Skip to main content
CVE-2026-27119 MEDIUM PATCH This Month

Improper HTML escaping in Svelte versions 5.39.3 through 5.51.4 allows HTML injection attacks through unescaped option element content during server-side rendering, enabling attackers to inject malicious HTML into SSR output. Client-side rendering is unaffected, and the vulnerability is limited to applications using vulnerable Svelte versions on the server. This medium-severity flaw requires upgrading to version 5.51.5 or later, as no patch is currently available for affected versions.

XSS Svelte Red Hat
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-27016 MEDIUM PATCH This Month

Stored cross-site scripting in LibreNMS versions 24.10.0 through 26.1.1 allows authenticated users to inject malicious scripts through the unsanitized unit parameter in Custom OID configurations, which are then executed when other users view the affected pages. An attacker with login credentials could exploit this to steal session tokens, perform actions on behalf of other administrators, or compromise the monitoring infrastructure. The vulnerability has been patched in version 26.2.0.

MySQL SNMP XSS Librenms
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2024-34438 MEDIUM This Month

Missing Authorization vulnerability in Anssi Laitila Shared Files shared-files.This issue affects Shared Files: from n/a through <= 1.7.19. [CVSS 5.3 MEDIUM]

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-69325 MEDIUM This Month

primersoftware Primer MyData for Woocommerce primer-mydata contains a security vulnerability (CVSS 5.3).

WordPress Path Traversal PHP
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-2605 MEDIUM This Month

Tanium addressed an insertion of sensitive information into log file vulnerability in TanOS. [CVSS 5.3 MEDIUM]

Information Disclosure Tanos
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2024-43228 MEDIUM This Month

Missing Authorization vulnerability in SecuPress SecuPress Free secupress.This issue affects SecuPress Free: from n/a through <= 2.2.5.3. [CVSS 5.3 MEDIUM]

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-2739 MEDIUM PATCH This Month

This affects versions of the package bn.j versions up to 5.2.3. is affected by loop with unreachable exit condition (infinite loop) (CVSS 5.3).

Denial Of Service Red Hat Suse
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-27017 MEDIUM PATCH This Month

uTLS versions 1.6.0 through 1.8.0 fail to properly mimic Chrome's cipher suite selection behavior when using GREASE ECH, randomly choosing ChaCha20 for encrypted client hello while consistently using AES for the outer handshake—a mismatch that does not occur in actual Chrome and creates detectable fingerprints. This inconsistency affects users relying on uTLS for fingerprinting resistance and could enable network observers to distinguish uTLS traffic from legitimate Chrome connections. A patch is available to correct the cipher suite selection logic.

Information Disclosure Utls Suse
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-26977 MEDIUM This Month

Frappe Learning Management System versions 2.44.0 and below allow unauthenticated attackers to retrieve sensitive details about unpublished courses through API endpoints, exposing course content that should remain restricted. This information disclosure vulnerability affects all users of the affected versions, with no patch currently available pending the 2.45.0 release.

Authentication Bypass Learning
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-26967 MEDIUM PATCH This Month

PJSIP versions 2.16 and below contain a heap buffer overflow in the H.264 video unpacketizer that fails to properly validate NAL unit size fields in malformed SRTP packets, allowing remote attackers to trigger memory corruption on systems receiving H.264 video streams. The vulnerability has a CVSS score of 5.3 and enables information disclosure through heap memory access. A patch is available for affected deployments.

Github Buffer Overflow Heap Overflow Pjsip Red Hat
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-27502 MEDIUM This Month

Reflected XSS in SVXportal 2.5 and earlier allows unauthenticated attackers to inject malicious JavaScript through an unsanitized search parameter in log.php, enabling session hijacking or unauthorized actions when victims click a crafted link. The vulnerability requires user interaction but has no authentication requirement and affects all users of the vulnerable versions.

PHP XSS Svxportal
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-27505 MEDIUM This Month

SVXportal version 2.5 and earlier allow unauthenticated attackers to perform stored cross-site scripting attacks through the user registration form, where unencoded user inputs are persisted and executed in administrator browsers. An attacker can inject malicious JavaScript via registration fields like firstname, lastname, or email that will trigger when administrators access the users management interface. No patch is currently available for this vulnerability.

PHP XSS Svxportal
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-27504 MEDIUM This Month

SVXportal 2.5 and earlier allows authenticated attackers to inject arbitrary scripts through an unsanitized stationid parameter in radiomobile_front.php, which executes in an administrator's browser context when they visit a crafted URL. This reflected XSS vulnerability enables attackers to hijack admin sessions or execute unauthorized actions with administrative privileges. No patch is currently available.

PHP XSS Svxportal
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-27506 MEDIUM This Month

SVXportal 2.5 and earlier allows authenticated users to inject malicious scripts into user profile fields (firstname, lastname, email, image_url) that execute in administrators' browsers when viewing user management pages. An attacker with a valid account can exploit this stored XSS vulnerability to perform administrative actions or steal session credentials by targeting users with higher privileges. No patch is currently available for this vulnerability.

PHP XSS Svxportal
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-27503 MEDIUM This Month

Reflected XSS in SVXportal 2.5 and earlier allows attackers to inject malicious JavaScript through the search parameter in admin/log.php, which executes in administrators' browsers when they visit a crafted URL. An authenticated attacker could exploit this to steal admin sessions, forge administrative actions, or perform other browser-based attacks with elevated privileges. No patch is currently available.

PHP XSS Svxportal
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-27111 MEDIUM PATCH This Month

Kargo versions 1.9.0 through 1.9.2 fail to enforce the custom "promote" authorization verb in three REST API endpoints, allowing authenticated users with standard Kubernetes RBAC permissions to trigger promotions without the intended fine-grained access controls. An attacker with patch permissions on freight status or create permissions on promotions can bypass promotion pipeline restrictions and advance software artifacts unauthorized. A patch is available to restore the missing authorization checks.

Golang Kubernetes Kargo Suse
NVD GitHub
CVSS 3.1
5.0
EPSS
0.0%
CVE-2026-2408 MEDIUM This Month

Tanium addressed a use-after-free vulnerability in the Cloud Workloads Enforce client extension. [CVSS 4.7 MEDIUM]

Use After Free Cloud Workloads
NVD
CVSS 3.1
4.7
EPSS
0.0%
CVE-2025-67972 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in fox-themes Prague prague-plugins allows Reflected XSS.This issue affects Prague: from n/a through <= 2.2.8. [CVSS 7.1 HIGH]

XSS
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2024-54222 MEDIUM This Month

Seraphinite Solutions Seraphinite Accelerator seraphinite-accelerator is affected by missing authorization (CVSS 4.3).

Authentication Bypass Information Disclosure
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-22885 LOW Monitor

A vulnerability exists in EnOcean SmartServer IoT version 4.60.009 and prior, which would allow remote attackers, in the LON IP-852 management messages, to send specially crafted IP-852 messages resulting in a memory leak from the program's memory. [CVSS 3.7 LOW]

IoT
NVD GitHub
CVSS 3.1
3.7
EPSS
0.1%
CVE-2025-52603 LOW Monitor

Connections versions up to 7.0 contains a vulnerability that allows attackers to obtain limited information when a single piece of internal metadata is returned (CVSS 3.5).

Information Disclosure Connections
NVD
CVSS 3.1
3.5
EPSS
0.0%
CVE-2026-27007 LOW PATCH Monitor

OpenClaw is a personal AI assistant. Prior to version 2026.2.15, `normalizeForHash` in `src/agents/sandbox/config-hash.ts` recursively sorted arrays that contained only primitive values. [CVSS 3.3 LOW]

Docker
NVD GitHub
CVSS 3.1
3.3
EPSS
0.0%
CVE-2026-26964 LOW Monitor

Windmill is an open-source developer platform for internal code: APIs, background jobs, workflows and UIs. Versions 1.634.6 and below allow non-admin users to obtain Slack OAuth client secrets, which should only be accessible to workspace administrators. [CVSS 2.7 LOW]

Information Disclosure Windmill
NVD GitHub
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-21620 LOW Monitor

Relative Path Traversal, Improper Isolation or Compartmentalization vulnerability in erlang otp erlang/otp (tftp_file modules), erlang otp inets (tftp_file modules), erlang otp tftp (tftp_file modules) allows Relative Path Traversal.

Path Traversal
NVD GitHub VulDB
CVSS 4.0
2.3
EPSS
0.0%
CVE-2026-2819 LOW Monitor

Missing authorization in Dromara RuoYi-Vue-Plus up to version 5.5.3 allows authenticated remote attackers to delete workflow instances without proper access controls via the SaServletFilter component. Public exploit code exists for this vulnerability, and the vendor has not responded to disclosure attempts. The flaw enables low-impact compromise of workflow data integrity with network accessibility and minimal attack complexity.

Authentication Bypass
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-2825 LOW Monitor

A vulnerability has been found in rachelos WeRSS we-mp-r versions up to 1.4.8. is affected by cross-site scripting (xss) (CVSS 3.5).

XSS
NVD VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-2858 LOW Monitor

A vulnerability was identified in wren-lang wren up to 0.4.0. This affects the function peekChar of the file src/vm/wren_compiler.c of the component Source File Parser. [CVSS 3.3 LOW]

Buffer Overflow Wren
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-2473 PATCH Monitor

Predictable bucket naming in Vertex AI Experiments in Google Cloud Vertex AI from version 1.21.0 up to (but not including) 1.133.0 on Google Cloud Platform allows an unauthenticated remote attacker to achieve cross-tenant remote code execution, model theft, and poisoning via pre-creating predictably named Cloud Storage buckets (Bucket Squatting).

Google RCE
NVD
EPSS
0.3%
CVE-2026-27020 This Week

Photobooth prior to 1.0.1 has a cross-site scripting (XSS) vulnerability in user input fields. Malicious users could inject scripts through unvalidated form inputs.

XSS
NVD GitHub
EPSS
0.1%
CVE-2026-26957 PATCH Monitor

Libredesk is a self-hosted customer support desk application. Versions prior to 1.0.2-0.20260215211005-727213631ce6 fail to validate destination URLs for webhooks, allowing an attacker posing as an authenticated "Application Admin" to force the server to make HTTP requests to arbitrary internal destinations. This could compromise the underlying cloud infrastructure or internal corporate network...

Information Disclosure
NVD GitHub VulDB
EPSS
0.1%
CVE-2025-14547 This Week

An integer underflow vulnerability is present in Silicon Lab’s implementation of PSA Crypto and SE Manager EC-JPAKE APIs during ZKP parsing. Triggering the underflow can lead to a hard fault, causing a temporary denial of service.

Integer Overflow Denial Of Service
NVD
EPSS
0.1%
CVE-2026-1842 Monitor

HyperCloud versions 2.3.5 through 2.6.8 improperly allowed refresh tokens to be used directly for resource access and failed to invalidate previously issued access tokens when a refresh token was used.

Authentication Bypass
NVD
EPSS
0.1%
CVE-2026-27118 PATCH Monitor

SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Versions of @sveltejs/adapter-vercel prior to 6.3.2 are vulnerable to cache poisoning.

CSRF
NVD GitHub
EPSS
0.0%
CVE-2026-2832 This Week

Certain Samsung MultiXpress Multifunction Printers may be vulnerable to information disclosure, potentially exposing address book entries and other device configuration information through specific APIs without proper authorization.

Samsung Information Disclosure
NVD
EPSS
0.0%
CVE-2026-21627 Monitor

The vulnerability was rooted in how the Tassos Framework plugin handled specific AJAX requests through Joomla’s com_ajax entry point. Under certain conditions, internal framework functionality could be invoked without proper restriction.

Joomla
NVD
EPSS
0.0%
CVE-2025-14055 This Week

An integer underflow vulnerability in Silicon Labs Secure NCP host implementation allows a buffer overread via a specially crafted packet.

Integer Overflow
NVD
EPSS
0.0%
Prev Page 8 of 8

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy