17 vulnerabilities across 15 products scored HIGH or above on June 15, 2026.

  • HIGH: 17

[HIGH] spring/spring_cloud_gateway

1 CVE | CVSS 3.1: 8.6 | AAS 11.4

  • cpe:2.3:a:spring:spring_cloud_gateway:*:*:*:*:*:*:*:* (>= 3.1.0, < 3.1.13)
  • cpe:2.3:a:spring:spring_cloud_gateway:*:*:*:*:*:*:*:* (>= 4.1.0, < 4.1.13)
  • cpe:2.3:a:spring:spring_cloud_gateway:*:*:*:*:*:*:*:* (>= 4.2.0, < 4.2.9)
  • cpe:2.3:a:spring:spring_cloud_gateway:*:*:*:*:*:*:*:* (>= 4.3.0, < 4.3.5)
  • cpe:2.3:a:spring:spring_cloud_gateway:*:*:*:*:*:*:*:* (>= 5.0.0, < 5.0.2)

Spring Cloud Gateway versions 3.1.x through 5.0.x are vulnerable to header spoofing attacks (CVE-2026-47825, CVSS 8.6) in both WebMVC and WebFlux implementations when certain proxy configurations forward untrusted headers. Attackers can manipulate X-Forwarded-For and Forwarded headers to bypass authentication or redirect traffic in affected deployments. Organizations should upgrade to patched versions 3.1.13, 4.1.13, 4.2.9, 4.3.5, or 5.0.2 immediately, or disable untrusted proxy header forwarding in their configuration.

Vendor Advisory


[HIGH] npm/electron

1 CVE | CVSS 3.1: 9.5 | AAS 11.3

  • cpe:2.3:a:npm:electron:*:*:*:*:*:*:*:* (< 42.3.3)

Electron versions prior to 42.3.3 contain a buffer handling vulnerability (CVE-2026-54257, CVSS 9.5) in the Node.js Buffer API that causes application crashes and incorrect memory allocations. The flaw can result in unexpected buffer truncation or allocation failures in any Electron-based application, affecting those applications and their users. Organizations should immediately upgrade to Electron 42.3.3 or later, as no workarounds are available.

Vendor Advisory


[HIGH] videowhisper.com/broadcast_live_video

1 CVE | CVSS 3.1: 9.8 | AAS 11.1

  • cpe:2.3:a:videowhisper.com:broadcast_live_video:*:*:*:*:*:*:*:*

The Broadcast Live Video WordPress plugin versions prior to 7.1.3 contain an unauthenticated PHP object injection vulnerability (CVE-2026-27053, CVSS 9.8) allowing remote code execution without authentication. All WordPress sites using vulnerable versions of this plugin are at risk of complete compromise. Site administrators should update to version 7.1.3 immediately.

Vendor Advisory


[HIGH] @vitest/browser

1 CVE | CVSS 3.1: 9.8 | AAS 11.1

  • cpe:2.3:a:vitest:browser:*:*:*:*:*:*:*:*

Vitest Browser Mode contains a vulnerability (CVE-2026-53633, CVSS 9.8) where the exposed cdp() API bypasses configured security restrictions like allowWrite and allowExec, allowing attackers to perform write or execution operations regardless of settings. This exploitable flaw affects all Vitest Browser Mode deployments that expose the browser API to untrusted sources. Development teams should check the vendor advisory for patches and restrict browser API access to trusted clients only.

Vendor Advisory


[HIGH] tomdever/wpforo_forum

2 CVEs | CVSS 3.1: 9.8 | AAS 11.1

  • cpe:2.3:a:tomdever:wpforo_forum:*:*:*:*:*:*:*:*

The wpForo Forum WordPress plugin versions 3.1.0 and earlier contain multiple unauthenticated PHP object injection vulnerabilities (CVE-2026-49769, CVE-2026-40798, CVSS 9.8) enabling remote code execution without authentication. All WordPress sites running vulnerable versions are at risk of complete compromise. Site administrators should update immediately to a patched version.

Vendor Advisory


[HIGH] dwbooster/booking_calendar_contact_form

2 CVEs | CVSS 4.0: 8.8 | AAS 10.7

  • cpe:2.3:a:dwbooster:booking_calendar_contact_form:*:*:*:*:*:*:*:*

The Booking Calendar Contact Form WordPress plugin version 1.0.23 contains multiple unauthenticated SQL injection vulnerabilities (CVE-2016-20068, CVE-2016-20069, CVSS 8.8) allowing attackers to extract sensitive database information without authentication. The flaws are exploitable through the admin-ajax.php endpoint with crafted SQL commands in the id parameter. Site administrators should immediately update to a patched version or disable the plugin until a fix is released.

Vendor Advisory


[HIGH] 404-redirection-manager/404_redirection_manager

1 CVE | CVSS 4.0: 8.8 | AAS 10.7

  • cpe:2.3:a:404-redirection-manager:404_redirection_manager:*:*:*:*:*:*:*:*

The 404 Redirection Manager WordPress plugin version 1.0 contains an unauthenticated SQL injection vulnerability (CVE-2016-20071, CVSS 8.8) allowing remote attackers to execute arbitrary SQL queries and extract sensitive database information. The flaw is exploitable through unsanitized user input via crafted GET requests with SQL injection payloads. Site administrators should immediately update to a patched version or disable the plugin until a fix is available.

Vendor Advisory


[HIGH] bbsetheme/bbs_e-franchise

1 CVE | CVSS 4.0: 8.8 | AAS 10.7

  • cpe:2.3:a:bbsetheme:bbs_e-franchise:*:*:*:*:*:*:*:*

The BBS e-Franchise WordPress plugin version 1.1.1 contains an unauthenticated SQL injection vulnerability (CVE-2016-20072, CVSS 8.8) allowing remote attackers to execute arbitrary SQL queries and extract sensitive data including user information and taxonomy terms. The flaw is exploitable through UNION-based SQL injection in the uid parameter of pages using the plugin’s shortcode. Site administrators should immediately update to a patched version or disable the plugin until a fix is available.

Vendor Advisory


[HIGH] mattkaye/answer_my_question

1 CVE | CVSS 4.0: 8.8 | AAS 10.7

  • cpe:2.3:a:mattkaye:answer_my_question:*:*:*:*:*:*:*:*

The Answer My Question WordPress plugin version 1.3 contains an unauthenticated SQL injection vulnerability (CVE-2016-20073, CVSS 8.8) allowing remote attackers to execute arbitrary SQL queries and extract sensitive database information including WordPress terms and configuration data. The flaw is exploitable through crafted SQL statements submitted to the modal.php endpoint via the id POST parameter. Site administrators should immediately update to a patched version or disable the plugin until a fix is available.

Vendor Advisory


[HIGH] paolo/geodirectory

1 CVE | CVSS 3.1: 9.3 | AAS 10.6

  • cpe:2.3:a:paolo:geodirectory:*:*:*:*:*:*:*:*

The GeoDirectory WordPress plugin versions 2.8.152 and earlier contain an unauthenticated SQL injection vulnerability (CVE-2026-39512, CVSS 9.3) allowing remote attackers to execute arbitrary SQL queries and extract sensitive database information. This exploitable flaw affects all WordPress sites running vulnerable versions of the plugin. Site administrators should immediately update to a patched version to prevent potential database compromise.

Vendor Advisory


[HIGH] cherryframework/cherry_framework_themes

1 CVE | CVSS 4.0: 8.7 | AAS 10.6

  • cpe:2.3:a:cherryframework:cherry_framework_themes:*:*:*:*:*:*:*:*

WordPress CherryFramework Themes version 3.1.4 contains an information disclosure vulnerability (CVE-2018-25437, CVSS 8.7) allowing unauthenticated attackers to download sensitive backup files containing the entire theme directory. Attackers can directly access the download_backup.php endpoint in the admin/data_management directory to obtain ZIP archives of wp-content/themes, potentially exposing source code and configuration details. Site administrators should immediately update to a patched version or remove the download_backup.php file if a patch is unavailable.

Vendor Advisory


[HIGH] chrishurst/simple_backup

1 CVE | CVSS 4.0: 8.7 | AAS 10.6

  • cpe:2.3:a:chrishurst:simple_backup:*:*:*:*:*:*:*:*

WordPress Simple-Backup plugin version 2.7.11 contains vulnerabilities (CVE-2016-20076, CVSS 8.7) allowing unauthenticated attackers to delete arbitrary files and download sensitive files through directory traversal in the tools.php endpoint. Attackers can manipulate the delete_backup_file and download_backup_file parameters to access wp-config.php, database dumps, and other sensitive files, or delete critical files like .htaccess to expose backup directories. Site administrators should immediately update to a patched version or disable the plugin until a fix is available.

Vendor Advisory


[HIGH] husain/hb_audio_gallery_lite

1 CVE | CVSS 4.0: 8.7 | AAS 10.6

  • cpe:2.3:a:husain:hb_audio_gallery_lite:*:*:*:*:*:*:*:*

WordPress HB Audio Gallery Lite plugin version 1.0.0 contains a path traversal vulnerability (CVE-2016-20081, CVSS 8.7) allowing unauthenticated attackers to download arbitrary files by manipulating the file_path parameter. Attackers can send requests to the audio-download.php endpoint with directory traversal sequences to access sensitive files like wp-config.php outside the intended gallery directory. Site administrators should immediately update to a patched version or disable the plugin until a fix is available.

Vendor Advisory


[HIGH] mantrabrain/easy_invoice

1 CVE | CVSS 3.1: 10.0 | AAS 10.3

  • cpe:2.3:a:mantrabrain:easy_invoice:*:*:*:*:*:*:*:* (< 2.1.20)

The Easy Invoice WordPress plugin versions 2.1.19 and earlier contain an unauthenticated remote code execution vulnerability (CVE-2026-48836, CVSS 10.0) allowing attackers to execute arbitrary code and fully compromise affected sites. This exploitable flaw poses an immediate and critical risk to all WordPress installations running vulnerable versions. Site administrators must immediately update to a patched version or disable the plugin to prevent complete system compromise.

Vendor Advisory


[HIGH] red_hat/red_hat_enterprise_linux_10

1 CVE | CVSS 3.1: 8.8 | AAS 10.1

  • cpe:2.3:a:redhat:enterprise_linux:*:*:*:*:*:*:*:*

Red Hat Enterprise Linux 10 contains a heap buffer overflow vulnerability in GStreamer’s librfb RFB/VNC client (CVE-2026-52720, CVSS 8.8) that allows remote attackers to trigger out-of-bounds heap writes by connecting to a malicious VNC server. The flaw results from improper rectangle bounds validation that checks total area instead of individual dimensions, potentially leading to code execution or denial of service. Users should immediately apply available patches from Red Hat or avoid connecting to untrusted VNC servers.

Vendor Advisory