The NVDwatch hub is a vendor-specific view inside ITECS MSP Threat Radar. We pull the latest security advisories, incidents, and known-exploited CVEs directly from the official feeds below, score each one for MSP relevance, and surface what's most likely to need attention this week.
Confirm whether recent NVD activity overlaps with your environment.
Prioritize advisories by MSP-relevance score, severity, and status.
Turn the signal into an assessment, briefing, or managed-service engagement with ITECS.
At a glance
Tracked
11918
Active
382
Featured
2397
Unique CVEs
20
Most recent entry
May 8, 2026, 4:16 AM
Feed refreshes daily · 5:15 a.m. Central
Sources·NIST National Vulnerability Database feed
"Most recent entry" is the newest item the upstream feed has published — not our sync time.
Watch items
Recent NVD watch items
Showing the 20 most recent items, newest first. Each row links to the official advisory.
20 rows · sorted newest first
Operations view
Auto Affiliate Links plugin for WordPress is vulnerable to Stored Cross-Site Scripting in vulnerability (CVE-2026-7330)
HIGH
watchNVDCVE-2026-7330
The Auto Affiliate Links plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 6.8.8 This is due to insufficient input sanitization on the 'url' POST parameter in the aal_url_stats_save_action() function and a complete absence of output escaping in aal_display_clicks(), where the stored value is echoed directly into an anchor element's href attribute and inner text without esc_url(), esc_attr(), or esc_html(). This makes it possible for unauthenticated attackers to inject arbitrary web scripts into the admin statistics page that execute in an administrator's browser when the page is visited, leveraging a publicly exposed nonce and an unauthenticated AJAX endpoint registered via the wp_ajax_nopriv_ hook.
User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress vulnerability (CVE-2026-5127)
HIGH
watchNVDCVE-2026-5127
The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to Deserialization of Untrusted Data in versions up to, and including, 4.3.1 This is due to insufficient input validation and type checking on the wpuf_files parameter during form submission, combined with unconditional deserialization via maybe_unserialize() when displaying post content. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary PHP objects, which can be leveraged to execute arbitrary code, delete arbitrary files, or perform other malicious actions if a POP chain is present on the target system.
A vulnerability was found in Tenda CX12L 16.03.53.12. This issue affects the function formSetPPTPServer of the file /goform/SetPptpServerCfg”. The manipulation results in stack-based buffer overflow. The attack can be executed remotely. The exploit has been made public and could be used.
A vulnerability has been found in Totolink X5000R 9.1.0u.6369_B20230113. This vulnerability affects the function sub_458E40 of the file /boafrm/formDdns. The manipulation of the argument submit-url leads to buffer overflow. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used.
A security vulnerability has been detected in zyx0814 FilePress up to 2.2.0. Affected by this vulnerability is an unknown functionality of the file dzz/shares/admin.php of the component Shares Filelist API. Such manipulation of the argument order leads to sql injection. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. The name of the patch is e20ec58414103f781858f2951d178e19b1736664. A patch should be applied to remediate this issue.
A weakness has been identified in CodeAstro Leave Management System 1.0. Affected is an unknown function of the file /login.php. This manipulation of the argument txt_username causes sql injection. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks.
A security flaw has been discovered in SourceCodester SUP Online Shopping 1.0. This impacts an unknown function of the file /admin/replymsg.php. The manipulation of the argument msgid results in sql injection. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks.
A vulnerability was identified in SourceCodester SUP Online Shopping 1.0. This affects an unknown function of the file /admin/message.php. The manipulation of the argument seenid leads to sql injection. It is possible to initiate the attack remotely. The exploit is publicly available and might be used.
A vulnerability was determined in SourceCodester SUP Online Shopping 1.0. The impacted element is an unknown function of the file wishlist.php. Executing a manipulation of the argument delwlistid can lead to sql injection. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized.
A vulnerability was found in SourceCodester SUP Online Shopping 1.0. The affected element is an unknown function of the file /admin/viewmsg.php. Performing a manipulation of the argument msgid results in sql injection. The attack is possible to be carried out remotely. The exploit has been made public and could be used.
SourceCodester Comment System vulnerability (CVE-2026-8126)
MEDIUM
watchNVDCVE-2026-8126
A flaw has been found in SourceCodester Comment System 1.0. This issue affects some unknown processing of the file post_comment.php. This manipulation of the argument Name causes sql injection. Remote exploitation of the attack is possible. The exploit has been published and may be used.
Improper neutralization of special elements used in a command ('command injection') in Azure Cloud Shell allows an unauthorized attacker to perform spoofing over a network.
Microsoft Partner Center vulnerability (CVE-2026-34327)
HIGH
watchNVDCVE-2026-34327
Externally controlled reference to a resource in another sphere in Microsoft Partner Center allows an unauthorized attacker to perform spoofing over a network.
Improper neutralization of special elements used in a command ('command injection') in Copilot Chat (Microsoft Edge) allows an unauthorized attacker to disclose information over a network.
Auto Affiliate Links plugin for WordPress is vulnerable to Stored Cross-Site Scripting in vulnerability (CVE-2026-7330)
The Auto Affiliate Links plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 6.8.8 This is due to insufficient input sanitization on the 'url' POST parameter in the aal_url_stats_save_action() function and a complete absence of output escaping in aal_display_clicks(), where the stored value is echoed directly into an anchor element's href attribute and inner text without esc_url(), esc_attr(), or esc_html(). This makes it possible for unauthenticated attackers to inject arbitrary web scripts into the admin statistics page that execute in an administrator's browser when the page is visited, leveraging a publicly exposed nonce and an unauthenticated AJAX endpoint registered via the wp_ajax_nopriv_ hook.
Affiliate Links plugin for WordPress is vulnerable to Stored Cross-Site Scripting in
HIGHCVE-2026-7330
Watch
Priority score blends severity, KEV, recency, source signal, and EPSS where available. No EPSS.
User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress vulnerability (CVE-2026-5127)
The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to Deserialization of Untrusted Data in versions up to, and including, 4.3.1 This is due to insufficient input validation and type checking on the wpuf_files parameter during form submission, combined with unconditional deserialization via maybe_unserialize() when displaying post content. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary PHP objects, which can be leveraged to execute arbitrary code, delete arbitrary files, or perform other malicious actions if a POP chain is present on the target system.
Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress
HIGHCVE-2026-5127
Watch
Priority score blends severity, KEV, recency, source signal, and EPSS where available. No EPSS.
A vulnerability was found in Tenda CX12L 16.03.53.12. This issue affects the function formSetPPTPServer of the file /goform/SetPptpServerCfg”. The manipulation results in stack-based buffer overflow. The attack can be executed remotely. The exploit has been made public and could be used.
CX12L
HIGHCVE-2026-8138
Watch
Priority score blends severity, KEV, recency, source signal, and EPSS where available. No EPSS.
A vulnerability has been found in Totolink X5000R 9.1.0u.6369_B20230113. This vulnerability affects the function sub_458E40 of the file /boafrm/formDdns. The manipulation of the argument submit-url leads to buffer overflow. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used.
X5000R
HIGHCVE-2026-8137
Watch
Priority score blends severity, KEV, recency, source signal, and EPSS where available. No EPSS.
A security vulnerability has been detected in zyx0814 FilePress up to 2.2.0. Affected by this vulnerability is an unknown functionality of the file dzz/shares/admin.php of the component Shares Filelist API. Such manipulation of the argument order leads to sql injection. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. The name of the patch is e20ec58414103f781858f2951d178e19b1736664. A patch should be applied to remediate this issue.
MEDIUMCVE-2026-8133
Watch
Priority score blends severity, KEV, recency, source signal, and EPSS where available. No EPSS.
A weakness has been identified in CodeAstro Leave Management System 1.0. Affected is an unknown function of the file /login.php. This manipulation of the argument txt_username causes sql injection. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks.
MEDIUMCVE-2026-8132
Watch
Priority score blends severity, KEV, recency, source signal, and EPSS where available. No EPSS.
A security flaw has been discovered in SourceCodester SUP Online Shopping 1.0. This impacts an unknown function of the file /admin/replymsg.php. The manipulation of the argument msgid results in sql injection. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks.
SUP Online Shopping
MEDIUMCVE-2026-8131
Watch
Priority score blends severity, KEV, recency, source signal, and EPSS where available. No EPSS.
A vulnerability was identified in SourceCodester SUP Online Shopping 1.0. This affects an unknown function of the file /admin/message.php. The manipulation of the argument seenid leads to sql injection. It is possible to initiate the attack remotely. The exploit is publicly available and might be used.
SUP Online Shopping
MEDIUMCVE-2026-8130
Watch
Priority score blends severity, KEV, recency, source signal, and EPSS where available. No EPSS.
A vulnerability was determined in SourceCodester SUP Online Shopping 1.0. The impacted element is an unknown function of the file wishlist.php. Executing a manipulation of the argument delwlistid can lead to sql injection. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized.
SUP Online Shopping
MEDIUMCVE-2026-8129
Watch
Priority score blends severity, KEV, recency, source signal, and EPSS where available. No EPSS.
A vulnerability was found in SourceCodester SUP Online Shopping 1.0. The affected element is an unknown function of the file /admin/viewmsg.php. Performing a manipulation of the argument msgid results in sql injection. The attack is possible to be carried out remotely. The exploit has been made public and could be used.
SUP Online Shopping
MEDIUMCVE-2026-8128
Watch
Priority score blends severity, KEV, recency, source signal, and EPSS where available. No EPSS.
SourceCodester Comment System vulnerability (CVE-2026-8126)
A flaw has been found in SourceCodester Comment System 1.0. This issue affects some unknown processing of the file post_comment.php. This manipulation of the argument Name causes sql injection. Remote exploitation of the attack is possible. The exploit has been published and may be used.
Comment System
MEDIUMCVE-2026-8126
Watch
Priority score blends severity, KEV, recency, source signal, and EPSS where available. No EPSS.
Improper neutralization of special elements used in a command ('command injection') in Azure Cloud Shell allows an unauthorized attacker to perform spoofing over a network.
CRITICALCVE-2026-35428
Watch
Priority score blends severity, KEV, recency, source signal, and EPSS where available. No EPSS.
Microsoft Partner Center vulnerability (CVE-2026-34327)
Externally controlled reference to a resource in another sphere in Microsoft Partner Center allows an unauthorized attacker to perform spoofing over a network.
Partner Center
HIGHCVE-2026-34327
Elevated
Priority score blends severity, KEV, recency, source signal, and EPSS where available. No EPSS.
Improper neutralization of special elements used in a command ('command injection') in Copilot Chat (Microsoft Edge) allows an unauthorized attacker to disclose information over a network.
HIGHCVE-2026-33111
Watch
Priority score blends severity, KEV, recency, source signal, and EPSS where available. No EPSS.
It is the NVD-specific view inside ITECS Threat Radar, built to track recent advisories, incidents, and watch items that may affect Dallas-area business operations.
How should teams use the NVD watch page?
Use it to confirm whether current NVD issues overlap with your environment, prioritize remediation, and decide whether you need an assessment, managed security follow-through, or vendor-specific hardening work.
Can ITECS help respond to NVD security issues?
Yes. ITECS can help map NVD advisories against your systems, validate affected services, prioritize remediation, and connect the issue to broader managed cybersecurity or managed IT workflows.
