CVE•Published 2026-05-04•Modified 2026-05-05•0 articles on news•5 live references•NVD data

CVE-2026-25863

Vulnerability data via NVD (ingested)

CVSS v3.1

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS percentile

Exploit Prediction Scoring System · top 78% of all CVEs

Weaknesses (CWE)

CWE-1284Improper Validation of Specified Quantity in Input

Description

Conditional Fields for Contact Form 7 WordPress plugin through version 2.6.7 contains an uncontrolled resource consumption vulnerability in the Wpcf7cfMailParser class where the hide_hidden_mail_fields_regex_callback() method reads an iteration count directly from user-supplied POST parameters without validation or upper bound enforcement. Unauthenticated attackers can supply an arbitrarily large integer value through the REST API endpoint to cause unbounded loop execution with multiple preg_replace() operations, exhausting server memory and crashing the PHP process.

Timeline

Published 2026-05-04

Modified 2026-05-05

External references

NVD MITRE Exploit-DB Sploitus VulnCheck

Search for exposed instances

Shodan + Censys queries derived from NVD's CPE data. The vuln tag catches assets Shodan has explicitly linked to this CVE; the product / banner fingerprints find exposed instances even when the vuln tag was never applied (which is common).

Shodan · vuln tag0 hosts

vuln:CVE-2026-25863

Hosts Shodan has explicitly fingerprinted as vulnerable.

More intel sources (5)

Shodan report

vuln:CVE-2026-25863

Country / ASN / product breakdown for the vuln query.

Censys

vulnerabilities.cve_id: CVE-2026-25863

Censys host search filtered to this CVE id.

grep.app

CVE-2026-25863