Skip to main content
CVE-2026-24777 MEDIUM This Month

Insufficient permission validation in OpenProject prior to 17.0.2 allows users with the Manage Users permission to lock and unlock application administrators, a capability that should be restricted to administrators only. An authenticated attacker with user management privileges can exploit this to lock out admin accounts and potentially disrupt system administration capabilities. No patch is currently available for affected versions.

Authentication Bypass Openproject
NVD GitHub
CVSS 3.1
6.7
EPSS
0.1%
CVE-2025-15316 MEDIUM This Month

Tanium addressed a local privilege escalation vulnerability in Tanium Server. [CVSS 6.7 MEDIUM]

Privilege Escalation Server Module Server
NVD
CVSS 3.1
6.7
EPSS
0.0%
CVE-2025-15315 MEDIUM This Month

Tanium addressed a local privilege escalation vulnerability in Tanium Module Server. [CVSS 6.7 MEDIUM]

Privilege Escalation Server Module Server
NVD
CVSS 3.1
6.7
EPSS
0.0%
CVE-2026-24466 MEDIUM This Month

Windows services registered by Oki Electric Industry, Ricoh, and Murata Machinery products use unquoted file paths, allowing a local user with write access to the system drive root to achieve arbitrary code execution with SYSTEM privileges. This vulnerability requires elevated permissions and local access to exploit, making it primarily a privilege escalation risk in multi-user environments. No patch is currently available for affected products.

Windows
NVD
CVSS 3.0
6.7
EPSS
0.0%
CVE-2026-21419 MEDIUM This Month

Dell Display and Peripheral Manager before version 2.2 on Windows contains an insecure link resolution flaw that allows local attackers with low privileges to escalate their access through the installer or service. An authenticated user can exploit improper symlink handling to gain elevated permissions on the system. No patch is currently available for this vulnerability.

Windows
NVD
CVSS 3.1
6.6
EPSS
0.0%
CVE-2026-25806 MEDIUM This Month

PlaciPy is a placement management system designed for educational institutions. [CVSS 6.5 MEDIUM]

Authentication Bypass Placipy
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-2235 MEDIUM This Month

C&Cm@il by HGiga contains a SQL injection flaw (CWE-89) that allows authenticated users to execute arbitrary database queries and extract sensitive information. The vulnerability requires valid credentials but no user interaction, making it exploitable by compromised or malicious internal accounts. No patch is currently available for this medium-severity issue.

SQLi
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-22922 MEDIUM PATCH This Month

Airflow versions up to 3.1.6 contains a vulnerability that allows attackers to an authenticated user with custom permissions limited to task access to view tas (CVSS 6.5).

Apache Airflow
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-24098 MEDIUM PATCH This Month

Apache Airflow 3.0.0 through 3.1.6 allows authenticated users with access to specific DAGs to view import error messages from other DAGs they lack permission to access, resulting in unintended information disclosure. An authenticated attacker can leverage this privilege escalation to gather sensitive information about other workflows and their configurations. Apache recommends upgrading to version 3.1.7 or later to remediate this vulnerability.

Apache Airflow
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-24900 MEDIUM PATCH This Month

Markus versions up to 2.9.1 is affected by authorization bypass through user-controlled key (CVSS 6.5).

Authentication Bypass Markus
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-15317 MEDIUM This Month

Tanium addressed an uncontrolled resource consumption vulnerability in Tanium Server. [CVSS 6.5 MEDIUM]

Denial Of Service Server
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-25957 MEDIUM PATCH This Month

Cube.js versions 1.1.17 through 1.5.12 and 1.4.x before 1.4.2 are vulnerable to denial of service attacks where an authenticated attacker can craft a malicious request to completely disable the Cube API. This network-accessible vulnerability requires valid credentials but no user interaction, making it exploitable by any authenticated user with API access. No patch is currently available for affected versions.

Information Disclosure Cube.Js
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-10464 MEDIUM This Month

Birtech Information Technologies Industry and Trade Ltd. Co. Senseway is affected by cleartext storage of sensitive information (CVSS 6.5).

Information Disclosure
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-59024 MEDIUM This Month

Crafted delegations or IP fragments can poison cached delegations in Recursor. [CVSS 6.5 MEDIUM]

Information Disclosure Recursor
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-25846 MEDIUM This Month

Youtrack versions up to 2025.3.119033 is affected by insertion of sensitive information into log file (CVSS 6.5).

Information Disclosure Youtrack
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-2218 LOW POC Monitor

Command injection in D-Link DCS-933L firmware up to version 1.14.11 allows authenticated remote attackers to execute arbitrary commands through the AdminID parameter in the /setSystemAdmin endpoint. Public exploit code exists for this vulnerability, which affects only end-of-life devices no longer receiving security updates. An attacker with valid credentials can achieve remote code execution with limited system privileges.

D-Link Command Injection
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-2194 LOW POC Monitor

Di-7100G C1 Firmware versions up to 24.04.18d1 contains a vulnerability that allows attackers to command injection (CVSS 6.3).

D-Link Command Injection
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-66601 MEDIUM This Month

A vulnerability has been found in FAST/TOOLS provided by Yokogawa Electric Corporation. This product does not specify MIME types. [CVSS 6.1 MEDIUM]

Information Disclosure Fast Tools
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-66596 MEDIUM This Month

A vulnerability has been found in FAST/TOOLS provided by Yokogawa Electric Corporation. This product does not properly validate request headers. [CVSS 6.1 MEDIUM]

Open Redirect
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-2227 LOW POC Monitor

D-Link DCS-931L camera firmware versions up to 1.13.0 contain a command injection vulnerability in the /setSystemAdmin endpoint that allows remote attackers with high privileges to execute arbitrary commands by manipulating the AdminID parameter. Public exploit code exists for this vulnerability, though the affected devices are no longer supported by D-Link. An attacker with administrative access could achieve remote code execution on vulnerable cameras.

D-Link Command Injection
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.1%
CVE-2026-2213 LOW POC Monitor

Unrestricted file upload in Online Music Site 1.0's AdminAddAlbum.php allows authenticated administrators with high privileges to upload arbitrary files via the txtimage parameter. Public exploit code exists for this vulnerability, enabling remote attackers to potentially execute malicious code or compromise the application. The affected component impacts both the PHP runtime and the vulnerable web application, with no patch currently available.

PHP Authentication Bypass File Upload
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-2224 LOW POC Monitor

A vulnerability was detected in code-projects Online Reviewer System 1.0. This affects an unknown part of the file /system/system/admins/manage/users/btn_functions.php. [CVSS 3.5 LOW]

PHP XSS
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-2226 LOW POC Monitor

Unrestricted file upload in DouPHP versions up to 1.9 allows remote attackers with administrative privileges to bypass upload restrictions via manipulation of the sql_filename parameter in the ZIP File Handler component. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP Authentication Bypass File Upload
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-2201 LOW POC Monitor

A security vulnerability has been detected in ZeroWdd studentmanager up to 2151560fc0a50ec00426785ec1e01a3763b380d9. This impacts the function addLeave of the file src/main/java/com/wdd/studentmanager/controller/LeaveController.java. [CVSS 2.4 LOW]

Java XSS
NVD VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-2200 LOW POC Monitor

A weakness has been identified in heyewei JFinalCMS 5.0.0. This affects an unknown function of the file /admin/admin/save of the component API Endpoint. [CVSS 2.4 LOW]

XSS Jfinalcms
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-2222 LOW POC Monitor

A weakness has been identified in code-projects Online Reviewer System 1.0. Affected by this vulnerability is an unknown functionality of the file /system/system/admins/manage/users/btn_functions.php. [CVSS 2.4 LOW]

PHP XSS
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-2214 LOW POC Monitor

A weakness has been identified in code-projects for Plugin 1.0. This affects an unknown part of the file /Administrator/PHP/AdminAddAlbum.php. [CVSS 2.4 LOW]

PHP XSS
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-2242 LOW POC PATCH Monitor

A vulnerability was determined in janet-lang janet up to 1.40.1. This impacts the function janetc_if of the file src/core/specials.c. [CVSS 3.3 LOW]

Buffer Overflow Janet
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-2241 LOW POC PATCH Monitor

A vulnerability was found in janet-lang janet up to 1.40.1. This affects the function os_strftime of the file src/core/os.c. [CVSS 3.3 LOW]

Buffer Overflow Janet
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-2240 LOW POC PATCH Monitor

A vulnerability has been found in janet-lang janet up to 1.40.1. The impacted element is the function janetc_pop_funcdef of the file src/core/compile.c. [CVSS 3.3 LOW]

Buffer Overflow Janet
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-25765 MEDIUM PATCH This Month

Faraday HTTP client library versions before 2.14.1 fail to properly validate protocol-relative URLs when merging user-supplied paths with base URLs, allowing attackers to redirect requests to arbitrary hosts via SSRF attacks. Applications that pass untrusted input to Faraday request methods like get() or post() are vulnerable to request hijacking. A patch is available in version 2.14.1 and later.

Ruby SSRF Faraday Red Hat Suse
NVD GitHub
CVSS 3.1
5.8
EPSS
0.0%
CVE-2026-25528 MEDIUM PATCH This Month

LangSmith Client SDKs for Python and AI/ML platforms are susceptible to server-side request forgery through malicious HTTP baggage headers that allow attackers to redirect trace data exfiltration to attacker-controlled endpoints. An unauthenticated attacker can inject arbitrary api_url values during distributed tracing operations, causing the SDK to send sensitive trace data outside the intended infrastructure. No patch is currently available for this medium-severity vulnerability.

Python SSRF AI / ML
NVD GitHub
CVSS 3.1
5.8
EPSS
0.0%
CVE-2026-25905 MEDIUM This Month

Python code execution through Pyodide in the mcp-run-python library lacks isolation from the JavaScript environment, enabling attackers to manipulate the JS runtime and hijack MCP server functionality. This allows adversaries to perform malicious operations including tool shadowing and potential server compromise through crafted Python payloads. No patch is available as the project is archived.

Python AI / ML
NVD
CVSS 3.1
5.8
EPSS
0.0%
CVE-2026-25904 MEDIUM This Month

Pydantic-AI's MCP Run Python tool uses an insufficiently restrictive Deno sandbox configuration that permits Python code to access the host's localhost interface, enabling Server-Side Request Forgery (SSRF) attacks. An attacker can exploit this to probe or interact with services running on the local machine that should be isolated from external access. The archived project status means no patch is expected to be released.

Python SSRF AI / ML
NVD
CVSS 3.1
5.8
EPSS
0.0%
CVE-2026-22613 MEDIUM This Month

Improper server identity validation in Eaton Network M3 firmware upgrade functionality enables man-in-the-middle attacks by network-adjacent threat actors with high privileges. An attacker can intercept and manipulate firmware updates to inject malicious code, compromise system integrity, or disrupt availability. No patch is currently available for this medium-severity issue.

Authentication Bypass
NVD
CVSS 3.1
5.7
EPSS
0.0%
CVE-2026-25918 MEDIUM PATCH This Month

Unity-Cli versions up to 1.8.2 is affected by insertion of sensitive information into log file (CVSS 5.5).

Information Disclosure Unity Cli
NVD GitHub
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-15318 MEDIUM This Month

Tanium addressed an arbitrary file deletion vulnerability in End-User Notifications Endpoint Tools. [CVSS 5.5 MEDIUM]

Path Traversal End User Notifications
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-66595 MEDIUM This Month

A vulnerability has been found in FAST/TOOLS provided by Yokogawa Electric Corporation. This product is vulnerable to Cross-Site Request Forgery (CSRF). [CVSS 5.4 MEDIUM]

CSRF Fast Tools
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-0632 MEDIUM This Month

Fluent Forms Pro Add On Pack (WordPress plugin) is affected by server-side request forgery (ssrf) (CVSS 5.4).

WordPress SSRF
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-14778 MEDIUM PATCH This Month

A flaw was found in Keycloak. A significant Broken Access Control vulnerability exists in the UserManagedPermissionService (UMA Protection API). [CVSS 5.4 MEDIUM]

Privilege Escalation Red Hat
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-23903 MEDIUM PATCH This Month

Authentication Bypass by Alternate Name vulnerability in Apache Shiro. This issue affects Apache Shiro: before 2.0.7. [CVSS 5.3 MEDIUM]

macOS Apache Authentication Bypass Shiro Red Hat
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-25878 MEDIUM PATCH This Month

Froshadminer versions up to 2.2.1 is affected by missing authentication for critical function (CVSS 5.3).

Authentication Bypass Froshadminer
NVD GitHub
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-66605 MEDIUM This Month

A vulnerability has been found in FAST/TOOLS provided by Yokogawa Electric Corporation. Since there are input fields on this webpage with the autocomplete attribute enabled, the input content could be saved in the browser the user is using. [CVSS 5.3 MEDIUM]

Information Disclosure Fast Tools
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-66594 MEDIUM This Month

A vulnerability has been found in FAST/TOOLS provided by Yokogawa Electric Corporation. Detailed messages are displayed on the error page. [CVSS 5.3 MEDIUM]

Information Disclosure Fast Tools
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-66607 MEDIUM This Month

A vulnerability has been found in FAST/TOOLS provided by Yokogawa Electric Corporation. The response header contains an insecure setting. [CVSS 5.3 MEDIUM]

Information Disclosure Fast Tools
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-25598 MEDIUM This Month

Harden-Runner versions prior to 2.14.2 fail to log outbound network connections made through sendto, sendmsg, and sendmmsg socket calls when audit mode is enabled, allowing attackers to exfiltrate data from GitHub Actions runners without detection. This integrity bypass affects users relying on Harden-Runner's egress policy auditing for security monitoring. A patch is available in version 2.14.2 and later.

Github Harden Runner Red Hat
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-66604 MEDIUM This Month

A vulnerability has been found in FAST/TOOLS provided by Yokogawa Electric Corporation. The library version could be displayed on the web page. [CVSS 5.3 MEDIUM]

Information Disclosure Fast Tools
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-24027 MEDIUM This Month

Crafted zones can lead to increased incoming network traffic. [CVSS 5.3 MEDIUM]

Information Disclosure Recursor
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-0398 MEDIUM This Month

DNS recursive resolver denial-of-service via crafted zones and CNAME chain manipulation allows unauthenticated attackers to exhaust server resources and potentially poison the resolver's cache. The vulnerability affects Recursor instances exposed to untrusted DNS queries, enabling attackers to degrade performance or compromise DNS resolution integrity. No patch is currently available.

Denial Of Service Recursor
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-63354 MEDIUM This Month

Hitron HI3120 v7.2.4.5.2b1 allows stored XSS via the Parental Control option when creating a new filter. The device fails to properly handle inputs, allowing an attacker to inject and execute JavaScript. [CVSS 4.8 MEDIUM]

XSS Hi3120 Firmware
NVD GitHub
CVSS 3.1
4.8
EPSS
0.0%
Prev Page 3 of 4 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy