CVE-2026-20979 - Samsung Settings Privilege Escalation Vulnerability
CVE ID : CVE-2026-20979
Published : 2026年2月4日 06:14 | 32 分钟 ago
Description : Improper privilege management in Settings prior to SMR Feb-2026 Release 1 allows local attackers to launch arbitrary activity with Settings privilege.
Severity: 8.4 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-20979
Published : 2026年2月4日 06:14 | 32 分钟 ago
Description : Improper privilege management in Settings prior to SMR Feb-2026 Release 1 allows local attackers to launch arbitrary activity with Settings privilege.
Severity: 8.4 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-20980 - PACM Command Injection Vulnerability
CVE ID : CVE-2026-20980
Published : 2026年2月4日 06:14 | 32 分钟 ago
Description : Improper input validation in PACM prior to SMR Feb-2026 Release 1 allows physical attacker to execute arbitrary commands.
Severity: 7.0 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-20980
Published : 2026年2月4日 06:14 | 32 分钟 ago
Description : Improper input validation in PACM prior to SMR Feb-2026 Release 1 allows physical attacker to execute arbitrary commands.
Severity: 7.0 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-20981 - "FacAtFunction Privileged Physical Command Execution Vulnerability"
CVE ID : CVE-2026-20981
Published : 2026年2月4日 06:14 | 32 分钟 ago
Description : Improper input validation in FacAtFunction prior to SMR Feb-2026 Release 1 allows privileged physical attacker to execute arbitrary command with system privilege.
Severity: 5.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-20981
Published : 2026年2月4日 06:14 | 32 分钟 ago
Description : Improper input validation in FacAtFunction prior to SMR Feb-2026 Release 1 allows privileged physical attacker to execute arbitrary command with system privilege.
Severity: 5.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-20982 - Adobe ShortcutService File Traversal Vulnerability
CVE ID : CVE-2026-20982
Published : 2026年2月4日 06:14 | 32 分钟 ago
Description : Path traversal in ShortcutService prior to SMR Feb-2026 Release 1 allows privileged local attacker to create file with system privilege.
Severity: 6.8 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-20982
Published : 2026年2月4日 06:14 | 32 分钟 ago
Description : Path traversal in ShortcutService prior to SMR Feb-2026 Release 1 allows privileged local attacker to create file with system privilege.
Severity: 6.8 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-20983 - Samsung Dialer Component Privilege Escalation Vulnerability
CVE ID : CVE-2026-20983
Published : 2026年2月4日 06:14 | 32 分钟 ago
Description : Improper export of android application components in Samsung Dialer prior to SMR Feb-2026 Release 1 allows local attackers to launch arbitrary activity with Samsung Dialer privilege.
Severity: 8.4 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-20983
Published : 2026年2月4日 06:14 | 32 分钟 ago
Description : Improper export of android application components in Samsung Dialer prior to SMR Feb-2026 Release 1 allows local attackers to launch arbitrary activity with Samsung Dialer privilege.
Severity: 8.4 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-20984 - Galaxy Wearable Permission Denial-of-Service
CVE ID : CVE-2026-20984
Published : 2026年2月4日 06:14 | 32 分钟 ago
Description : Improper handling of insufficient permission in Galaxy Wearable installed on non-Samsung Device prior to version 2.2.68 allows local attackers to access sensitive information.
Severity: 5.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-20984
Published : 2026年2月4日 06:14 | 32 分钟 ago
Description : Improper handling of insufficient permission in Galaxy Wearable installed on non-Samsung Device prior to version 2.2.68 allows local attackers to access sensitive information.
Severity: 5.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-20985 - Samsung Members URL Injection Vulnerability
CVE ID : CVE-2026-20985
Published : 2026年2月4日 06:14 | 31 分钟 ago
Description : Improper input validation in Samsung Members prior to version 5.6.00.11 allows remote attackers to connect arbitrary URL and launch arbitrary activity with Samsung Members privilege. User interaction is required for triggering this vulnerability.
Severity: 7.0 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-20985
Published : 2026年2月4日 06:14 | 31 分钟 ago
Description : Improper input validation in Samsung Members prior to version 5.6.00.11 allows remote attackers to connect arbitrary URL and launch arbitrary activity with Samsung Members privilege. User interaction is required for triggering this vulnerability.
Severity: 7.0 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-20986 - Samsung Members Path Traversal Vulnerability
CVE ID : CVE-2026-20986
Published : 2026年2月4日 06:14 | 31 分钟 ago
Description : Path traversal in Samsung Members prior to Chinese version 15.5.05.4 allows local attackers to overwrite data within Samsung Members.
Severity: 5.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-20986
Published : 2026年2月4日 06:14 | 31 分钟 ago
Description : Path traversal in Samsung Members prior to Chinese version 15.5.05.4 allows local attackers to overwrite data within Samsung Members.
Severity: 5.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-20987 - GalaxyDiagnostics Privilege Escalation Vulnerability
CVE ID : CVE-2026-20987
Published : 2026年2月4日 06:14 | 31 分钟 ago
Description : Improper input validation in GalaxyDiagnostics prior to version 3.5.050 allows local privileged attackers to execute privileged commands.
Severity: 8.7 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-20987
Published : 2026年2月4日 06:14 | 31 分钟 ago
Description : Improper input validation in GalaxyDiagnostics prior to version 3.5.050 allows local privileged attackers to execute privileged commands.
Severity: 8.7 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-21393 - Movable Type Stored Cross-Site Scripting Vulnerability
CVE ID : CVE-2026-21393
Published : Feb. 4, 2026, 7:16 a.m. | 3 hours, 31 minutes ago
Description : Movable Type contains a stored cross-site scripting vulnerability in Edit Comment. If crafted input is stored by an attacker, arbitrary script may be executed on a logged-in user's web browser. Note that Movable Type 7 series and 8.4 series, which are End-of-Life (EOL), are affected by the vulnerability as well.
Severity: 5.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-21393
Published : Feb. 4, 2026, 7:16 a.m. | 3 hours, 31 minutes ago
Description : Movable Type contains a stored cross-site scripting vulnerability in Edit Comment. If crafted input is stored by an attacker, arbitrary script may be executed on a logged-in user's web browser. Note that Movable Type 7 series and 8.4 series, which are End-of-Life (EOL), are affected by the vulnerability as well.
Severity: 5.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-22875 - Movable Type Stored Cross-Site Scripting Vulnerability
CVE ID : CVE-2026-22875
Published : Feb. 4, 2026, 7:16 a.m. | 3 hours, 31 minutes ago
Description : Movable Type contains a stored cross-site scripting vulnerability in Export Sites. If crafted input is stored by an attacker, arbitrary script may be executed on a logged-in user's web browser. Note that Movable Type 7 series and 8.4 series, which are End-of-Life (EOL), are affected by the vulnerability as well.
Severity: 5.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-22875
Published : Feb. 4, 2026, 7:16 a.m. | 3 hours, 31 minutes ago
Description : Movable Type contains a stored cross-site scripting vulnerability in Export Sites. If crafted input is stored by an attacker, arbitrary script may be executed on a logged-in user's web browser. Note that Movable Type 7 series and 8.4 series, which are End-of-Life (EOL), are affected by the vulnerability as well.
Severity: 5.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-23704 - Movable Type Cross-Site Scripting (XSS) Vulnerability
CVE ID : CVE-2026-23704
Published : Feb. 4, 2026, 7:16 a.m. | 3 hours, 31 minutes ago
Description : A non-administrative user can upload malicious files. When an administrator or the product accesses that file, an arbitrary script may be executed on the administrator's browser. Note that Movable Type 7 series and 8.4 series, which are End-of-Life (EOL), are affected by the vulnerability as well.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-23704
Published : Feb. 4, 2026, 7:16 a.m. | 3 hours, 31 minutes ago
Description : A non-administrative user can upload malicious files. When an administrator or the product accesses that file, an arbitrary script may be executed on the administrator's browser. Note that Movable Type 7 series and 8.4 series, which are End-of-Life (EOL), are affected by the vulnerability as well.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-24447 - Six Apart Movable Type Remote Code Execution Vulnerability
CVE ID : CVE-2026-24447
Published : Feb. 4, 2026, 7:16 a.m. | 3 hours, 30 minutes ago
Description : If a malformed data is input to the affected product, a CSV file downloaded from the affected product may contain such malformed data. When a victim user download and open such a CSV file, the embedded code may be executed in the user's environment. Note that Movable Type 7 series and 8.4 series, which are End-of-Life (EOL), are affected by the vulnerability as well.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-24447
Published : Feb. 4, 2026, 7:16 a.m. | 3 hours, 30 minutes ago
Description : If a malformed data is input to the affected product, a CSV file downloaded from the affected product may contain such malformed data. When a victim user download and open such a CSV file, the embedded code may be executed in the user's environment. Note that Movable Type 7 series and 8.4 series, which are End-of-Life (EOL), are affected by the vulnerability as well.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-1819 - Stored XSS in Karel Electronics' ViPort
CVE ID : CVE-2026-1819
Published : Feb. 4, 2026, 8:16 a.m. | 2 hours, 30 minutes ago
Description : Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Karel Electronics Industry and Trade Inc. ViPort allows Stored XSS.This issue affects ViPort: through 23012026.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-1819
Published : Feb. 4, 2026, 8:16 a.m. | 2 hours, 30 minutes ago
Description : Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Karel Electronics Industry and Trade Inc. ViPort allows Stored XSS.This issue affects ViPort: through 23012026.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-14461 - Xendit Payment <= 6.0.2 - Missing Authorization to Unauthenticated Arbitrary Order Status Update to Paid
CVE ID : CVE-2025-14461
Published : Feb. 4, 2026, 9:15 a.m. | 1 hour, 31 minutes ago
Description : The Xendit Payment plugin for WordPress is vulnerable to unauthorized order status manipulation in all versions up to, and including, 6.0.2. This is due to the plugin exposing a publicly accessible WooCommerce API callback endpoint (`wc_xendit_callback`) that processes payment callbacks without any authentication or cryptographic verification that the requests originate from Xendit's payment gateway. This makes it possible for unauthenticated attackers to mark any WooCommerce order as paid by sending a crafted POST request to the callback URL with a JSON body containing an `external_id` matching the order ID pattern and a `status` of 'PAID' or 'SETTLED', granted they can enumerate order IDs (which are sequential integers). This leads to orders being fraudulently marked as completed without any actual payment, resulting in financial loss and inventory depletion.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-14461
Published : Feb. 4, 2026, 9:15 a.m. | 1 hour, 31 minutes ago
Description : The Xendit Payment plugin for WordPress is vulnerable to unauthorized order status manipulation in all versions up to, and including, 6.0.2. This is due to the plugin exposing a publicly accessible WooCommerce API callback endpoint (`wc_xendit_callback`) that processes payment callbacks without any authentication or cryptographic verification that the requests originate from Xendit's payment gateway. This makes it possible for unauthenticated attackers to mark any WooCommerce order as paid by sending a crafted POST request to the callback URL with a JSON body containing an `external_id` matching the order ID pattern and a `status` of 'PAID' or 'SETTLED', granted they can enumerate order IDs (which are sequential integers). This leads to orders being fraudulently marked as completed without any actual payment, resulting in financial loss and inventory depletion.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-15260 - MyRewards – Loyalty Points and Rewards for WooCommerce <= 5.6.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Loyalty Rule Modification
CVE ID : CVE-2025-15260
Published : Feb. 4, 2026, 9:15 a.m. | 1 hour, 31 minutes ago
Description : The MyRewards – Loyalty Points and Rewards for WooCommerce plugin for WordPress is vulnerable to missing authorization in all versions up to, and including, 5.6.0. This is due to the plugin not properly verifying that a user is authorized to perform an action in the 'ajax' function. This makes it possible for authenticated attackers, with subscriber level access and above, to modify, add, or delete loyalty program earning rules, including manipulating point multipliers to arbitrary values.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-15260
Published : Feb. 4, 2026, 9:15 a.m. | 1 hour, 31 minutes ago
Description : The MyRewards – Loyalty Points and Rewards for WooCommerce plugin for WordPress is vulnerable to missing authorization in all versions up to, and including, 5.6.0. This is due to the plugin not properly verifying that a user is authorized to perform an action in the 'ajax' function. This makes it possible for authenticated attackers, with subscriber level access and above, to modify, add, or delete loyalty program earning rules, including manipulating point multipliers to arbitrary values.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-15268 - Infility Global <= 2.14.46 - Unauthenticated SQL Injection via Predictable API Key and IP Whitelist Bypass
CVE ID : CVE-2025-15268
Published : Feb. 4, 2026, 9:15 a.m. | 1 hour, 31 minutes ago
Description : The Infility Global plugin for WordPress is vulnerable to unauthenticated SQL Injection via the 'infility_get_data' API action in all versions up to, and including, 2.14.46. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append - with certain server configurations - additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-15268
Published : Feb. 4, 2026, 9:15 a.m. | 1 hour, 31 minutes ago
Description : The Infility Global plugin for WordPress is vulnerable to unauthenticated SQL Injection via the 'infility_get_data' API action in all versions up to, and including, 2.14.46. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append - with certain server configurations - additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-15285 - SEO Flow by LupsOnline <= 2.2.1 - Unauthenticated Arbitrary Post/Category Modification
CVE ID : CVE-2025-15285
Published : Feb. 4, 2026, 9:15 a.m. | 1 hour, 31 minutes ago
Description : The SEO Flow by LupsOnline plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the checkBlogAuthentication() and checkCategoryAuthentication() functions in all versions up to, and including, 2.2.1. These authorization functions only implement basic API key authentication but fail to implement WordPress capability checks. This makes it possible for unauthenticated attackers to create, modify, and delete blog posts and categories.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-15285
Published : Feb. 4, 2026, 9:15 a.m. | 1 hour, 31 minutes ago
Description : The SEO Flow by LupsOnline plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the checkBlogAuthentication() and checkCategoryAuthentication() functions in all versions up to, and including, 2.2.1. These authorization functions only implement basic API key authentication but fail to implement WordPress capability checks. This makes it possible for unauthenticated attackers to create, modify, and delete blog posts and categories.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-15482 - Chapa Payment Gateway Plugin for WooCommerce <= 1.0.3 - Unauthenticated Sensitive Information Exposure
CVE ID : CVE-2025-15482
Published : Feb. 4, 2026, 9:15 a.m. | 1 hour, 31 minutes ago
Description : The Chapa Payment Gateway Plugin for WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.3 via 'chapa_proceed' WooCommerce API endpoint. This makes it possible for unauthenticated attackers to extract sensitive data including the merchant's Chapa secret API key.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-15482
Published : Feb. 4, 2026, 9:15 a.m. | 1 hour, 31 minutes ago
Description : The Chapa Payment Gateway Plugin for WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.3 via 'chapa_proceed' WooCommerce API endpoint. This makes it possible for unauthenticated attackers to extract sensitive data including the merchant's Chapa secret API key.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-15487 - Code Explorer <= 1.4.6 - Authenticated (Administrator+) Arbitrary File Read via 'file' Parameter
CVE ID : CVE-2025-15487
Published : Feb. 4, 2026, 9:15 a.m. | 1 hour, 31 minutes ago
Description : The Code Explorer plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.4.6 via the 'file' parameter. This makes it possible for authenticated attackers, with Administrator-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
Severity: 4.9 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-15487
Published : Feb. 4, 2026, 9:15 a.m. | 1 hour, 31 minutes ago
Description : The Code Explorer plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.4.6 via the 'file' parameter. This makes it possible for authenticated attackers, with Administrator-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
Severity: 4.9 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-15507 - Magic Import Document Extractor <= 1.0.4 - Missing Authorization to Unauthenticated Plugin License Status Modification
CVE ID : CVE-2025-15507
Published : Feb. 4, 2026, 9:15 a.m. | 1 hour, 31 minutes ago
Description : The Magic Import Document Extractor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_sync_usage() function in all versions up to, and including, 1.0.4. This makes it possible for unauthenticated attackers to modify the plugin's license status and credit balance.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-15507
Published : Feb. 4, 2026, 9:15 a.m. | 1 hour, 31 minutes ago
Description : The Magic Import Document Extractor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_sync_usage() function in all versions up to, and including, 1.0.4. This makes it possible for unauthenticated attackers to modify the plugin's license status and credit balance.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...