Skip to main content
CVE-2026-20662 MEDIUM This Month

macOS devices running Sequoia 15.7.3 and earlier or Tahoe 26.2 and earlier contain an authorization bypass that permits an attacker with physical access to a locked device to view sensitive user information through improper state management. This vulnerability affects all macOS users and carries a MEDIUM severity rating with no available patch at this time. The flaw requires direct device access and does not enable code execution or system modification.

Apple macOS
NVD
CVSS 3.1
4.6
EPSS
0.0%
CVE-2026-20661 MEDIUM This Month

iOS and iPadOS devices with physical access vulnerabilities allow attackers to bypass authorization controls and access sensitive user information on locked devices through improper state management. The flaw affects multiple iOS versions including 18.7.5 and earlier, requiring only physical access to the device with no user interaction or elevated privileges. Apple has issued patches in iOS 26.3 and iPadOS 26.3, though updates for earlier versions (iOS 18.7.5 and iPadOS 18.7.5) are also available.

Apple Authentication Bypass
NVD
CVSS 3.1
4.6
EPSS
0.0%
CVE-2026-20645 MEDIUM This Month

Information disclosure on locked iOS and iPadOS devices stems from improper UI state management, allowing an attacker with physical device access to view sensitive user data. The vulnerability affects multiple Apple mobile OS versions and currently lacks a public patch, though fixes are available in iOS 26.3, iPadOS 26.3, iOS 18.7.5, and iPadOS 18.7.5.

Apple XSS
NVD
CVSS 3.1
4.6
EPSS
0.0%
CVE-2026-1094 MEDIUM This Month

GitLab CE/EE versions 18.8 before 18.8.4 allow authenticated developers to obscure file modifications from the web interface through specially crafted changes. This vulnerability enables users with developer privileges to conceal their code alterations from visibility and review, potentially bypassing transparency controls. Currently no patch is available, and the issue requires user interaction to exploit.

Gitlab
NVD
CVSS 3.1
4.6
EPSS
0.0%
CVE-2026-20605 MEDIUM This Month

System process denial of service affecting Apple macOS, iOS, and iPadOS through improper memory handling allows local attackers with physical access to crash critical system processes. The vulnerability impacts multiple recent OS versions including macOS Sequoia 15.7.4, iOS 18.7.5, iPadOS 18.7.5, and newer releases, with patches available for affected users. This could enable attackers to disrupt system stability and availability on vulnerable Apple devices.

Apple Buffer Overflow
NVD
CVSS 3.1
4.6
EPSS
0.0%
CVE-2026-0815 MEDIUM This Month

Stored XSS in WordPress Category Image plugin through version 2.0 allows authenticated users with Editor access or higher to inject malicious scripts via the tag-image parameter due to insufficient input validation. When other users view affected pages, the injected scripts execute in their browsers, potentially enabling session hijacking, credential theft, or site defacement. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2025-62856 MEDIUM This Month

A path traversal vulnerability has been reported to affect File Station 5. If a local attacker gains an administrator account, they can then exploit the vulnerability to read the contents of unexpected files or system data. [CVSS 4.4 MEDIUM]

Path Traversal File Station
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-20603 MEDIUM This Month

Root-privileged applications on macOS can bypass information redaction mechanisms to access sensitive user data due to inadequate access controls. This affects macOS Tahoe 26.3 and earlier versions, allowing a malicious or compromised privileged app to read private information that should be protected. No patch is currently available for this vulnerability.

Apple macOS
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2025-62855 MEDIUM This Month

A path traversal vulnerability has been reported to affect File Station 5. If a local attacker gains an administrator account, they can then exploit the vulnerability to read the contents of unexpected files or system data. [CVSS 4.4 MEDIUM]

Path Traversal File Station
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-20609 MEDIUM This Month

Memory handling vulnerabilities across Apple's macOS, iOS, and iPadOS platforms allow local attackers to trigger denial-of-service conditions or leak sensitive memory contents by processing specially crafted files. The vulnerability requires user interaction and local access, affecting multiple OS versions with patches available across the Apple ecosystem. CVSS 4.4 (Medium) severity reflects the limited attack surface and lack of remote exploitability.

Apple Buffer Overflow Information Disclosure
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-0724 MEDIUM This Month

The WPlyr Media Block plugin for WordPress through version 1.3.0 contains a stored cross-site scripting vulnerability in the '_wplyr_accent_color' parameter due to inadequate input sanitization, allowing authenticated administrators to inject malicious scripts that execute in other users' browsers. This requires high-privilege access and manual user interaction but impacts site integrity and user security across affected pages.

WordPress XSS
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-20635 MEDIUM PATCH This Month

Denial of service affecting Apple's macOS, iOS, iPadOS, watchOS, tvOS, and visionOS results from a memory handling flaw that crashes processes when parsing malicious web content. An unauthenticated remote attacker can trigger unexpected application termination through crafted web pages, requiring only user interaction to visit a malicious site. A patch is not currently available for this medium-severity vulnerability.

Apple Buffer Overflow Ipados Iphone Os Tvos +2
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2024-50618 MEDIUM This Month

Cipace versions up to 9.17 contains a vulnerability that allows attackers to bypass a protection mechanism (CVSS 4.3).

Authentication Bypass Cipace
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-1080 MEDIUM This Month

Gitlab versions up to 18.6.6 is affected by authorization bypass through user-controlled key (CVSS 4.3).

Gitlab
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-12073 MEDIUM This Month

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.0 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions, could have allowed an authenticated user to perform server-side request forgery against internal services by bypassing protections in the Git repository import functionality. [CVSS 4.3 MEDIUM]

Gitlab SSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-1748 MEDIUM This Month

The Invoct PDF Invoices & Billing for WooCommerce plugin through version 1.6 fails to enforce capability checks, allowing authenticated Subscriber-level users to access sensitive data including invoice details, client information, and WordPress user email addresses. This privilege escalation vulnerability affects all WordPress installations using the affected plugin versions and has no available patch.

WordPress Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-15524 MEDIUM This Month

The Gallery by FooGallery plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ajax_get_gallery_info() function in all versions up to, and including, 3.1.9. [CVSS 4.3 MEDIUM]

WordPress PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-25633 MEDIUM PATCH This Month

Statamic versions prior to 5.73.6 and 6.2.5 allow authenticated users without asset viewing permissions to download and access asset metadata through improper access controls. Only users with valid control panel access can exploit this vulnerability, as logged-out users are unaffected. A patch is available in the fixed versions.

Laravel Statamic
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-2323 MEDIUM PATCH This Month

Chrome versions up to 145.0.7632.45 is affected by user interface (ui) misrepresentation of critical information (CVSS 4.3).

Google Chrome Red Hat Suse
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-1215 MEDIUM This Month

The MMA Call Tracking WordPress plugin through version 2.3.15 lacks proper CSRF protection on its admin configuration page, allowing attackers to modify call tracking settings by tricking site administrators into clicking malicious links. An unauthenticated attacker can alter plugin configurations without authorization through forged requests. No patch is currently available for this vulnerability.

WordPress CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-26019 MEDIUM PATCH This Month

RecursiveUrlLoader in LangChain Community prior to 1.1.14 uses weak string-based URL validation that allows attackers to bypass the preventOutside crawling restriction by crafting domains with matching prefixes, potentially exposing the crawler to malicious or internal infrastructure endpoints. An attacker controlling a crawled webpage could inject links to cloud metadata services or private IP ranges, which the crawler would follow without validation, leading to information disclosure.

SSRF AI / ML Langchain Community Langchain Red Hat
NVD GitHub
CVSS 3.1
4.1
EPSS
0.0%
Prev Page 4 of 4

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy