Skip to main content
CVE-2026-2319 HIGH PATCH This Week

Google Chrome versions prior to 145.0.7632.45 contain a race condition in DevTools that allows remote attackers to corrupt objects by convincing users to perform specific UI interactions and install a malicious extension. An attacker exploiting this vulnerability could achieve high-impact outcomes including information disclosure, data modification, or denial of service. The vulnerability currently has no available patch.

Google Chrome Red Hat Suse
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-70029 HIGH This Week

An issue in Sunbird-Ed SunbirdEd-portal v1.13.4 allows attackers to obtain sensitive information. The application disables TLS/SSL certificate validation by setting 'rejectUnauthorized': false in HTTP request options [CVSS 7.5 HIGH]

Information Disclosure Sunbirded Portal
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-14560 HIGH This Week

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.1 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions could have allowed an authenticated user to perform unauthorized actions on behalf of another user by injecting malicious content into vulnerability code flow. [CVSS 7.3 HIGH]

Gitlab
NVD
CVSS 3.1
7.3
EPSS
0.1%
CVE-2026-0595 HIGH This Week

Authenticated users in GitLab CE/EE versions 13.9 through 18.8.3 can inject HTML into test case titles to add unauthorized email addresses to victim accounts. This stored XSS vulnerability requires user interaction and does not impact confidentiality of the attacker's own data. No patch is currently available for this high-severity issue affecting multiple recent GitLab versions.

Gitlab
NVD
CVSS 3.1
7.3
EPSS
0.1%
CVE-2025-52541 HIGH This Week

A DLL hijacking vulnerability in Vivado could allow a local attacker to achieve privilege escalation, potentially resulting in arbitrary code execution. [CVSS 7.3 HIGH]

Privilege Escalation RCE
NVD
CVSS 3.1
7.3
EPSS
0.0%
CVE-2025-14541 HIGH This Week

Lucky Wheel Giveaway (WordPress plugin) versions up to 1.0.22 is affected by code injection (CVSS 7.2).

WordPress RCE PHP
NVD
CVSS 3.1
7.2
EPSS
0.3%
CVE-2025-15440 HIGH This Week

The iONE360 configurator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Contact Form Parameters in all versions up to, and including, 2.0.57 due to insufficient input sanitization and output escaping. [CVSS 7.2 HIGH]

WordPress XSS PHP
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-25999 HIGH PATCH This Week

Klaw versions before 2.10.2 contain an improper access control flaw in the /resetMemoryCache endpoint that allows authenticated attackers to wipe cached metadata, configurations, and cluster data across any tenant without proper authorization. This vulnerability affects Apache Kafka deployments using Klaw for topic governance and could disrupt Kafka cluster management and visibility. A patch is available in version 2.10.2 and later.

Apache Klaw
NVD GitHub
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-1669 HIGH PATCH This Week

Arbitrary local file disclosure in Keras 3.0.0 through 3.13.1 allows a remote attacker to read sensitive files from a victim's system by tricking them into loading a malicious .keras model that abuses HDF5 external dataset references in the model-loading path. Exploitation requires the victim to open the attacker-supplied model (UI:P), but no authentication is needed; EPSS is very low (0.01%, 2nd percentile) and there is no public exploit identified at time of analysis. A vendor patch is available.

Information Disclosure Keras
NVD GitHub
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-20641 HIGH This Week

Installed application enumeration in Apple operating systems (macOS, iOS, iPadOS, tvOS, visionOS, watchOS) allows local applications to discover what other apps a user has installed through insufficient privacy controls. An attacker can exploit this through a malicious app to profile a user's installed software without explicit permission. This vulnerability affects multiple Apple platforms and requires user interaction to execute a malicious application.

Apple Information Disclosure
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-20606 HIGH This Week

Applications on Apple macOS and iOS platforms can circumvent user privacy preferences through a code execution vulnerability affecting multiple OS versions including Tahoe 26.3, Sonoma 14.8.4, Sequoia 15.7.4, and iOS 18.7.5. A local attacker with user interaction can exploit this to access sensitive user data or modify system settings protected by privacy controls. The vulnerability requires patching through official OS updates, as no workaround is currently available.

Apple Information Disclosure
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-20628 HIGH This Week

Sandbox escape vulnerability in Apple's macOS, iOS, tvOS, and related platforms (CVE-2026-20628) permits malicious applications to break out of their sandbox restrictions through a permissions bypass. A local attacker with user interaction can achieve high-impact confidentiality and integrity violations by exploiting this weakness. Patches are available across multiple OS versions including macOS Tahoe 26.3, iOS 18.7.5, tvOS 26.3, and others.

Apple Authentication Bypass
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-20617 HIGH This Week

Unprivileged local users can exploit a race condition in Apple's operating systems (macOS, iOS, iPadOS, tvOS, and visionOS) to escalate privileges to root through improper state handling during concurrent operations. This vulnerability affects multiple OS versions and requires local access with low privileges to trigger, making it exploitable by malicious applications or local attackers. No patch is currently available for this vulnerability.

Apple Race Condition Information Disclosure
NVD
CVSS 3.1
7.0
EPSS
0.0%
CVE-2026-25869 MEDIUM This Month

MiniGal Nano 0.3.5 and earlier are vulnerable to a path traversal attack in the dir parameter that bypasses insufficient dot-dot sequence filtering, allowing unauthenticated remote attackers to access and enumerate image files from arbitrary filesystem locations readable by the web server. This results in confidential information disclosure from unintended directories. No patch is currently available.

PHP Path Traversal Information Disclosure Minigal Nano
NVD VulDB
CVSS 4.0
6.9
EPSS
0.1%
CVE-2025-69873 LOW POC PATCH Monitor

ajv (Another JSON Schema Validator) before 8.18.0 is vulnerable to Regular Expression Denial of Service (ReDoS) when the $data option is enabled. [CVSS 2.9 LOW]

Denial Of Service
NVD GitHub VulDB
CVSS 3.1
2.9
EPSS
0.1%
CVE-2025-13651 MEDIUM This Month

Exposure of Sensitive System Information to an Unauthorized Actor vulnerability in Microcom ZeusWeb allows Web Application Fingerprinting of sensitive data.

Information Disclosure Zeusweb
NVD VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2025-48722 MEDIUM This Month

A NULL pointer dereference vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. [CVSS 6.5 MEDIUM]

Null Pointer Dereference Qsync Central
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-47209 MEDIUM This Month

A NULL pointer dereference vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. [CVSS 6.5 MEDIUM]

Null Pointer Dereference Qsync Central
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-30266 MEDIUM This Month

A NULL pointer dereference vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. [CVSS 6.5 MEDIUM]

Null Pointer Dereference Qsync Central
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-22894 MEDIUM This Month

File Station 6 contains a path traversal vulnerability that allows authenticated attackers to read arbitrary files and system data on affected systems. An attacker with valid user credentials can exploit this flaw to access sensitive information beyond intended restrictions. No patch is currently available for File Station 6, though File Station 5.5.6.5190 and later versions have been remediated.

Path Traversal File Station
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-68406 MEDIUM This Month

A path traversal vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to read the contents of unexpected files or system data. [CVSS 6.5 MEDIUM]

Path Traversal Qsync Central
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-66278 MEDIUM This Month

A path traversal vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to read the contents of unexpected files or system data. [CVSS 6.5 MEDIUM]

Path Traversal File Station
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-58470 MEDIUM This Month

A path traversal vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to read the contents of unexpected files or system data. [CVSS 6.5 MEDIUM]

Path Traversal Qsync Central
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-58467 MEDIUM This Month

A relative path traversal vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to read the contents of unexpected files or system data. [CVSS 6.5 MEDIUM]

Path Traversal Qsync Central
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-54169 MEDIUM This Month

An out-of-bounds read vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to obtain secret data. [CVSS 6.5 MEDIUM]

Buffer Overflow Information Disclosure File Station
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-20644 MEDIUM PATCH This Month

Memory handling flaws in Apple's macOS, iOS, iPadOS, and Safari allow remote attackers to crash affected processes by serving specially crafted web content, requiring only user interaction to trigger the denial of service. The vulnerability affects multiple Apple platforms and products across recent versions, with fixes available in macOS Tahoe 26.3, iOS 18.7.5, iPadOS 18.7.5, and Safari 26.3. No patches are currently available for all affected versions.

Apple Buffer Overflow Ipados Iphone Os Visionos
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-20636 MEDIUM PATCH This Month

Denial of service in Apple Safari, iOS, iPadOS, and macOS results from improper memory handling when processing maliciously crafted web content, causing unexpected process crashes. An unauthenticated remote attacker can trigger this vulnerability through a specially crafted webpage, affecting users who view the malicious content. No patch is currently available for this vulnerability.

Apple Buffer Overflow Ipados Iphone Os Visionos
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-62854 MEDIUM This Month

An uncontrolled resource consumption vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. [CVSS 6.5 MEDIUM]

Denial Of Service File Station
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-57708 MEDIUM This Month

An allocation of resources without limits or throttling vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to prevent other systems, applications, or processes from accessing the same type of resource. [CVSS 6.5 MEDIUM]

Denial Of Service Qsync Central
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-54148 MEDIUM This Month

A NULL pointer dereference vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. [CVSS 6.5 MEDIUM]

Null Pointer Dereference Qsync Central
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-54147 MEDIUM This Month

A NULL pointer dereference vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. [CVSS 6.5 MEDIUM]

Null Pointer Dereference Qsync Central
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-54146 MEDIUM This Month

A NULL pointer dereference vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. [CVSS 6.5 MEDIUM]

Null Pointer Dereference Qsync Central
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-53598 MEDIUM This Month

A NULL pointer dereference vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. [CVSS 6.5 MEDIUM]

Null Pointer Dereference Qsync Central
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-1387 MEDIUM This Month

Gitlab versions up to 18.6.6 is affected by allocation of resources without limits or throttling (CVSS 6.5).

Gitlab Denial Of Service
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-13431 MEDIUM This Month

The SlimStat Analytics plugin for WordPress is vulnerable to time-based SQL Injection via the ‘args’ parameter in all versions up to, and including, 5.3.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. [CVSS 6.5 MEDIUM]

WordPress Industrial SQLi PHP
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-2320 MEDIUM PATCH This Month

Chrome versions up to 145.0.7632.45 is affected by user interface (ui) misrepresentation of critical information (CVSS 6.5).

Google Chrome Red Hat Suse
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-2318 MEDIUM PATCH This Month

Chrome versions up to 145.0.7632.45 is affected by user interface (ui) misrepresentation of critical information (CVSS 6.5).

Google Chrome Red Hat Suse
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-1458 MEDIUM This Month

Gitlab versions up to 18.6.6 is affected by allocation of resources without limits or throttling (CVSS 6.5).

Gitlab Denial Of Service
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-1456 MEDIUM This Month

Gitlab versions up to 18.7.4 is affected by allocation of resources without limits or throttling (CVSS 6.5).

Gitlab Denial Of Service
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-1786 MEDIUM This Month

The Twitter posts to Blog plugin for WordPress versions up to 1.11.25 lacks proper access controls on the settings function, allowing unauthenticated attackers to modify plugin configuration including Twitter API credentials and post parameters. This capability check bypass could enable attackers to hijack the plugin's functionality or escalate privileges within WordPress installations. No patch is currently available for this vulnerability.

WordPress
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-2316 MEDIUM PATCH This Month

Chrome versions up to 145.0.7632.45 is affected by user interface (ui) misrepresentation of critical information (CVSS 6.5).

Google Chrome Red Hat Suse
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-65127 MEDIUM This Month

A lack of session validation in the web API component of Shenzhen Zhibotong Electronics ZBT WE2001 23.09.27 allows remote unauthenticated attackers to access administrative information-retrieval functions intended for authenticated users. [CVSS 6.5 MEDIUM]

Industrial
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-62853 MEDIUM This Month

A path traversal vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to read the contents of unexpected files or system data. [CVSS 6.5 MEDIUM]

Path Traversal File Station
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-54170 MEDIUM This Month

An out-of-bounds read vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to obtain secret data. [CVSS 6.5 MEDIUM]

Buffer Overflow Information Disclosure Qsync Central
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-54152 MEDIUM This Month

A use of out-of-range pointer offset vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to read sensitive portions of memory. [CVSS 6.5 MEDIUM]

Buffer Overflow Information Disclosure Qsync Central
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-2317 MEDIUM PATCH This Month

Google Chrome versions before 145.0.7632.45 contain an animation implementation flaw that allows remote attackers to exfiltrate cross-origin data through specially crafted HTML pages. The vulnerability requires user interaction to trigger and affects all Chrome users, potentially exposing sensitive information from other websites. No patch is currently available.

Google Chrome Red Hat Suse
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-1235 MEDIUM This Month

WP eCommerce WordPre versions up to 3.15.1 is affected by deserialization of untrusted data (CVSS 6.5).

WordPress PHP Deserialization
NVD WPScan
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-20680 MEDIUM This Month

Sandboxed applications on Apple platforms (macOS Tahoe, Sonoma, Sequoia, iOS, and iPadOS) can bypass app state observability restrictions to access sensitive user data. A local attacker with app execution privileges could exploit this information disclosure vulnerability to observe data from other applications. Patches are available in macOS Tahoe 26.3, macOS Sonoma 14.8.4, macOS Sequoia 15.7.4, iOS 18.7.5, and iPadOS 18.7.5.

Apple Information Disclosure
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-26012 MEDIUM This Month

Vaultwarden versions prior to 1.35.3 allow authenticated organization members to bypass collection-level access controls and retrieve all ciphers within their organization through the /ciphers/organization-details endpoint. An attacker with regular member privileges can access sensitive credentials and encrypted data they should not have permission to view. No patch is currently available for affected deployments.

Authentication Bypass Vaultwarden Red Hat
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-15400 MEDIUM This Month

The Pix para Woocommerce WordPress plugin through 2.13.3 allows any authenticated user to trigger AJAX actions that reset payment gateway configuration options without capability or nonce checks. [CVSS 6.5 MEDIUM]

WordPress Authentication Bypass
NVD WPScan
CVSS 3.1
6.5
EPSS
0.0%
Prev Page 4 of 7 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy