Skip to main content
CVE-2026-21528 MEDIUM PATCH This Month

Azure IoT Explorer binds to unrestricted IP addresses, enabling unauthenticated remote attackers to intercept and disclose sensitive information over the network. This vulnerability affects Azure IoT deployments where the Explorer tool is exposed without proper network segmentation. No patch is currently available, making network isolation the primary mitigation strategy.

Azure IoT Azure Iot Explorer
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-21527 MEDIUM PATCH This Month

Microsoft Exchange Server is vulnerable to UI spoofing attacks that allow unauthenticated remote attackers to misrepresent critical information and deceive users. The vulnerability has a CVSS score of 6.5 and currently lacks an available patch, leaving affected systems exposed to social engineering and impersonation attacks. Organizations running Exchange Server should implement network-level protections and monitor for suspicious activity until a fix is released.

Microsoft Exchange Server Authentication Bypass
NVD VulDB
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-21512 MEDIUM PATCH This Month

Authenticated users of Azure and Azure DevOps Server can exploit a server-side request forgery vulnerability to perform network-based spoofing attacks. This MEDIUM severity issue (CVSS 6.5) requires valid credentials but allows attackers to manipulate the server into making unauthorized requests, potentially compromising confidentiality. No patch is currently available.

Azure SSRF Azure Devops Server
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-1602 MEDIUM This Month

Authenticated attackers can exploit SQL injection in Ivanti Endpoint Manager prior to version 2024 SU5 to extract sensitive data from the underlying database. This network-accessible vulnerability requires valid credentials but allows unauthorized information disclosure with no user interaction needed. No patch is currently available for affected systems.

Ivanti SQLi Endpoint Manager
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-23655 MEDIUM PATCH This Month

Confidential Sidecar Containers is affected by cleartext storage of sensitive information (CVSS 6.5).

Azure Confidential Sidecar Containers
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-25613 MEDIUM This Month

MongoDB server denial of service can be triggered by authenticated users querying collections with malformed compound wildcard indexes. An attacker with valid credentials can crash the MongoDB instance, disrupting availability for all users. No patch is currently available.

MongoDB
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-25610 MEDIUM This Month

MongoDB server crashes when an authenticated user executes a $geoNear aggregation pipeline with malformed index hints, enabling denial of service attacks by any user with database access. This medium-severity vulnerability requires valid credentials and does not affect confidentiality or integrity, only availability. No patch is currently available.

Denial Of Service MongoDB
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-1850 MEDIUM This Month

MongoDB's Query Planner can be exhausted of available memory when processing specially crafted complex queries, leading to service denial through out-of-memory crashes. Authenticated users can trigger this condition without user interaction, affecting availability of MongoDB instances. No patch is currently available to address this vulnerability.

MongoDB Denial Of Service
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-1849 MEDIUM This Month

MongoDB Server can be crashed via denial of service by authenticated users who craft expressions that generate deeply nested documents, exploiting missing recursion depth validation that causes out-of-memory failures. This vulnerability affects deployments where database access is granted to untrusted users and requires valid credentials to exploit. No patch is currently available.

MongoDB
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-1847 MEDIUM This Month

MongoDB replica set replication can be disrupted when oversized documents are inserted, preventing secondaries from synchronizing oplog entries with the primary and potentially causing server crashes. Authenticated users with write access can trigger this denial of service condition to destabilize replica set availability. No patch is currently available for this vulnerability.

Denial Of Service MongoDB
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-0653 MEDIUM This Month

Guest users on TP-Link Tapo C260 v1 cameras can modify protected device settings by exploiting inadequate access controls on synchronization endpoints. Authenticated attackers with limited privileges can bypass restrictions to change sensitive configuration parameters without authorization. No patch is currently available for this vulnerability.

TP-Link Authentication Bypass RCE Tapo C260 Firmware
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-32003 MEDIUM This Month

Out-of-bounds read in the firmware for some 100GbE Intel(R) Ethernet Network Adapter E810 before version cvl fw 1.7.6, cpk 1.3.7 within Ring 0: Bare Metal OS may allow a denial of service. [CVSS 6.5 MEDIUM]

Denial Of Service Intel Information Disclosure Buffer Overflow Ethernet Controller
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-25612 MEDIUM This Month

MongoDB server's resource locking mechanism can cause unintended collisions between collections due to improper internal encoding, leading to service denial of availability. Authenticated users can trigger this condition to disrupt database operations across affected collections without requiring user interaction. No patch is currently available to remediate this vulnerability.

MongoDB
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-2303 MEDIUM PATCH This Month

The mongo-go-driver's GSSAPI authentication wrapper on Linux and macOS contains a heap buffer over-read vulnerability stemming from improper handling of non-null-terminated GSSAPI buffers, allowing authenticated attackers to read sensitive memory content. This vulnerability affects applications using Go-based MongoDB drivers with Kerberos authentication enabled and could lead to information disclosure of heap memory. No patch is currently available.

Linux macOS Golang Suse
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-2302 MEDIUM This Month

Mongoid's Criteria.from_hash method in Ruby can execute arbitrary code when processing specially crafted Hash objects, allowing authenticated attackers to achieve remote code execution on systems using vulnerable versions. The vulnerability requires valid credentials and network access but no user interaction, making it exploitable in environments where untrusted users have application access. No patch is currently available.

Ruby
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-1495 MEDIUM This Month

Unprivileged users with Event Log Reader privileges can extract proxy server credentials and URLs from PI to CONNECT event logs, potentially enabling unauthorized proxy access. This local information disclosure affects systems where such log access is granted to low-privileged accounts. No patch is currently available.

Authentication Bypass Information Disclosure
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-24324 MEDIUM This Month

Businessobjects Business Intelligence Platform versions up to 430 contains a security vulnerability (CVSS 6.5).

SAP Denial Of Service Businessobjects Business Intelligence Platform
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-30508 MEDIUM This Month

Improper authorization in the Intel(R) Quick Assist Technology for some Intel(R) Platforms within Ring 0: Kernel may allow a denial of service. Unprivileged software adversary with an authenticated user combined with a low complexity attack may enable denial of service. [CVSS 6.5 MEDIUM]

Linux Denial Of Service
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-0484 MEDIUM This Month

Sap Basis versions up to 700 is affected by url redirection to untrusted site (open redirect) (CVSS 6.5).

SAP Sap Basis
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-0996 MEDIUM This Month

Stored cross-site scripting in the Fluent Forms WordPress plugin's AI Form Builder module (versions up to 6.1.14) enables authenticated subscribers to inject malicious scripts that execute for all users viewing affected forms through missing authorization checks, leaked nonces, and insufficient input sanitization of AI-generated content. An attacker with subscriber-level access can exploit this to perform actions on behalf of administrators or steal sensitive information from form viewers. The vulnerability affects WordPress installations using this plugin and has no patch currently available.

WordPress XSS AI / ML
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1922 MEDIUM This Month

Stored cross-site scripting in The Events Calendar Shortcode & Block plugin for WordPress up to version 3.1.2 allows authenticated users with contributor-level access to inject malicious scripts through the `ecs-list-events` shortcode's `message` attribute due to inadequate input sanitization. When injected pages are accessed by other users, the malicious scripts execute in their browsers, potentially compromising session data or performing unauthorized actions. A patch is not currently available.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-62439 MEDIUM CISA This Month

vulnerability in Fortinet FortiOS 7.6.0 versions up to 7.6.4 contains a vulnerability that allows attackers to an authenticated user with knowledge of FSSO policy configurations to gain unaut (CVSS 4.2).

Fortinet Authentication Bypass
NVD
CVSS 3.1
4.2
EPSS
0.0%
CVE-2026-24328 MEDIUM This Month

Business Server Pages versions up to 740 is affected by url redirection to untrusted site (open redirect) (CVSS 6.1).

SAP Business Server Pages
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-2098 MEDIUM This Month

Reflected XSS in AgentFlow enables unauthenticated attackers to inject malicious JavaScript that executes in victims' browsers during phishing campaigns, potentially compromising user sessions and data. The vulnerability affects the AI/ML platform with no patch currently available, requiring users to rely on defensive measures such as email filtering and user awareness training.

XSS AI / ML Agentflow
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-25956 MEDIUM PATCH This Month

Malicious signup URLs in Frappe versions prior to 14.99.14 and 15.94.0 can redirect users to attacker-controlled sites or execute reflected XSS payloads during the registration process. An attacker can craft a crafted signup link to trick users into visiting malicious destinations or having malicious scripts executed in their browsers. A patch is available in the fixed versions.

Open Redirect Frappe
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-0505 MEDIUM This Month

Unauthenticated attackers can manipulate unvalidated URL parameters in S4core, Document Management System, and ERP applications to redirect users to malicious websites, potentially compromising user credentials or distributing malware. The vulnerability requires user interaction to exploit and has limited impact on confidentiality and integrity, with no availability impact. No patch is currently available.

XSS S4core Document Management System Erp
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-24323 MEDIUM This Month

Document Management System versions up to 600 is affected by url redirection to untrusted site (open redirect) (CVSS 6.1).

Open Redirect S4core Document Management System Erp
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-27560 MEDIUM This Month

Loop with unreachable exit condition ('infinite loop') for some Intel(R) Platform within Ring 0: Kernel may allow a denial of service. System software adversary with a privileged user combined with a low complexity attack may enable denial of service. [CVSS 6.0 MEDIUM]

Linux Denial Of Service
NVD VulDB
CVSS 3.1
6.0
EPSS
0.0%
CVE-2025-27243 MEDIUM This Month

Out-of-bounds write in the firmware for some Intel(R) Ethernet Controller E810 before version cvl fw 1.7.8.x within Ring 0: Bare Metal OS may allow a denial of service. System software adversary with a privileged user combined with a low complexity attack may enable denial of service. [CVSS 6.0 MEDIUM]

Denial Of Service Intel Memory Corruption Buffer Overflow Ethernet Controller
NVD VulDB
CVSS 3.1
6.0
EPSS
0.0%
CVE-2025-24851 MEDIUM This Month

Uncaught exception in the firmware for some 100GbE Intel(R) Ethernet Controller E810 before version cvl fw 1.7.8.x within Ring 0: Bare Metal OS may allow a denial of service. System software adversary with a privileged user combined with a low complexity attack may enable denial of service. [CVSS 6.0 MEDIUM]

Denial Of Service Intel Ethernet Controller
NVD VulDB
CVSS 3.1
6.0
EPSS
0.0%
CVE-2026-23684 MEDIUM This Month

Commerce Cloud versions up to 2205 contains a vulnerability that allows attackers to a cart entry being created with erroneous product value which could be checked o (CVSS 5.9).

SAP Race Condition Commerce Cloud
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2025-68686 MEDIUM This Month

An Exposure of Sensitive Information to an Unauthorized Actor vulnerability [CWE-200] vulnerability in Fortinet FortiOS 7.6.0 through 7.6.1, FortiOS 7.4.0 through 7.4.6, FortiOS 7.2 all versions, FortiOS 7.0 all versions, FortiOS 6.4 all versions may allow a remote unauthenticated attacker to bypass the patch developed for the symbolic link persistency mechanism observed in some post-exploit cases, via crafted HTTP requests. [CVSS 5.9 MEDIUM]

Fortinet Fortigate Fortios
NVD VulDB
CVSS 3.1
5.9
EPSS
0.0%
CVE-2025-15572 LOW POC Monitor

A vulnerability has been found in wasm3 up to 0.5.0. The affected element is the function NewCodePage. [CVSS 3.3 LOW]

Information Disclosure Wasm3
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2025-15571 LOW POC Monitor

A security vulnerability has been detected in ckolivas lrzip up to 0.651. This vulnerability affects the function ucompthread of the file stream.c. [CVSS 3.3 LOW]

Denial Of Service Lrzip
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-2258 LOW POC PATCH Monitor

A flaw has been found in aardappel lobster up to 2025.4. Affected by this vulnerability is the function WaveFunctionCollapse in the library dev/src/lobster/wfc.h. [CVSS 3.3 LOW]

Buffer Overflow Lobster
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-2259 LOW POC PATCH Monitor

A vulnerability has been found in aardappel lobster up to 2025.4. Affected by this issue is the function lobster::Parser::ParseStatements in the library dev/src/lobster/parser.h of the component Parsing. [CVSS 3.3 LOW]

Buffer Overflow Lobster
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2025-15570 LOW POC Monitor

A vulnerability was found in ckolivas lrzip up to 0.651. This impacts the function lzma_decompress_buf of the file stream.c. [CVSS 5.3 MEDIUM]

Buffer Overflow Denial Of Service Lrzip
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-24319 MEDIUM This Month

SAP Business One stores sensitive data unencrypted in memory dump files, allowing high-privileged local users with user interaction to extract credentials and other confidential information. An attacker with access to these dumps could leverage the exposed data to perform unauthorized operations and modify company data within the B1 environment. No patch is currently available for this medium-severity vulnerability.

SAP Business One
NVD
CVSS 3.1
5.8
EPSS
0.0%
CVE-2026-21529 MEDIUM PATCH This Month

Azure HDInsight contains a cross-site scripting (XSS) vulnerability in web page generation that allows authenticated attackers to conduct spoofing attacks over the network. An attacker with valid credentials and user interaction can exploit this weakness to manipulate web content and deceive users. No patch is currently available for this issue.

Azure XSS Azure Hdinsight
NVD
CVSS 3.1
5.7
EPSS
0.0%
CVE-2025-12063 MEDIUM This Month

An insecure direct object reference allowed a non-admin user to modify or remove certain data objects without having the appropriate permissions. [CVSS 5.7 MEDIUM]

Authentication Bypass Camera Station Pro
NVD
CVSS 3.1
5.7
EPSS
0.0%
CVE-2026-21258 MEDIUM PATCH This Month

Information disclosure in Microsoft Excel allows local attackers with user interaction to read sensitive data through improper input validation in Office 365 Apps and Long Term Servicing Channel. An attacker must socially engineer a user into opening a specially crafted file to trigger the vulnerability. No patch is currently available for this medium-severity issue.

Microsoft Office 365 Apps Office Long Term Servicing Channel Excel +1
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-15314 MEDIUM This Month

Tanium addressed an arbitrary file deletion vulnerability in end-user-cx. [CVSS 5.5 MEDIUM]

Path Traversal End User Cx
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-21222 MEDIUM PATCH This Month

Windows Kernel inadvertently logs sensitive information accessible to authenticated local users, enabling information disclosure attacks. This medium-severity vulnerability affects Windows 10 22H2, Windows 11 23H2, and 24H2, as well as Linux systems, allowing authorized attackers with local access to retrieve confidential data. No patch is currently available for this issue.

Linux Windows Windows 10 22h2 Windows 11 24h2 Windows 11 23h2 +10
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-21348 MEDIUM This Month

Memory disclosure in Substance 3D Modeler 1.22.5 and earlier through an out-of-bounds read allows attackers to expose sensitive information when victims open specially crafted files. The vulnerability requires user interaction but no special privileges, making it accessible to local attackers with access to craft malicious documents. Currently no patch is available, and exploitation could reveal confidential data stored in process memory.

Buffer Overflow Information Disclosure Substance 3d Modeler
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-21355 MEDIUM This Month

Out-of-bounds memory read in DNG SDK 1.7.1 (2410) and earlier enables attackers to extract sensitive information from process memory when a user opens a specially crafted file. The vulnerability requires local user interaction but poses a direct confidentiality risk to applications processing untrusted DNG image files. No patch is currently available for affected versions.

Buffer Overflow Information Disclosure Dng Software Development Kit
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-21340 MEDIUM This Month

Out-of-bounds memory read in Substance 3D Designer 15.1.0 and earlier allows attackers to extract sensitive data from process memory when a victim opens a specially crafted file. The vulnerability requires user interaction but can bypass existing protections to leak confidential information. No patch is currently available for this local attack vector.

Buffer Overflow Information Disclosure Substance 3d Designer
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-21339 MEDIUM This Month

Out-of-bounds memory reads in Substance 3D Designer 15.1.0 and earlier allow attackers to extract sensitive data from process memory when a victim opens a specially crafted file. This local vulnerability requires user interaction and affects systems running the vulnerable Designer versions. No patch is currently available for this issue.

Buffer Overflow Information Disclosure Substance 3d Designer
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-21337 MEDIUM This Month

Memory disclosure in Substance 3D Designer 15.1.0 and earlier stems from an out-of-bounds read flaw that exposes sensitive data from application memory. An attacker can exploit this vulnerability by crafting a malicious file and tricking a user into opening it, requiring no special privileges. Currently, no patch is available for affected users.

Buffer Overflow Information Disclosure Substance 3d Designer
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-21332 MEDIUM This Month

Out-of-bounds memory read in Adobe InDesign versions 21.1, 20.5.1 and earlier enables disclosure of sensitive information residing in application memory. Exploitation requires a victim to open a specially crafted malicious file, making this a user-interaction dependent attack vector. No patch is currently available for affected users.

Adobe Indesign
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-21319 MEDIUM This Month

Out-of-bounds memory read in Adobe After Effects 25.6 and earlier allows attackers to disclose sensitive information from process memory by tricking users into opening specially crafted files. This local vulnerability requires user interaction but carries no patch availability, leaving affected systems exposed until an update is released.

Buffer Overflow Information Disclosure After Effects
NVD
CVSS 3.1
5.5
EPSS
0.0%
Prev Page 4 of 6 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy