Skip to main content
CVE-2026-1978 MEDIUM This Month

NanoCMS versions up to 0.4 contain an information disclosure vulnerability in the User Information Handler component that exposes sensitive data from the /data/pagesdata.txt file through unauthenticated remote requests. Public exploit code exists for this vulnerability, which allows attackers to retrieve partial confidential information without authentication. Users should update to a patched version or implement strict access controls on the affected file until an official patch is available.

Information Disclosure Nanocms
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-23623 MEDIUM This Month

Collabora Online is a collaborative online office suite based on LibreOffice technology. [CVSS 5.3 MEDIUM]

Authentication Bypass
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-1769 MEDIUM This Month

Stored cross-site scripting in Xerox CentreWare Web through version 7.0.6 enables attackers to inject malicious scripts that persist on the application and execute in users' browsers. An attacker with local access and user interaction can compromise confidentiality and potentially modify data within the CentreWare environment. No patch is currently available; upgrading to version 7.2.2.25 or later is recommended as a mitigation.

Windows XSS Centreware Web
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-24921 MEDIUM This Month

Address read vulnerability in the HDC module. Impact: Successful exploitation of this vulnerability will affect availability and confidentiality. [CVSS 4.8 MEDIUM]

Buffer Overflow Information Disclosure Harmonyos
NVD
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-25642 MEDIUM PATCH This Month

HedgeDoc prior to version 1.10.6 allows attackers to bypass content security policies on files served from the /uploads/ endpoint, enabling them to host malicious interactive content such as fake login forms via SVG files. This network-based attack requires user interaction but can lead to credential theft or social engineering attacks. A patch is available in version 1.10.6.

File Upload XSS Hedgedoc
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-24776 MEDIUM This Month

OpenProject versions prior to 17.0.2 fail to validate meeting section ownership during drag-and-drop operations, allowing authenticated users to inject agenda items into unrelated meetings. While attackers cannot access unauthorized meeting content, they can add arbitrary agenda items to other meetings to cause confusion or disrupt meeting organization. A patch is available in version 17.0.2.

Authentication Bypass Openproject
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-1228 MEDIUM This Month

plugin versions up to 1.3.3 is affected by authorization bypass through user-controlled key (CVSS 4.3).

WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-1785 MEDIUM This Month

The Code Snippets WordPress plugin through version 3.9.4 lacks nonce validation on cloud snippet operations, allowing unauthenticated attackers to conduct cross-site request forgery attacks against logged-in administrators. By tricking an admin into visiting a malicious page, attackers can force unauthorized downloads or updates of cloud snippets. No patch is currently available for this vulnerability.

WordPress CSRF
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-0598 MEDIUM This Month

Insufficient authorization checks in Ansible Lightspeed API conversation endpoints allow authenticated users to access and modify conversations belonging to other users. An attacker with valid credentials can exploit this to read sensitive conversation data and manipulate AI-generated outputs from other users' sessions. No patch is currently available.

Information Disclosure
NVD VulDB
CVSS 3.1
4.2
EPSS
0.0%
CVE-2026-24914 MEDIUM This Month

Type confusion vulnerability in the camera module. Impact: Successful exploitation of this vulnerability may affect availability. [CVSS 4.0 MEDIUM]

Use After Free Harmonyos
NVD
CVSS 3.1
4.0
EPSS
0.0%
CVE-2026-23738 LOW Monitor

Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, user supplied/control values for Cookies and any GET variable query Parameter are directly interpolated into the HTML of the page using ast_str_append. [CVSS 3.5 LOW]

XSS Asterisk Certified Asterisk
NVD GitHub
CVSS 3.1
3.5
EPSS
0.0%
CVE-2026-25764 LOW Monitor

OpenProject is an open-source, web-based project management software. Prior to versions 16.6.7 and 17.0.3, an HTML injection vulnerability occurs in the time tracking function of OpenProject. [CVSS 3.5 LOW]

XSS Openproject
NVD GitHub
CVSS 3.1
3.5
EPSS
0.0%
CVE-2025-15320 LOW Monitor

Tanium addressed a denial of service vulnerability in Tanium Client. [CVSS 3.3 LOW]

Denial Of Service Tanium
NVD
CVSS 3.1
3.3
EPSS
0.0%
CVE-2026-25724 LOW PATCH Monitor

Claude Code versions prior to 2.1.7 allow unauthorized file access by bypassing deny rules through symbolic link traversal, enabling attackers to read restricted files that administrators explicitly blocked. An attacker with access to the system can exploit this vulnerability to access sensitive files like /etc/passwd by leveraging symlinks that point to denied resources. This vulnerability affects AI/ML tools using Claude Code and currently has no available patch.

Information Disclosure Claude Code
NVD GitHub VulDB
CVSS 4.0
2.3
EPSS
0.1%
CVE-2026-1977 LOW Monitor

Unauthenticated code injection in isaacwasserman mcp-vegalite-server's visualize_data function allows remote attackers with valid credentials to execute arbitrary code by manipulating the vegalite_specification parameter. Public exploit code exists for this vulnerability. No patch is currently available, and the project has not responded to early notification of the issue.

Information Disclosure
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2026-25729 LOW PATCH Monitor

DeepAudit is a multi-agent system for code vulnerability discovery. [CVSS 6.5 MEDIUM]

Authentication Bypass Deepaudit
NVD GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-23739 LOW Monitor

Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, the ast_xml_open() function in xml.c parses XML documents using libxml with unsafe parsing options that enable entity expansion and XInclude processing. Specifically, it invokes xmlReadFile() with the XML_PARSE_NOENT flag and later processes XIncludes via xmlXIncludeProcess().If any untrusted or user-supplied XML file is passed to this function, it can ...

XXE Asterisk Certified Asterisk
NVD GitHub
CVSS 3.1
2.0
EPSS
0.1%
CVE-2026-1990 LOW Monitor

A security vulnerability has been detected in oatpp versions up to 1.3.1. is affected by improper resource shutdown or release (CVSS 3.3).

Denial Of Service
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-1727 This Week

The Agentspace service was affected by a vulnerability that exposed sensitive information due to the use of predictable Google Cloud Storage bucket names. These names were utilized for error logs and temporary staging during data imports from GCS and Cloud SQL.

NVD
EPSS
0.1%
CVE-2026-23741 NONE Awaiting Data

Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, the asterisk/contrib/scripts/ast_coredumper runs as root, as noted by the NOTES tag on line 689 of the ast_coredumper file.

Industrial
NVD GitHub
EPSS
0.0%
CVE-2026-23740 NONE Awaiting Data

Asterisk is an open source private branch exchange and telephony toolkit.

Linux
NVD GitHub
EPSS
0.0%
CVE-2026-22254 NONE PATCH Awaiting Data

Winter is a free, open-source content management system (CMS) based on the Laravel PHP framework. Versions of Winter CMS before 1.2.10 allow users with access to the CMS Asset Manager were able to upload SVGs without automatic sanitization.

PHP Laravel
NVD GitHub
EPSS
0.0%
Prev Page 4 of 4

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy