Published threat advisories for May 22, 2026

STER applications send data without encryption, risking sensitive information like passwords being stolen via network interception. This advisory warrants attention due to the potential exposure of critical user data.

NVD published: May 22, 2026

STER software has a weakness that allows an internal attacker to decipher stored user passwords. This could lead to unauthorized access to sensitive business data and grant the attacker administrative control over the platform.

NVD published: May 22, 2026

An internal attacker with legitimate access can exploit search filters in STER to bypass security controls and retrieve private information belonging to other users. This exposes the business to potential widespread theft of sensitive organizational and customer data.

NVD published: May 22, 2026

WordPress Ditty plugin versions prior to 3.1.66 allow anyone to view private drafts and scheduled posts, potentially exposing sensitive information from your website.

NVD published: May 22, 2026

A WordPress form plugin called Vedrixa Forms allows authenticated users to change any form's structure, potentially impacting data collection and site integrity. This warrants attention now due to the ease with which basic users can exploit it.

NVD published: May 22, 2026

The MotoPress Hotel Booking plugin for WordPress has a flaw allowing anyone to alter or delete internal booking notes without logging in, impacting business data on public-facing websites.

NVD published: May 22, 2026

The AudioIgniter WordPress plugin can expose private playlist details, like song titles and download links, to anyone on the internet. This could help attackers gather information about your site's content.

NVD published: May 22, 2026

An internal attacker with low-level access can bypass security controls within the TeamViewer DEX Platform to run restricted commands. This allows them to take full control of the management software, risking unauthorized access to sensitive company data and critical IT infrastructure.

NVD published: May 22, 2026

The FluentCRM WordPress plugin has a vulnerability allowing unauthenticated attackers to make your website request other systems, potentially exposing internal information if certain email settings are not configured.

NVD published: May 22, 2026

The Slider by Soliloquy WordPress plugin can expose draft content and unpublished media URLs to authenticated users, potentially revealing information before it's meant to be public.

NVD published: May 22, 2026

A WordPress plugin lets attackers trick administrators into changing widget settings, potentially altering your site's appearance without proper authorization. Update the Widget Context plugin now.

NVD published: May 22, 2026

An external attacker with WordPress author access can inject scripts into draft post titles, which run when others view the page, potentially stealing session cookies or redirecting users to phishing sites. This can lead to unauthorized access to user accounts.

NVD published: May 22, 2026

A flaw in the Easy Elements for Elementor WordPress plugin could let anyone with a new account become an administrator. This is critical for sites with user registration enabled and a public login widget.

NVD published: May 22, 2026

An internal attacker can inject malicious scripts into WordPress pages using the KIA Subtitle plugin, potentially hijacking user sessions or stealing credentials. This matters because it allows unauthorized script execution in users' browsers.

NVD published: May 22, 2026

The Location Weather WordPress plugin has a flaw allowing users with contributor access to disable weather features and clear cached data, impacting website content.

NVD published: May 22, 2026

A security flaw in the WordPress CBX 5 Star Rating & Review plugin could let attackers run malicious scripts in your admin's browser if they click a bad link, potentially impacting your site.

NVD published: May 22, 2026

A security flaw in the Alfie WordPress plugin allows attackers to delete your data if an administrator clicks a malicious link. This could lead to significant data loss on your website.

NVD published: May 22, 2026

An external attacker can send malicious network traffic to the 9front operating system to trigger a total system crash. This vulnerability poses a significant risk to operations by allowing the attacker to cause repeated service outages, resulting in system downtime and a loss of user access.

NVD published: May 22, 2026

A serious flaw in the WP ERP Pro plugin for WordPress could allow attackers to steal sensitive data from your website, even without a login. Update immediately to protect your information.

NVD published: May 22, 2026

A vulnerability in a cryptographic library could allow signatures from security keys to be accepted without user presence. This could impact systems relying on these keys for authentication, potentially leading to unauthorized access. Organizations should identify affected systems and apply vendor-provided fixes.

NVD published: May 22, 2026

A flaw in the Go crypto library can disrupt SSH connections by filling an internal buffer with unsolicited responses, leading to resource leaks. Affected organizations may experience a degradation in service availability. Addressing this vulnerability is recommended to maintain system stability.

NVD published: May 22, 2026

A vulnerability in UniFi OS devices could allow unauthorized access to system files, potentially exposing sensitive information. This risk matters to organizations because an attacker with low-level network access could exploit this flaw. The realistic business risk involves the compromise of confidential data.

NVD published: May 22, 2026

An internal attacker on your local network could exploit a flaw in UniFi OS devices to run unauthorized commands. This could allow them to gain full administrative control over your network hardware, potentially compromising your organization's entire network gateway.

NVD published: May 22, 2026

An internal attacker with network access could exploit a flaw in UniFi OS to read sensitive system files and gain administrative control over the device. This poses a risk to our network infrastructure by potentially exposing critical credentials and allowing unauthorized access to sensitive configurations.

NVD published: May 22, 2026

An internal attacker with access to your network can bypass security controls in UniFi OS devices to change system configurations without permission. This could allow them to alter firewall rules or user access, potentially giving them full control over your network and disrupting critical business services.

NVD published: May 22, 2026

An internal attacker with high-level access to UniFi OS devices can misuse input features to run unauthorized commands. This could allow them to gain total control over critical network infrastructure and install persistent access.

NVD published: May 22, 2026