Skip to main content
CVE-2026-22200 HIGH POC PATCH THREAT Act Now

Arbitrary local file read in Enhancesoft osTicket 1.18.x (before 1.18.3) and 1.17.x (before 1.17.7) lets a remote unauthenticated attacker embed the contents of server-side files into an exported ticket PDF. By submitting a ticket whose rich-text HTML carries crafted PHP filter expressions, the attacker abuses the mPDF export path to render attacker-chosen files as bitmap images, disclosing sensitive data such as configuration files and credentials. Publicly available exploit code exists (Horizon3 'Ticket to Shell' research) and the EPSS score of 13.58% (94th percentile) reflects elevated near-term exploitation likelihood; there is no public exploit identified as active in CISA KEV.

PHP Osticket Information Disclosure
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
13.6%
CVE-2026-22812 HIGH POC PATCH This Week

Opencode versions up to 1.0.216 is affected by missing authentication for critical function (CVSS 8.8).

Authentication Bypass RCE AI / ML Opencode
NVD GitHub
CVSS 3.1
8.8
EPSS
2.6%
CVE-2026-22799 HIGH POC PATCH This Week

Remote code execution in Emlog v2.6.1 and earlier allows authenticated attackers to upload arbitrary files through an insufficiently validated REST API endpoint (/index.php?rest-api=upload), enabling malicious PHP execution on the server. Attackers can exploit this by obtaining valid API credentials through administrator access or information disclosure flaws, then uploading executable scripts to achieve full system compromise. Public exploit code exists for this vulnerability, and affected administrators should apply available patches immediately.

PHP RCE Information Disclosure Emlog
NVD GitHub
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-22771 HIGH POC PATCH This Week

Credential theft via Lua script execution in Envoy Gateway versions before 1.5.7 and 1.6.2 allows authenticated attackers to extract proxy credentials and subsequently access the control plane and all associated secrets including TLS private keys. Public exploit code exists for this vulnerability. Affected organizations running vulnerable Envoy Gateway instances should immediately upgrade as no patch is currently available for intermediate versions.

Kubernetes Gateway Code Injection RCE
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2024-58339 HIGH POC PATCH This Week

Denial-of-service in LlamaIndex (run-llama/llama_index) versions up to and including 0.12.2 lets remote unauthenticated attackers exhaust CPU and memory through the VannaPack VannaQueryEngine. The engine's custom_query() converts a user-supplied natural-language prompt into SQL and runs it via vn.run_sql() with no execution limits, so a crafted prompt can produce an unbounded or extremely expensive query. Publicly available exploit code exists (Huntr bounty report), though EPSS is low at 0.12% (30th percentile) and it is not listed in CISA KEV.

Denial Of Service Llamaindex
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2025-15514 HIGH POC This Week

Denial of service in Ollama's multi-modal image processing (versions 0.11.5-rc0 through 0.13.5) lets remote attackers crash the model runner by POSTing crafted base64 image data to the /api/chat endpoint. The decoded data is passed to mtmd_helper_bitmap_init_from_buf without validating that it is valid media; the function returns NULL on malformed input and the unchecked pointer is dereferenced, triggering a segmentation fault that takes the model offline for all users until restart. Rated CVSS 4.0 8.7 (availability-only impact); publicly available exploit code exists via a Huntr bounty, but EPSS is low (0.09%, 25th percentile) and it is not on CISA KEV.

Denial Of Service Ollama
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2024-58340 HIGH POC PATCH This Week

Denial-of-service in LangChain versions up to and including 0.3.1 lets remote attackers exhaust CPU by feeding a crafted string into the MRKLOutputParser.parse() method, whose backtracking-prone regular expression exhibits catastrophic backtracking (ReDoS). Because MRKL agents parse LLM output to extract tool actions, an attacker who can influence that text - typically via prompt injection in downstream applications - can stall or hang the parsing thread. Publicly available exploit code exists (huntr bounty), though EPSS is low at 0.08% and it is not on the CISA KEV list.

Denial Of Service Langchain
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2024-14021 HIGH POC PATCH This Week

Arbitrary code execution in LlamaIndex (run-llama/llama_index) versions up to and including 0.11.6 occurs when BGEM3Index.load_from_disk() calls pickle.load() on a multi_embed_store.pkl file read from an attacker-controlled persist_dir. A victim who loads a maliciously crafted index directory executes attacker-supplied code in their own process. Publicly available exploit code exists (huntr bounty submission), though EPSS is low (0.08%) and it is not listed in CISA KEV, so there is no public exploit identified as actively exploited.

Deserialization Llamaindex RCE
NVD GitHub VulDB
CVSS 4.0
8.4
EPSS
0.1%
CVE-2026-22788 HIGH POC PATCH This Week

WebErpMesV2 versions prior to 1.19 expose unauthenticated API endpoints that allow remote attackers to read sensitive manufacturing and business data including orders, quotes, and tasks without credentials. Public exploit code exists for this vulnerability, and attackers can additionally create company records and manipulate collaboration whiteboards. A patch is available in version 1.19 and should be applied immediately to restrict API access.

Authentication Bypass Wem
NVD GitHub
CVSS 3.1
8.2
EPSS
0.3%
CVE-2023-36331 HIGH POC This Week

Incorrect access control in the /member/orderList API of xmall v1.1 allows attackers to arbitrarily access other users' order details via manipulation of the query parameter userId. [CVSS 8.2 HIGH]

Authentication Bypass Xmall
NVD GitHub
CVSS 3.1
8.2
EPSS
0.1%
CVE-2025-68472 HIGH POC PATCH GHSA This Week

MindsDB is a platform for building artificial intelligence from enterprise data. Prior to version 25.11.1, an unauthenticated path traversal in the file upload API lets any caller read arbitrary files from the server filesystem and move them into MindsDB’s storage, exposing sensitive data. [CVSS 8.1 HIGH]

Path Traversal AI / ML Mindsdb
NVD GitHub
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-22804 HIGH POC This Week

Stored XSS in Termix File Manager (versions 1.7.0-1.9.0) allows attackers with SSH server access to execute arbitrary JavaScript by uploading malicious SVG files that bypass content sanitization. When a Termix user previews the crafted file, the payload executes within the application context with full access to sensitive operations. Public exploit code exists and no patch is currently available.

SSH XSS Termix
NVD GitHub
CVSS 3.1
8.0
EPSS
0.0%
CVE-2026-22776 HIGH POC PATCH This Week

cpp-httplib versions prior to 0.30.1 are vulnerable to denial of service attacks due to insufficient validation of decompressed HTTP request body sizes. An unauthenticated remote attacker can send a malicious gzip or brotli-compressed request that decompresses to an arbitrarily large payload in memory, exhausting server resources. Public exploit code exists for this vulnerability, and a patch is available in version 0.30.1 and later.

Denial Of Service Cpp Httplib Red Hat Suse
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-22786 HIGH POC PATCH This Week

Gin-vue-admin versions 2.8.7 and earlier contain a path traversal vulnerability in the breakpoint resume upload API that allows authenticated attackers to write arbitrary files to any directory on the system. Public exploit code exists for this vulnerability, which affects administrators and users with file upload privileges. An attacker can bypass directory restrictions by injecting traversal sequences (../) into the fileName parameter to escape the intended fileDir location.

Golang Path Traversal Gin Vue Admin Suse
NVD GitHub
CVSS 3.1
7.2
EPSS
0.5%
CVE-2026-0854 HIGH This Week

Merit LILIN DVR/NVR devices allow authenticated remote attackers to execute arbitrary operating system commands through command injection, enabling complete system compromise. An attacker with valid credentials can bypass application controls and gain full control over the affected device without user interaction. No patch is currently available for this vulnerability, leaving deployed systems at significant risk.

Command Injection
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2025-46068 HIGH This Week

Director versions up to 25.2.0 is affected by unrestricted upload of file with dangerous type (CVSS 8.8).

File Upload RCE Director
NVD GitHub
CVSS 3.1
8.8
EPSS
0.3%
CVE-2025-69276 HIGH This Week

Deserialization of Untrusted Data vulnerability in Broadcom DX NetOps Spectrum on Windows, Linux allows Object Injection.This issue affects DX NetOps Spectrum: 24.3.13 and earlier. [CVSS 8.8 HIGH]

Broadcom Linux Windows Deserialization Dx Netops Spectrum
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-0855 HIGH This Week

Merit LILIN IP Camera models contain an OS command injection vulnerability that allows authenticated attackers to execute arbitrary commands on affected devices with high privileges. The vulnerability requires valid credentials but no user interaction, enabling complete compromise of device confidentiality, integrity, and availability. No patch is currently available for this vulnerability.

Command Injection
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-69274 HIGH This Week

Authorization Bypass Through User-Controlled Key vulnerability in Broadcom DX NetOps Spectrum on Windows, Linux allows Privilege Escalation.This issue affects DX NetOps Spectrum: 24.3.10 and earlier. [CVSS 8.8 HIGH]

Broadcom Linux Windows Privilege Escalation Dx Netops Spectrum
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-46067 HIGH This Week

An issue in Automai Director v.25.2.0 allows a remote attacker to escalate privileges and obtain sensitive information via a crafted js file [CVSS 8.2 HIGH]

Authentication Bypass Director
NVD GitHub
CVSS 3.1
8.2
EPSS
0.1%
CVE-2025-71063 HIGH PATCH This Week

Errands before 46.2.10 does not verify TLS certificates for CalDAV servers. [CVSS 8.2 HIGH]

TLS Errands
NVD GitHub
CVSS 3.1
8.2
EPSS
0.0%
CVE-2025-41078 HIGH This Week

Weaknesses in the authorization mechanisms of Viafirma Documents v3.7.129 allow an authenticated user without privileges to list and access other user data, use user creation, modification, and deletion features, and escalate privileges by impersonating other users of the application in the generation and signing of documents. [CVSS 8.1 HIGH]

Authentication Bypass Documents Documents Compose
NVD
CVSS 3.1
8.1
EPSS
0.0%
CVE-2025-41077 HIGH This Week

IDOR vulnerability has been found in Viafirma Inbox v4.5.13 that allows any authenticated user without privileges in the application to list all users, access and modify their data. [CVSS 8.1 HIGH]

Authentication Bypass Inbox
NVD
CVSS 3.1
8.1
EPSS
0.0%
CVE-2025-14279 HIGH PATCH This Week

MLFlow versions up to and including 3.4.0 are vulnerable to DNS rebinding attacks due to a lack of Origin header validation in the MLFlow REST server. This vulnerability allows malicious websites to bypass Same-Origin Policy protections and execute unauthorized calls against REST endpoints. [CVSS 8.1 HIGH]

Authentication Bypass Mlflow
NVD GitHub
CVSS 3.0
8.1
EPSS
0.0%
CVE-2025-69273 HIGH This Week

Improper Authentication vulnerability in Broadcom DX NetOps Spectrum on Windows, Linux allows Authentication Bypass.This issue affects DX NetOps Spectrum: 24.3.10 and earlier. [CVSS 7.5 HIGH]

Broadcom Linux Windows Authentication Bypass Dx Netops Spectrum
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-69271 HIGH This Week

Insufficiently Protected Credentials vulnerability in Broadcom DX NetOps Spectrum on Windows, Linux allows Sniffing Attacks.This issue affects DX NetOps Spectrum: 24.3.13 and earlier. [CVSS 7.5 HIGH]

Broadcom Linux Windows Dx Netops Spectrum
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-69272 HIGH This Week

Cleartext Transmission of Sensitive Information vulnerability in Broadcom DX NetOps Spectrum on Windows, Linux allows Sniffing Attacks.This issue affects DX NetOps Spectrum: 21.2.1 and earlier. [CVSS 7.5 HIGH]

Broadcom Linux Windows Dx Netops Spectrum
NVD
CVSS 3.1
7.5
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy