ZeroPath Blog & Research
Explore our team's latest research and stay up to date with ZeroPath's capabilities.

CVE Analysis
2026-04-07 • 7 min read
Everest Forms CVE-2026-3296: Brief Summary of Unauthenticated PHP Object Injection via Form Entry Metadata
A brief summary of CVE-2026-3296, a critical (CVSS 9.8) unauthenticated PHP object injection vulnerability in the Everest Forms WordPress plugin through version 3.4.3, where serialized payloads submitted through public forms are unsafely deserialized when an administrator views entries.
ZeroPath CVE Analysis

CVE Analysis
2026-04-07 • 8 min read
Brief Summary: CVE-2026-3535 Unauthenticated Arbitrary File Upload in DSGVO Google Web Fonts GDPR Plugin for WordPress
A short review of CVE-2026-3535, a critical unauthenticated arbitrary file upload vulnerability in the DSGVO Google Web Fonts GDPR WordPress plugin (versions through 1.1) that can lead to remote code execution. Includes detection strategies and affected configurations.
ZeroPath CVE Analysis

CVE Analysis
2026-04-07 • 5 min read
Quick Look: CVE-2026-4003 — Unauthenticated Privilege Escalation in WordPress Users Manager PN Plugin
A brief summary of CVE-2026-4003, a critical unauthenticated privilege escalation vulnerability in the Users Manager PN plugin for WordPress that allows arbitrary user metadata updates and account takeover via a flawed authorization check and publicly exposed nonce.
ZeroPath CVE Analysis

CVE Analysis
2026-04-07 • 6 min read
Cockpit Web Service CVE-2026-4631: Overview of Unauthenticated Remote Code Execution via SSH Option Injection
A brief summary of CVE-2026-4631, a critical unauthenticated command injection vulnerability in Cockpit's remote login feature that allows code execution on the host before credential verification occurs.
ZeroPath CVE Analysis

CVE Analysis
2026-04-07 • 6 min read
Open Cluster Management CVE-2026-4740: Brief Summary of Cross Cluster Privilege Escalation via Certificate Renewal Flaw
A brief summary of CVE-2026-4740, a high severity certificate validation flaw in Open Cluster Management that enables cross cluster privilege escalation from one managed Kubernetes cluster to others, including the hub cluster.
ZeroPath CVE Analysis

CVE Analysis
2026-04-06 • 9 min read
Ninja Forms File Uploads CVE-2026-0740: Overview of a Critical Unauthenticated Arbitrary File Upload Leading to RCE
A brief summary of CVE-2026-0740, a CVSS 9.8 unauthenticated arbitrary file upload vulnerability in the Ninja Forms File Uploads WordPress plugin affecting 50,000 installations, including patch details, detection methods, and affected version ranges.
ZeroPath CVE Analysis

CVE Analysis
2026-04-06 • 8 min read
Brief Summary: Amelia WordPress Plugin CVE-2026-5465 IDOR Privilege Escalation via externalId Parameter
A short review of CVE-2026-5465, an Insecure Direct Object Reference in the Amelia WordPress booking plugin that allows Employee-level users to take over any account, including Administrator. Includes patch analysis and affected version details.
ZeroPath CVE Analysis

CVE Analysis
2026-04-04 • 5 min read
Brief Summary: wpForo Forum CVE-2026-3666 Arbitrary File Deletion via Path Traversal
A short review of CVE-2026-3666, a high severity path traversal vulnerability in the wpForo Forum plugin for WordPress that allows authenticated users with subscriber privileges to delete arbitrary files on the server.
ZeroPath CVE Analysis

CVE Analysis
2026-04-04 • 8 min read
WCFM Frontend Manager for WooCommerce CVE-2026-4896: Brief Summary of an IDOR Vulnerability Enabling Cross Vendor Data Manipulation
A short review of CVE-2026-4896, a high severity Insecure Direct Object Reference vulnerability in the WCFM Frontend Manager plugin for WooCommerce that allows authenticated vendors to modify orders and delete products belonging to other users. Includes patch analysis and affected version details.
ZeroPath CVE Analysis

CVE Analysis
2026-04-03 • 8 min read
MLflow CVE-2026-0545: Critical Authentication Bypass in FastAPI Job Endpoints with PoC Analysis
A brief summary of CVE-2026-0545, a critical authentication bypass in MLflow's FastAPI job endpoints that allows unauthenticated remote code execution. Includes proof of concept details and mitigation guidance.
ZeroPath CVE Analysis

CVE Analysis
2026-04-03 • 6 min read
Budibase CVE-2026-31818: Brief Summary of a Critical SSRF via Insecure Default Configuration
A short review of CVE-2026-31818, a critical SSRF vulnerability in Budibase's REST datasource connector caused by an unset IP blacklist environment variable, scoring 9.6 CVSS and affecting all versions prior to 3.33.4.
ZeroPath CVE Analysis

CVE Analysis
2026-04-03 • 6 min read
Brief Summary: Kestra CVE-2026-34612 SQL Injection to Remote Code Execution via PostgreSQL COPY TO PROGRAM
A brief summary of CVE-2026-34612, a critical SQL injection vulnerability in Kestra's flow search endpoint that escalates to remote code execution through PostgreSQL's COPY TO PROGRAM functionality. Affects default docker compose deployments prior to version 1.3.7.
ZeroPath CVE Analysis

CVE Analysis
2026-04-03 • 8 min read
Electron CVE-2026-34769: Brief Summary of Renderer Command Line Switch Injection via Hidden webPreference
A brief summary of CVE-2026-34769, a high severity argument injection vulnerability in Electron caused by an undocumented commandLineSwitches webPreference. Includes patch details across four release lines and technical analysis of the fix.
ZeroPath CVE Analysis

CVE Analysis
2026-04-03 • 8 min read
Electron CVE-2026-34771: Brief Summary of the Async Permission Handler Use After Free
A short review of CVE-2026-34771, a high severity use after free in Electron's asynchronous permission request handler affecting fullscreen, pointer lock, and keyboard lock callbacks, along with patch details and mitigation strategies.
ZeroPath CVE Analysis

CVE Analysis
2026-04-03 • 8 min read
Electron CVE-2026-34774: Brief Summary of a Use-After-Free in Offscreen Rendering Child Windows
A brief summary of CVE-2026-34774, a high severity use-after-free in Electron's offscreen rendering path that affects applications permitting child windows. Includes patch analysis and affected version details.
ZeroPath CVE Analysis

CVE Analysis
2026-04-03 • 5 min read
Budibase CVE-2026-35216: Overview of Unauthenticated RCE via Webhook and Bash Automation
A brief summary of CVE-2026-35216, a critical unauthenticated remote code execution vulnerability in self-hosted Budibase instances that chains a public webhook endpoint with the Bash automation step to achieve root-level command execution inside the container.
ZeroPath CVE Analysis

CVE Analysis
2026-04-03 • 7 min read
Perfmatters WordPress Plugin CVE-2026-4350: Brief Summary of Arbitrary File Deletion via Path Traversal
A brief summary of CVE-2026-4350, a high severity arbitrary file deletion vulnerability in the Perfmatters WordPress plugin affecting 200,000 sites, including patch details and technical analysis of the path traversal flaw.
ZeroPath CVE Analysis

CVE Analysis
2026-04-02 • 8 min read
Quick Look: CVE-2026-5334 SQL Injection in itsourcecode Online Enrollment System with Public PoC and Detection Guidance
A brief summary of CVE-2026-5334, a time-based blind SQL injection in the itsourcecode Online Enrollment System 1.0 requiring no authentication. Includes public PoC details, WAF rules, and practical detection methods for defenders.
ZeroPath CVE Analysis

CVE Analysis
2026-04-02 • 6 min read
Brief Summary: CVE-2026-5429 in Kiro IDE — XSS to Arbitrary Code Execution via Crafted Theme Names
A short review of CVE-2026-5429, a high severity input sanitization flaw in the Kiro IDE Agent webview that allows arbitrary code execution through malicious color theme names. Includes patch details and affected version information.
ZeroPath CVE Analysis

CVE Analysis
2025-12-02 • 8 min read
SureMail WordPress Plugin CVE-2025-13516: Brief Summary of Unrestricted File Upload Vulnerability
This post provides a brief summary of CVE-2025-13516, an unrestricted file upload vulnerability in the SureMail SMTP and Email Logs WordPress plugin up to version 1.9.0. The summary covers technical details, affected versions, and vendor security history based on public sources.
ZeroPath CVE Analysis