Ping7 Site Map
All Ping7 pages for search and human browsing
A crawl-friendly map of the main Ping7 routes, free tools, CVE self-check pages, and recovery guides. The XML sitemap remains at /sitemap.xml.
Main pages
- Home - Ping7 homepage and main security tools.
- Am I Affected? - Start a free affected-version check from a domain or URL.
- Free Site Scan - Quick public checks for security and availability signals.
- CVE Dashboard - Tracked CVEs sorted by date, severity, product, and exploitation signal.
- CVE Lookup - Search Ping7's tracked CVE coverage by CVE ID.
- CVE Repair - Patch, cleanup, and compromise review help for owned systems.
- Guides - CVE self-checks, recovery guides, and network troubleshooting articles.
- All Tools - Free network, website, and developer tools.
- GitHub Tools - Open-source and GitHub-focused utility entry point.
- Contact - Send repair details, CVE IDs, and incident context.
Free tools
- cPanel CVE Checker - Detect cPanel/WHM fingerprints and .sorry ransomware indicators from the public web. Links to CVE-2026-41940 self-check.
- NGINX CVE Checker - Check public Server headers for NGINX Rift (CVE-2026-42945) vulnerable versions ≤ 1.30.0.
- WordPress CVE Checker - Enter a WordPress URL to detect tracked plugin CVEs from public readme versions. Passive external check against Ping7's watchlist.
- Website Security Scorecard - Audit any website in 10 seconds. Get an A-F grade across SSL, security headers, HTTPS redirects, and response health.
- Website Speed Test - Test any website's page speed with Google Lighthouse. Get Core Web Vitals (LCP, CLS, TBT) and an overall performance score for mobile and desktop.
- Free Ping Test - Run a free online HTTP ping test to measure website response time, average latency, and reachability.
- Free IP Leak Test - Run a free IP leak test to check whether your public IP, browser language, and network hints match your VPN or proxy.
- Is Website Down Checker - Check if a website is down or reachable and see HTTP status, response time, redirects, and final URL.
- What Is My IP Address - Find your public IP address, visible country or region, ASN, browser language, user agent, and network metadata.
- IP Address Lookup - Look up IP location, country or region, ASN, network owner, and organization details for a public IP address.
- IP Blacklist Check - Check whether a public IPv4 address appears on common DNSBL blacklist providers for spam or abuse signals.
- HTTP Status Code Checker - Check HTTP status codes, response time, redirect path, and final destination for any public URL.
- Security Headers Generator - Generate ready-to-paste HTTP security headers for Nginx, Apache, Cloudflare, Express, or IIS. Pick a hardening level (basic/strict/maximum) and copy.
- Robots.txt Generator - Generate a robots.txt file for any site type (blog, store, SaaS, docs). Choose which crawlers to allow, which paths to disallow, and add your sitemap URL.
- HTTP Header Checker - Check HTTP response headers, security headers, cache headers, server headers, redirects, and final URL.
- URL Redirect Checker - Check URL redirects, 301 and 302 responses, redirect chains, and final destination URLs.
- Free SSL Checker - Check SSL certificate details, issuer, expiration date, grade, alternative names, and TLS information for a domain.
- Domain Value Estimator - Estimate any domain's market value. Algorithm scores TLD, length, keywords, character mix, and brand-ability into a $ price range.
- Whois Lookup - Look up domain registration dates, expiration date, nameservers, status, and public RDAP registry details.
- Reverse DNS Lookup - Look up PTR records and reverse DNS hostnames for a public IPv4 or IPv6 address.
- User Agent Checker - Check your browser user agent, platform, language, screen size, and basic client hints.
- DNS Checker - Check DNS records online, including A, AAAA, MX, TXT, and NS records through DNS over HTTPS.
- JSON Validator - Validate, format, and minify JSON directly in your browser.
- Timestamp Converter - Convert Unix timestamps to readable dates and back.
- Aspect Ratio Calculator - Calculate image and video ratios, dimensions, and common presets.
- Case Converter - Convert text into lower, upper, title, sentence, camel, kebab, and snake case.
- Markdown Table Generator - Generate clean Markdown tables with custom rows and columns.
- Word Counter - Count words, characters, sentences, paragraphs, and reading time in real time.
- Password Generator - Generate strong random passwords with custom length, character types, and entropy estimate.
- Base64 Encoder / Decoder - Encode text to Base64 or decode Base64 back to text. UTF-8 safe, runs in your browser.
- URL Encoder / Decoder - Encode special characters for URLs or decode percent-encoded strings back to readable text.
- AI Token Counter - Estimate GPT, Claude, and Gemini token usage and API cost for prompts and completions.
CVE self-check guides
- Page Builder CK: CVE-2026-56290 / CVE-2026-49048 / CVE-2026-49049 - CVSS 10.0. CVE-2026-56290 affects the Page Builder CK Joomla extension. Joomla owners should patch the extension, restrict administrative access, preserve logs, and review uploaded files and extension state.
- Paid Videochat Turnkey Site: CVE-2026-57331 / CVE-2026-57320 / CVE-2026-57332 / CVE-2026-57333 / CVE-2026-57336 / CVE-2026-57337 / CVE-2026-57338 / CVE-2026-57346 / CVE-2026-57340 / CVE-2026-57341 - CVSS 9.9. CVE-2026-57331 affects Paid Videochat Turnkey Site <= 7.4.8. Site owners should patch the component, preserve logs, and review files and performer accounts before closing the issue.
- FrontAccounting: CVE-2026-40521 / CVE-2026-40523 / CVE-2026-40522 / CVE-2026-56124 / CVE-2026-13559 - CVSS 8.8. CVE-2026-40521 affects FrontAccounting before 2.4.20. Owners should patch supported deployments, remove unsupported public exposure, preserve logs, and review attachment uploads and web-root file changes.
- yashpokharna2555 restaurent-management-system: CVE-2026-13498 / CVE-2026-13529 - CVSS 7.5. CVE-2026-13498 affects the yashpokharna2555 restaurent-management-system project, which does not publish fixed version metadata. Owners should remove public exposure, review forgot-password activity, preserve database logs, and migrate away from the unsupported code path.
- Eclipse tinydtls: CVE-2026-9267 / CVE-2026-13601 - CVSS 7.1. CVE-2026-9267 affects Eclipse tinydtls. Operators should patch affected packages, avoid exposing vulnerable components, and review DTLS service logs and embedded device stability.
- CVE-2026-58053: Gitea act_runner - Docker backend container hardening bypass - CVSS 9.9. CVE-2026-58053 affects Gitea act_runner deployments that use the Docker backend through act 0.262.0. Owners should restrict who can run workflows, review Docker runner configuration, isolate runners from production hosts, and apply vendor hardening guidance.
- Invoice Generator: CVE-2026-12415 / CVE-2026-8095 / CVE-2026-11783 - CVSS 9.8. CVE-2026-12415 affects the Invoice Generator plugin for WordPress through 1.0.0. Site owners should patch or disable the plugin, review administrator email changes, password reset events, and new sessions before closing the incident.
- Kestra: CVE-2026-53576 / CVE-2026-54350 / CVE-2026-46386 / CVE-2026-45405 / CVE-2026-45406 / CVE-2026-45408 / CVE-2026-54636 / CVE-2026-55069 / CVE-2026-52783 / CVE-2026-49486 / CVE-2026-55413 / CVE-2026-55477 - CVSS 10.0. CVE-2026-53576 affects Kestra. Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, the authentication filter for the REST API (@Filter("/api/v1/**")) treats any request whose path ends in /configs as the public i... Patch the affected deployment and review workflow and admin logs.
- Booster for WooCommerce: CVE-2026-56027 / CVE-2026-56058 / CVE-2026-56059 / CVE-2026-56028 / CVE-2026-56030 / CVE-2026-56032 / CVE-2026-56033 / CVE-2026-56057 / CVE-2026-54820 / CVE-2026-54825 / CVE-2026-54827 / CVE-2026-54831 / CVE-2026-56034 / CVE-2026-56036 / CVE-2026-56062 / CVE-2026-56067 / CVE-2026-56068 / CVE-2026-56070 / CVE-2026-57658 / CVE-2025-68052 / CVE-2026-56008 / CVE-2026-56010 / CVE-2026-56038 / CVE-2026-56055 / CVE-2026-57659 / CVE-2026-56035 / CVE-2026-56064 / CVE-2026-57315 / CVE-2026-57636 / CVE-2026-57642 / CVE-2026-57643 / CVE-2026-57644 / CVE-2026-57653 / CVE-2026-57662 / CVE-2026-57663 / CVE-2026-57667 / CVE-2026-56063 / CVE-2026-57655 / CVE-2026-56031 / CVE-2026-57645 / CVE-2026-57700 / CVE-2026-54823 / CVE-2026-54836 / CVE-2026-54843 / CVE-2026-54849 / CVE-2026-56053 / CVE-2026-54822 / CVE-2026-54838 / CVE-2026-56049 / CVE-2026-54848 / CVE-2026-54842 / CVE-2026-54845 - CVSS 10.0. CVE-2026-56027 affects Booster for WooCommerce <= 8.0.1. Site owners should patch the component, preserve logs, and review files and uploads before closing the issue.
- ExpressUpdate Agent: CVE-2026-8797 / CVE-2026-46752 / CVE-2026-41566 / CVE-2026-56091 / CVE-2026-38637 / CVE-2026-38640 - CVSS 10.0. CVE-2026-8797 affects ExpressUpdate Agent. An access control deficiency vulnerability exists in ExpressUpdate Agent for Windows. If a malicious user gains access to the product, arbitrary code could be executed with SYSTEM privileges. Patch the affected deployment and review component presence.
- Genshi Template Engine: CVE-2026-0685 / CVE-2026-57878 / CVE-2026-57879 / CVE-2026-57880 / CVE-2026-57881 / CVE-2026-57518 / CVE-2026-57877 / CVE-2026-57872 / CVE-2026-57873 / CVE-2026-57874 / CVE-2026-57875 / CVE-2026-57876 / CVE-2026-45233 / CVE-2026-37149 / CVE-2026-40083 / CVE-2026-40084 / CVE-2026-40080 / CVE-2026-39900 - CVSS 9.8. CVE-2026-0685 affects Genshi Template Engine. Server-side template injection (SSTI) in the expression evaluation component in Genshi Template Engine version 0.7.9 allows a remote attacker to achieve remote code execution (RCE) via crafted template expressions. Patch the affected deployment and review web and app logs.
- Node.js: CVE-2026-48930 / CVE-2026-48618 / CVE-2026-48615 / CVE-2026-48619 / CVE-2026-48933 - CVSS 9.8. CVE-2026-48930 affects Node.js. A flaw in Node.js TLS hostname handling means embedded-nul hostnames can lead to silent authority rebinding due to C-string truncation in resolver bindings. Patch the affected deployment and review runtime logs.
- Apache IoTDB: CVE-2025-55017 / CVE-2025-64152 / CVE-2026-57915 / CVE-2026-11310 / CVE-2026-11999 / CVE-2026-55961 / CVE-2026-55964 - CVSS 9.1. CVE-2025-55017 affects Apache IoTDB. Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache IoTDB. Patch the affected deployment and review trust and service logs.
- SupportCandy: CVE-2026-54826 / CVE-2026-57628 / CVE-2026-57631 / CVE-2025-68063 / CVE-2025-68064 / CVE-2026-54824 / CVE-2026-54832 / CVE-2026-54834 / CVE-2026-54835 / CVE-2026-54837 / CVE-2026-54839 / CVE-2026-54846 / CVE-2026-54847 / CVE-2026-56025 / CVE-2026-56029 / CVE-2026-56060 / CVE-2026-56061 / CVE-2026-56069 / CVE-2026-57647 / CVE-2026-54833 / CVE-2026-54840 / CVE-2026-56011 / CVE-2026-56039 / CVE-2026-56040 / CVE-2026-56041 / CVE-2026-56043 / CVE-2026-56044 / CVE-2026-56045 / CVE-2026-56047 / CVE-2026-56072 / CVE-2026-57312 / CVE-2026-57314 / CVE-2026-57317 / CVE-2026-57319 / CVE-2026-57321 / CVE-2026-57322 / CVE-2026-57325 / CVE-2026-1869 / CVE-2026-52701 / CVE-2026-56048 / CVE-2026-57635 / CVE-2026-56054 / CVE-2026-12937 / CVE-2026-27366 / CVE-2026-54828 / CVE-2026-54829 / CVE-2026-54830 / CVE-2026-54841 / CVE-2026-54844 / CVE-2026-9702 / CVE-2026-54821 / CVE-2026-56005 / CVE-2026-56006 / CVE-2026-56014 / CVE-2026-56042 / CVE-2026-56051 / CVE-2026-56071 / CVE-2026-56013 / CVE-2026-56050 - CVSS 7.7. CVE-2026-54826 affects SupportCandy <= 3.4.6. Site owners should patch the component, preserve logs, and review users and access before closing the issue.
- Rapid7 InsightConnect Sed Plugin: CVE-2026-9155 / CVE-2026-9154 / CVE-2026-8592 / CVE-2026-8665 - CVSS 8.8. CVE-2026-9155 affects the Rapid7 InsightConnect Sed Plugin on Linux. Review workflow runs, connector permissions, input sources, generated artifacts, and runner logs before re-enabling affected automation.
- CVE-2026-13311: shell-quote - parse() event-loop denial of service risk - CVSS 8.7. CVE-2026-13311 affects shell-quote before 1.8.5. Node.js services that pass untrusted text into parse() should update dependency locks and review request timeout or event-loop stall evidence.
- GitLab: CVE-2026-10712 / CVE-2026-12053 / CVE-2026-10086 - CVSS 8.7. CVE-2026-10712 is covered by GitLab's 2026-06-25 patch release. Check the deployed branch, apply the fixed release, and review project activity, user sessions, and sensitive output exposure where relevant.
- CVE-2026-12077: Dokan Pro - unauthenticated SQL injection data exposure risk - CVSS 7.5. CVE-2026-12077 affects Dokan Pro for WordPress through 5.0.4. Marketplace owners should patch, review vendor/store pages, database errors, and unusual requests around location-based filtering.
- GeoVision GV-I/O Box 4E: CVE-2026-12485 / CVE-2026-12846 / CVE-2026-12847 / CVE-2026-12848 / CVE-2026-12486 / CVE-2026-12849 / CVE-2026-12850 / CVE-2026-12851 - CVSS 10.0. CVE-2026-12485 affects GeoVision GV-I/O Box 4E devices covered by the June 2026 Talos advisories. Device owners should isolate management access, apply vendor firmware guidance, and review network or relay configuration changes.
- Appsmith: CVE-2026-55454 / CVE-2026-50189 / CVE-2026-33235 / CVE-2026-52794 - CVSS 9.9. CVE-2026-55454 affects Appsmith before 2.1. Review Caddy configuration changes, SSRF exposure, and low-privilege user activity after upgrading.
- Cacti: CVE-2026-39955 / CVE-2026-39948 / CVE-2026-40079 / CVE-2026-39899 - CVSS 9.8. CVE-2026-39955 affects Cacti 1.2.30 and earlier. Upgrade to 1.2.31, review guest graph viewing exposure, database errors, and graph_view.php access logs.
- Crawl4AI: CVE-2026-56262 / CVE-2026-53753 / CVE-2026-53754 / CVE-2026-56265 - CVSS 9.8. CVE-2026-56262 affects Crawl4AI before 0.8.7. Operators should patch, require authentication, review monitor endpoint access, and preserve crawl service logs.
- Invoice Generator: CVE-2026-12416 / CVE-2026-12417 / CVE-2026-4297 / CVE-2026-7761 - CVSS 9.8. CVE-2026-12416 affects the WordPress Invoice Generator plugin through 1.0.0. Site owners should patch or remove the plugin, review administrator password reset activity, and rotate credentials if account changes look suspicious.
- Ghost CMS: CVE-2026-53943 / CVE-2026-53949 / CVE-2026-53947 - CVSS 9.6. CVE-2026-53943 affects Ghost before 6.37.0 in shared-cache deployments. Review cache rules, preview headers, staff sessions, and frontend/admin domain separation.
- FOSSBilling: CVE-2026-33543 / CVE-2026-28496 / CVE-2026-45135 / CVE-2026-52845 - CVSS 9.4. CVE-2026-33543 affects FOSSBilling 0.7.2 and earlier. Upgrade to 0.8.0, review staff accounts, API logs, billing templates, and payment integrations.
- Rocket.Chat: CVE-2026-45688 / CVE-2026-45689 / CVE-2026-45687 - CVSS 9.1. CVE-2026-45688 affects Rocket.Chat before 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11. Review SSO login events and active sessions after patching.
- n8n: CVE-2026-56351 / CVE-2026-44792 / CVE-2026-54313 / CVE-2026-54018 / CVE-2026-54019 - CVSS 8.9. CVE-2026-56351 affects n8n before 2.4.0 in MySQL, PostgreSQL, and Microsoft SQL nodes. Review workflow editors, SQL node configuration, database logs, and connected credentials.
- Unraid: CVE-2026-9772 / CVE-2026-9773 - CVSS 8.8. CVE-2026-9772 affects Unraid web administration paths where authenticated access can lead to command execution. Restrict admin access, patch, and review plugin, upload, and process activity.
- Jenkins: CVE-2026-57280 / CVE-2026-57281 / CVE-2026-57296 / CVE-2026-57301 / CVE-2026-57303 - CVSS 8.8. CVE-2026-57280 affects a Jenkins plugin covered by the 2026-06-24 advisory. Patch the plugin, review permissions, and preserve controller logs before cleanup.
- AdRotate Banner Manager: CVE-2026-12242 / CVE-2026-9710 / CVE-2026-10735 / CVE-2026-10749 - CVSS 8.8. CVE-2026-12242 affects AdRotate Banner Manager through 5.17.7 when certain cache support settings are enabled. Review shortcode content, cache settings, and contributor activity.
- CVE-2026-2050: GIMP / GEGL - HDR file parsing heap overflow risk - CVSS 7.8. CVE-2026-2050 affects GIMP HDR file parsing through the GEGL image processing path. Desktop fleets should update packages and review workflows that open untrusted HDR files.
- CVE-2026-11998: AngularJS - SCE resource URL bypass risk - CVSS 7.6. CVE-2026-11998 affects AngularJS 1.2.0-rc.3 and later in Strict Contextual Escaping resource URL policy handling. Review legacy AngularJS apps, trusted resource URL rules, and migration plans.
- ClearSale Total: CVE-2026-8705 / CVE-2026-56052 / CVE-2026-9178 / CVE-2026-9179 / CVE-2026-9612 - CVSS 7.6. CVE-2026-8705 affects ClearSale Total through 3.4.2. Stores should patch or remove the plugin, confirm the PHP runtime state, and review WooCommerce payment and plugin logs.
- Email JavaScript Cloak: CVE-2026-10091 / CVE-2026-10092 / CVE-2026-12095 / CVE-2026-12100 / CVE-2026-9643 / CVE-2026-3652 - CVSS 7.2. CVE-2026-10091 affects Email JavaScript Cloak through 1.03. Review contributor posts, shortcode usage, administrator visits, and changed pages after patching.
- CVE-2026-47110: Tiptap for PHP - malformed link attribute denial of service - CVSS 7.1. CVE-2026-47110 affects Tiptap for PHP before 2.1.1. Review stored editor JSON records, rendering errors, and authenticated editor activity after upgrading.
- CVE-2026-56274: Flowise - Custom MCP Server command injection risk - CVSS 9.9. CVE-2026-56274 affects Flowise before 3.1.2 through Custom MCP Server validation bypasses. Patch, restrict Flowise accounts and API keys, and review chatflow and MCP tool changes.
- Electron: CVE-2026-54257 / CVE-2026-44726 / CVE-2026-56762 / CVE-2026-12866 / CVE-2026-54281 / CVE-2026-55603 - CVSS 9.8. CVE-2026-54257 affects Electron 42.3.1 and 42.3.2 through incorrect Node Buffer byte length calculations. Patch Electron and rebuild distributed desktop packages.
- Revive Adserver: CVE-2026-34914 / CVE-2026-34915 / CVE-2026-34916 / CVE-2026-44959 - CVSS 8.8. CVE-2026-34914 affects Revive Adserver 6.0.6 and earlier. Patch to 6.0.7 or newer, restrict low-privilege account access during review, and check zone-include.php clientid handling, database errors, and delivery logs.
- CVE-2026-41862: Spring Statemachine - Kryo persisted context deserialization - CVSS 8.8. CVE-2026-41862 affects Spring Statemachine Kryo persistence backends when persisted contexts deserialize without an allowlist. Patch and plan the persisted-state migration before restart.
- Capgo: CVE-2026-56248 / CVE-2026-56221 / CVE-2026-56382 / CVE-2026-56396 / CVE-2026-12775 / CVE-2026-56282 - CVSS 8.8. CVE-2026-56248 affects Capgo backend before 12.128.12 through costly audit_logs RLS behavior exposed via Supabase PostgREST. Patch and review database timeouts and public anon-key access.
- MISP: CVE-2026-56422 / CVE-2026-56425 / CVE-2026-56446 - CVSS 9.4. CVE-2026-56422 affects MISP through 2.5.41. Authenticated users may be able to cause saves against objects outside the row checked by authorization. Patch and review ownership, sharing scope, event, proposal, and organisation changes.
- PhpSpreadsheet: CVE-2026-45034 / CVE-2026-55409 / CVE-2026-48505 / CVE-2026-48500 / CVE-2026-48166 / CVE-2026-55599 - CVSS 9.2. CVE-2026-45034 affects PhpSpreadsheet before 1.30.5 when unsafe file paths can bypass wrapper blocking. Review spreadsheet import features, uploaded files, and PHP 7.x exposure.
- CVE-2026-54232: vLLM Dockerfile - dependency confusion build risk - CVSS 8.8. CVE-2026-54232 affects vLLM Docker builds before 0.22.1 through a dependency-confusion risk in a Dockerfile package install path. Rebuild images with fixed vLLM, verify package sources, and rotate secrets if affected images reached production.
- Angular Language Service: CVE-2026-49241 / CVE-2026-54268 / CVE-2026-55388 / CVE-2026-55602 - CVSS 8.7. CVE-2026-49241 affects Angular Language Service VS Code extension versions before 21.2.4. Developer workstations should update the extension, review Workspace Trust settings, and inspect recent untrusted repository opens.
- Apache Doris MCP Server: CVE-2025-66336 / CVE-2026-6653 - CVSS 8.1. CVE-2025-66336 affects Apache Doris MCP Server metadata queries when database names reach SQL construction without the intended authorization context. Patch to 0.6.1 or newer and review MCP and Doris audit logs.
- CVE-2026-44914: Apache NiFi - restricted component authorization gap - CVSS 7.5. CVE-2026-44914 affects Apache NiFi 1.12.0 through 2.9.0 when replacing process groups that include components requiring restricted permissions. Review users with write access, restricted component policy, and flow replacement activity.
- CVE-2026-4259: Ultimate WooCommerce Auction Pro - reflected XSS against admins - CVSS 7.1. CVE-2026-4259 affects Ultimate WooCommerce Auction Pro through 2.4.5. Store owners should patch or disable the plugin, review auction pages, and preserve admin activity logs if suspicious links were opened.
- Branda: CVE-2026-11551 / CVE-2026-9843 / CVE-2026-11911 / CVE-2026-11912 / CVE-2026-12238 / CVE-2022-50972 - CVSS 9.8. CVE-2026-11551 affects Branda through 3.4.29. Confirm the installed version, patch or disable the component, and review password reset events, administrators, and login sessions before closing the issue.
- AVideo: CVE-2026-56345 / CVE-2026-56341 / CVE-2026-56346 / CVE-2026-56342 - CVSS 9.2. CVE-2026-56345 affects AVideo through 29.0. Check the installed version, restrict exposed plugins during patching, and review Meet plugin settings, recorded-video uploads, user sessions, and admin logins.
- ProxySQL: CVE-2026-48772 / CVE-2026-48773 / CVE-2026-48774 - CVSS 10.0. CVE-2026-48772 affects ProxySQL 2.0.0 through 3.0.8. Patch to 3.0.9 or newer, restrict exposed listeners, and review ProxySQL listeners, crashes, restarts, and frontend access.
- Joomla SP Page Builder: CVE-2026-48908 / CVE-2026-48939 / CVE-2017-20252 / CVE-2017-20253 / CVE-2017-20254 / CVE-2017-20255 / CVE-2017-20256 / CVE-2017-20257 / CVE-2017-20258 / CVE-2017-20259 / CVE-2017-20260 / CVE-2017-20261 / CVE-2017-20262 / CVE-2017-20263 / CVE-2017-20264 / CVE-2017-20265 / CVE-2017-20266 / CVE-2017-20267 / CVE-2017-20268 / CVE-2017-20269 / CVE-2017-20270 / CVE-2017-20271 / CVE-2017-20272 / CVE-2017-20273 / CVE-2017-20274 / CVE-2017-20275 / CVE-2017-20276 / CVE-2017-20277 / CVE-2017-20278 / CVE-2017-20279 / CVE-2017-20280 / CVE-2017-20281 / CVE-2017-20282 / CVE-2019-25748 / CVE-2019-25749 / CVE-2019-25750 / CVE-2019-25751 / CVE-2019-25752 / CVE-2019-25753 / CVE-2019-25754 / CVE-2019-25755 / CVE-2019-25756 / CVE-2019-25757 / CVE-2019-25758 / CVE-2019-25759 / CVE-2019-25760 / CVE-2019-25761 / CVE-2019-25762 / CVE-2023-54357 - CVSS 10.0. CVE-2026-48908 affects Joomla SP Page Builder, per the vendor advisory. Check whether the extension is installed, remove abandoned copies, and review uploads, executable files, and public builder routes.
- mcp-pinot: CVE-2026-49257 / CVE-2026-45617 / CVE-2026-44645 / CVE-2026-48716 / CVE-2026-44688 / CVE-2026-44691 / CVE-2026-46580 / CVE-2026-11576 / CVE-2026-12565 - CVSS 10.0. CVE-2026-49257 affects mcp-pinot through 3.0.1. Review Pinot credentials, MCP access logs, and table/config changes, then apply the vendor fix or remove the risky exposure until patched.
- BetterDocs Pro: CVE-2026-7515 / CVE-2026-8713 / CVE-2026-56012 / CVE-2026-11395 / CVE-2026-11989 / CVE-2026-4328 / CVE-2026-12137 / CVE-2026-12093 / CVE-2026-3640 / CVE-2024-32949 / CVE-2025-58924 / CVE-2025-58952 / CVE-2025-58953 / CVE-2025-58954 / CVE-2025-60085 / CVE-2025-69105 / CVE-2025-69107 / CVE-2025-69109 / CVE-2025-69110 / CVE-2025-69112 / CVE-2026-40726 / CVE-2026-49081 / CVE-2026-54184 / CVE-2026-54813 / CVE-2026-54818 - CVSS 9.8. CVE-2026-7515 affects BetterDocs Pro through 3.8.0. Confirm the installed version, patch or disable the component, and review PHP files and uploads before closing the issue.
- FileRise: CVE-2026-54414 / CVE-2026-54419 / CVE-2026-40455 / CVE-2026-54222 / CVE-2026-55746 / CVE-2026-55741 / CVE-2026-55742 / CVE-2026-55744 / CVE-2026-48788 / CVE-2026-49205 - CVSS 9.8. CVE-2026-54414 affects FileRise before 3.16.0. Patch or remove public exposure, preserve logs, and review shared links, users.txt, upload folders, and new admin users.
- pgAdmin 4: CVE-2026-12045 / CVE-2026-12048 / CVE-2026-12044 - CVSS 9.4. CVE-2026-12045 affects pgAdmin 4 9.13 before 9.16. Upgrade to pgAdmin 4 9.16 or newer, then review AI Assistant use, database role privileges, and pgAdmin logs.
- Comodo Chromodo Browser: CVE-2016-20088 / CVE-2016-20090 / CVE-2026-39999 / CVE-2026-49290 / CVE-2026-49345 - CVSS 8.5. CVE-2016-20088 affects Comodo Chromodo Browser through 52.15.25.664. Confirm exposure, apply the vendor fix or remove the component, and review Windows services, old browser installs, and updater paths.
- pontedilana/php-weasyprint: CVE-2026-49260 / CVE-2026-49286 - CVSS 8.2. CVE-2026-49260 affects pontedilana/php-weasyprint before 2.5.1. Patch the Composer dependency, check which routes generate PDFs, and review composer.lock, PDF generation jobs, and web-server logs.
- JimuReport: CVE-2026-36418 / CVE-2026-47103 / CVE-2026-48616 / CVE-2026-48768 / CVE-2026-48814 / CVE-2026-28587 / CVE-2026-20266 - CVSS 10.0. CVE-2026-36418 affects JimuReport 2.3.4 and below through unsafe expression handling. Patch, restrict report execution APIs, and review report templates and server logs.
- bus-ticket: CVE-2026-55740 / CVE-2026-54415 / CVE-2026-11407 / CVE-2026-46870 - CVSS 9.8. CVE-2026-55740 affects the Nur-Alam39 bus-ticket PHP application. Public deployments should be taken out of exposure until SQL handling and database credentials are fixed, then database access and records should be reviewed.
- Apache Airflow: CVE-2026-50203 / CVE-2026-32966 / CVE-2026-32967 - CVSS 9.8. CVE-2026-50203 affects Apache Airflow SFTP provider workflows where a malicious or compromised SFTP server can influence retrieved paths. Patch the provider and review DAG output directories.
- Webmin: CVE-2026-56020 / CVE-2026-56021 / CVE-2026-56022 - CVSS 9.2. CVE-2026-56020 affects Webmin before 2.641. Patch to 2.641 or newer, restrict the Webmin listener, and review login history, miniserv configuration, and certificate-auth users.
- JobCareer: CVE-2025-69128 / CVE-2025-69130 / CVE-2025-69135 / CVE-2025-69139 / CVE-2026-12407 / CVE-2026-22335 / CVE-2026-22343 / CVE-2026-27400 / CVE-2026-48967 / CVE-2026-49073 / CVE-2026-49113 / CVE-2026-54185 / CVE-2026-9860 - CVSS 8.8. CVE-2025-69128 affects JobCareer through 7.3. Confirm the installed version, patch or disable the component, and review file access logs and unexpected downloads before closing the incident.
- SigmaForms Pro - AI Generated Forms: CVE-2026-52705 / CVE-2024-52488 / CVE-2025-60218 / CVE-2025-69129 / CVE-2026-22327 / CVE-2026-25446 / CVE-2026-25470 / CVE-2026-27041 / CVE-2026-39589 / CVE-2026-40746 / CVE-2026-40747 / CVE-2026-40748 / CVE-2026-40749 / CVE-2026-40783 - CVSS 10.0. CVE-2026-52705 affects SigmaForms Pro - AI Generated Forms through 1.4.5. Confirm the installed version, patch or disable the component, and review upload directories, new PHP files, and web access logs before closing the incident.
- MySQL Shell for VS Code: CVE-2026-46850 / CVE-2026-46860 / CVE-2026-46861 - CVSS 9.9. CVE-2026-46850 affects MySQL Shell for VS Code 2026.2.0+9.6.1. Database teams should patch developer tooling and review saved connection profiles and extension access.
- Sonaar: CVE-2025-59563 / CVE-2025-69138 / CVE-2026-12165 / CVE-2026-22342 / CVE-2026-24611 / CVE-2026-42629 / CVE-2026-54805 / CVE-2026-27395 / CVE-2026-49058 / CVE-2026-49767 / CVE-2026-54803 / CVE-2026-54807 / CVE-2025-69179 - CVSS 9.8. CVE-2025-59563 affects Sonaar through 4.27.4. Confirm the installed version, patch or disable the component, and review new users, role changes, and administrator sessions before closing the incident.
- Avada: CVE-2026-12256 / CVE-2025-69127 / CVE-2026-49108 / CVE-2025-60229 / CVE-2025-60230 / CVE-2025-60231 / CVE-2025-60236 / CVE-2025-69111 / CVE-2026-27429 / CVE-2026-39529 / CVE-2026-40725 / CVE-2026-42380 / CVE-2026-49075 / CVE-2026-49107 / CVE-2026-52706 / CVE-2026-54194 / CVE-2026-54806 / CVE-2025-60205 / CVE-2025-69108 / CVE-2025-69122 - CVSS 9.8. CVE-2026-12256 affects Avada through 3.15.3. Confirm the installed version, patch or disable the component, and review PHP errors, changed files, and unexpected plugin settings before closing the incident.
- Motors: CVE-2026-54812 / CVE-2026-54815 / CVE-2026-54819 / CVE-2025-59554 / CVE-2026-22332 / CVE-2026-22340 / CVE-2026-39438 / CVE-2026-39596 / CVE-2026-48875 / CVE-2026-49076 / CVE-2026-49079 / CVE-2026-49080 / CVE-2026-49084 / CVE-2026-54186 / CVE-2026-54187 / CVE-2026-54808 / CVE-2026-54809 / CVE-2026-54811 - CVSS 9.3. CVE-2026-54812 affects Motors through 1.4.109. Confirm the installed version, patch or disable the component, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.
- NGINX: CVE-2026-42055 / CVE-2026-42530 - CVSS 9.2. CVE-2026-42055 affects NGINX proxy and gRPC module configurations in the June 2026 F5 advisory. Review HTTP/2 proxying, gRPC exposure, and edge logs before closing.
- CVE-2026-49268: Apache Shiro - DefaultLdapRealm DN construction issue - CVSS 8.8. CVE-2026-49268 affects Apache Shiro through 2.2.0 and 3.0.0-alpha-1 when DefaultLdapRealm builds LDAP Distinguished Names from user input. Upgrade and review LDAP realm templates, authentication logs, and account mappings.
- NGINX Gateway Fabric: CVE-2026-11311 / CVE-2026-50107 - CVSS 8.6. CVE-2026-11311 affects NGINX Gateway Fabric configuration generation when NGINX Plus is used as the data plane. Review who can create or modify NginxProxy and AuthenticationFilter resources, patch, and audit recent CRD changes.
- CVE-2026-40750: WordPress Kids Online Store theme - dangerous file upload - CVSS 9.9. CVE-2026-40750 affects the WordPress Kids Online Store theme through 0.8.9. Site owners should patch or replace the theme, block script execution from uploads, and review recent files and admin users.
- Premmerce Dev Tools: CVE-2026-6933 / CVE-2026-8443 / CVE-2026-8444 / CVE-2026-27333 / CVE-2026-40762 / CVE-2026-39574 / CVE-2026-39581 / CVE-2026-49772 / CVE-2026-49774 / CVE-2026-52715 / CVE-2026-52712 - CVSS 9.9. CVE-2026-6933 affects Premmerce Dev Tools through 2.0. Confirm the installed version, patch or disable the plugin, and review changed files, cron jobs, users, and web server logs before closing the incident.
- Hippoo Mobile App for WooCommerce: CVE-2026-49065 / CVE-2026-42411 / CVE-2026-48970 / CVE-2025-59133 / CVE-2026-25425 / CVE-2026-27089 / CVE-2026-34886 / CVE-2026-34891 / CVE-2026-34898 / CVE-2026-39480 / CVE-2026-39503 / CVE-2026-39513 / CVE-2026-39524 / CVE-2026-39533 / CVE-2026-39534 / CVE-2026-40741 / CVE-2026-40767 / CVE-2026-40774 / CVE-2026-40776 / CVE-2026-40781 / CVE-2026-40789 / CVE-2026-42384 / CVE-2026-42666 / CVE-2026-42667 / CVE-2026-42668 / CVE-2026-45441 / CVE-2026-48835 / CVE-2026-48868 / CVE-2026-48872 / CVE-2026-48873 / CVE-2026-48883 / CVE-2026-49056 / CVE-2026-49066 / CVE-2026-49068 / CVE-2026-49070 / CVE-2026-49078 / CVE-2026-49110 / CVE-2026-52692 / CVE-2026-52694 / CVE-2026-52695 / CVE-2026-52699 / CVE-2026-40775 / CVE-2026-49082 / CVE-2026-39450 / CVE-2026-39518 / CVE-2026-40785 / CVE-2026-40788 / CVE-2026-49775 / CVE-2025-68045 / CVE-2026-39490 / CVE-2026-52711 / CVE-2026-2381 / CVE-2026-40809 - CVSS 8.2. CVE-2026-49065 affects Hippoo Mobile App for WooCommerce through 1.9.5. Confirm the installed version, patch or disable the plugin, and review new sessions, booking records, order changes, and account history before closing the incident.
- CVE-2026-53864: OpenClaw - Node.js control variable sanitizer bypass - CVSS 8.1. CVE-2026-53864 affects OpenClaw before 2026.5.26. Review workspace .env files, tool environment overrides, and skill environment blocks for unexpected Node.js control variables before re-enabling shared workspaces.
- WP BASE Booking: CVE-2026-39587 / CVE-2026-42687 / CVE-2026-49061 / CVE-2026-49112 / CVE-2026-49063 / CVE-2026-39434 / CVE-2026-39470 / CVE-2026-39472 / CVE-2026-39499 / CVE-2026-49083 / CVE-2026-27407 / CVE-2026-40727 / CVE-2026-40779 / CVE-2026-39471 / CVE-2026-39481 / CVE-2026-39498 / CVE-2026-9187 / CVE-2026-8442 - CVSS 8.1. CVE-2026-39587 affects WP BASE Booking through 5.9.0. Confirm the installed version, patch or disable the plugin, and review new users, role changes, and administrator sessions before closing the incident.
- AutomatorWP: CVE-2026-42650 / CVE-2025-68840 / CVE-2025-68851 / CVE-2025-68872 / CVE-2026-23970 / CVE-2026-34900 / CVE-2026-34902 / CVE-2026-39435 / CVE-2026-39447 / CVE-2026-39449 / CVE-2026-39463 / CVE-2026-39507 / CVE-2026-39514 / CVE-2026-40732 / CVE-2026-40770 / CVE-2026-40787 / CVE-2026-40791 / CVE-2026-42649 / CVE-2026-42658 / CVE-2026-42775 / CVE-2026-45437 / CVE-2026-48838 / CVE-2026-48867 / CVE-2026-48871 / CVE-2026-48876 / CVE-2026-48885 / CVE-2026-48966 / CVE-2026-49055 / CVE-2026-52702 / CVE-2026-42686 / CVE-2026-39437 / CVE-2026-54191 / CVE-2026-54198 - CVSS 7.2. CVE-2026-42650 affects AutomatorWP through 5.6.7. Confirm the installed version, patch or disable the plugin, and review stored content, redirects, admin sessions, and suspicious script injections before closing the incident.
- Feed KuantoKusta for WooCommerce Free: CVE-2026-39441 / CVE-2026-39492 / CVE-2026-39493 / CVE-2026-39502 / CVE-2026-39511 / CVE-2026-39512 / CVE-2026-39519 / CVE-2026-39530 / CVE-2026-40771 / CVE-2026-40798 / CVE-2026-42381 / CVE-2026-42386 / CVE-2026-42639 / CVE-2026-42665 / CVE-2026-45439 / CVE-2026-48886 / CVE-2026-49067 / CVE-2026-49776 / CVE-2026-52693 / CVE-2026-52703 / CVE-2026-27053 / CVE-2026-34901 / CVE-2026-39583 / CVE-2026-39591 / CVE-2026-40772 / CVE-2026-48836 / CVE-2026-49085 / CVE-2026-49104 / CVE-2026-49105 / CVE-2026-49106 / CVE-2026-49109 / CVE-2026-49763 / CVE-2026-49764 / CVE-2026-49765 / CVE-2026-49766 / CVE-2026-49768 / CVE-2026-49769 / CVE-2026-49770 / CVE-2026-49781 / CVE-2026-9691 - CVSS 10.0. CVE-2026-39441 affects Feed KuantoKusta for WooCommerce Free through 5.3. WordPress sites should patch or disable the component, then review database errors, unusual request patterns, and exposed customer or order data before closing the incident.
- WooCommerce PDF Invoice Builder: CVE-2026-52704 / CVE-2016-20071 / CVE-2026-49062 / CVE-2026-49111 / CVE-2016-20076 / CVE-2016-20081 / CVE-2018-25437 / CVE-2026-49064 / CVE-2016-20078 / CVE-2016-20080 - CVSS 10.0. CVE-2026-52704 affects WooCommerce PDF Invoice Builder through 2.0.8. Stores should disable or patch the plugin, review generated invoice files and templates, and check administrator activity before reopening payments.
- Bludit CMS: CVE-2026-38329 / CVE-2026-50869 - CVSS 9.8. CVE-2026-38329 affects Bludit before 3.18.4 when API plugin file handling is exposed. Review API token use, plugin access, uploaded files, and web-server logs before closing the issue.
- CVE-2026-48114: Metacat 2.x - unauthenticated SQL injection - CVSS 9.8. CVE-2026-48114 affects Metacat 2.x through 2.19.1 in the harvester registration path. Operators should upgrade to Metacat 3.x, restrict legacy servlet exposure, and review PostgreSQL and repository logs.
- Discuz! X5.0: CVE-2026-49952 / CVE-2026-49954 - CVSS 9.3. CVE-2026-49952 affects Discuz! X5.0 releases 20260320 through 20260501. Forum operators should upgrade to 20260510 or newer, restrict administrative paths, and review database backup and restore activity.
- CVE-2026-5482: Responsive FileManager - unrestricted file upload to RCE risk - CVSS 9.3. CVE-2026-5482 affects Tecrail Responsive FileManager through 9.14.0. The project was reported as unmaintained at assignment time, so exposed deployments should be removed or isolated and upload directories reviewed.
- CVE-2026-48714: i18next-http-middleware - remote prototype pollution risk in missing-key handling - CVSS 9.1. CVE-2026-48714 affects i18next-http-middleware before 3.9.7 when missing-key write handling is exposed with vulnerable backend behavior. Upgrade, restrict the handler, and review translation persistence logs for unexpected writes.
- PowerPress Podcasting: CVE-2026-24637 / CVE-2026-39465 / CVE-2026-39474 / CVE-2026-39478 / CVE-2026-39532 / CVE-2026-39579 / CVE-2026-40766 / CVE-2026-40769 / CVE-2026-42661 / CVE-2026-42664 / CVE-2026-48874 / CVE-2026-48881 / CVE-2026-48882 / CVE-2026-48889 / CVE-2026-48964 / CVE-2026-49780 / CVE-2026-52697 / CVE-2026-52700 - CVSS 9.1. CVE-2026-24637 affects PowerPress Podcasting through 11.15.10. WordPress owners should confirm the plugin version, patch or disable the component, and review database errors, unusual request patterns, and exposed customer or order data before closing the incident.
- CVE-2026-36670: OpenSIPS Control Panel - alias management SQL injection - CVSS 8.8. CVE-2026-36670 affects OpenSIPS Control Panel before 9.3.3. Authenticated users with access to the alias management module can trigger SQL injection behavior, so exposed panels should be upgraded and logs reviewed.
- CVE-2026-48017: DbGate - authenticated server-side code execution risk - CVSS 8.8. CVE-2026-48017 affects DbGate 7.1.8 and earlier when authenticated users can reach vulnerable server-side runner behavior. Upgrade, limit access to trusted admins, review runner activity, and rotate stored credentials if suspicious use cannot be ruled out.
- GStreamer gst-plugins-bad: CVE-2026-52719 / CVE-2026-52720 / CVE-2026-52722 - CVSS 8.8. CVE-2026-52719 affects the VA JPEG decoder in GStreamer gst-plugins-bad before 1.28.4. Systems that parse untrusted media should update packages and review crashes from media thumbnailing or ingestion jobs.
- CVE-2026-12204: ShopXO - unauthenticated scheduled task endpoint authorization bypass - CVSS 7.5. CVE-2026-12204 affects ShopXO up to 6.7.1 in app/api/controller/Crontab.php. Stores should restrict scheduled task endpoints, review order/payment state changes, and preserve logs before cleanup.
- CVE-2026-5079: multer - denial of service via deeply nested field names - CVSS 7.5. CVE-2026-5079 affects multer upload parsing when deeply nested multipart field names are accepted. Node.js services should update from the affected multer line, enforce upload limits, and monitor upload endpoints for memory pressure.
- CVE-2026-20262: Cisco Catalyst SD-WAN Manager - authenticated arbitrary file write - CVSS 6.5. CVE-2026-20262 affects Cisco Catalyst SD-WAN Manager web UI upload handling. The reported path requires valid low-privilege credentials but can create or overwrite files, so exposed management planes need patching and account review.
- CVE-2026-54420: LiteSpeed cPanel Plugin - shared hosting privilege escalation risk - CVSS 8.5. CVE-2026-54420 affects LiteSpeed cPanel user-end plugin deployments before 2.4.8, including bundled WHM Plugin deployments before the fixed 5.3.2.1 line. Shared hosts using CloudLinux/CageFS should patch and review cPanel logs because the vendor reported active exploitation.
- MariaDB Server: CVE-2026-44168 / CVE-2026-44170 / CVE-2026-44172 / CVE-2026-48163 / CVE-2026-48165 / CVE-2026-44249 / CVE-2026-44893 / CVE-2026-44894 / CVE-2026-45416 / CVE-2026-45673 / CVE-2026-45674 / CVE-2026-46340 / CVE-2026-47691 / CVE-2026-48006 / CVE-2026-48043 / CVE-2026-48059 / CVE-2026-48748 / CVE-2026-50010 / CVE-2026-50011 / CVE-2026-50560 / CVE-2026-47244 / CVE-2026-6428 / CVE-2026-44892 / CVE-2026-11933 / CVE-2026-49261 / CVE-2026-44250 / CVE-2026-44890 - CVSS 10.0. CVE-2026-44168 affects supported MariaDB branches including 10.6, 10.11, 11.4, and 11.8 lines. Confirm the exact server branch, patch to the fixed release, and review database errors or restarts.
- BUK TS-G Gas Station Automation System: CVE-2026-12183 / CVE-2026-45060 / CVE-2026-45418 / CVE-2026-47238 / CVE-2026-12131 / CVE-2026-8406 / CVE-2026-38581 - CVSS 9.8. CVE-2026-12183 affects BUK TS-G Gas Station Automation System 2.9.1 through 2.10.2 on Linux. Treat exposed panels as high risk, restrict access to trusted networks, patch, and review system configuration or administrative changes.
- Quest Bot: CVE-2026-47172 / CVE-2026-47174 / CVE-2026-46703 / CVE-2026-53474 / CVE-2026-46519 / CVE-2026-32193 / CVE-2026-11769 / CVE-2026-49818 / CVE-2026-11529 / CVE-2026-48546 / CVE-2026-11816 / CVE-2026-52860 / CVE-2026-46679 / CVE-2026-2049 - CVSS 9.6. CVE-2026-47172 affects Quest Bot before 1.0.3. Review GitHub Actions workflows that promote pull-request builds into privileged Docker deployment jobs.
- MDJM Event Management: CVE-2026-7537 / CVE-2026-9851 / CVE-2026-8438 / CVE-2026-8901 / CVE-2026-9829 / CVE-2026-9280 / CVE-2026-7792 / CVE-2026-11603 / CVE-2026-8599 / CVE-2026-9016 / CVE-2026-9848 / CVE-2026-9109 / CVE-2026-5513 - CVSS 7.5. CVE-2026-7537 affects MDJM Event Management for WordPress through 1.7.8.3. Review administrator activity, plugin email attachments, and upload locations for unexpected executable files.
- vm2: CVE-2026-47131 / CVE-2026-47135 / CVE-2026-47137 / CVE-2026-47139 / CVE-2026-47140 / CVE-2026-47141 / CVE-2026-47208 / CVE-2026-47209 / CVE-2026-47210 - CVSS 10.0. CVE-2026-47131 affects vm2 before 3.11.4. Services that run untrusted JavaScript should upgrade, isolate sandbox workers, and review logs for unexpected outbound access or worker failures.
- CVE-2026-47365: cPanel WP Toolkit - cross-tenant command authorization bypass - CVSS 9.9. CVE-2026-47365 affects WP Toolkit before 6.11.0 as used in cPanel & WHM. Hosting providers should update WP Toolkit, review account boundaries, and check recent wp-toolkit CLI activity.
- Apache CXF: CVE-2026-50623 / CVE-2026-50629 / CVE-2026-50631 / CVE-2026-50632 / CVE-2026-50633 / CVE-2026-50634 / CVE-2026-50645 - CVSS 9.8. CVE-2026-50623 affects Apache CXF deployments in the June 2026 advisory batch. Check OAuth2, JMS/JCA, JWS JSON, or attachment handling depending on the module in use, then upgrade to 4.2.2 or 4.1.7.
- CVE-2026-53787: Magento Amasty Order Attributes - unauthenticated arbitrary file upload - CVSS 9.8. CVE-2026-53787 affects Amasty Order Attributes for Magento 2 before 4.0.0. Magento stores should patch, review upload directories, and block script execution from media paths.
- jmespath.php: CVE-2026-54133 / CVE-2026-54360 - CVSS 9.8. CVE-2026-54133 affects jmespath.php before 2.9.1 when untrusted expressions reach the compiler runtime. Patch and use the non-compiler runtime for user-controlled expressions.
- ApostropheCMS: CVE-2026-44990 / CVE-2026-45011 / CVE-2026-45012 / CVE-2026-45013 / CVE-2026-53607 / CVE-2026-53609 / CVE-2026-53608 - CVSS 9.3. CVE-2026-44990 affects ApostropheCMS or a common dependency path in June 2026. Check package versions, trusted base URL, editor content, outbound fetch behavior, and password reset events.
- CVE-2026-9067: Schema & Structured Data for WP & AMP - arbitrary media upload - CVSS 9.1. CVE-2026-9067 affects Schema & Structured Data for WP & AMP before 1.60. WordPress sites should update the plugin, review media uploads, and check for unexpected files under wp-content/uploads.
- Apache OFBiz: CVE-2026-47342 / CVE-2026-50223 / CVE-2026-25700 / CVE-2026-49498 / CVE-2026-52758 / CVE-2026-9758 - CVSS 8.8. CVE-2026-47342 affects Apache OFBiz versions before 24.09.07. Upgrade to the fixed release and review low-privilege users, role changes, and recent administrative actions.
- Parse Server: CVE-2026-47138 / CVE-2026-47248 / CVE-2026-50008 / CVE-2026-53726 - CVSS 8.7. CVE-2026-47138 affects Parse Server deployments in the June 2026 batch. Check version state, public API routes, GraphQL exposure, and server logs before closing the issue.
- Spring Security: CVE-2026-41003 / CVE-2026-41695 / CVE-2026-41856 - CVSS 7.6. CVE-2026-41003 affects Spring Security applications that render attacker-influenced SAML relying-party registration values. Review SAML configuration sources and move to fixed Spring Security releases.
- CVE-2026-42306: Moby Docker Engine - container networking and firewall exposure - CVSS 7.2. CVE-2026-42306 affects Docker Engine and Moby daemon versions before fixed releases. Review daemon version, published container ports, and host firewall state after upgrade.
- CVE-2026-12066: PbootCMS - password recovery exposure - CVSS 5.5. CVE-2026-12066 affects PbootCMS up to 3.2.12 in the member password recovery flow. Review exposed member recovery pages, account changes, admin logins, and vendor patch status.
- Ivanti Sentry: CVE-2026-10520 / CVE-2026-10523 - CVSS 10.0. CVE-2026-10520 affects Ivanti Sentry and was added to CISA KEV on 2026-06-11. Confirm version state, restrict management access, patch, and review appliance logs and unexpected accounts.
- CVE-2026-11561: Apinizer - expression language injection code injection - CVSS 9.8. CVE-2026-11561 affects Apinizer 2026.04.0 before 2026.04.6. API gateway owners should identify exposed Apinizer nodes, upgrade to a fixed release, and review gateway logs, admin activity, and policy changes.
- Hippoo Mobile App for WooCommerce: CVE-2026-10580 / CVE-2026-49060 / CVE-2026-39494 / CVE-2026-42647 / CVE-2026-42653 - CVSS 9.8. CVE-2026-10580 affects Hippoo Mobile App for WooCommerce through 1.9.4. Public stores should update to 1.9.5 or newer, review administrator accounts, WooCommerce API activity, password resets, and payment settings.
- UpdraftPlus: CVE-2026-10795 / CVE-2025-6254 / CVE-2026-3018 / CVE-2026-49069 / CVE-2023-33999 - CVSS 9.8. CVE-2026-10795 affects UpdraftPlus through 1.26.4 when the site has been connected to UpdraftCentral. Review remote communication logs, backup activity, plugin changes, and administrator accounts before treating the site as clean.
- image-size: CVE-2025-71319 / CVE-2025-71329 / CVE-2025-71330 / CVE-2026-44494 / CVE-2026-44492 / CVE-2026-44487 / CVE-2026-44486 / CVE-2026-44488 / CVE-2026-44496 / CVE-2026-44495 / CVE-2026-44705 / CVE-2026-49982 - CVSS 8.7. CVE-2025-71319 affects image-size through 2.0.2. Node.js apps that inspect untrusted JXL or HEIF uploads should patch or isolate image parsing workers.
- GitLab EE: CVE-2026-6552 / CVE-2026-10087 / CVE-2026-7250 / CVE-2026-8589 - CVSS 8.7. CVE-2026-6552 affects GitLab EE Group SAML identity management. Self-managed GitLab owners should upgrade and review group Owner activity, SAML mappings, and recent identity changes.
- CVE-2026-40998: Spring Web Services - Jaxp13XPathTemplate XXE via StreamSource and SAXSource - CVSS 8.2. CVE-2026-40998 affects Spring Web Services applications that evaluate XPath over untrusted XML through Jaxp13XPathTemplate with StreamSource or SAXSource. Upgrade and review XML entry points.
- Roxy-WI: CVE-2026-45552 / CVE-2026-45556 / CVE-2026-45558 / CVE-2026-45550 / CVE-2026-45564 / CVE-2026-45549 / CVE-2026-45567 / CVE-2026-45565 / CVE-2026-45569 - CVSS 9.9. CVE-2026-45552 affects Roxy-WI install and exporter workflows. Review panel exposure, guest or low-privilege users, stored SSH credentials, and recent infrastructure changes.
- Fission: CVE-2026-46614 / CVE-2026-46618 / CVE-2026-50545 / CVE-2026-50563 / CVE-2026-50564 / CVE-2026-50566 / CVE-2026-46612 / CVE-2026-46617 / CVE-2026-49824 / CVE-2026-50570 / CVE-2026-49821 / CVE-2026-49822 / CVE-2026-49823 / CVE-2026-50567 - CVSS 9.9. CVE-2026-46614 affects Fission before 1.23.0 where internal function routes may be exposed through the public router listener. Review ingress, router services, and NetworkPolicy.
- Splunk Secure Gateway: CVE-2026-20251 / CVE-2026-53435 / CVE-2026-20253 - CVSS 9.8. CVE-2026-20251 affects Splunk Secure Gateway through unsafe deserialization. Confirm Splunk Enterprise and Secure Gateway versions, patch fixed releases, and review app activity and admin logs.
- Concrete CMS: CVE-2026-10721 / CVE-2026-38615 / CVE-2026-45062 / CVE-2026-46643 / CVE-2026-46683 - CVSS 9.8. CVE-2026-10721 affects Concrete CMS before 9.5.2 through unsafe serialized data paths. Check the running CMS version, recent cache or permission errors, and patch the site.
- OpenSSL: CVE-2026-34183 / CVE-2026-45447 / CVE-2026-7383 / CVE-2026-34180 / CVE-2026-45445 / CVE-2026-9076 / CVE-2026-42764 / CVE-2026-42765 - CVSS 9.8. CVE-2026-34183 affects OpenSSL QUIC stacks where repeated PATH_CHALLENGE handling can exhaust memory. Review custom QUIC clients or servers and update affected OpenSSL branches.
- CVE-2026-49948: Mem0 self-hosted server - missing authorization on configuration changes - CVSS 8.6. CVE-2026-49948 affects Mem0 self-hosted server versions through 0.2.8. Check exposed server instances, admin/API-key usage, LLM provider settings, embedder settings, and unexpected configuration changes.
- CVE-2026-46491: SimpleSAMLphp CAS Server - FileSystemTicketStore path traversal - CVSS 8.6. CVE-2026-46491 affects simplesamlphp-module-casserver before 7.0.3 when the file-based ticket store is used and public CAS validation or proxy endpoints are reachable. Check whether FileSystemTicketStore is enabled, upgrade to 7.0.3, and review PHP filesystem permissions.
- BuddyPress: CVE-2026-53673 / CVE-2026-53674 - CVSS 8.6. CVE-2026-53673 affects BuddyPress 14.4.0 private messaging REST API permission checks. Community and membership sites should disable private messaging if needed, review message API access, and update when a fixed release is available.
- Spring Data MongoDB: CVE-2026-41717 / CVE-2026-41729 / CVE-2026-41731 / CVE-2026-41732 - CVSS 8.1. CVE-2026-41717 affects Spring Data MongoDB applications that expose annotated repository methods with capture-all placeholders to untrusted input. Upgrade affected branches and search for risky @Query or @Aggregation patterns.
- CVE-2026-48108: Russh - SSH identification pre-authentication resource handling - CVSS 5.3. CVE-2026-48108 affects Rust services built on russh 0.34.0-beta.1 before 0.61.0. Check embedded SSH services, patch russh, and review connection limits around the pre-authentication phase.
- Apache HTTP Server: CVE-2026-44631 / CVE-2026-34355 / CVE-2026-34356 / CVE-2026-42536 / CVE-2026-44185 / CVE-2026-48913 / CVE-2026-29167 / CVE-2026-44186 / CVE-2026-42535 - CVSS 9.8. CVE-2026-44631 affects Apache HTTP Server 2.4.0 through 2.4.67 via crafted regular expressions in configuration. Operators should upgrade to 2.4.68 and review regex-heavy vhost, rewrite, and match directives.
- CVE-2026-50636: LimeSurvey - RemoteControl invite/remind SQL injection - CVSS 8.8. CVE-2026-50636 affects LimeSurvey RemoteControl invite_participants and remind_participants flows when the RPC interface is enabled and a caller has token update permission. Disable RemoteControl if unused, reduce permissions, and apply the vendor fix.
- CVE-2026-11616: The Events Calendar for GeoDirectory - Subscriber privilege escalation - CVSS 8.8. The Events Calendar for GeoDirectory CVE-2026-11616 can let a low-privilege WordPress account alter role-related user metadata through the event interest flow. Update to 2.3.29 or newer, then review admin users, role changes, and AJAX logs.
- MongoDB Server: CVE-2026-9740 / CVE-2026-9742 / CVE-2026-9741 / CVE-2026-9743 / CVE-2026-9746 / CVE-2026-9747 / CVE-2026-9748 / CVE-2026-9749 / CVE-2026-9750 / CVE-2026-9752 / CVE-2026-9753 / CVE-2026-9754 - CVSS 8.7. CVE-2026-9740 affects MongoDB Server BSON validation logic and can crash mongod before authentication. Public or partner-exposed MongoDB listeners should be patched and checked for unexplained restarts.
- CVE-2026-9662: Recover Exit for WooCommerce - Unauthenticated LFI via tpf include path - CVSS 8.1. Recover Exit for WooCommerce exposes a reported local file inclusion path through a POST value that reaches include(). Stores should remove or disable the plugin, check the affected PHP files, and review logs before reopening checkout flows.
- Spring Framework: CVE-2026-41851 / CVE-2026-41849 / CVE-2026-41850 - CVSS 7.5. CVE-2026-41851 affects Spring Framework applications that accept user-controlled SpEL expressions and cache parsed expressions. Check rule/formula features, upgrade Spring, and review memory alerts.
- CVE-2026-9185: 6Storage Rentals - Unauthenticated tenant profile exposure - CVSS 7.5. 6Storage Rentals may expose tenant profile read or update paths without login. Site owners should disable the plugin, preserve access logs, inspect tenant records, and notify affected users if data changed.
- CVE-2026-7556: FV Flowplayer Video Player - Stored XSS review for WordPress sites - CVSS 7.2. FV Flowplayer CVE-2026-7556 should be treated as a stored XSS cleanup and permission review, not as a confirmed unauthenticated RCE. Check plugin version, recent video embeds, editor accounts, and cached pages.
- CVE-2016-20063: Simple Personal Message - Authenticated SQL injection in legacy WordPress plugin - CVSS 7.1. CVE-2016-20063 is a legacy Simple Personal Message WordPress plugin SQL injection issue. Check whether the plugin still exists, confirm the installed version, update to 2.0.0 or remove it, and review admin activity and database access if it was exposed.
- CVE-2026-52778: YesWiki - Bazar CalcField unsafe formula handling - CVSS 9.8. CVE-2026-52778 affects YesWiki before 4.6.6 through the Bazar CalcField formula calculator. Public YesWiki sites should upgrade, review Bazar forms, and check logs for repeated form submissions or PHP file changes.
- CVE-2023-54352: WordPress Seotheme - Unauthenticated Remote Code Execution - CVSS 9.8. WordPress Seotheme unauthenticated RCE with a public technical signal. Site owners should check for the known shell IOC, related seoplugins paths, unexpected admins, modified theme files, and web-log hits before cleanup.
- CVE-2026-47430: Cordova Plugin InAppBrowser iOS - callback boundary weakness - CVSS 9.5. CVE-2026-47430 affects cordova-plugin-inappbrowser 3.1.0 through 6.0.0 on iOS. Apps that open OAuth, payment, deep-link, or marketing pages in InAppBrowser should upgrade to 6.0.1 and review plugin callback trust boundaries.
- CVE-2026-50751: Check Point - deprecated IKEv1 VPN authentication bypass - CVSS 9.3. CVE-2026-50751 affects Check Point Remote Access VPN and Mobile Access deployments that still accept deprecated IKEv1. Check Point reported exploitation in the wild; operators should patch, disable or restrict IKEv1, and review VPN logs from 2026-05-07 onward.
- CVE-2026-46490: samlify - SAML AttributeValue XML injection privilege escalation - CVSS 8.7. CVE-2026-46490 affects samlify before 2.13.0. Node.js SAML SSO services should upgrade, review IdP attribute templates, SP role/group mapping, and recent login events where SAML attributes drive authorization.
- CVE-2026-40519: Nginx Proxy Manager - certificate plugin command injection - CVSS 7.7. CVE-2026-40519 affects Nginx Proxy Manager certificate plugin setup when an account can manage certificates. Review admin exposure, certificate permissions, DNS challenge credentials, and update to a build containing the upstream fix.
- CVE-2026-46440: Flowise - Basic Auth credential brute-force exposure - CVSS 7.5. CVE-2026-46440 affects Flowise before 3.1.2 when exposed Basic Auth can be repeatedly tested without adequate rate limiting. Operators should upgrade, add a real access layer, rotate credentials, and review Flowise flows and stored secrets.
- SourceCodester Timetabling: CVE-2026-11471 / CVE-2026-11472 / CVE-2026-11482 / CVE-2026-11483 / CVE-2026-11484 / CVE-2026-11485 / CVE-2026-11486 - CVSS 7.5. SourceCodester Class and Exam Timetabling System 1.0 SQL injection in login handling. Public school portals should restrict access, inspect SQL handling, and review logs.
- CVE-2026-11488: Simple Flight Ticket Booking - checkUser.php SQL Injection - CVSS 7.5. code-projects Simple Flight Ticket Booking System 1.0 SQL injection in login handling. Check stale booking demos, login SQL handling, web logs, and database privileges.
- code-projects Online Music Site: CVE-2026-11489 / CVE-2026-11490 - CVSS 7.5. code-projects Online Music Site 1.0 SQL injection in an admin album action. Check admin path exposure, album changes, logs, and SQL handling.
- CVE-2026-11474: Student Management System - Unrestricted Upload via stimg - CVSS 7.5. Kushan2k student-management-system may allow dangerous file uploads through the stimg registration image field. Check public/profiles for PHP-like files, block script execution in upload directories, and preserve logs.
- CVE-2026-11462: BeikeShop Stripe Plugin - Missing Webhook Signature Verification - CVSS 7.5. BeikeShop Stripe plugin callback may process webhook data without verifying the Stripe-Signature header. Store owners should patch, configure the webhook secret, review /callback/stripe logs, and match paid orders against Stripe.
- CVE-2026-11456: Chanjet CRM - SQL Injection in system table handling - CVSS 7.3. Chanjet CRM 1.0 SQL injection in a system table endpoint. Exposed CRM systems should restrict the endpoint, review web logs, and preserve evidence.
- CVE-2026-46389: UDS Identity Config - Keycloak client authentication bypass - CVSS 10.0. CVE-2026-46389 affects UDS Identity Config 0.11.0 through 0.26.0. Deployments using the client-kubernetes-secret Keycloak authenticator should update to 0.26.1 and review service-account token activity.
- HAX CMS: CVE-2026-46395 / CVE-2026-46399 / CVE-2026-46396 / CVE-2026-46496 / CVE-2026-46398 / CVE-2026-46400 / CVE-2026-46391 / CVE-2026-46392 / CVE-2026-46394 / CVE-2026-46393 / CVE-2026-46493 / CVE-2026-46511 / CVE-2026-46390 - CVSS 9.4. CVE-2026-46395 affects the HAX CMS Node.js backend through 25.0.0. Public HAX CMS operators should upgrade, rotate JWT signing material and site tokens, then review admin activity that may not have normal login events.
- CVE-2026-45777: Open XDMoD - unauthenticated remote code execution - CVSS 9.3. CVE-2026-45777 affects Open XDMoD 9.5.0 through 11.0.2. HPC portals should upgrade to 11.0.3 or newer, restrict web access, and review web-server process activity and application logs.
- WordPress: CVE-2026-7654 / CVE-2026-5411 / CVE-2026-5415 - CVSS 8.8. CVE-2026-7654 affects the Admin Columns WordPress plugin through 7.0.18. Sites with Contributor or higher accounts should patch to 7.0.19 or newer, then review recent custom-field and account activity.
- Lyrion Music Server: CVE-2026-50234 / CVE-2026-50233 / CVE-2026-50232 / CVE-2026-50231 - CVSS 8.7. CVE-2026-50234 affects Lyrion Music Server 9.2.0. Public web UI or CLI exposure should be closed, logs reviewed, and the server moved back to a stable or fixed build.
- AWS Aurora PostgreSQL Wrapper: CVE-2026-11400 / CVE-2026-11401 - CVSS 8.6. CVE-2026-11400 affects AWS Advanced JDBC Wrapper for Aurora PostgreSQL versions from 3.0.0 up to, but not including, 4.0.1. Review wrapper dependency versions, database search_path, and low-privilege function creation.
- CVE-2026-8206: Kirki Page Builder — Unauthenticated Admin Account Takeover via Password Reset - CVSS 9.8. The Kirki 6.0.0–6.0.6 password reset endpoint sends the reset link to an attacker-supplied email address instead of the account owner's. One unauthenticated request hijacks any admin. 500K+ installs, Wordfence blocking 222+ attacks/day.
- CVE-2026-7465: Spectra / Ultimate Addons for Gutenberg — Contributor-level RCE in block rendering - CVSS 8.8. Authenticated (Contributor+) remote code execution in Spectra Gutenberg Blocks ≤ 2.19.25. Review Contributor accounts, block rendering behavior, and plugin version before reopening publishing access.
- CVE-2026-9757: GEO my WP — Unauthenticated SQL Injection via map boundary parameters - CVSS 7.5. SQL injection in GEO my WP (≤ 4.5.5) through map boundary query handling. Public Posts Locator pages should be patched and checked for unusual database access.
- CVE-2026-7459: Simple History — Subscriber+ account takeover via REST event context leak - CVSS 7.5. Simple History ≤ 5.26.0: react_to_event REST endpoints only verify login, not per-logger capabilities. Subscribers read password-reset email bodies and complete admin takeover.
- FreePBX-Cluster-2026-05: FreePBX May 2026 Cluster — 4 CVEs in one day (UCP takeover · CDR SQLi · OAuth bypass · path traversal) - CVSS 9.3. Four FreePBX CVEs published the same day. CVE-2026-46376 (9.3) is a pre-auth UCP takeover via hard-coded initial template credentials. CVE-2026-44238 (8.5) is SQL injection in the CDR Reports module via order/sort parameters. CVE-2026-44237 (7.6) — the OAuth2 validateClient() method unconditionally returns true. CVE-2026-44239 (7.6) is PHP path traversal in the Dashboard module's getcontent handler. Patch lines: 16.0.50 / 17.0.11.
- CVE-2026-4290: WP Travel Pro — Unauthenticated Arbitrary User Deletion - CVSS 9.1. Unauthenticated user deletion in WP Travel Pro (≤ 10.6.0). The affected REST permission path can allow destructive user deletion without a valid admin session. Patch to 10.6.1 and audit recent user changes.
- CVE-2026-6455: WP Contact Form 7 DB Handler — CSRF → SQLi → Deserialization → Arbitrary File Deletion - CVSS 8.1. The WP Contact Form 7 DB Handler plugin chains four flaws: CSRF bypass (nonce check skipped when field is absent), UNION-based SQL injection, PHP object injection, and arbitrary file deletion via path traversal. One admin click on a crafted link can delete wp-config.php and take down the entire site.
- CVE-2026-44329: BentoML Docker Build — Dockerfile Injection → Full Host RCE - CVSS 10.0. BentoML's Dockerfile template can mishandle docker.base_image from bento.yaml. Malicious build configuration may alter generated Dockerfile behavior during image builds. Patch BentoML and review build inputs before rebuilding.
- CVE-2026-42748: WordPress Triple-9.9: Unrestricted Upload & Path Traversal (3 plugins) - CVSS 9.9. Three separate WordPress plugins with CVSS 9.9 each published on the same day. CVE-2026-42748 is unrestricted file upload; CVE-2026-42756 and CVE-2026-42757 are path traversal vulnerabilities with changed scope (S:C), meaning a compromise can reach beyond WordPress to the wider server.
- CVE-2026-48027: Nx Console VS Code Extension — Supply Chain Attack (Actively Exploited) - CVSS 9.3. Malicious Nx Console version 18.95.0 was published to VS Code Marketplace for ~18 minutes and OpenVSX for ~36 minutes on May 19, 2026. The compromised extension contained embedded malicious code (CWE-506) that executed at activation. Auto-update users may have installed it. CISA has added this to the Known Exploited Vulnerabilities catalog.
- CVE-2026-48172: cPanel/WHM Redis Socket — Unauthenticated Privilege Escalation to Root - CVSS 10.0. Unauthenticated privilege escalation via Redis Unix socket in cPanel & WHM. Overly permissive socket access can let a local user or compromised PHP process write root-owned files through Redis. Third critical cPanel CVE in 2026.
- CVE-2026-4885: Piotnet Addons for Elementor Pro — Unauthenticated File Upload → RCE - CVSS 9.8. Unauthenticated arbitrary file upload in Piotnet Addons for Elementor Pro (≤ 7.1.70). Dangerous PHP-like uploads may execute on common hosting stacks, so owners should patch and inspect upload directories.
- CVE-2026-8719: AI Engine Plugin — Subscriber-to-Admin Privilege Escalation - CVSS 8.8. Privilege escalation in the AI Engine WordPress plugin (50,000+ active installs). Missing capability check in MCP OAuth bearer-token path lets any logged-in user, even Subscriber, escalate to Administrator. Patched in v3.4.10. Public registration sites are most exposed.
- CVE-2026-42945: NGINX Rift — 18-Year-Old RCE in ngx_http_rewrite_module - CVSS 9.2. Heap buffer overflow in ngx_http_rewrite_module. Risk rises on systems using the affected rewrite configuration pattern. In the codebase since 2008. Affects ~1/3 of all websites.
- CVE-2026-41940: cPanel/WHM Pre-Auth CRLF Injection → Root Access - CVSS 9.8. Pre-authentication CRLF injection in cPanel & WHM session handling leading to root access. 44,000 IPs compromised, 7,135 hit by .sorry ransomware. Persistent Mr_Rot13 Filemanager backdoor survives the patch. Second emergency TSR on May 8.
- CVE-2026-1492: WordPress User Registration & Membership — Auth Bypass → Admin Takeover - CVSS 9.8. Authentication bypass in the User Registration & Membership plugin (60,000+ active installs). An unauthenticated attacker can take over any account, including admin. Patched in 4.2.4 — older versions are wide open.
Recovery and search guides
- Find Hidden Backdoors After a Server Hack
- Hacked cPanel Server Recovery Playbook
- WordPress Site Hacked Recovery Guide
- .sorry Ransomware Extension Files Explained
- Mr_Rot13 Filemanager Backdoor Detection
- How to Use Google Search Console for SEO
- How to Check If a Website Is Down
- How to Check DNS Records Online
- How to Check If an SSL Certificate Is Valid
- How to Run a Ping Test Online
- How to Look Up an IP Address Location
- How to Use WHOIS to Look Up Domain Information