richardpaimu34

6 exploits, active since Feb 2026
CVE-2026-1306 GITHUB CRITICAL python SUSPICIOUS
Midi-Synth <1.1.0 - Unauthenticated RCE
The midi-Synth plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type and file extension validation in the 'export' AJAX action in all versions up to, and including, 1.1.0. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server, which may make remote code execution possible, granted the attacker can obtain a valid nonce. The nonce is exposed in frontend JavaScript, making it trivially accessible to unauthenticated attackers.
10 stars
CVSS 9.8
CVE-2025-8572 NOMISEC CRITICAL SUSPICIOUS
Truelysell Core <1.8.7 - Privilege Escalation
The Truelysell Core plugin for WordPress is vulnerable to privilege escalation in versions less than, or equal to, 1.8.7. This is due to insufficient validation of the user_role parameter during user registration. This makes it possible for unauthenticated attackers to create accounts with elevated privileges, including administrator access.
2 stars
CVSS 9.8
CVE-2026-1306 NOMISEC CRITICAL SUSPICIOUS
Midi-Synth <1.1.0 - Unauthenticated RCE
The midi-Synth plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type and file extension validation in the 'export' AJAX action in all versions up to, and including, 1.1.0. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server, which may make remote code execution possible, granted the attacker can obtain a valid nonce. The nonce is exposed in frontend JavaScript, making it trivially accessible to unauthenticated attackers.
2 stars
CVSS 9.8
CVE-2026-2848 NOMISEC HIGH SUSPICIOUS
SourceCodester Tourism Website 1.0 - SQL Injection
A flaw has been found in SourceCodester Simple Responsive Tourism Website 1.0. It affects unknown functionality in the file /classes/Master.php?f=register of the Registration component. Manipulating the Username argument causes SQL injection. The attack may be initiated remotely. The exploit has been published and may be used.
CVSS 7.3
CVE-2026-1731 NOMISEC CRITICAL SUSPICIOUS
BeyondTrust RS/PRA - RCE
BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain a critical pre-authentication remote code execution vulnerability. By sending specially crafted requests, an unauthenticated remote attacker may be able to execute operating system commands in the context of the site user.
CVSS 9.8
CVE-2026-21533 NOMISEC HIGH SUSPICIOUS
Microsoft Windows 10 1607 - Improper Privilege Management
Improper privilege management in Windows Remote Desktop allows an authorized attacker to elevate privileges locally.
CVSS 7.8