Skip to main content
CVE-2025-15503 MEDIUM POC This Month

Operation And Maintenance Security Management System versions up to 3.0.8. is affected by improper access control (CVSS 7.3).

File Upload Authentication Bypass Operation And Maintenance Security Management System
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
5.5%
CVE-2026-22773 MEDIUM POC PATCH This Month

Vllm versions up to 0.12.0 is affected by allocation of resources without limits or throttling (CVSS 6.5).

Denial Of Service AI / ML Vllm Red Hat
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-22689 MEDIUM POC PATCH This Month

Mailpit versions up to 1.28.2 contains a vulnerability that allows attackers to intercept sensitive data such as email contents, headers, and server statistics (CVSS 6.5).

Industrial Mailpit Suse
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-22027 MEDIUM POC PATCH This Month

Heap buffer overflow in CryptoLib versions prior to 1.4.3 allows a high-privileged local attacker to corrupt adjacent memory by supplying oversized hex strings in MariaDB SA fields without capacity validation. Public exploit code exists for this vulnerability affecting spacecraft communication security implementations. The flaw enables denial of service and potential code execution through heap memory manipulation.

MariaDB Cryptolib
NVD GitHub
CVSS 3.1
6.0
EPSS
0.0%
CVE-2026-21900 MEDIUM POC PATCH This Month

CryptoLib versions prior to 1.4.3 suffer from an out-of-bounds heap read in the cryptography_encrypt() function when processing malformed JSON metadata from KMC servers, allowing remote attackers to trigger a denial of service condition. The vulnerability stems from improper buffer boundary checking during string parsing in spacecraft-ground station communications secured by the SDLS-EP protocol. Public exploit code exists for this medium-severity flaw, though a patch is available.

Buffer Overflow Information Disclosure Cryptolib
NVD GitHub
CVSS 3.1
5.9
EPSS
0.1%
CVE-2026-22687 MEDIUM POC PATCH This Month

WeKnora versions before 0.2.5 allow unauthenticated attackers to bypass database query restrictions through prompt injection techniques when the Agent service is enabled, enabling unauthorized access to sensitive data. Public exploit code exists for this vulnerability, which affects the framework's document understanding and semantic retrieval capabilities. A patch is available in version 0.2.5 and later.

SQLi AI / ML Weknora Suse
NVD GitHub
CVSS 3.1
5.6
EPSS
0.1%
CVE-2025-15502 MEDIUM POC This Month

Operation And Maintenance Security Management System versions up to 3.0.8. is affected by command injection (CVSS 7.3).

Command Injection Operation And Maintenance Security Management System
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.4%
CVE-2026-0821 MEDIUM POC PATCH This Month

Heap-based buffer overflow in QuickJS up to version 0.11.0 within the js_typed_array_constructor function allows unauthenticated remote attackers to corrupt memory and potentially execute arbitrary code. Public exploit code exists for this vulnerability, increasing the risk of active exploitation. Affected users should apply patch c5d80831e51e48a83eab16ea867be87f091783c5 immediately.

Buffer Overflow Quickjs
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2026-22703 MEDIUM POC PATCH This Month

Cosign's bundle verification mechanism fails to properly validate that embedded Rekor entries reference the correct artifact digest, signature, and public key, allowing an attacker with a compromised signing identity to forge valid bundles and bypass transparency log verification. A malicious actor could exploit this to create counterfeit signatures that pass validation checks, affecting users relying on Cosign for container and binary code signing verification. Public exploit code exists for this vulnerability; patches are available in versions 2.6.2 and 3.0.4.

Authentication Bypass Cosign Red Hat Suse
NVD GitHub
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-22693 MEDIUM POC PATCH This Month

HarfBuzz text shaping engine versions prior to 12.3.0 crash when the SubtableUnicodesCache::create function attempts to dereference a null pointer returned by failed memory allocation, enabling denial of service in applications processing untrusted font data. Public exploit code exists for this vulnerability. A patch is available in version 12.3.0 and later.

Null Pointer Dereference Harfbuzz Red Hat Suse
NVD GitHub
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-22024 MEDIUM POC PATCH This Month

CryptoLib versions prior to 1.4.3 leak approximately 400 bytes of memory with each call to the cryptography_encrypt() function due to unfreed buffers, allowing remote attackers to conduct denial-of-service attacks against spacecraft-to-ground communications by exhausting available memory through sustained traffic. Public exploit code exists for this vulnerability. The issue is resolved in version 1.4.3 and later.

Denial Of Service Cryptolib
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-21899 MEDIUM POC This Month

CryptoLib versions prior to 1.4.3 contain an out-of-bounds read vulnerability in the base64urlDecode function that dereferences memory before validating input parameters, potentially causing a denial of service in spacecraft communications secured by SDLS-EP. Affected systems running cFS with vulnerable CryptoLib versions could crash when processing malformed base64 input. Public exploit code exists for this vulnerability, though no patch is currently available.

Denial Of Service Cryptolib
NVD GitHub
CVSS 3.1
4.7
EPSS
0.0%
CVE-2026-22596 MEDIUM PATCH This Month

SQL injection in Ghost's Admin API members/events endpoint enables authenticated administrators to execute arbitrary database queries, affecting versions 5.90.0-5.130.5 and 6.0.0-6.10.3. An attacker with valid Admin API credentials could exploit this to extract, modify, or delete sensitive data stored in the Ghost database. Patches are available in versions 5.130.6 and 6.11.0.

Node.js Ghost
NVD GitHub
CVSS 3.1
6.7
EPSS
0.1%
CVE-2026-22603 MEDIUM PATCH This Month

OpenProject versions prior to 16.6.2 fail to implement rate-limiting on the unauthenticated password-change endpoint, allowing attackers to conduct brute-force attacks against known user accounts without triggering lockout mechanisms. An attacker can systematically guess passwords using common wordlists and achieve full account compromise, potentially escalating privileges depending on the victim's role within the application. A patch is available in version 16.6.2.

Privilege Escalation Openproject
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-68470 MEDIUM PATCH This Month

React-Router versions up to 6.30.1 is affected by url redirection to untrusted site (open redirect) (CVSS 6.5).

React React Router Red Hat
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-22030 MEDIUM PATCH This Month

React Router is a router for React. In @remix-run/server-runtime version prior to 2.17.3. [CVSS 6.5 MEDIUM]

React CSRF React Router Red Hat Suse
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-14555 MEDIUM This Month

The Countdown Timer - Widget Countdown plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpdevart_countdown' shortcode in all versions up to, and including, 2.7.7 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-14506 MEDIUM This Month

The ConvertForce Popup Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Gutenberg block's `entrance_animation` attribute in all versions up to, and including, 0.0.7. This is due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-12379 MEDIUM This Month

Shortcodes and extra features for Phlox theme (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-22705 MEDIUM PATCH This Month

which provide authentication of data using public-key cryptography. versions up to 0.1.0 contains a security vulnerability (CVSS 6.4).

Information Disclosure
NVD GitHub
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-61676 MEDIUM PATCH This Month

October is a Content Management System (CMS) and web platform. Prior to versions 3.7.13 and 4.0.12, a cross-site scripting (XSS) vulnerabilities was identified in October CMS backend configuration forms. [CVSS 6.1 MEDIUM]

XSS October
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-61674 MEDIUM PATCH This Month

October is a Content Management System (CMS) and web platform. Prior to versions 3.7.13 and 4.0.12, a cross-site scripting (XSS) vulnerability was identified in October CMS backend configuration forms. [CVSS 6.1 MEDIUM]

XSS October
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-22029 MEDIUM PATCH This Month

React Router is a router for React. In @remix-run/router version prior to 1.23.2. [CVSS 8.0 HIGH]

Open Redirect XSS Remix Run React React Router
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-14976 MEDIUM This Month

The User Registration & Membership - Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.4.8. [CVSS 5.4 MEDIUM]

WordPress CSRF PHP
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-14948 MEDIUM This Month

miniOrange OTP Verification and SMS Notification for WooCommerce (WordPress plugin) is affected by missing authorization (CVSS 5.3).

WordPress PHP
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-0831 MEDIUM This Month

Templately (WordPress plugin) versions up to 3.4.8. is affected by incorrect authorization (CVSS 5.3).

WordPress
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-22604 MEDIUM PATCH This Month

OpenProject is an open-source, web-based project management software. [CVSS 5.3 MEDIUM]

Information Disclosure Openproject
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-65090 MEDIUM PATCH This Month

XWiki Full Calendar Macro displays objects from the wiki on the calendar. Prior to version 2.4.6, users with the rights to view the Calendar.JSONService page (including guest users) can exploit the data leak vulnerability by accessing database info, with the exception of passwords. [CVSS 5.3 MEDIUM]

Information Disclosure Full Calendar Macro
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-22691 MEDIUM PATCH This Month

pypdf versions prior to 6.6.0 are vulnerable to denial of service through CPU exhaustion when processing malformed PDF files with crafted startxref entries in non-strict reading mode. An attacker can create a specially crafted PDF containing excessive whitespace that causes the library to consume significant processing resources during cross-reference table reconstruction. A patch is available in version 6.6.0 and later.

Python Pypdf Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-22690 MEDIUM PATCH This Month

Denial of service via resource exhaustion in pypdf prior to version 6.6.0 allows remote attackers to trigger excessive processing times by submitting specially crafted PDF files with missing /Root objects and inflated /Size values. The vulnerability only affects non-strict parsing mode and causes the library to consume significant CPU resources when processing otherwise invalid documents. A patch is available in version 6.6.0 and later.

Python Pypdf Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-22701 MEDIUM PATCH This Month

Python's filelock SoftFileLock implementation prior to version 3.20.3 contains a TOCTOU race condition that allows local attackers with symlink creation privileges to interfere with lock file operations between permission validation and file creation. An attacker can exploit this window to create a symlink at the target lock path, causing lock operations to fail or redirect to unintended files, resulting in denial of service or unexpected behavior. Upgrade to filelock version 3.20.3 or later to remediate this vulnerability.

Python Denial Of Service Race Condition Filelock Red Hat +1
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-22597 MEDIUM PATCH This Month

Ghost is a Node.js content management system. In versions 5.38.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost’s media inliner mechanism allows staff users in possession of a valid authentication token for the Ghost Admin API to exfiltrate data from internal systems via SSRF. [CVSS 2.7 LOW]

Node.js SSRF
NVD GitHub
CVSS 4.0
5.1
EPSS
0.1%
CVE-2026-22702 MEDIUM PATCH This Month

Virtualenv versions up to 20.36.1 is affected by improper link resolution before file access (CVSS 4.5).

Python Race Condition Virtualenv Red Hat Suse
NVD GitHub
CVSS 3.1
4.5
EPSS
0.0%
CVE-2026-22605 MEDIUM PATCH This Month

OpenProject versions before 16.6.3 allow authenticated users with View Meetings permission to bypass access controls and view meeting details from projects they lack authorization to access. This permission-based access control flaw enables information disclosure across project boundaries for low-privileged users. A patch is available in version 16.6.3 and later.

Authentication Bypass Openproject
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-14943 MEDIUM This Month

The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 8.7.2. [CVSS 4.3 MEDIUM]

WordPress Information Disclosure PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-13393 MEDIUM This Month

The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.3.1. This is due to insufficient validation of user-supplied URLs before passing them to the getimagesize() function in the Elementor widget integration. [CVSS 4.3 MEDIUM]

WordPress SSRF PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy