Skip to main content
CVE-2026-23949 HIGH POC PATCH This Week

Jaraco.context versions 5.2.0 through 6.0.x contain a path traversal vulnerability in the tarball() function that allows attackers to extract files outside the intended directory when processing malicious tar archives, with public exploit code available. The vulnerability exploits insufficient path validation that fails to properly filter directory traversal sequences like `../`, potentially enabling unauthorized file extraction and nested tarball attacks. This affects all users processing untrusted tar archives with the vulnerable versions.

Path Traversal Jaraco.Context Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
8.6
EPSS
0.1%
CVE-2026-22219 HIGH POC PATCH This Week

Server-side request forgery in Chainlit before 2.9.4 lets an authenticated user coerce the server into fetching an attacker-supplied URL, exposing internal network services and cloud metadata endpoints. The flaw lives in the /project/element update flow specifically when Chainlit is deployed with the SQLAlchemy data layer backend, whose element-creation logic issues an outbound HTTP GET against a user-controlled url field and persists the response through the configured storage provider. Publicly available exploit code exists (documented in Zafran's 'ChainLeak' research), though the flaw is not listed in CISA KEV and its EPSS probability is low at 0.04%.

SSRF Chainlit
NVD GitHub
CVSS 4.0
8.3
EPSS
0.0%
CVE-2025-57156 HIGH POC PATCH This Week

NULL pointer dereference in the dacp_reply_playqueueedit_clear function in src/httpd_dacp.c in owntone-server through commit 6d604a1 (newer commit after version 28.12) allows remote attackers to cause a Denial of Service (crash). [CVSS 7.5 HIGH]

Null Pointer Dereference Denial Of Service Owntone Server Suse
NVD GitHub
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-66692 HIGH POC PATCH This Week

A buffer over-read in the PublicKey::verify() method of Binance - Trust Wallet Core before commit 5668c67 allows attackers to cause a Denial of Service (DoS) via a crafted input. [CVSS 7.5 HIGH]

Buffer Overflow Denial Of Service Trust Wallet Core
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-56353 HIGH POC This Week

In tinyMQTT commit 6226ade15bd4f97be2d196352e64dd10937c1962 (2024-02-18), a memory leak occurs due to the broker's failure to validate or reject malformed UTF-8 strings in topic filters. [CVSS 7.5 HIGH]

Denial Of Service Tinymqtt
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-66902 HIGH POC This Week

An input validation issue in in Pithikos websocket-server v.0.6.4 allows a remote attacker to obtain sensitive information or cause unexpected server behavior via the websocket_server/websocket_server.py, WebSocketServer._message_received components. [CVSS 7.5 HIGH]

Code Injection Websocket Server
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-63647 HIGH POC PATCH This Week

A NULL pointer dereference in the parse_meta function (src/httpd_daap.c) of owntone-server commit 334beb allows attackers to cause a Denial of Service (DoS) via sending a crafted DAAP request to the server. [CVSS 7.5 HIGH]

Null Pointer Dereference Denial Of Service Owntone Server Suse
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-22218 HIGH POC PATCH This Week

Arbitrary file read in Chainlit versions prior to 2.9.4 lets an authenticated user disclose any file readable by the Chainlit service process by abusing the /project/element update flow with a user-controlled path. The server copies the referenced file into the attacker's session and returns a chainlitKey usable at /project/file/<chainlitKey> to exfiltrate contents. Publicly available exploit code exists (documented as part of the 'ChainLeak' research by Zafran), though EPSS is very low (0.03%) and it is not on CISA KEV.

Path Traversal Chainlit
NVD GitHub
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-21945 HIGH PATCH CISA Act Now

Remote denial of service in Oracle Java SE, GraalVM for JDK, and GraalVM Enterprise Edition allows unauthenticated attackers to trigger application hangs or crashes via network-accessible protocols. Multiple Java versions including JDK 8u471, 11.0.29, 17.0.17, 21.0.9, and 25.0.1 are affected through a flaw in the Security component. No patch is currently available for this high-severity vulnerability.

Oracle Java Denial Of Service Graalvm Graalvm For Jdk +2
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-21932 HIGH PATCH CISA Act Now

Graalvm versions up to 21.3.16 contains a vulnerability that allows attackers to unauthorized creation, deletion or modification access to critical data or all O (CVSS 7.4).

Oracle Java Authentication Bypass Graalvm Graalvm For Jdk +2
NVD VulDB
CVSS 3.1
7.4
EPSS
0.0%
CVE-2026-0908 HIGH PATCH This Week

Heap corruption in Google Chrome's ANGLE graphics library prior to version 144.0.7559.59 can be triggered through a crafted HTML page, enabling remote attackers to execute arbitrary code without user interaction beyond visiting a malicious website. The vulnerability stems from a use-after-free memory flaw that affects all Chrome users, though no patch is currently available. With a CVSS score of 8.8 and minimal exploit complexity, this presents a significant risk to the browser's security model.

Use After Free Chrome Google Red Hat Suse
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-0902 HIGH PATCH This Week

Out-of-bounds memory read in Chrome's V8 JavaScript engine prior to version 144.0.7559.59 enables remote attackers to leak sensitive information through maliciously crafted web pages requiring only user interaction. The vulnerability affects all Chrome users and exposes high-impact confidentiality and integrity risks with no available patch at this time.

Chrome Google Red Hat Suse
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-0900 HIGH PATCH This Week

Object corruption in Google Chrome's V8 engine prior to version 144.0.7559.59 can be triggered by remote attackers through malicious HTML pages, potentially leading to complete system compromise including unauthorized access, data modification, and denial of service. The vulnerability requires user interaction to exploit but does not require authentication or special privileges. No patch is currently available for affected users.

Google Chrome Red Hat Suse
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-0899 HIGH PATCH This Week

Out-of-bounds memory access in Chrome's V8 engine (versions prior to 144.0.7559.59) enables remote attackers to corrupt objects and potentially achieve code execution by delivering a malicious HTML page to users. The vulnerability requires user interaction but poses significant risk due to its high CVSS score (8.8) and impact on confidentiality, integrity, and availability. No patch is currently available.

Chrome Google Red Hat Suse
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-33015 HIGH This Week

Concert versions up to 2.1.0 is affected by unrestricted upload of file with dangerous type (CVSS 8.8).

IBM Concert
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-15347 HIGH This Week

The Creator LMS - The LMS for Creators, Coaches, and Trainers plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check in the get_items_permissions_check function in all versions up to, and including, 1.1.12. [CVSS 8.8 HIGH]

WordPress Privilege Escalation PHP
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-21967 HIGH This Week

Hospitality Opera 5 versions up to 5.6.19.23 contains a vulnerability that allows attackers to unauthorized access to critical data or complete access to all Oracle Hospitalit (CVSS 8.6).

Oracle Denial Of Service Hospitality Opera 5
NVD
CVSS 3.1
8.6
EPSS
0.1%
CVE-2025-12985 HIGH This Week

IBM Licensing Operator incorrectly assigns privileges to security critical files which could allow a local root escalation inside a container running the IBM Licensing Operator image. [CVSS 8.4 HIGH]

IBM
NVD
CVSS 3.1
8.4
EPSS
0.0%
CVE-2025-14115 HIGH This Week

Direct for UNIX Container 6.3.0.0 versions up to 6.3.0.6 is affected by use of hard-coded credentials (CVSS 8.4).

IBM
NVD
CVSS 3.1
8.4
EPSS
0.0%
CVE-2026-21956 HIGH This Week

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. [CVSS 8.2 HIGH]

Oracle Virtualbox Vm Virtualbox Suse
NVD
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-21955 HIGH This Week

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. [CVSS 8.2 HIGH]

Oracle Virtualbox Vm Virtualbox Suse
NVD
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-21990 HIGH This Week

Vm Virtualbox versions up to 7.1.14 contains a vulnerability that allows attackers to takeover of Oracle VM VirtualBox (CVSS 8.2).

Oracle Virtualbox Vm Virtualbox
NVD
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-21988 HIGH This Week

Vm Virtualbox versions up to 7.1.14 contains a vulnerability that allows attackers to takeover of Oracle VM VirtualBox (CVSS 8.2).

Oracle Virtualbox Vm Virtualbox
NVD
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-21987 HIGH This Week

Vm Virtualbox versions up to 7.1.14 contains a vulnerability that allows attackers to takeover of Oracle VM VirtualBox (CVSS 8.2).

Oracle Virtualbox Vm Virtualbox
NVD
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-0726 HIGH This Week

PHP object injection in the Nexter Extension plugin for WordPress (versions up to 4.4.6) allows unauthenticated remote attackers to deserialize untrusted data, potentially enabling arbitrary code execution, file deletion, or data theft if a compatible POP chain exists in other installed plugins or themes. The vulnerability has a high CVSS score of 8.1 but currently lacks a public exploit chain in the vulnerable software itself. No patch is currently available.

WordPress PHP Deserialization
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-21973 HIGH This Week

Flexcube Investor Servicing versions up to 14.5.0.15.0 contains a vulnerability that allows attackers to unauthorized creation, deletion or modification access to critical data or all O (CVSS 8.1).

Oracle Flexcube Investor Servicing
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-14977 HIGH This Week

The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution - Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 4.2.4 via the `/wp-json/dokan/v1/settings` REST API endpoint due to missing validation on a user-controlled key. [CVSS 8.1 HIGH]

WordPress PHP
NVD
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-21989 HIGH This Week

Vm Virtualbox versions up to 7.1.14 contains a vulnerability that allows attackers to unauthorized creation, deletion or modification access to critical data or all O (CVSS 8.1).

Oracle Virtualbox Denial Of Service Vm Virtualbox
NVD
CVSS 3.1
8.1
EPSS
0.0%
CVE-2025-33233 HIGH This Week

NVIDIA Merlin Transformers4Rec for all platforms contains a vulnerability where an attacker could cause code injection. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering. [CVSS 7.8 HIGH]

Privilege Escalation Code Injection Information Disclosure AI / ML
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-57155 HIGH PATCH This Week

NULL pointer dereference in the daap_reply_groups function in src/httpd_daap.c in owntone-server through commit 5e6f19a (newer commit after version 28.2) allows remote attackers to cause a Denial of Service. [CVSS 7.5 HIGH]

Null Pointer Dereference Denial Of Service Owntone Server Suse
NVD GitHub
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-9466 HIGH This Week

A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. During execution of the Achilles EtherNet/IP and CIP grammar tests, the device reboots unexpectedly, causing the Link State Monitor to go down for several seconds. [CVSS 7.5 HIGH]

Golang Armorstart Lt Firmware
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-9465 HIGH This Week

A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. During execution of the Achilles Comprehensive grammar tests, the device reboots unexpectedly, causing the Link State Monitor to go down for several seconds. [CVSS 7.5 HIGH]

Golang Armorstart Lt Firmware
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-9283 HIGH This Week

A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. During execution of the Achilles EtherNet/IP Step Limits Storms tests, the device reboots unexpectedly, causing the Link State Monitor to go down for several seconds. [CVSS 7.5 HIGH]

Golang Armorstart Lt Firmware
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-9282 HIGH This Week

A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. During execution of the Achilles Comprehensive limited storm tests, the device reboots unexpectedly, causing the Link State Monitor to go down for several seconds. [CVSS 7.5 HIGH]

Golang Armorstart Lt Firmware
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-9281 HIGH This Week

A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. During execution of the Achilles Comprehensive step limit storm tests, the device reboots [CVSS 7.5 HIGH]

Denial Of Service Armorstart Lt Firmware
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-9279 HIGH This Week

A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. During execution of the Achilles EtherNet/IP Step Limit Storm tests, the device reboots unexpectedly, causing the Link State Monitor to go down for several seconds. [CVSS 7.5 HIGH]

Golang Armorstart Lt Firmware
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-59465 HIGH PATCH This Week

A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. [CVSS 7.5 HIGH]

Node.js Denial Of Service Node Js
NVD HeroDevs VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-21982 HIGH This Week

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. [CVSS 7.5 HIGH]

Oracle Virtualbox Vm Virtualbox
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-59464 HIGH PATCH This Week

A memory leak in Node.js’s OpenSSL integration occurs when converting `X.509` certificate fields to UTF-8 without freeing the allocated buffer. [CVSS 7.5 HIGH]

Node.js OpenSSL TLS Denial Of Service Node.Js +2
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-21940 HIGH This Week

Unauthenticated attackers can access sensitive data in Oracle Agile PLM 9.3.6 through an HTTP network request targeting the User and User Group component, potentially exposing all accessible information within the application. This easily exploitable vulnerability requires no user interaction and affects Oracle Supply Chain Products Suite deployments. No patch is currently available.

Oracle Supply Chain Products Suite
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-15281 HIGH PATCH This Week

Calling wordexp with WRDE_REUSE in conjunction with WRDE_APPEND in the GNU C Library version 2.0 to version 2.42 may cause the interface to return uninitialized memory in the we_wordv member, which on subsequent calls to wordfree may abort the process. [CVSS 7.5 HIGH]

Information Disclosure Glibc Red Hat Suse
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-21926 HIGH This Week

Siebel Customer Relationship Management Deployment contains a vulnerability that allows attackers to unauthorized ability to cause a hang or frequently repeatable crash (complete DO (CVSS 7.5).

Oracle TLS Denial Of Service Siebel Customer Relationship Management Deployment
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-63648 HIGH PATCH This Week

A NULL pointer dereference in the dacp_reply_playqueueedit_move function (src/httpd_dacp.c) of owntone-server commit b7e385f allows attackers to cause a Denial of Service (DoS) via sending a crafted DACP request to the server. [CVSS 7.5 HIGH]

Null Pointer Dereference Denial Of Service Owntone Server Suse
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-21637 HIGH PATCH This Week

Node.js TLS servers using PSK or ALPN callbacks are vulnerable to denial of service when these callbacks throw unhandled synchronous exceptions during the TLS handshake. Remote attackers can exploit this by sending specially crafted TLS handshake requests to trigger resource exhaustion or process crashes, either through immediate termination or silent file descriptor leaks. No patch is currently available for this vulnerability.

Node.js TLS Denial Of Service Node.Js Red Hat +1
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-58741 HIGH This Week

Imagedirector Capture versions up to 7.6.3.25808. is affected by insufficiently protected credentials (CVSS 7.5).

Authentication Bypass Imagedirector Capture
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-9464 HIGH This Week

A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. This vulnerability is triggered during fuzzing of multiple CIP classes, which causes the CIP port to become unresponsive. [CVSS 7.5 HIGH]

Denial Of Service Armorstart Lt Firmware
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-9280 HIGH This Week

A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. Fuzzing performed using Defensics causes the device to become unresponsive, requiring a reboot. [CVSS 7.5 HIGH]

Industrial Armorstart Lt Firmware
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-9278 HIGH This Week

A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. After running a Burp Suite active scan, the device loses ICMP connectivity, causing the web application to become inaccessible. [CVSS 7.5 HIGH]

Denial Of Service Armorstart Lt Firmware
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-21984 HIGH This Week

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. [CVSS 7.5 HIGH]

Oracle Virtualbox Vm Virtualbox Suse
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-21983 HIGH This Week

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. [CVSS 7.5 HIGH]

Oracle Virtualbox Vm Virtualbox Suse
NVD
CVSS 3.1
7.5
EPSS
0.0%
Page 1 of 2 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy