282%40latepoint%2Ftrunk&sfp_email=&sfph_mail=","https://www.wordfence.com/threat-intel/vulnerabilities/id/c03ddcf0-6955-4645-b311-c3833ca61455?source=cve"],"sources":["nvd"],"score":65.0,"score_breakdown":{"technology_match":{"hit":true,"matched":["Stripe"],"points":30},"keyword_match":{"hit":false,"matched":[],"points":0},"cwe_match":{"hit":true,"matched":["CWE-79"],"points":20},"cvss_threshold":{"hit":true,"threshold":7.0,"cvss_score":7.2,"points":15},"priority_boost":{"hit":false,"matched":[],"points":0},"excluded":{"hit":false,"matched":[],"points":0},"kev":{"hit":false,"points":0},"actively_exploited":{"hit":false,"points":0},"ransomware":{"hit":false,"points":0},"multi_source":{"hit":false,"source_count":1,"points":0},"package_match":{"hit":false,"matched":[],"points":0},"raw_total":65,"final_score":65.0},"calculated_at":"2026-05-06T14:04:56.025564Z"},{"id":"beadc32e-6d54-4c78-96ed-51e4d564cb10","threat_type":"cve","title":"n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, a flaw in the SeaTable node's row:search and row:g","summary":"n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, a flaw in the SeaTable node's row:search and row:get operations allowed user-controlled input to be concatenated directly into SQL query strings without escaping or parameterization. In workflows where external user input is passed via expressions into the SeaTable node's search or row retrieval parameters, an attacker could manipulate the constructed query to retrieve unintended rows from the connected SeaTable base, bypassing row-level filtering logic implemented in the workflow. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1.","severity":"high","cvss_score":8.8,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","cvss_version":"3.1","tags":["nvd"],"published_at":"2026-05-04T19:16:05.060000Z","last_modified_at":"2026-05-06T15:05:38.972724Z","external_id":"CVE-2026-42229","description":"n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, a flaw in the SeaTable node's row:search and row:get operations allowed user-controlled input to be concatenated directly into SQL query strings without escaping or parameterization. In workflows where external user input is passed via expressions into the SeaTable node's search or row retrieval parameters, an attacker could manipulate the constructed query to retrieve unintended rows from the connected SeaTable base, bypassing row-level filtering logic implemented in the workflow. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1.","affected_products":["cpe:2.3:a:n8n:n8n:*:*:*:*:enterprise:node.js:*:*","cpe:2.3:a:n8n:n8n:2.18.0:*:*:*:enterprise:node.js:*:*"],"references":["https://github.com/n8n-io/n8n/security/advisories/GHSA-mp4j-h6gh-f6mp"],"sources":["nvd"],"score":65.0,"score_breakdown":{"technology_match":{"hit":true,"matched":["Node.js"],"points":30},"keyword_match":{"hit":false,"matched":[],"points":0},"cwe_match":{"hit":true,"matched":["CWE-89"],"points":20},"cvss_threshold":{"hit":true,"threshold":7.0,"cvss_score":8.8,"points":15},"priority_boost":{"hit":false,"matched":[],"points":0},"excluded":{"hit":false,"matched":[],"points":0},"kev":{"hit":false,"points":0},"actively_exploited":{"hit":false,"points":0},"ransomware":{"hit":false,"points":0},"multi_source":{"hit":false,"source_count":1,"points":0},"package_match":{"hit":false,"matched":[],"points":0},"raw_total":65,"final_score":65.0},"calculated_at":"2026-05-06T15:05:39.289221Z"},{"id":"2247635e-d5b3-4590-a52f-3bf6ee95bc7e","threat_type":"cve","title":"The Brizy – Page Builder plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting in all versions up to, and including, 2.8.1","summary":"The Brizy – Page Builder plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting in all versions up to, and including, 2.8.11 This is due to a combination of missing nonce verification for unauthenticated form submissions, insufficient handling of FileUpload fields when no file is uploaded, and the reversal of security encoding via html_entity_decode() followed by unescaped output in the admin view. The submit_form() function skips nonce verification for non-logged-in users (api.php:198). The handleFileTypeFields() function fails to overwrite user-supplied values when no file is attached. While htmlentities() is applied during storage, html_entity_decode() reverses this on display (form-entries.php:79). The form-data.php template outputs FileUpload values directly in href attributes without esc_url(). This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute when an administrator views the form Leads page.","severity":"high","cvss_score":7.2,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N","cvss_version":"3.1","tags":["nvd"],"published_at":"2026-05-02T09:16:22.477000Z","last_modified_at":"2026-05-05T19:46:39.740863Z","external_id":"CVE-2026-5324","description":"The Brizy – Page Builder plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting in all versions up to, and including, 2.8.11 This is due to a combination of missing nonce verification for unauthenticated form submissions, insufficient handling of FileUpload fields when no file is uploaded, and the reversal of security encoding via html_entity_decode() followed by unescaped output in the admin view. The submit_form() function skips nonce verification for non-logged-in users (api.php:198). The handleFileTypeFields() function fails to overwrite user-supplied values when no file is attached. While htmlentities() is applied during storage, html_entity_decode() reverses this on display (form-entries.php:79). The form-data.php template outputs FileUpload values directly in href attributes without esc_url(). This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute when an administrator views the form Leads page.","affected_products":[],"references":["https://plugins.trac.wordpress.org/browser/brizy/tags/2.7.24/admin/form-entries.php#L79","https://plugins.trac.wordpress.org/browser/brizy/tags/2.7.24/admin/views/form-data.php#L11","https://plugins.trac.wordpress.org/browser/brizy/tags/2.7.24/editor/forms/api.php#L198","https://plugins.trac.wordpress.org/browser/brizy/tags/2.7.24/editor/forms/api.php#L295","https://plugins.trac.wordpress.org/browser/brizy/trunk/admin/views/form-data.php#L11","https://plugins.trac.wordpress.org/changeset/3502206/brizy/trunk/admin/views/form-data.php","https://plugins.trac.wordpress.org/changeset?old_path=%2Fbrizy/tags/2.8.11&new_path=%2Fbrizy/tags/2.8.12","https://www.wordfence.com/threat-intel/vulnerabilities/id/78ec499e-5edd-4f11-9090-f79868864fee?source=cve"],"sources":["nvd"],"score":60.0,"score_breakdown":{"technology_match":{"hit":false,"matched":[],"points":0},"keyword_match":{"hit":true,"matched":["api"],"points":25},"cwe_match":{"hit":true,"matched":["CWE-79"],"points":20},"cvss_threshold":{"hit":true,"threshold":7.0,"cvss_score":7.2,"points":15},"priority_boost":{"hit":false,"matched":[],"points":0},"excluded":{"hit":false,"matched":[],"points":0},"kev":{"hit":false,"points":0},"actively_exploited":{"hit":false,"points":0},"ransomware":{"hit":false,"points":0},"multi_source":{"hit":false,"source_count":1,"points":0},"package_match":{"hit":false,"matched":[],"points":0},"raw_total":60,"final_score":60.0},"calculated_at":"2026-05-06T02:00:09.644483Z"}],"stats":{"total_threats":28771,"critical_count":31,"high_count":10,"average_score":13.83,"sources_active":["nvd","cisa_kev"]}}