Skip to main content
CVE-2026-1837 HIGH PATCH This Week

A specially-crafted file can cause libjxl's decoder to write pixel data to uninitialized unallocated memory. Soon after that data from another uninitialized unallocated region is copied to pixel data.

Information Disclosure Libjxl
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-25759 HIGH PATCH This Week

Authenticated users with content creation permissions in Statamic CMS versions 6.0.0 through 6.2.2 can inject persistent JavaScript through content titles that executes in the browsers of higher-privileged users, potentially allowing attackers to create unauthorized super admin accounts. The vulnerability affects users with control panel access and requires user interaction to trigger. A patch is available in version 6.2.3.

Laravel XSS Statamic
NVD GitHub
CVSS 3.1
8.7
EPSS
0.0%
CVE-2026-25990 HIGH PATCH GHSA This Week

Out-of-bounds write in Pillow versions 10.3.0 through 12.1.0 allows remote denial of service when processing maliciously crafted PSD image files. An attacker can trigger a crash by supplying a specially crafted image without authentication or user interaction. A patch is available in version 12.1.1.

Python Buffer Overflow Memory Corruption Pillow
NVD GitHub VulDB
CVSS 4.0
8.6
EPSS
0.0%
CVE-2025-10913 HIGH This Week

Saastech Cleaning and Internet Services Inc. TemizlikYolda is affected by cross-site scripting (xss) (CVSS 8.3).

XSS
NVD VulDB
CVSS 3.1
8.3
EPSS
0.0%
CVE-2025-10174 HIGH This Week

Cleartext Transmission of Sensitive Information vulnerability in Pan Software & Information Technologies Ltd. PanCafe Pro allows Flooding.This issue affects PanCafe Pro: from < 3.3.2 through 23092025. [CVSS 8.3 HIGH]

Information Disclosure
NVD VulDB
CVSS 3.1
8.3
EPSS
0.0%
CVE-2025-9986 HIGH This Week

Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Vadi Corporate Information Systems Ltd. Co. [CVSS 8.2 HIGH]

Information Disclosure
NVD VulDB
CVSS 3.1
8.2
EPSS
0.0%
CVE-2025-52869 HIGH This Week

A buffer overflow vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to modify memory or crash processes. [CVSS 8.1 HIGH]

Buffer Overflow Denial Of Service Qsync Central
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-52868 HIGH This Week

A buffer overflow vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to modify memory or crash processes. [CVSS 8.1 HIGH]

Buffer Overflow Denial Of Service Qsync Central
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-48725 HIGH This Week

A buffer overflow vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains a user account, they can then exploit the vulnerability to modify memory or crash processes. [CVSS 8.1 HIGH]

Qnap Buffer Overflow Denial Of Service Quts Hero Qts
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-48724 HIGH This Week

A buffer overflow vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to modify memory or crash processes. [CVSS 8.1 HIGH]

Buffer Overflow Denial Of Service Qsync Central
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-48723 HIGH This Week

A buffer overflow vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to modify memory or crash processes. [CVSS 8.1 HIGH]

Buffer Overflow Denial Of Service Qsync Central
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-69871 HIGH This Week

A race condition vulnerability exists in MedusaJS Medusa v2.12.2 and earlier in the registerUsage() function of the promotion module. The function performs a non-atomic read-check-update operation when enforcing promotion usage limits. [CVSS 8.1 HIGH]

Race Condition
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2025-30269 HIGH This Week

A use of externally-controlled format string vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to obtain secret data or modify memory. [CVSS 8.1 HIGH]

Code Injection Qsync Central
NVD
CVSS 3.1
8.1
EPSS
0.0%
CVE-2025-57709 HIGH This Week

A buffer overflow vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to modify memory or crash processes. [CVSS 8.1 HIGH]

Buffer Overflow Denial Of Service Qsync Central
NVD
CVSS 3.1
8.1
EPSS
0.0%
CVE-2025-52870 HIGH This Week

A buffer overflow vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to modify memory or crash processes. [CVSS 8.1 HIGH]

Buffer Overflow Denial Of Service Qsync Central
NVD
CVSS 3.1
8.1
EPSS
0.0%
CVE-2025-65128 HIGH This Week

A missing authentication mechanism in the web management API components of Shenzhen Zhibotong Electronics ZBT WE2001 23.09.27 allows unauthenticated attackers on the local network to modify router and network configurations. [CVSS 8.1 HIGH]

Industrial
NVD
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-2361 HIGH This Week

Privilege escalation in PostgreSQL Anonymizer allows authenticated users with CREATE privileges to gain superuser access by exploiting unsafe function execution within temporary views. This vulnerability affects PostgreSQL 15 and later, with heightened risk on PostgreSQL 14 instances due to default public schema permissions, and impacts all users unable to upgrade to version 3.0.1 or later. No patch is currently available for affected deployments.

PostgreSQL
NVD
CVSS 3.1
8.0
EPSS
0.1%
CVE-2026-2360 HIGH This Week

PostgreSQL Anonymizer allows authenticated users to escalate to superuser privileges by injecting malicious code into custom operators placed in the public schema, which execute with elevated privileges during extension creation. This vulnerability primarily affects PostgreSQL 14 and instances upgraded from earlier versions, as PostgreSQL 15+ restricts public schema creation permissions by default. A patch is available in PostgreSQL Anonymizer version 3.0.1 and later.

PostgreSQL
NVD
CVSS 3.1
8.0
EPSS
0.0%
CVE-2025-7659 HIGH This Week

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that could have allowed an unauthenticated user to steal tokens and access private repositories by abusing incomplete validation in the Web IDE. [CVSS 8.0 HIGH]

Gitlab
NVD
CVSS 3.1
8.0
EPSS
0.0%
CVE-2024-56808 HIGH This Week

A command injection vulnerability has been reported to affect Media Streaming add-on. If an attacker gains local network access who have also gained a user account, they can then exploit the vulnerability to execute arbitrary commands. [CVSS 7.8 HIGH]

Command Injection Media Streaming Add On
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-20610 HIGH This Week

Improper symlink handling in macOS Tahoe versions prior to 26.3 allows local authenticated users to escalate privileges to root. An attacker with local access can exploit this vulnerability to gain complete system control. No patch is currently available.

Apple macOS
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-20615 HIGH This Week

Local privilege escalation in Apple macOS, iOS, and iPadOS through improper path validation allows authenticated attackers to gain root privileges on affected devices. The vulnerability requires local access and user interaction is not required, making it exploitable by malicious applications already present on the system. No patch is currently available for this high-severity flaw affecting multiple Apple operating systems.

Apple Path Traversal
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-20614 HIGH This Week

Improper path validation in macOS (Sequoia 15.7.3 and earlier, Tahoe 26.2 and earlier, Sonoma 14.8.3 and earlier) permits local authenticated users to escalate privileges to root through a malicious application. This path traversal vulnerability (CWE-22) has a CVSS score of 7.8 and currently lacks a publicly available patch.

Apple Path Traversal
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-70083 HIGH This Week

An issue was discovered in OpenSatKit 2.2.1. The DirName field in the telecommand is provided by the ground segment and must be treated as untrusted input. [CVSS 7.8 HIGH]

Buffer Overflow Opensatkit
NVD GitHub
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-20658 HIGH This Week

Unprivileged local users on macOS can exploit a package validation bypass to escalate privileges to root through a vulnerable application. This high-severity issue affects macOS systems up to version 26.2 and requires local access with standard user privileges. A patch is not yet available, leaving affected systems exposed to privilege escalation attacks.

Apple macOS
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-48503 HIGH This Week

A DLL hijacking vulnerability in the AMD Software Installer could allow an attacker to achieve privilege escalation potentially resulting in arbitrary code execution. [CVSS 7.8 HIGH]

Privilege Escalation RCE
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2023-20548 HIGH This Week

Rocm contains a vulnerability that allows attackers to corrupt memory resulting in loss of integrity, confidentiality, or availability (CVSS 7.8).

Race Condition Rocm Radeon Pro Vii Firmware Radeon Software Radeon Vii Firmware
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2023-31324 HIGH This Week

Rocm contains a vulnerability that allows attackers to modify External Global Memory Interconnect Trusted Agent (XGMI TA) commands as t (CVSS 7.8).

Race Condition Radeon Vii Firmware Radeon Software Radeon Pro Vii Firmware Rocm
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-20611 HIGH This Week

Memory corruption in Apple's media processing across iOS, macOS, watchOS, tvOS, and visionOS allows local attackers to crash applications or corrupt process memory by supplying specially crafted media files. An attacker with local access and user interaction can trigger out-of-bounds memory access during media file parsing, potentially leading to arbitrary code execution or denial of service. No patch is currently available for this vulnerability.

Apple Buffer Overflow Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-20626 HIGH This Week

Privilege escalation vulnerability in Apple's macOS, iOS, iPadOS, and visionOS allows a malicious application to obtain root-level access through insufficient authorization checks. Local attackers with the ability to install or execute an app can exploit this to gain complete system control. No patch is currently available for this high-severity vulnerability affecting multiple Apple platforms.

Apple Authentication Bypass
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-20620 HIGH This Week

Local attackers can exploit an out-of-bounds read vulnerability in macOS and Linux systems to crash the kernel or leak sensitive kernel memory, affecting macOS Sequoia 15.7.3 and earlier, macOS Tahoe 26.2 and earlier, and macOS Sonoma 14.8.3 and earlier. The vulnerability requires local access but no special privileges or user interaction to trigger. No patch is currently available for this HIGH severity issue.

Apple Buffer Overflow Information Disclosure
NVD
CVSS 3.1
7.7
EPSS
0.0%
CVE-2025-64487 HIGH This Week

Outline is a service that allows for collaborative documentation. Prior to 1.1.0, a privilege escalation vulnerability exists in the Outline document management system due to inconsistent authorization checks between user and group membership management endpoints. [CVSS 7.6 HIGH]

Privilege Escalation Outline
NVD GitHub
CVSS 3.1
7.6
EPSS
0.0%
CVE-2025-46290 HIGH This Week

A logic issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.7.4, macOS Sonoma 14.8.4. [CVSS 7.5 HIGH]

Apple Information Disclosure
NVD VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-20652 HIGH PATCH This Week

Remote denial-of-service attacks against Apple's macOS, iOS, iPadOS, Safari, and visionOS result from improper memory handling that allows unauthenticated attackers to crash affected systems over the network. The vulnerability affects multiple Apple platforms and requires no user interaction or elevated privileges to exploit. Patches are available for macOS Tahoe 26.3, iOS/iPadOS 18.7.5, visionOS 26.3, and Safari 26.3.

Apple Denial Of Service Ipados Iphone Os Visionos
NVD VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-70084 HIGH This Week

Directory traversal vulnerability in OpenSatKit 2.2.1 allows attackers to gain access to sensitive information or delete arbitrary files via crafted value to the FileUtil_GetFileInfo function. [CVSS 7.5 HIGH]

Path Traversal Opensatkit
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-2250 HIGH This Week

METIS WIC devices expose an unauthenticated /dbviewer/ endpoint that permits remote attackers to directly access and export internal SQLite databases containing sensitive operational telemetry. The affected Golang and Django applications run with debug mode enabled, causing error responses to leak backend source code, local file paths, and system configuration details. No patch is currently available.

Golang Django SQLi
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-26029 HIGH This Week

Unsafe command construction in sf-mcp-server's Salesforce CLI integration allows remote code execution when processing user-supplied input through child_process.exec. An attacker can inject arbitrary shell commands that execute with the privileges of the MCP server process, potentially compromising systems running Claude for Desktop with this extension. No patch is currently available.

Command Injection
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-20650 HIGH This Week

Denial-of-service attacks targeting Apple's Bluetooth stack (macOS, iOS, visionOS, watchOS) can be triggered by attackers with network access through specially crafted packets, causing service interruption without requiring user interaction. An attacker positioned on the same network segment can exploit insufficient input validation to crash Bluetooth functionality across affected devices. No patch is currently available for this vulnerability.

Apple Denial Of Service
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-57713 HIGH This Week

A weak authentication vulnerability has been reported to affect File Station 5. The remote attackers can then exploit the vulnerability to gain sensitive information. [CVSS 7.5 HIGH]

Information Disclosure File Station
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-20660 HIGH This Week

Arbitrary file write vulnerability in Apple's macOS, iOS, iPadOS, and Safari resulting from improper path handling logic allows remote attackers to write files without authentication or user interaction. Affected versions include macOS Tahoe 26.3 and earlier, macOS Sonoma 14.8.4 and earlier, iOS 18.7.5 and earlier, and Safari 26.3 and earlier. No patch is currently available for this high-severity vulnerability.

Apple Path Traversal
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2024-50617 HIGH This Week

Vulnerabilities in the File Download and Get File handler components in CIPPlanner CIPAce before 9.17 allow attackers to download unauthorized files. An authenticated user can easily change the file id parameter or pass the physical file path in the URL query string to retrieve the files. [CVSS 7.5 HIGH]

Authentication Bypass Cipace
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-8099 HIGH This Week

Gitlab versions up to 18.6.6 is affected by allocation of resources without limits or throttling (CVSS 7.5).

Gitlab Denial Of Service
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-0958 HIGH This Week

GitLab CE/EE versions 18.4 through 18.8 are vulnerable to unauthenticated denial of service attacks where an attacker can exhaust server resources by circumventing JSON validation limits. An unauthenticated remote attacker can trigger excessive memory or CPU consumption without authentication or user interaction, potentially rendering the service unavailable. Currently no patch is available for this vulnerability.

Gitlab Denial Of Service
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-20649 HIGH This Week

Insufficient data redaction in Apple's logging mechanisms across macOS, iOS, watchOS, and tvOS allows unauthenticated attackers to view sensitive user information without user interaction. This network-accessible vulnerability affects multiple Apple platforms and products with a CVSS score of 7.5. Patches are available in watchOS 26.3, iOS 26.3, iPadOS 26.3, tvOS 26.3, and macOS Tahoe 26.3.

Apple Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-2319 HIGH PATCH This Week

Google Chrome versions prior to 145.0.7632.45 contain a race condition in DevTools that allows remote attackers to corrupt objects by convincing users to perform specific UI interactions and install a malicious extension. An attacker exploiting this vulnerability could achieve high-impact outcomes including information disclosure, data modification, or denial of service. The vulnerability currently has no available patch.

Google Chrome Red Hat Suse
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-70029 HIGH This Week

An issue in Sunbird-Ed SunbirdEd-portal v1.13.4 allows attackers to obtain sensitive information. The application disables TLS/SSL certificate validation by setting 'rejectUnauthorized': false in HTTP request options [CVSS 7.5 HIGH]

Information Disclosure Sunbirded Portal
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-14560 HIGH This Week

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.1 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions could have allowed an authenticated user to perform unauthorized actions on behalf of another user by injecting malicious content into vulnerability code flow. [CVSS 7.3 HIGH]

Gitlab
NVD
CVSS 3.1
7.3
EPSS
0.1%
CVE-2026-0595 HIGH This Week

Authenticated users in GitLab CE/EE versions 13.9 through 18.8.3 can inject HTML into test case titles to add unauthorized email addresses to victim accounts. This stored XSS vulnerability requires user interaction and does not impact confidentiality of the attacker's own data. No patch is currently available for this high-severity issue affecting multiple recent GitLab versions.

Gitlab
NVD
CVSS 3.1
7.3
EPSS
0.1%
CVE-2025-52541 HIGH This Week

A DLL hijacking vulnerability in Vivado could allow a local attacker to achieve privilege escalation, potentially resulting in arbitrary code execution. [CVSS 7.3 HIGH]

Privilege Escalation RCE
NVD
CVSS 3.1
7.3
EPSS
0.0%
CVE-2025-14541 HIGH This Week

Lucky Wheel Giveaway (WordPress plugin) versions up to 1.0.22 is affected by code injection (CVSS 7.2).

WordPress RCE PHP
NVD
CVSS 3.1
7.2
EPSS
0.3%
Prev Page 2 of 3 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy