Skip to main content
CVE-2026-23516 MEDIUM PATCH This Month

CVAT is an open source interactive video and image annotation tool for computer vision. [CVSS 5.4 MEDIUM]

RCE AI / ML Computer Vision Annotation Tool
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-20080 MEDIUM This Month

SSH service disruption in Cisco IEC6400 Wireless Backhaul Edge Compute Software allows unauthenticated remote attackers to trigger denial of service through connection flooding due to missing rate limiting protections. An attacker can render the SSH service unresponsive by launching a DoS attack against the SSH port, though other device operations remain functional during the attack. No patch is currently available.

Cisco SSH Denial Of Service
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-23990 MEDIUM PATCH This Month

Flux Operator versions 0.36.0 through 0.39.x contain an authentication bypass in the Web UI that allows authenticated users to escalate privileges and execute API requests with the operator's service account permissions. The vulnerability affects deployments where OIDC providers issue incomplete token claims or custom CEL expressions evaluate to empty values, bypassing Kubernetes RBAC impersonation controls. Cluster administrators running affected Flux Operator versions should upgrade to 0.40.0 or later.

Golang Kubernetes Privilege Escalation Information Disclosure Flux Operator +1
NVD GitHub
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-0663 MEDIUM This Month

M-Files Server before version 26.1.15632.3 can be crashed by authenticated administrators with vault privileges through an unsafe API endpoint, resulting in service disruption. This denial-of-service vulnerability requires high-level privileges and network access, making it a limited-scope threat to organizations running vulnerable versions. No patch is currently available.

Denial Of Service M Files Server
NVD
CVSS 3.1
4.9
EPSS
0.1%
CVE-2026-22849 MEDIUM PATCH This Month

Saleor is an e-commerce platform. [CVSS 4.8 MEDIUM]

XSS Saleor
NVD GitHub
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-20109 MEDIUM This Month

Stored XSS vulnerabilities in Cisco Packaged CCE and Unified CCE web management interfaces allow authenticated attackers to inject malicious scripts by exploiting insufficient input validation. Successful exploitation enables arbitrary script execution within the management interface context or theft of sensitive browser-based information from authorized users. No patch is currently available; exploitation requires high-level privileges and user interaction.

Cisco XSS
NVD
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-20055 MEDIUM This Month

Stored XSS vulnerabilities in Cisco Packaged CCE and Unified CCE web management interfaces allow authenticated attackers to inject malicious scripts that execute in the context of other users' browsers, potentially enabling session hijacking or sensitive data theft. The vulnerability stems from inadequate input validation on specific interface pages and requires high-privilege account access and user interaction to exploit. No patch is currently available for this medium-severity issue (CVSS 4.8).

Cisco XSS
NVD
CVSS 3.1
4.8
EPSS
0.0%
CVE-2025-68138 MEDIUM This Month

Libocpp versions up to 0.30.1 is affected by allocation of resources without limits or throttling (CVSS 4.7).

Denial Of Service Libocpp
NVD GitHub
CVSS 3.1
4.7
EPSS
0.0%
CVE-2025-68140 MEDIUM This Month

EVerest is an EV charging software stack. Prior to version 2025.9.0, once the validity of the received V2G message has been verified, it is checked whether the submitted session ID matches the registered one. [CVSS 4.3 MEDIUM]

Authentication Bypass Everest
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-68139 MEDIUM This Month

EVerest is an EV charging software stack. In all versions up to and including 2025.12.1, the default value for `terminate_connection_on_failed_response` is `False`, which leaves the responsibility for session and connection termination to the EV. [CVSS 4.3 MEDIUM]

Information Disclosure Everest
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-23996 LOW PATCH Monitor

FastAPI Api Key provides a backend-agnostic library that provides an API key system. Version 1.1.0 has a timing side-channel vulnerability in verify_key(). [CVSS 3.7 LOW]

Information Disclosure Fastapi Api Key
NVD GitHub
CVSS 3.1
3.7
EPSS
0.1%
CVE-2026-0988 LOW Monitor

A flaw was found in glib. Missing validation of offset and count parameters in the g_buffered_input_stream_peek() function can lead to an integer overflow during length calculation. [CVSS 3.7 LOW]

Buffer Overflow Integer Overflow Denial Of Service
NVD
CVSS 3.1
3.7
EPSS
0.1%
CVE-2026-24048 LOW PATCH Monitor

Backstage is an open framework for building developer portals, and @backstage/backend-defaults provides the default implementations and setup for a standard Backstage backend app. Prior to versions 0.12.2, 0.13.2, 0.14.1, and 0.15.0, the `FetchUrlReader` component, used by the catalog and other plugins to fetch content from URLs, followed HTTP redirects automatically. This allowed an attacker who controls a host listed in `backend.reading.allow` to redirect requests to internal or sensitive U...

SSRF Open Redirect
NVD GitHub
CVSS 3.1
3.5
EPSS
0.0%
CVE-2026-1035 LOW Monitor

A flaw was found in the Keycloak server during refresh token processing, specifically in the TokenManager class responsible for enforcing refresh token reuse policies. When strict refresh token rotation is enabled, the validation and update of refresh token usage are not performed atomically. [CVSS 3.1 LOW]

Authentication Bypass
NVD
CVSS 3.1
3.1
EPSS
0.0%
CVE-2025-14083 LOW Monitor

A flaw was found in the Keycloak Admin REST API. This vulnerability allows the exposure of backend schema and rules, potentially leading to targeted attacks or privilege escalation via improper access control. [CVSS 2.7 LOW]

Privilege Escalation Authentication Bypass
NVD
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-22598 Monitor

ManageIQ is an open-source management platform. A flaw was found in the ManageIQ API prior to version radjabov-2 where a malformed TimeProfile could be created causing later UI and API requests to timeout leading to a Denial of Service.

Denial Of Service
NVD GitHub
EPSS
0.1%
CVE-2026-1290 Monitor

Authentication Bypass by Primary Weakness vulnerability in Jamf Jamf Pro allows unspecified impact.This issue affects Jamf Pro: from 11.20 through 11.24.

Authentication Bypass
NVD
EPSS
0.1%
CVE-2025-69209 This Week

ArduinoCore-avr contains the source code and configuration files of the Arduino AVR Boards platform. A vulnerability in versions prior to 1.8.7 allows an attacker to trigger a stack-based buffer overflow when converting floating-point values to strings with high precision. By passing very large `decimalPlaces` values to the affected String constructors or concat methods, the `dtostrf` function writes beyond fixed-size stack buffers, causing memory corruption and denial of service. Under speci...

Github Buffer Overflow Stack Overflow Memory Corruption Denial Of Service +1
NVD GitHub
EPSS
0.0%
Prev Page 3 of 3

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy