Skip to main content
CVE-2026-0536 HIGH This Week

Autodesk 3ds Max is vulnerable to arbitrary code execution when processing maliciously crafted GIF files due to a stack-based buffer overflow (CVE-2026-0536, CVSS 7.8). Local attackers can exploit this vulnerability by tricking users into opening a malicious GIF file to execute code with the privileges of the 3ds Max process. No patch is currently available.

Buffer Overflow Stack Overflow 3ds Max
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-61917 HIGH PATCH This Week

n8n is an open source workflow automation platform. From version 1.65.0 to before 1.114.3, the use of Buffer.allocUnsafe() and Buffer.allocUnsafeSlow() in the task runner allowed untrusted code to allocate uninitialized memory. [CVSS 7.7 HIGH]

Node.js Information Disclosure N8n
NVD GitHub
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-25157 HIGH PATCH This Week

OpenClaw AI assistant versions prior to 2026.1.29 contain two command injection vulnerabilities: unescaped user input in SSH project paths allows remote code execution on SSH hosts, and insufficient validation of SSH target parameters enables local command execution through malicious flag injection. An attacker can exploit these flaws to achieve arbitrary code execution either remotely via SSH or locally on the system running OpenClaw.

SSH Command Injection AI / ML Openclaw
NVD GitHub
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-20119 HIGH This Week

Unauthenticated remote attackers can crash Cisco TelePresence Collaboration Endpoint and RoomOS devices by sending specially crafted text through meeting invitations or similar channels, exploiting insufficient input validation in the text rendering subsystem. The vulnerability requires no user interaction and causes device reloads resulting in denial of service. No patch is currently available.

Cisco Denial Of Service
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-25121 HIGH PATCH This Week

Apko versions up to 1.1.1 contains a vulnerability that allows attackers to build and publish OCI container images built from apk packages (CVSS 7.5).

Golang Path Traversal Apko Suse
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-15285 HIGH This Week

The SEO Flow by LupsOnline plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the checkBlogAuthentication() and checkCategoryAuthentication() functions in all versions up to, and including, 2.2.1. [CVSS 7.5 HIGH]

WordPress Authentication Bypass
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-23897 HIGH PATCH This Week

Apollo Server's standalone mode (versions 2.0.0-3.13.0, 4.2.0-4.12.x, and 5.0.0-5.3.x) is vulnerable to denial of service attacks when processing GraphQL requests with non-standard character set encodings, allowing unauthenticated remote attackers to crash the service. This vulnerability only affects direct usage of startStandaloneServer and does not impact applications using Apollo Server through integration packages. No patch is currently available.

Denial Of Service Apollo Server
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-15268 HIGH This Week

The Infility Global plugin for WordPress is vulnerable to unauthenticated SQL Injection via the 'infility_get_data' API action in all versions up to, and including, 2.14.46. [CVSS 7.5 HIGH]

WordPress SQLi PHP
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-24735 HIGH PATCH This Week

Answer contains a vulnerability that allows attackers to retrieve restricted or sensitive information (CVSS 7.5).

Apache Answer Suse
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-25140 HIGH PATCH This Week

Apko versions 0.14.8 through 1.1.0 are vulnerable to denial of service when processing APK packages from untrusted repositories due to missing decompression limits in the ExpandApk function. An attacker controlling a compromised APK repository can provide a malicious small, highly-compressed package that expands into a massive tar stream, exhausting disk space and CPU resources on the build host. The vulnerability affects Golang and Apko products and has been patched in version 1.1.1.

Golang Denial Of Service Apko Suse
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-21893 HIGH PATCH This Week

n8n versions 0.187.0 through 1.120.2 contain a command injection vulnerability in the community package installation feature that allows authenticated administrators to execute arbitrary system commands on the host. The vulnerability requires high privilege access and specific conditions to exploit but carries high risk due to potential complete system compromise. A patch is available in version 1.120.3.

Command Injection N8n
NVD GitHub
CVSS 3.1
7.2
EPSS
0.3%
CVE-2026-23099 HIGH PATCH This Week

The Linux kernel bonding driver fails to validate device types before enabling 802.3AD mode, allowing local privileged attackers to trigger out-of-bounds memory reads via malformed hardware address operations. This vulnerability affects systems running vulnerable Linux kernel versions and could lead to denial of service or information disclosure. No patch is currently available for this high-severity vulnerability.

Linux Buffer Overflow Information Disclosure Google
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-23076 HIGH PATCH This Week

Out-of-bounds array access in the Linux kernel's ctxfi audio mixer driver allows local attackers with user privileges to read sensitive memory or cause denial of service through improper loop index initialization in the amixer_index() and sum_index() functions. The vulnerability stems from uninitialized conf field handling that enables array bounds bypass with no user interaction required. No patch is currently available for this high-severity issue affecting all Linux distributions.

Linux Buffer Overflow Information Disclosure Linux Kernel Red Hat +1
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-25536 HIGH PATCH This Week

MCP TypeScript SDK is the official TypeScript SDK for Model Context Protocol servers and clients. [CVSS 7.1 HIGH]

Race Condition Information Disclosure Mcp Typescript Sdk
NVD GitHub VulDB
CVSS 3.1
7.1
EPSS
0.0%
Prev Page 2 of 2

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy