CVE-2026-14480OpenPLC Runtime v3 contains an authenticated arbitrary file write
vulnerability in the legacy web UI program‑upload workflow. The
application stores an attacker‑supplied filename (prog_file) directly
into the Programs.File database field and later uses this value as the
destination path for an uploaded file without validating or restricting
the path. Because Python os.path.join() honors attacker‑controlled
absolute paths, an authenticated user can write arbitrary files anywhere
writable by the OpenPLC webserver process. In the default build
pipeline, all C++ source files within the OpenPLC runtime core directory
are automatically compiled into the executable runtime binary. By
writing a malicious .cpp file into this directory, an authenticated
attacker can escalate the arbitrary file write into arbitrary native
code execution when the operator triggers a normal program compilation
and runtime start.
2026-07-10 · score 9.9
CVE-2026-57807Authentication Bypass Using an Alternate Path or Channel vulnerability in miniOrange Security Software Pvt Ltd. OAuth Single Sign On - SSO (OAuth Client) allows Password Recovery Exploitation.
This issue affects OAuth Single Sign On - SSO (OAuth Client): from n/a through 38.5.8.
2026-07-10 · score 9.8
CVE-2026-55879OpenReplay is a self-hosted session replay suite. From 1.24.0 before 1.25.0, the OpenReplay tracking SDK accepts custom event names and captured page URLs from any visitor using a public project key, stores them in ClickHouse without output encoding, and later renders them in the authenticated dashboard through TextEllipsis and the event-details modal, allowing an unauthenticated attacker to store script that executes in the dashboard origin, reads the session JWT from localStorage, and takes over a dashboard account. This issue is fixed in version 1.25.0.
2026-07-10 · score 9.3
CVE-2026-12761The miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn) plugin for WordPress is vulnerable to authentication bypass leading to account takeover in versions up to and including 7.7.0. This is due to the Profile Completion flow accepting an arbitrary email address via the 'email_field' POST parameter without verifying that the email belongs to the identity returned by the OAuth provider, combined with send_otp_token() returning the SHA-512(customer_key || otp) transaction hash to the client where the OTP space is only 99,000 values (wp_rand(1000, 99999)) and the customer_key is a static option (empty on unregistered installs). This makes it possible for unauthenticated attackers to trigger an OTP email to an arbitrary admin's address, crack the OTP offline from the leaked hash in under a second, and submit the cracked OTP to mo_openid_social_login_validate_otp(), which logs the attacker in as the user whose email was supplied — granting full administrator access.
2026-07-10 · score 9.8
CVE-2026-61459MCP Server Kubernetes before 3.9.0 contains an argument injection vulnerability in structured tools (kubectl_get, kubectl_describe, kubectl_delete) that allows attackers to bypass the assertNoDangerousFlags security check by supplying resourceType and name parameters with leading dashes. Attackers can inject the --server flag to redirect kubectl commands to an attacker-controlled API server, causing the operator's bearer token to be transmitted externally and enabling full cluster compromise.
2026-07-10 · score 9.8