Skip to main content
CVE-2026-2683 LOW POC Monitor

Tsinghua Unigroup Electronic Archives System 3.2.210802 contains a path traversal vulnerability in the download functionality that allows authenticated remote attackers to read arbitrary files on the affected system. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite early notification. The attack requires valid credentials but no user interaction, making it accessible to any authenticated user with network access.

Path Traversal Electronic Archives System
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-2666 LOW POC Monitor

Unrestricted file upload in mingSoft MCMS 6.1.1's template archive handler allows authenticated attackers with high privileges to upload arbitrary files via manipulation of the File parameter in /ms/file/uploadTemplate.do. Public exploit code exists for this vulnerability and no patch is currently available. The attack requires network access and high-level authentication but could lead to remote code execution or system compromise.

File Upload Authentication Bypass Mcms
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-2661 LOW POC Monitor

A security flaw has been discovered in Squirrel up to 3.2. This affects the function SQObjectPtr::operator in the library squirrel/sqobject.h. [CVSS 3.3 LOW]

Buffer Overflow Squirrel
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-2659 LOW POC Monitor

A vulnerability was determined in Squirrel up to 3.2. Affected by this vulnerability is the function SQFuncState::PopTarget of the file src/squirrel/squirrel/sqfuncstate.cpp. [CVSS 3.3 LOW]

Buffer Overflow Squirrel
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-2662 LOW POC Monitor

A weakness has been identified in FascinatedBox lily up to 2.3. This vulnerability affects the function count_transforms of the file src/lily_emitter.c. [CVSS 3.3 LOW]

Buffer Overflow Lily
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-2660 LOW POC Monitor

A vulnerability was identified in FascinatedBox lily up to 2.3. Affected by this issue is the function shorthash_for_name of the file src/lily_symtab.c. [CVSS 3.3 LOW]

Buffer Overflow Denial Of Service Lily
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-2657 LOW POC Monitor

A vulnerability has been found in wren-lang wren up to 0.4.0. This impacts the function printError of the file src/vm/wren_compiler.c of the component Error Message Handler. [CVSS 3.3 LOW]

Buffer Overflow Wren
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-2644 LOW POC Monitor

A weakness has been identified in niklasso minisat up to 2.2.0. This issue affects the function Solver::value in the library core/SolverTypes.h of the component DIMACS File Parser. [CVSS 3.3 LOW]

Buffer Overflow Minisat
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-2641 LOW POC Monitor

A weakness has been identified in universal-ctags ctags up to 6.2.1. The affected element is the function parseExpression/parseExprList of the file parsers/v.c of the component V Language Parser. Executing a manipulation can lead to uncontrolled recursion. It is possible to launch the attack on the local host. The exploit has been made available to the public and could be used for attacks. The ...

Information Disclosure
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-2653 LOW POC PATCH Monitor

Admesh versions up to 0.98.5 contain a heap buffer overflow in the stl_check_normal_vector function that allows local attackers to corrupt memory with low integrity and confidentiality impact. Public exploit code exists for this vulnerability, and the product appears to be unmaintained with no patch available.

Buffer Overflow Admesh
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-23229 MEDIUM PATCH CISA This Month

The Linux kernel's virtio-crypto driver lacks proper synchronization when handling virtqueue notifications from multiple processes, causing data corruption and system hangs when processing cryptographic operations concurrently. Local attackers with user privileges can trigger denial of service by running parallel crypto workloads, as demonstrated through multi-process OpenSSL benchmarks that expose race conditions in the virtcrypto_done_task() handler. No patch is currently available for this medium-severity vulnerability affecting systems running virtio-crypto with builtin backends.

Linux OpenSSL Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-23228 MEDIUM PATCH CISA This Month

The Linux kernel ksmbd server leaks the active_num_conn counter when kthread_run() fails during TCP connection initialization, allowing local authenticated users to exhaust connection tracking resources and cause a denial of service. The vulnerability stems from improper cleanup that fails to decrement the counter when freeing the transport structure. No patch is currently available for this medium-severity issue.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-23220 MEDIUM PATCH CISA This Month

The Linux kernel's ksmbd SMB server implementation contains a denial-of-service vulnerability where failed signature verification on chained SMB2 requests causes an infinite loop due to improper state reset. A local or authenticated attacker can trigger this condition by sending a malformed signed request, causing the ksmbd process to hang and become unresponsive.

Linux Denial Of Service
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-71237 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: nilfs2: Fix potential block overflow that cause system hang When a user executes the FITRIM command, an underflow can occur when calculating nblocks if end_block is too small.

Linux Buffer Overflow Linux Kernel Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-71236 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Validate sp before freeing associated memory System crash with the following signature [154563.214890] nvme nvme2: NVME-FC{1}: controller connect complete [154564.169363] qla2xxx [0000:b0:00.1]-3002:2: nvme: Sched: Set ZIO exchange threshold to 3.

Linux Null Pointer Dereference Denial Of Service Microsoft Linux Kernel +2
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-71235 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Delay module unload while fabric scan in progress System crash seen during load/unload test in a loop.

Linux Denial Of Service Linux Kernel Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-71233 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: PCI: endpoint: Avoid creating sub-groups asynchronously The asynchronous creation of sub-groups by a delayed work could lead to a NULL pointer dereference when the driver directory is removed before the work completes.

Linux Null Pointer Dereference Denial Of Service Linux Kernel Red Hat +1
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-71232 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Free sp in error path to fix system crash System crash seen during load/unload test in a loop, [61110.449331] qla2xxx [0000:27:00.0]-0042:0: Disabled MSI-X.

Linux Denial Of Service Linux Kernel Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-71229 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: wifi: rtw88: Fix alignment fault in rtw_core_enable_beacon() rtw_core_enable_beacon() reads 4 bytes from an address that is not a multiple of 4. This results in a crash on some systems.

Linux Denial Of Service Linux Kernel Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-23218 MEDIUM PATCH This Month

A null pointer dereference in the Linux kernel's loongson-64bit GPIO driver allows local attackers with user privileges to cause a denial of service through an incorrect NULL check that fails to validate chip->irq.parents after memory allocation. The vulnerability affects Linux systems with Loongson GPIO hardware and requires no user interaction to trigger. No patch is currently available.

Linux Null Pointer Dereference Denial Of Service Linux Kernel Red Hat +1
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-23217 MEDIUM PATCH This Month

A deadlock vulnerability in the Linux kernel's RISC-V tracing subsystem allows local users with tracing privileges to hang the system by enabling ftrace snapshots on __sbi_ecall functions, causing recursive IPI interrupts that trigger infinite snapshot loops. This issue is particularly easy to exploit on RISC-V systems lacking the SSTC extension, where timer events automatically invoke SBI ecalls. The vulnerability requires local access and is only exploitable if tracing is enabled, making it a denial of service vector for systems with active kernel tracing.

Linux Information Disclosure Linux Kernel Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-23211 MEDIUM PATCH This Month

Linux kernel swap handling can cause a kernel panic under heavy memory pressure when arch_prepare_to_swap fails due to read-only swap address space restrictions introduced in a prior commit. A local attacker with user privileges can trigger this denial of service condition during memory reclamation operations. No patch is currently available for this medium-severity vulnerability.

Linux Information Disclosure Linux Kernel Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-71227 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: don't WARN for connections on invalid channels It's not clear (to me) how exactly syzbot managed to hit this, but it seems conceivable that e.g.

Linux Information Disclosure Linux Kernel Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-71230 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: hfs: ensure sb->s_fs_info is always cleaned up When hfs was converted to the new mount api a bug was introduced by changing the allocation pattern of sb->s_fs_info.

Linux Information Disclosure Linux Kernel Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-23219 MEDIUM PATCH This Month

Memory allocation profiling in the Linux kernel fails to properly clear allocation tags during abort operations when CONFIG_MEM_ALLOC_PROFILING_DEBUG is enabled, allowing a local privileged user to trigger a denial of service through kernel warnings and potential system instability. The vulnerability affects the slab memory allocator's interaction with memcg abort handling and requires local access with elevated privileges to exploit. No patch is currently available for this medium-severity issue.

Linux Code Injection Linux Kernel Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-23215 MEDIUM PATCH This Month

The Linux kernel's VMware hypercall implementation improperly handles register state during mouse events, allowing local attackers with user privileges to trigger a denial of service through a kernel panic via crafted input to the vmmouse driver. The vulnerability stems from incomplete register preservation when the QEMU VMware mouse emulation clears the upper 32 bits of CPU registers containing kernel pointers. No patch is currently available for this medium-severity issue affecting Linux systems running on VMware or QEMU with vmmouse support.

Linux VMware Information Disclosure Linux Kernel Red Hat +1
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-23214 MEDIUM PATCH This Month

A denial of service vulnerability in the Linux kernel's btrfs filesystem allows local users with standard privileges to cause a system crash by triggering transaction aborts on read-only mounted filesystems. An attacker can exploit this by mounting a malformed btrfs filesystem with rescue options, causing the kernel to abort transactions with error handling failures during unmount. No patch is currently available for this medium-severity vulnerability.

Linux Information Disclosure Linux Kernel Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-23213 MEDIUM PATCH This Month

AMD GPU drivers on Linux systems fail to prevent MMIO register access during SMU Mode 1 reset, allowing incomplete PCIe transactions that can trigger NMI panics or system hangs. A local attacker with driver interaction capabilities could exploit this to cause a denial of service by accessing registers while the device is offline. The vulnerability affects Linux kernel implementations with AMD PM functionality and currently lacks an available patch.

Linux Information Disclosure Amd Linux Kernel Red Hat +1
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-14876 MEDIUM PATCH This Month

A flaw was found in the virtio-crypto device of QEMU. A malicious guest operating system can exploit a missing length limit in the AKCIPHER path, leading to uncontrolled memory allocation. [CVSS 5.5 MEDIUM]

Denial Of Service Red Hat Suse
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-69287 MEDIUM PATCH This Month

BSV Blockchain SDK is a unified TypeScript SDK for developing scalable apps on the BSV Blockchain. versions up to 2.0.0 contains a security vulnerability (CVSS 5.4).

Python Authentication Bypass
NVD GitHub
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-2127 MEDIUM This Month

Arbitrary shortcode execution in the SiteOrigin Widgets Bundle plugin for WordPress affects authenticated users with Subscriber access and above due to missing capability checks in an AJAX preview function. Attackers can exploit this vulnerability to execute arbitrary shortcodes when the Post Carousel widget is present, as the required nonce is publicly exposed in the page HTML. No patch is currently available.

WordPress
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-26270 MEDIUM PATCH This Month

InvoicePlane 1.7.0 and earlier contains a stored XSS vulnerability in the Invoice Groups "Identifier Format" field that authenticated users can exploit to inject malicious scripts executed when other users access the invoice list or dashboard. An attacker with invoice group management permissions can inject arbitrary JavaScript that runs in the context of other users' browsers, potentially leading to session hijacking or credential theft. A patch is available in version 1.7.1.

XSS Invoiceplane
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-1656 MEDIUM This Month

Business Directory (WordPress plugin) versions up to 6.4.20. is affected by missing authorization (CVSS 5.3).

WordPress
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-12074 MEDIUM This Month

The Context Blog theme for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.2.5 via the 'context_blog_modal_popup' due to insufficient restrictions on which posts can be included. [CVSS 5.3 MEDIUM]

WordPress Information Disclosure PHP
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-7630 MEDIUM This Month

Doruk Communication and Automation Industry and Trade Inc. Wispotter is affected by improper authentication (CVSS 5.3).

Authentication Bypass
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-10256 MEDIUM PATCH This Month

A NULL pointer dereference vulnerability exists in FFmpeg’s Firequalizer filter (libavfilter/af_firequalizer.c) due to a missing check on the return value of av_malloc_array() in the config_input() function. [CVSS 5.3 MEDIUM]

Null Pointer Dereference Denial Of Service Ffmpeg Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-71225 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: md: suspend array while updating raid_disks via sysfs In raid1_reshape(), freeze_array() is called before modifying the r1bio memory pool (conf->r1bio_pool) and conf->raid_disks, and unfreeze_array() is called after the update is completed.

Linux Information Disclosure Linux Kernel Red Hat Suse
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-2126 MEDIUM This Month

Unauthenticated attackers can manipulate post category assignments in the WordPress User Submitted Posts plugin through missing authorization checks on user-supplied category IDs. This allows bypassing frontend category restrictions to assign posts to arbitrary or restricted categories via crafted POST requests. The vulnerability affects all versions up to 20260113 with no patch currently available.

WordPress
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-1938 MEDIUM This Month

Unauthorized license key deletion in the YayMail WooCommerce Email Customizer plugin (versions up to 4.3.2) stems from missing authorization checks on a REST API endpoint, allowing authenticated Shop Manager-level users to remove the plugin license if they can obtain the REST API nonce. This integrity violation affects WordPress installations running the vulnerable plugin and could disrupt email customization functionality.

WordPress
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-14444 MEDIUM This Month

The RegistrationMagic - Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress is vulnerable to payment bypass due to insufficient verification of data authenticity on the 'process_paypal_sdk_payment' function in all versions up to, and including, 6.0.6.9. [CVSS 5.3 MEDIUM]

WordPress PHP
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-2656 LOW POC Monitor

A flaw has been found in ChaiScript up to 6.1.0. This affects the function chaiscript::Type_Info::bare_equal of the file include/chaiscript/dispatchkit/type_info.hpp. [CVSS 2.5 LOW]

Buffer Overflow Denial Of Service Chaiscript
NVD GitHub VulDB
CVSS 4.0
1.1
EPSS
0.0%
CVE-2026-2655 LOW POC Monitor

A vulnerability was detected in ChaiScript up to 6.1.0. The impacted element is the function chaiscript::str_less::operator of the file include/chaiscript/chaiscript_defines.hpp. [CVSS 2.5 LOW]

Buffer Overflow Denial Of Service Chaiscript
NVD GitHub VulDB
CVSS 4.0
1.1
EPSS
0.0%
CVE-2025-8781 MEDIUM This Month

The Bookster - WordPress Appointment Booking Plugin plugin for WordPress is vulnerable to SQL Injection via the ‘raw’ parameter in all versions up to, and including, 2.1.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. [CVSS 4.9 MEDIUM]

WordPress SQLi PHP
NVD
CVSS 3.1
4.9
EPSS
0.0%
CVE-2025-0577 MEDIUM PATCH This Month

An insufficient entropy vulnerability was found in glibc. The getrandom and arc4random family of functions may return predictable randomness if these functions are called again after the fork, which happens concurrently with a call to any of these functions. [CVSS 4.8 MEDIUM]

Information Disclosure Red Hat Suse
NVD
CVSS 3.1
4.8
EPSS
0.1%
CVE-2026-23212 MEDIUM PATCH This Month

A data-race condition in the Linux kernel bonding driver's slave->last_rx field can be accessed without proper synchronization, potentially causing a denial of service on systems using bonded network interfaces. Local attackers with limited privileges can trigger the race condition to cause system instability or crashes. A patch is not currently available, and exploitation requires specific timing conditions.

Linux Information Disclosure Linux Kernel Red Hat Suse
NVD VulDB
CVSS 3.1
4.7
EPSS
0.0%
CVE-2026-1304 MEDIUM This Month

Stored Cross-Site Scripting in the Membership Plugin for WordPress versions up to 3.2.18 allows authenticated administrators to inject malicious scripts into invoice settings fields due to inadequate input sanitization. When other users access pages containing the injected code, the scripts execute in their browsers, potentially compromising their sessions or stealing sensitive data. Exploitation requires administrator-level access and no patch is currently available.

WordPress XSS
NVD
CVSS 3.1
4.4
EPSS
0.1%
CVE-2026-1649 MEDIUM This Month

Stored XSS in WordPress Community Events plugin through the 'ce_venue_name' parameter allows authenticated administrators to inject malicious scripts that execute for all users viewing affected pages. The vulnerability exists in versions up to 1.5.7 due to inadequate input sanitization and output escaping, with no patch currently available.

WordPress XSS
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-2281 MEDIUM This Month

Stored XSS in WordPress Private Comment plugin up to version 0.0.4 allows authenticated administrators to inject malicious scripts via the label text setting due to inadequate input sanitization and output escaping. The injected scripts execute in the browsers of users viewing affected pages, impacting multi-site WordPress installations or those with unfiltered_html disabled. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2025-12037 MEDIUM This Month

WP 404 Auto Redirect to Similar Post (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 4.4).

WordPress XSS PHP
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2025-13727 MEDIUM This Month

The Video Share VOD - Turnkey Video Site Builder Script plugin for WordPress is vulnerable to Stored Cross-Site Scripting via plugin settings in all versions up to, and including, 2.7.11 due to insufficient input sanitization and output escaping. [CVSS 4.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
4.4
EPSS
0.0%
Prev Page 4 of 5 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy