Skip to main content
CVE-2026-23829 MEDIUM POC PATCH This Month

Header injection in Mailpit's SMTP server prior to version 1.28.3 allows unauthenticated remote attackers to inject or modify email headers by embedding carriage return characters in sender and recipient addresses due to insufficient regex validation. Public exploit code exists for this vulnerability, which could enable attackers to manipulate email routing, spoofing, or phishing attacks against users of the email testing tool. The issue is resolved in version 1.28.3 and later.

Code Injection Mailpit Suse
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-1181 CRITICAL Act Now

Altium 365 workspace endpoints had overly permissive CORS policies that allow unauthorized cross-origin access to workspace data, potentially exposing proprietary PCB designs and engineering data.

Authentication Bypass
NVD
CVSS 3.1
9.0
EPSS
0.1%
CVE-2026-23625 HIGH This Week

Stored XSS in OpenProject versions 16.3.0-16.6.4 allows authenticated users to inject arbitrary HTML/JavaScript through subproject names displayed in the Roadmap view, affecting all users who view the compromised roadmap. An attacker with project creation or modification privileges can craft a malicious project name that executes in victims' browsers when they access the Roadmap, potentially leading to session hijacking or credential theft. No patch is currently available; mitigation is only present in versions 16.6.5 and 17.0.0 through HTTP security headers.

XSS Openproject
NVD GitHub
CVSS 3.1
8.7
EPSS
0.0%
CVE-2026-21618 HIGH This Week

Improper input sanitization in hexpm's SharedAuthorizationView module allows unauthenticated attackers to inject malicious scripts into web pages through the render_grouped_scopes function, enabling cross-site scripting (XSS) attacks against hex.pm users. The vulnerability affects hexpm versions from October 2025 through January 19, 2026, and currently has no available patch. Attackers can exploit this via a simple network request requiring only user interaction, potentially compromising user sessions or stealing sensitive data.

XSS Hexpm
NVD GitHub VulDB
CVSS 4.0
8.5
EPSS
0.1%
CVE-2026-22037 HIGH PATCH This Week

The @fastify/express plugin prior to version 4.0.3 allows authenticated attackers to bypass path-based middleware restrictions by submitting URL-encoded characters in requests, such as using /%61dmin instead of /admin. While the middleware engine fails to match the encoded path, the underlying Fastify router correctly decodes it and routes the request to handlers, enabling unauthorized access to protected endpoints. This affects Node.js applications using vulnerable versions of the plugin.

Node.js
NVD GitHub
CVSS 3.1
8.4
EPSS
0.1%
CVE-2026-22031 HIGH PATCH This Week

Middleware path-matching bypass in @fastify/middie before version 9.1.0 allows authenticated attackers to access protected endpoints by using URL-encoded characters in requests, as the middleware engine fails to decode paths while the underlying router does. An attacker with valid credentials can exploit this inconsistency to circumvent middleware security controls and access restricted functionality. This vulnerability requires low privileges and network access, with no patch currently available.

Authentication Bypass Fastify Middie
NVD GitHub VulDB
CVSS 3.1
8.4
EPSS
0.1%
CVE-2026-1007 HIGH This Week

Devolutions Server versions 2025.3.1 through 2025.3.12 contain an authorization bypass in the virtual gateway component that allows authenticated attackers with high privileges to circumvent IP-based deny rules. This vulnerability could enable attackers to access restricted resources or bypass network-level security controls. No patch is currently available.

Authentication Bypass Devolutions Server
NVD
CVSS 3.1
7.6
EPSS
0.0%
CVE-2025-61684 HIGH PATCH This Week

Quicly, an IETF QUIC protocol implementation, is susceptible to a denial-of-service attack prior to commit d9d3df6a8530a102b57d840e39b0311ce5c9e14e. A remote attacker can exploit these bugs to trigger an assertion failure that crashes process using Quicly. [CVSS 7.5 HIGH]

Denial Of Service Quicly
NVD GitHub
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-29847 HIGH PATCH This Week

A vulnerability in Apache Linkis. Problem Description When using the JDBC engine and da When using the JDBC engine and data source functionality, if the URL parameter configured on the frontend has undergone multiple rounds of URL encoding, it may bypass the system's checks. [CVSS 7.5 HIGH]

Apache Linkis
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-0943 HIGH PATCH This Week

HarfBuzz::Shaper for Perl versions before 0.032 contain a null pointer dereference in the bundled HarfBuzz library that allows remote attackers to cause a denial of service without authentication or user interaction. The vulnerability affects applications using vulnerable versions of the library and results in service unavailability. No patch is currently available.

Null Pointer Dereference Suse
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-23833 HIGH PATCH This Week

ESPHome versions 2025.9.0 through 2025.12.6 are vulnerable to a denial-of-service attack via integer overflow in the API protobuf decoder, affecting all supported microcontroller platforms (ESP32, ESP8266, RP2040, LibreTiny). Unauthenticated attackers can crash ESPHome devices by sending specially crafted packets with large field length values to bypass bounds checking when API encryption is disabled. Upgrade to version 2025.12.7 or later to remediate.

Integer Overflow Denial Of Service Esphome Red Hat
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-11043 HIGH CISA This Week

An Improper Certificate Validation vulnerability in the OPC-UA client and ANSL over TLS client used in Automation Studio versions up to 6.5 is affected by improper certificate validation (CVSS 7.4).

TLS
NVD
CVSS 3.1
7.4
EPSS
0.0%
CVE-2026-23880 HIGH This Week

OnboardLite's user migration feature in the admin dashboard is vulnerable to stored cross-site scripting, allowing authenticated attackers to inject malicious scripts that execute when administrators process Discord account migrations. This vulnerability affects versions prior to commit 1d32081a66f21bcf41df1ecb672490b13f6e429f and could enable session hijacking or credential theft targeting privileged users. No patch is currently available.

XSS
NVD GitHub
CVSS 3.1
7.3
EPSS
0.1%
CVE-2026-23843 HIGH This Week

Insecure Direct Object Reference (IDOR) in teklifolustur_app PHP application allows authenticated users to access and view quotes belonging to other users by manipulating the offer_id parameter, due to insufficient authorization validation. An attacker with valid credentials can enumerate and read sensitive quote data from other organization members without proper access controls. No patch is currently available for this vulnerability.

PHP
NVD GitHub
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-11044 MEDIUM CISA This Month

R Automation Runtime versions up to 6.5 is affected by allocation of resources without limits or throttling (CVSS 6.8).

Race Condition
NVD
CVSS 3.1
6.8
EPSS
0.1%
CVE-2026-1150 LOW POC Monitor

Command injection in Totolik LR350 firmware through the setTracerouteCfg function allows authenticated remote attackers to execute arbitrary system commands via a malicious POST request to /cgi-bin/cstecgi.cgi. Public exploit code is available and the vulnerability remains unpatched, creating immediate risk for deployed devices. An attacker with network access and valid credentials can achieve code execution with full device compromise potential.

Command Injection Lr350 Firmware
NVD VulDB
CVSS 4.0
2.1
EPSS
2.7%
CVE-2026-1149 LOW POC Monitor

Command injection in Totolink LR350 firmware allows authenticated remote attackers to execute arbitrary commands through the ip parameter in the setDiagnosisCfg function. Public exploit code exists for this vulnerability, and no patch is currently available. Affected users should restrict access to the affected device until a fix is released.

Command Injection Lr350 Firmware
NVD VulDB
CVSS 4.0
2.1
EPSS
2.7%
CVE-2025-69199 MEDIUM PATCH This Month

Wings is the server control plane for Pterodactyl, a free, open-source game server management panel. Prior to version 1.12.0, websockets within wings lack proper rate limiting and throttling. [CVSS 6.5 MEDIUM]

Denial Of Service Wings Suse
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-59355 MEDIUM PATCH This Month

A vulnerability. When org.apache.linkis.metadata.util.HiveUtils.decode() fails to perform Base64 decoding, it records the complete input parameter string in the log via logger.error(str + "decode failed", e). [CVSS 6.5 MEDIUM]

Apache Linkis
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-69198 MEDIUM PATCH This Month

Pterodactyl is a free, open-source game server management panel. Pterodactyl implements rate limits that are applied to the total number of resources (e.g. [CVSS 6.5 MEDIUM]

Denial Of Service Panel
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-23646 MEDIUM This Month

OpenProject versions prior to 16.6.5 and 17.0.1 fail to properly validate session ownership in the session deletion endpoint, allowing authenticated users to forcibly log out arbitrary other users by iterating through sequential session IDs. An attacker with valid credentials can exploit the predictable session ID scheme via DELETE requests to /my/sessions/:id to terminate other users' sessions without authorization. No patch is currently available, and this vulnerability requires only valid authentication to exploit.

Information Disclosure Openproject
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-23878 MEDIUM PATCH This Month

HotCRP is conference review software. [CVSS 6.5 MEDIUM]

Information Disclosure Hotcrp
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-23885 MEDIUM PATCH This Month

Arbitrary code execution in Alchemy CMS before versions 7.4.12 and 8.0.3 stems from unsafe use of Ruby's eval() function on the resource_handler.engine_name parameter in the ResourcesHelper class. An authenticated administrator can manipulate module configurations to inject and execute arbitrary system commands with the privileges of the Ruby process. The vulnerability requires high privileges and careful setup to exploit, but completely bypasses the Ruby sandbox once successful.

Code Injection RCE Alchemy Cms
NVD GitHub
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1144 LOW POC PATCH Monitor

Use-after-free in QuickJS up to version 0.11.0 within the Atomics Ops Handler allows remote attackers to trigger memory corruption without authentication. Public exploit code exists for this vulnerability, enabling potential information disclosure or denial of service. A patch is available and should be applied immediately.

Buffer Overflow Denial Of Service Quickjs
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2026-1145 LOW POC PATCH Monitor

Heap-based buffer overflow in QuickJS up to version 0.11.0 within the js_typed_array_constructor_ta function allows remote attackers to corrupt memory and potentially achieve code execution with user interaction. Public exploit code exists for this vulnerability, increasing practical attack risk. A patch is available and should be applied immediately.

Buffer Overflow Quickjs
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2026-1141 LOW POC Monitor

PHPGurukul News Portal 1.0 contains an authorization bypass in the /admin/add-subadmins.php component that allows authenticated attackers to gain unauthorized access and modify system data. Public exploit code exists for this vulnerability, making it readily exploitable by remote actors. A patch is not currently available, leaving installations vulnerable until an update is released.

PHP Information Disclosure
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2026-1142 LOW POC Monitor

PHPGurukul News Portal 1.0 contains a cross-site request forgery vulnerability that allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated users through crafted requests. Public exploit code exists for this vulnerability, increasing the risk of active exploitation. The flaw affects the integrity of user actions but does not compromise confidentiality or availability.

CSRF News Portal
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2026-1193 LOW POC Monitor

Improper authorization in MineAdmin 1.x/2.x allows authenticated remote attackers to gain unauthorized access through the View Interface cache component. Public exploit code exists for this vulnerability, and the vendor has not provided a patch or response to disclosure requests. An attacker with valid credentials can exploit this to read, modify, or disrupt system operations.

Information Disclosure Mineadmin
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-1135 LOW POC Monitor

Reflected cross-site scripting in itsourcecode Society Management System 1.0 allows unauthenticated remote attackers to inject malicious scripts via the Title parameter in /admin/activity.php. Public exploit code exists for this vulnerability, enabling potential attacks against affected deployments. A security patch is not currently available.

PHP XSS
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-1134 LOW POC Monitor

Reflected cross-site scripting in itsourcecode Society Management System 1.0 allows remote attackers to inject malicious scripts through the detail parameter in /admin/expenses.php, potentially compromising administrator sessions and data. Public exploit code exists for this vulnerability, and no patch is currently available, leaving deployed instances at risk of client-side attacks.

PHP XSS
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-1153 LOW POC Monitor

Cross-site request forgery in Mpay up to version 1.2.4 allows unauthenticated remote attackers to perform unauthorized actions via a crafted request. Public exploit code exists for this vulnerability, and no patch is currently available, leaving affected systems exposed to attack.

CSRF Mpay
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-1154 LOW POC Monitor

E-Learning System versions up to 1.0 contains a vulnerability that allows attackers to basic cross site scripting (CVSS 4.3).

PHP XSS
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-1169 LOW POC Monitor

Cross-site request forgery (CSRF) in Birkir Prime through version 0.4.0.beta.0 allows remote attackers to perform unauthorized actions on behalf of authenticated users through malicious web requests. Public exploit code is available for this vulnerability, increasing the risk of active exploitation. No patch has been released as of this advisory.

CSRF Prime
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-1152 LOW POC Monitor

Mpay versions up to 1.2.4 contain an unrestricted file upload vulnerability in the QR Code Image Handler component via the codeimg parameter, allowing remote attackers with high privileges to upload arbitrary files. Public exploit code exists for this vulnerability, though no patch is currently available. The attack requires administrative credentials but carries moderate risk with potential impacts to confidentiality, integrity, and availability.

File Upload Authentication Bypass Mpay
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.1%
CVE-2026-1151 LOW POC Monitor

A weakness has been identified in technical-laohu mpay up to 1.2.4. The affected element is an unknown function of the component User Center. [CVSS 2.4 LOW]

XSS Mpay
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-1179 MEDIUM This Month

SQL injection in Yonyou KSOA 9.0's /kmf/user_popedom.jsp endpoint allows unauthenticated remote attackers to manipulate the folderid parameter and execute arbitrary database queries. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite early notification. The attack requires no user interaction and can result in unauthorized data access, modification, or system disruption.

SQLi Ksoa
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-1178 MEDIUM This Month

SQL injection in Yonyou KSOA 9.0 via the folderid parameter in /kmf/select.jsp allows unauthenticated remote attackers to manipulate database queries and potentially extract or modify sensitive data. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite early notification.

SQLi Ksoa
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-1177 MEDIUM This Month

SQL injection in Yonyou KSOA 9.0 via the folderid parameter in /kmf/save_folder.jsp allows unauthenticated remote attackers to manipulate database queries and potentially access, modify, or delete sensitive data. Public exploit code is available for this vulnerability, increasing the risk of active exploitation. No patch is currently available from the vendor.

SQLi Ksoa
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-1133 MEDIUM This Month

SQL injection in Yonyou KSOA 9.0 allows unauthenticated remote attackers to manipulate the folderid parameter in /kmf/folder.jsp HTTP requests, potentially leading to unauthorized data access or modification. Public exploit code exists for this vulnerability, and the vendor has not provided a patch or response despite early notification.

SQLi Ksoa
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-1132 MEDIUM This Month

SQL injection in Yonyou KSOA 9.0 via the folderid parameter in /kmf/edit_folder.jsp allows unauthenticated remote attackers to execute arbitrary database queries. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite early disclosure notification.

SQLi Ksoa
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-1131 MEDIUM This Month

SQL injection in Yonyou KSOA 9.0's /kmc/save_catalog.jsp endpoint allows unauthenticated remote attackers to manipulate the catalogid parameter and execute arbitrary database queries. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires only network access with no user interaction, enabling potential data exfiltration and unauthorized database modification.

SQLi Ksoa
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-1130 MEDIUM This Month

Unauthenticated SQL injection in Yonyou KSOA 9.0 via the ID parameter in the /worksheet/worksadd_plan.jsp endpoint allows remote attackers to execute arbitrary SQL queries and potentially access or modify sensitive data. Public exploit code exists for this vulnerability, and the vendor has not released a patch despite early notification. The attack requires no authentication or user interaction and can be exploited over the network.

SQLi Ksoa
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-1129 MEDIUM This Month

SQL injection in Yonyou KSOA 9.0's /worksheet/worksadd.jsp endpoint allows unauthenticated remote attackers to manipulate the ID parameter and execute arbitrary database queries. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early notification. The attack requires no user interaction and could enable unauthorized data access, modification, or deletion.

SQLi Ksoa
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-23886 MEDIUM This Month

Swift W3C TraceContext and Swift OTel improperly validate malformed HTTP headers, enabling remote attackers to crash affected services through denial-of-service attacks. This vulnerability affects applications using these libraries for distributed tracing and telemetry, particularly HTTP servers processing untrusted network input. No patch is currently available, though versions 1.0.0-beta.5 of Swift W3C TraceContext and 1.0.4 of Swift OTel are expected to address the issue.

Denial Of Service
NVD GitHub
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-23877 MEDIUM PATCH This Month

Swing Music is a self-hosted music player for local audio files. versions up to 2.1.4 contains a security vulnerability.

Path Traversal Swing Music
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.5%
CVE-2026-23721 MEDIUM This Month

OpenProject versions prior to 17.0.1 and 16.6.5 fail to properly validate permissions when displaying group membership information, allowing authenticated users with View Members permission in any project to enumerate all groups and identify their members across the entire system. This breaks the intended access control where group membership visibility should be restricted to users with appropriate permissions in projects where the group is active. The vulnerability requires authenticated access and has no available patch or workaround at this time.

Authentication Bypass Openproject
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-23844 MEDIUM PATCH This Month

Whisper Money versions before 0.1.5 contain an insecure direct object reference vulnerability that allows authenticated users to modify bank account balances belonging to other users. An attacker with valid credentials can exploit this to manipulate financial data across multiple accounts without authorization. A patch is available in version 0.1.5 and should be applied immediately.

Information Disclosure Whisper Money
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-1148 MEDIUM This Month

Patients Waiting Area Queue Management System versions up to 1.0 is affected by cross-site request forgery (csrf) (CVSS 4.3).

CSRF Patients Waiting Area Queue Management System
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-23522 LOW Monitor

LobeChat is an open source chat application platform. Prior to version 2.0.0-next.193, `knowledgeBase.removeFilesFromKnowledgeBase` tRPC ep allows authenticated users to delete files from any knowledge base without verifying ownership. `userId` filter in the database query is commented out, so it's enabling attackers to delete other users' KB files if they know the knowledge base ID and file ID...

Authentication Bypass
NVD GitHub
CVSS 3.1
3.7
EPSS
0.1%
CVE-2025-55249 LOW Monitor

HCL AION is affected by a Missing Security Response Headers vulnerability. The absence of standard security headers may weaken the application’s overall security posture and increase its susceptibility to common web-based attacks. [CVSS 3.5 LOW]

Information Disclosure Aion
NVD
CVSS 3.1
3.5
EPSS
0.1%
Prev Page 2 of 3 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy