Skip to main content
CVE-2026-27607 HIGH PATCH This Week

Insufficient input validation in RustFS versions 1.0.0-alpha.56 through 1.0.0-alpha.82 allows authenticated attackers to circumvent presigned POST upload policy restrictions, bypassing content-length-range, starts-with, and Content-Type controls. An attacker can exploit this to upload oversized files, write to arbitrary object keys, and spoof file types, resulting in storage exhaustion and potential unauthorized data access.

Code Injection Rustfs
NVD GitHub
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-3172 HIGH POC PATCH This Week

Buffer overflow in parallel HNSW index build in pgvector 0.6.0 versions up to 0.8.1 is affected by integer underflow (CVSS 8.1).

Buffer Overflow Denial Of Service AI / ML Red Hat Suse
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-26985 HIGH This Week

Authenticated users in LORIS 24.0.0 through 28.0.0 can exploit a path traversal vulnerability to read arbitrary configuration files containing hardcoded database and service credentials. An attacker with valid application access and appropriate permissions can leverage publicly available source code to easily craft requests that expose these sensitive files, potentially enabling lateral movement to backend systems. No patch is currently available for affected versions.

Path Traversal Loris
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-0752 HIGH This Week

GitLab CE/EE versions 16.2 through 18.9.0 are vulnerable to cross-site scripting (XSS) in the Mermaid sandbox UI, allowing unauthenticated attackers to inject arbitrary scripts under specific conditions. The vulnerability affects multiple release branches and currently has no available patch, requiring users to upgrade to patched versions 18.7.5, 18.8.5, or 18.9.1 and later. An attacker could exploit this to perform malicious actions in the context of other users' sessions, potentially compromising sensitive data or account security.

Gitlab
NVD
CVSS 3.1
8.0
EPSS
0.1%
CVE-2026-22720 HIGH PATCH This Week

Stored XSS in VMware Aria Operations allows authenticated users with benchmark creation privileges to inject malicious scripts and execute arbitrary administrative actions within the platform. This vulnerability affects VMware, Broadcom, and Telco Cloud Infrastructure products with a CVSS score of 8.0, requiring user interaction to trigger the attack. Patches are available through VMSA-2026-0001.

VMware Broadcom XSS Telco Cloud Infrastructure Telco Cloud Platform +2
NVD
CVSS 3.1
8.0
EPSS
0.1%
CVE-2026-2914 HIGH This Week

Unauthorized privilege escalation in CyberArk Endpoint Privilege Manager Agent versions 25.10.0 and earlier allows local authenticated users to elevate privileges by exploiting flaws in the elevation dialog mechanism. An attacker with local access and valid credentials could bypass privilege controls to gain elevated system access. No patch is currently available for this high-severity vulnerability (CVSS 7.8).

Privilege Escalation Endpoint Privilege Manager
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-20048 HIGH This Week

Improper SNMP request parsing in Cisco Nexus 9000 Series switches running ACI mode allows authenticated remote attackers to trigger kernel panics and device reloads by sending specially crafted queries to specific MIBs. An attacker with valid SNMP read-only community credentials can exploit this vulnerability across SNMP versions 1, 2c, and 3 to achieve denial of service. No patch is currently available for this vulnerability.

Cisco Linux SNMP Denial Of Service
NVD
CVSS 3.1
7.7
EPSS
0.2%
CVE-2026-27706 HIGH This Week

Plane versions before 1.2.2 contain a server-side request forgery vulnerability in the "Add Link" feature that allows authenticated users to send arbitrary GET requests to internal networks and retrieve full response bodies. An attacker with basic user privileges can exploit this to steal sensitive data from internal services and cloud metadata endpoints. No patch is currently available.

SSRF Plane
NVD GitHub
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-1916 HIGH This Week

Unauthenticated attackers can forge authentication tokens in the WPGSI: Spreadsheet Integration plugin for WordPress (versions up to 3.8.3) due to missing capability checks and weak token validation that relies only on Base64-encoded, unsigned user data. This allows remote attackers to create, modify, and delete arbitrary WordPress posts and pages without authentication. No patch is currently available.

WordPress
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-27950 HIGH PATCH This Week

FreeRDP versions prior to 3.23.0 contain an incomplete fix for a heap-use-after-free vulnerability that affects only the SDL2 code path, where freed memory pointers are not properly nulled, allowing an unauthenticated attacker to trigger a denial of service condition. Users running FreeRDP with SDL2 backends remain vulnerable despite the advisory claiming the issue was resolved. Upgrade to version 3.23.0 or later to obtain the complete fix.

Use After Free Freerdp Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-27704 HIGH This Week

The Dart and Flutter SDKs provide software development kits for the Dart programming language. [CVSS 7.5 HIGH]

Path Traversal Flutter Dart Software Development Kit
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-14511 HIGH This Week

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.2 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1 that could have allowed an unauthenticated user to cause denial of service by sending specially crafted files to the container registry event endpoint under certain conditions. [CVSS 7.5 HIGH]

Gitlab Denial Of Service
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-27628 HIGH PATCH This Week

Pypdf versions up to 6.7.2 is affected by loop with unreachable exit condition (infinite loop) (CVSS 7.5).

Python Pypdf Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-1388 HIGH This Week

Gitlab versions up to 18.7.5 is affected by inefficient regular expression complexity (redos) (CVSS 7.5).

Gitlab Denial Of Service
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-1662 HIGH This Week

Gitlab versions up to 18.7.5 is affected by allocation of resources without limits or throttling (CVSS 7.5).

Gitlab Jira Denial Of Service
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-27850 HIGH This Week

Misconfigured firewall rules in Meraki MR9600 (1.0.4.205530) and MX4200 (1.0.13.210200) routers accept WAN connections on source port 5222, allowing unauthenticated remote attackers to access services normally restricted to the local network. An attacker can leverage this to gain unauthorized access to sensitive internal services and information. No patch is currently available to remediate this vulnerability.

Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-27640 HIGH This Week

tfplan2md versions before 1.26.1 fail to properly mask sensitive values in Terraform plan reports across multiple rendering paths, causing credentials and other confidential data to be exposed in plaintext markdown output instead of being redacted. Administrators and developers using affected versions to generate infrastructure reports may inadvertently expose secrets to unauthorized parties with access to the generated documentation. No patch is currently available for this high-severity information disclosure vulnerability affecting Azure and Terraform workflows.

Azure Tfplan2md
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-22866 HIGH MAL This Week

Improper RSA signature validation in Ethereum Name Service (ENS) versions 1.6.2 and earlier allows attackers to forge DNS signatures for domains under .cc and .name TLDs, enabling unauthorized domain claims on ENS without actual DNS ownership. The vulnerability exploits Bleichenbacher's 2006 attack against RSA keys with low public exponents (e=3), which are used by these two TLDs' Key Signing Keys. No patch is currently available, leaving affected domains vulnerable to takeover attacks.

Information Disclosure Ethereum Name Service
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-20051 HIGH This Week

Cisco Nexus 3600 and 9500-R switches are vulnerable to Layer 2 traffic loops when processing maliciously crafted EVPN frames, allowing unauthenticated adjacent attackers to trigger a denial of service condition by overwhelming network bandwidth. An attacker can exploit this logic error in Layer 2 ingress packet processing by sending crafted Ethernet frames, causing VxLAN traffic loops that drop all data plane traffic. No patch is currently available for this vulnerability.

Cisco Denial Of Service
NVD
CVSS 3.1
7.4
EPSS
0.0%
CVE-2026-20033 HIGH This Week

Cisco Nexus 9000 Series Fabric Switches in ACI mode contains a vulnerability that allows attackers to cause the device to reload unexpectedly, resulting in a DoS condition (CVSS 7.4).

Cisco Denial Of Service
NVD
CVSS 3.1
7.4
EPSS
0.0%
CVE-2026-20010 HIGH This Week

Cisco NX-OS devices can be forced to reload through a crafted LLDP packet sent by an adjacent, unauthenticated attacker, causing a denial of service condition. The vulnerability stems from improper frame field validation in the LLDP process, exploitable only from directly connected network segments. No patch is currently available for affected systems.

Cisco Denial Of Service
NVD
CVSS 3.1
7.4
EPSS
0.0%
CVE-2026-26103 HIGH PATCH This Week

Improper authorization in the udisks D-Bus API allows local unprivileged users to manipulate LUKS encryption headers on block devices with root privileges, potentially destroying encryption keys and rendering volumes inaccessible. An attacker with local access can exploit this to cause permanent data loss through denial-of-service. No patch is currently available for this vulnerability.

Authentication Bypass Enterprise Linux Udisks
NVD GitHub VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-27610 HIGH PATCH This Week

Privilege escalation via cache key collision in Parse Dashboard (npm parse-dashboard) versions 7.3.0-alpha.42 through 9.0.0-alpha.7 allows an authenticated read-only user to obtain the full master key. The flaw lives in ConfigKeyCache, which reuses one cache entry for both the master key and the read-only master key when those keys are function-typed; under a timing race a read-only session can read back the cached full master key (or a regular user the read-only key). Exploitation requires an authenticated dashboard session and a non-default configuration (function-typed keys plus the agent block); no public exploit identified at time of analysis and EPSS is low (0.05%), but the GitHub Security Advisory and patch commit confirm the issue.

Information Disclosure Parse Dashboard
NVD GitHub VulDB
CVSS 4.0
7.0
EPSS
0.1%
Prev Page 2 of 2

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy