Cut the noise.
Know which vulnerabilities demand action.

Monitor and prioritize what really matters — the 1% of vulnerabilities that can cause real impact.

Analytics

EPSS Trending (30d)

Threat Indicators

829
CISA KEV
244
Exploits
493
Proof-of-Concept
10.7%
Average EPSS

EPSS Hot Zone

|
Sort by:
KEV Prediction — Top%
EPSS Percentile — Top%

Emerging Vulnerabilities

02 Jul/26
CVE-2026-5524
CRITICAL

This vulnerability is an arbitrary file upload flaw caused by improper validation of file extensions in the Divi Form Builder plugin's do_image_upload() function. The root cause lies in the direct interpolation of user-supplied input from the acceptFileTypes POST parameter into a regular expression used for file validation. This affects the file upload component responsible for restricting executable file types, allowing bypass of intended security controls.

CVSS 9.8
EPSS 0.5%
KEV Pred in 22d
Product Divi Engine Divi Form Builder divi
CVSS v3.1 CWE-434 PoC
26 Jun/26
CVE-2026-56011
HIGH

This vulnerability is an unauthenticated Cross-Site Scripting (XSS) flaw arising from improper sanitization of user-supplied input in the MapPress Maps for WordPress plugin, specifically versions up to 2.97.3. The issue resides in the plugin's handling of map-related parameters that are rendered in the frontend without adequate encoding or filtering, affecting the map display component responsible for embedding Google Maps within WordPress posts or pages.

CVSS 7.1
EPSS 0.2%
KEV Pred in 16d
Product chrisvrichardson MapPress Maps for WordPress chrisvrichardson
CVSS v3.1 CWE-79 PoC
19 Jun/26
CVE-2026-7515
CRITICAL

This vulnerability is a Local File Inclusion (LFI) flaw in the BetterDocs Pro WordPress plugin, specifically affecting versions up to 3.8.0. The root cause lies in insufficient input validation of the `doc_style` parameter, which allows an attacker to manipulate file inclusion logic. The affected component is the file inclusion mechanism within the plugin that processes the `doc_style` parameter without proper sanitization, enabling arbitrary file inclusion on the server.

CVSS 9.8
EPSS 0.9%
KEV Pred in 9d
Product BetterDocs Pro betterdocs
CVSS v3.1 CWE-98 PoC
19 Jun/26
CVE-2026-8713
CRITICAL

This vulnerability is an arbitrary file deletion flaw rooted in improper validation of file paths within the maybe_delete_files function of the Avada (Fusion) Builder plugin for WordPress. The issue arises from insufficient sanitization of user-supplied input, enabling path traversal attacks. The affected component is the Fusion_Form_DB_Privacy cleanup routine triggered during shutdown, which processes database entries related to form submissions.

CVSS 9.1
EPSS 1.2%
KEV Pred in 9d
Product themefusion Avada (Fusion) Builder themefusion
CVSS v3.1 CWE-22 PoC
11 Jun/26
CVE-2026-42647
CRITICAL

This vulnerability is a Blind SQL Injection resulting from improper neutralization of special elements in SQL commands within Beardev JoomSport. The root cause lies in insufficient input sanitization of user-supplied data that is directly incorporated into SQL queries without parameterization or escaping. The affected component is the JoomSport plugin for WordPress, specifically versions up to and including 5.7.7, where database query construction fails to properly handle malicious input.

CVSS 9.3
EPSS 1.3%
KEV Pred in 1d
Product Beardev JoomSport beardev
CVSS v3.1 CWE-89 PoC
11 Jun/26
CVE-2026-49060
CRITICAL

This vulnerability is an Incorrect Privilege Assignment flaw rooted in improper access control mechanisms within the Hippoo Mobile App for WooCommerce plugin. The issue arises because certain privileged functions or administrative features are accessible without proper authorization checks. The affected component is the privilege management system in versions up to 1.9.4, which fails to enforce restrictions on user capabilities, allowing unauthorized privilege escalation.

CVSS 9.8
EPSS 0.5%
KEV Pred in 1d
Product Hippoo Mobile App for WooCommerce hippoo
CVSS v3.1 CWE-266 PoC
10 Jun/26
CVE-2026-53435
HIGH

This vulnerability is a deserialization flaw in Jenkins core and plugins, allowing unsafe processing of attacker-controlled XML data. The root cause is insecure deserialization of arbitrary types from the `config.xml` submission, which is part of Jenkins' configuration management. The affected components include Jenkins versions 2.567 and earlier, and LTS 2.555.2 and earlier, specifically the configuration XML handling mechanism.

CVSS 8.8
EPSS 14.9%
KEV Pred N/A
Product Jenkins Project Jenkins jenkins
CVSS v3.1 CWE-502 PoC
05 Jun/26
CVE-2026-49777
CRITICAL

The vulnerability is an improper validation flaw related to the specified quantity input within the Product Slider Pro for WooCommerce plugin by ShapedPlugin, LLC. The root cause lies in insufficient sanitization and verification of user-supplied quantity parameters, allowing malicious data to bypass input controls. This flaw affects the input handling logic of the product quantity specification feature in versions prior to 3.5.4.

CVSS 10.0
EPSS 1.7%
KEV Pred 76%
Product ShapedPlugin, LLC Product Slider Pro for WooCommerce shapedplugin,
CVSS v3.1 CWE-1284 PoC
02 Jun/26
CVE-2026-8206
CRITICAL

This vulnerability is a privilege escalation flaw caused by improper validation in the password reset functionality of the Kirki – Freeform Page Builder plugin for WordPress. The root cause lies in the plugin accepting an arbitrary email address when a username is submitted during a password reset request. The affected component is the password reset handler within the plugin's form processing logic, which fails to verify that the email corresponds to the username provided.

CVSS 9.8
EPSS 1.3%
KEV Pred 52%
Product themeum Kirki – Freeform Page Builder, Website Builder & Customizer themeum
CVSS v3.1 CWE-269 PoC
30 May/26
CVE-2026-7465
HIGH

This vulnerability is a remote code execution flaw arising from improper handling of block registration and rendering in the Spectra Gutenberg Blocks plugin. The root cause is the ability for authenticated users with Contributor-level privileges or higher to register arbitrary block types prefixed with 'uagb-' and assign attacker-controlled render callbacks. During sequential block rendering, the plugin invokes these callbacks via call_user_func(), enabling execution of arbitrary PHP code on the server.

CVSS 8.8
EPSS 1.2%
KEV Pred 34%
Product brainstormforce Spectra Gutenberg Blocks – Website Builder for the Block Editor brainstormforce
CVSS v3.1 CWE-269 PoC
29 May/26
CVE-2026-8732
CRITICAL

This vulnerability is a privilege escalation flaw caused by improper access control in the WP Maps Pro WordPress plugin. The root cause lies in the wpgmp_temp_access_ajax AJAX action being registered with wp_ajax_nopriv_, allowing unauthenticated access. The protection relies solely on a nonce embedded in the frontend JavaScript, which is publicly accessible, rendering the nonce check ineffective as an authentication barrier.

CVSS 9.8
EPSS 9.5%
KEV Pred 71%
Product flippercode WP Maps Pro flippercode
CVSS v3.1 CWE-306 PoC
19 May/26
CVE-2026-47100
HIGH

This vulnerability is a missing authorization flaw in the FunnelKit Funnel Builder for WooCommerce Checkout plugin prior to version 3.15.0.3. The root cause is the lack of access control on the public AJAX checkout endpoint, which permits unauthenticated requests to invoke internal methods. The affected component is the plugin's External Scripts global setting, which can be manipulated through this unauthorized access vector.

CVSS 7.5
EPSS 0.5%
KEV Pred 69%
Product FunnelKit Funnel Builder for WooCommerce Checkout funnelkit
CVSS v3.1 CVSS v4.0 CWE-862 PoC
08 May/26
CVE-2026-44338
HIGH

The vulnerability is an authentication bypass in the legacy Flask API server component of PraisonAI versions 2.5.6 through 4.6.33. The root cause is that the Flask API server ships with authentication disabled by default, allowing unauthenticated access to sensitive API endpoints. Specifically, the /agents endpoint and the /chat endpoint, which triggers workflows defined in agents.yaml, are exposed without requiring token-based authentication.

CVSS 7.3
EPSS 26.8%
KEV Pred 68%
Product MervinPraison PraisonAI mervinpraison
CVSS v3.1 CWE-306 PoC
05 May/26
CVE-2026-36356
CRITICAL

This vulnerability is an unauthenticated OS command injection affecting the GoAhead web server component embedded in MeiG Smart FORGE_SLT711 devices running firmware MDM9607.LE.1.0-00110-STD.PROD-1. The root cause lies in inadequate input validation on the /action/SetRemoteAccessCfg HTTP endpoint, which directly passes user-supplied data to system command execution functions without proper sanitization, allowing arbitrary commands to be injected and executed on the underlying operating system.

CVSS 9.1
EPSS 13.5%
KEV Pred 72%
Product N/A
CVSS v3.1 CWE-78 PoC
23 Apr/26
CVE-2026-3844
CRITICAL

The Breeze Cache plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'fetch_gravatar_from_remote' function in all versions up to, and including, 2.4.4. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. The vulnerability can only be exploited if "Host Files Locally - Gravatars" is enabled, which is disabled by default.

CVSS 9.8
EPSS 36.5%
KEV Pred 66%
Product cloudways Breeze Cache cloudways
CVSS v3.1 CWE-434 PoC
17 Apr/26
CVE-2026-5718
HIGH

This vulnerability is an arbitrary file upload flaw caused by improper file type validation in the Drag and Drop Multiple File Upload for Contact Form 7 WordPress plugin. The root cause lies in the plugin's handling of custom blacklist configurations, which overwrite the default denylist instead of merging, combined with a sanitization bypass for filenames containing non-ASCII characters in the wpcf7_antiscript_file_name() function. The affected component is the file upload handler within the plugin's codebase for versions up to 1.3.9.7.

CVSS 8.1
EPSS 4.2%
KEV Pred 69%
Product glenwpcoder Drag and Drop Multiple File Upload for Contact Form 7 glenwpcoder
CVSS v3.1 CWE-434 PoC
16 Apr/26
CVE-2026-5426
CRITICAL

This vulnerability is a deserialization flaw caused by a hard-coded machineKey value in ASP.NET/IIS configurations within Digital Knowledge KnowledgeDeliver deployments prior to February 24, 2026. The fixed machineKey is used for ViewState validation, and its static nature allows attackers to craft malicious ViewState payloads that bypass integrity checks. The affected component is the ViewState validation mechanism in the ASP.NET application framework of KnowledgeDeliver.

CVSS 9.1
EPSS 1.0%
KEV Pred 74%
Product Digital Knowledge KnowledgeDeliver digital
CVSS v3.1 CWE-321 PoC
14 Apr/26
CVE-2026-39813
CRITICAL

This vulnerability is a path traversal flaw in Fortinet FortiSandbox versions 4.4.0 through 4.4.8 and 5.0.0 through 5.0.5. The root cause lies in improper validation of user-supplied input within HTTP request parameters, allowing directory traversal sequences such as '../filedir' to access unauthorized filesystem locations. The affected component is the HTTP interface of FortiSandbox, which fails to sanitize path inputs correctly, enabling manipulation of file paths beyond intended boundaries.

CVSS 9.8
EPSS 16.7%
KEV Pred 75%
Product Fortinet FortiSandbox fortinet
CVSS v3.1 CWE-24 PoC
31 Mar/26
CVE-2026-4020
HIGH

This vulnerability is a Sensitive Information Exposure caused by improper access control in the Gravity SMTP WordPress plugin. The root cause lies in a REST API endpoint (/wp-json/gravitysmtp/v1/tests/mock-data) that registers a permission callback which unconditionally returns true, effectively bypassing authentication checks. This flaw affects all versions of the Gravity SMTP plugin up to and including 2.1.4, specifically within the plugin's REST API implementation.

CVSS 7.5
EPSS 39.7%
KEV Pred 50%
Product RocketGenius Gravity SMTP rocketgenius
CVSS v3.1 CWE-200 PoC
20 Mar/26
CVE-2026-3584
CRITICAL

This vulnerability is a remote code execution flaw originating from unsafe dynamic function invocation in the Kali Forms WordPress plugin. The root cause lies in the 'prepare_post_data' function, which maps user-supplied input keys directly into internal placeholders without validation. Subsequently, the 'form_process' function invokes these placeholders via 'call_user_func', enabling execution of arbitrary code supplied by unauthenticated users. The affected component is the form processing mechanism within Kali Forms versions up to and including 2.4.9.

CVSS 9.8
EPSS 7.2%
KEV Pred 68%
Product wpchill Kali Forms — Contact Form & Drag-and-Drop Builder wpchill
CVSS v3.1 CWE-94 PoC
24 Feb/21
CVE-2021-21974
HIGH

This vulnerability is a heap overflow caused by improper handling of network messages within the OpenSLP service in VMware ESXi. The flaw arises from insufficient bounds checking when processing requests received on UDP port 427, leading to memory corruption in the heap. The affected component is the OpenSLP daemon responsible for service location protocol operations in ESXi versions prior to specified patches.

CVSS 8.8
EPSS 45.1%
KEV Pred 57%
Product VMware ESXi vmware
CVSS v3.1 CWE-787 PoC RANSOMWARE