Skip to main content
CVE-2026-3192 LOW POC Monitor

Improper authentication in Chia Blockchain 2.1.0's RPC Credential Handler (_authenticate function) allows remote attackers to bypass credential validation with high complexity exploitation. Public exploit code exists for this vulnerability, and the vendor dismissed the report as a design choice placing responsibility on users for host security. Affected systems may experience confidentiality, integrity, and availability impacts through unauthorized RPC access.

Authentication Bypass Blockchain
NVD GitHub VulDB
CVSS 4.0
2.9
EPSS
0.1%
CVE-2026-20099 MEDIUM This Month

Insufficient input validation in Cisco FXOS and UCS Manager web interfaces enables authenticated administrators to inject arbitrary commands and achieve root-level code execution on affected systems. The vulnerability requires local access and valid admin credentials, allowing privileged attackers to bypass normal OS restrictions. No patch is currently available, and the lack of input sanitization on command arguments represents a critical privilege escalation vector for insider threats.

Cisco Command Injection
NVD
CVSS 3.1
6.7
EPSS
0.1%
CVE-2026-27794 MEDIUM PATCH This Month

Remote code execution in LangGraph's caching layer affects applications that explicitly enable cache backends inheriting from BaseCache with nodes opted into caching via CachePolicy. An attacker can exploit unsafe deserialization through pickle when msgpack serialization fails, allowing arbitrary code execution on affected systems. This vulnerability requires explicit cache configuration and does not affect default deployments.

Redis RCE SQLi Deserialization AI / ML +1
NVD GitHub
CVSS 3.1
6.6
EPSS
0.3%
CVE-2026-27632 LOW POC Monitor

Talishar is a fan-made Flesh and Blood project. Prior to commit 6be3871a14c192d1fb8146cdbc76f29f27c1cf48, the Talishar application lacks Cross-Site Request Forgery (CSRF) protections on critical state-changing endpoints, specifically within `SubmitChat.php` and other game interaction handlers. [CVSS 2.6 LOW]

PHP CSRF
NVD GitHub
CVSS 3.1
2.6
EPSS
0.0%
CVE-2026-20036 MEDIUM This Month

Cisco UCS Manager's CLI and web management interfaces are vulnerable to OS command injection when authenticated administrators submit specially crafted input due to inadequate argument validation. An attacker with valid admin credentials can exploit this to execute arbitrary commands as root on the affected device. No patch is currently available for this vulnerability.

Cisco
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-3100 MEDIUM This Month

Man-in-the-middle attacks in TLS/SSL certificate verification for FTPES/FTPS connections in ADM 4.1.0-4.3.3.ROF1 and 5.0.0-5.1.2.RE51 allow remote attackers to intercept and modify backup data and authentication credentials without patching available. The FTP Backup feature fails to properly validate certificates, enabling network traffic interception and credential compromise during secure file transfers. Affected organizations should implement network segmentation or disable FTPES/FTPS backup functionality until patches become available.

TLS Data Master
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-3525 MEDIUM This Month

Gitlab versions up to 18.7.5 is affected by allocation of resources without limits or throttling (CVSS 6.5).

Gitlab Denial Of Service
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-3118 MEDIUM This Month

Denial of Service in Red Hat Developer Hub's Orchestrator Plugin allows authenticated users to crash the entire Backstage application through malformed GraphQL queries due to insufficient input validation. An attacker can leverage this to temporarily disable platform access for all legitimate users. No patch is currently available to address this vulnerability.

Red Hat Denial Of Service SQLi
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-2845 MEDIUM This Month

Gitlab versions up to 18.7.5 is affected by allocation of resources without limits or throttling (CVSS 6.5).

Gitlab Denial Of Service
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-27705 MEDIUM PATCH This Month

Plane prior to version 1.2.2 allows authenticated users to modify project assets across any workspace by directly referencing asset IDs, as the asset lookup fails to verify workspace and project ownership. An attacker with guest-level credentials can enumerate asset UUIDs and alter asset attributes and upload status without authorization. The vulnerability has been patched in version 1.2.2.

Authentication Bypass Plane
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-2367 MEDIUM This Month

Secure Copy Content Protection and Content Locking (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1614 MEDIUM This Month

Stored XSS in Rise Blocks WordPress plugin versions up to 3.7 allows authenticated contributors and above to inject malicious scripts into pages through the logoTag Site Identity block attribute due to inadequate input sanitization. The injected scripts execute in the browsers of all users who access the compromised pages, potentially leading to credential theft, session hijacking, or malware distribution. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-22721 MEDIUM PATCH This Month

Privilege escalation in VMware Aria Operations allows authenticated users with vCenter access to escalate their privileges to administrative level within Aria Operations. The vulnerability affects multiple Broadcom products including Telco Cloud Platform, Aria Operations, and Cloud Foundation, requiring administrative intervention but no user interaction to exploit. Patches are available through VMSA-2026-0001.

VMware Broadcom Privilege Escalation Telco Cloud Platform Aria Operations +2
NVD
CVSS 3.1
6.2
EPSS
0.1%
CVE-2026-27846 MEDIUM This Month

Missing authentication in the mesh network functionality of Netgear MR9600 (1.0.4.205530) and MX4200 (1.0.13.210200) allows an attacker with physical device access to add unauthorized mesh devices and extract sensitive credentials including admin passwords and Wi-Fi keys. The vulnerability requires no user interaction and affects the confidentiality of authentication materials stored on the device. No patch is currently available for this issue.

Authentication Bypass
NVD
CVSS 3.1
6.2
EPSS
0.0%
CVE-2026-21443 MEDIUM PATCH This Month

Cross-site scripting (XSS) in OpenEMR prior to version 8.0.0 allows unauthenticated attackers to inject malicious scripts through the translation database, as the `xl()` function returns unescaped strings that are used directly in the application without proper context-specific escaping. An attacker with database access could exploit this to execute arbitrary JavaScript in users' browsers and compromise sensitive patient data or application functionality. The vulnerability is resolved in OpenEMR 8.0.0 and later versions.

XSS Openemr
NVD GitHub
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-3187 LOW POC PATCH Monitor

Unrestricted file uploads in Sz Boot Parent versions up to 1.3.2-beta allow authenticated remote attackers to upload malicious files via the /api/admin/sys-file/upload API endpoint. Public exploit code exists for this vulnerability, which has been patched in version 1.3.3-beta through the addition of file extension and MIME type whitelisting controls. Immediate upgrade to the patched version is strongly recommended.

File Upload Authentication Bypass Sz Boot Parent
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2026-3163 LOW POC Monitor

Website Link Extractor versions up to 1.0 is affected by server-side request forgery (ssrf) (CVSS 6.3).

SSRF Website Link Extractor
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-27746 MEDIUM PATCH This Month

Reflected XSS in SPIP jeux plugin before version 4.1.1 allows unauthenticated remote attackers to inject malicious scripts through unencoded request parameters in the pre_propre pipeline. An attacker can craft a malicious URL that, when visited by a victim, executes arbitrary JavaScript in the victim's browser with access to the page's context. A patch is available for affected installations.

XSS Jeux
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-3150 LOW POC Monitor

SQL injection in itsourcecode College Management System 1.0's teacher management interface allows authenticated attackers to manipulate the teacher_id parameter in /admin/display-teacher.php and execute arbitrary database queries. Public exploit code exists for this vulnerability, enabling remote exploitation by users with administrative access. The vulnerability remains unpatched and carries medium severity with potential for data confidentiality, integrity, and availability compromise.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-3149 LOW POC Monitor

College Management System versions up to 1.0 contains a vulnerability that allows attackers to sql injection (CVSS 6.3).

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-27736 MEDIUM PATCH This Month

Bigbluebutton versions up to 3.0.20 is affected by url redirection to untrusted site (open redirect) (CVSS 6.1).

Open Redirect Bigbluebutton
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-3186 LOW POC PATCH Monitor

Improper authorization in Sz Boot Parent up to version 1.3.2-beta allows authenticated attackers to reset arbitrary user passwords by manipulating the userId parameter in the password reset API endpoint. Public exploit code exists for this vulnerability, enabling remote password reset attacks against any user account. Upgrade to version 1.3.3-beta or later to remediate.

Information Disclosure Sz Boot Parent
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-3171 LOW POC Monitor

Patients Waiting Area Queue Management System versions up to 1.0 is affected by cross-site scripting (xss) (CVSS 3.5).

PHP XSS
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-27629 MEDIUM This Month

InvenTree prior to version 1.2.3 allows authenticated staff users to inject malicious Jinja2 template code into batch code generation functionality, enabling server-side template injection that can expose sensitive data or execute arbitrary code. Once a staff member modifies the template maliciously, any user triggering batch code generation via the API will execute the injected code within their user context. This vulnerability requires staff-level access to set up but can be exploited by lower-privileged users once the malicious template is in place.

RCE Inventree
NVD GitHub
CVSS 3.1
5.9
EPSS
0.1%
CVE-2026-3170 LOW POC Monitor

Patients Waiting Area Queue Management System versions up to 1.0 is affected by cross-site scripting (xss) (CVSS 2.4).

PHP XSS
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-3147 LOW POC PATCH Monitor

Libvips up to version 8.18.0 contains a heap buffer overflow in the CSV parsing function that allows local attackers with user-level privileges to corrupt memory and potentially execute arbitrary code. Public exploit code is available for this vulnerability, and a patch has been released to address the issue.

Buffer Overflow Libvips
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-3137 LOW POC Monitor

Stack-based buffer overflow in CodeAstro Food Ordering System 1.0 allows local attackers with user privileges to corrupt memory and potentially execute arbitrary code, with public exploit code currently available. The vulnerability affects food_ordering.exe through an undocumented function and requires local access to exploit. No patch is currently available for affected systems.

Buffer Overflow Food Ordering System
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-3200 MEDIUM This Month

SQL injection in z-9527 admin 1.0/2.0 user controller functions (checkName, register, login, getUser, getUsers) allows unauthenticated remote attackers to execute arbitrary SQL queries. Public exploit code exists for this vulnerability, and the vendor has not responded to disclosure attempts. The impact includes potential unauthorized data access, modification, and service disruption with no available patch.

SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2026-2636 MEDIUM This Month

Local denial of service in Windows CLFS.sys driver allows unprivileged users to crash the system through improper handling of special elements. Affected versions include Windows 11 2024 LTSC and Windows Server 2025 prior to the September 2025 cumulative update, while Windows 25H2 and later contain the patch. No public exploit code is currently available, and the vulnerability carries a CVSS score of 5.5 with zero estimated probability of exploitation.

Microsoft Windows Denial Of Service
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-3203 MEDIUM PATCH This Month

Wireshark versions 4.4.0-4.4.13 and 4.6.0-4.6.3 crash when processing malformed RF4CE Profile protocol packets, enabling local denial of service attacks through user interaction. An attacker can trigger an out-of-bounds read by supplying a specially crafted packet file to a target user, causing the application to become unavailable. No patch is currently available for this vulnerability.

Denial Of Service Wireshark Red Hat Suse
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-20107 MEDIUM This Month

Device reload in Cisco APIC's Object Model CLI component allows authenticated local users to trigger a denial of service through insufficient input validation on crafted commands. An attacker with valid credentials and CLI access can exploit this vulnerability to crash the affected device, though no patch is currently available. This vulnerability affects systems where attackers can obtain legitimate user credentials with appropriate role permissions.

Cisco Denial Of Service
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-26104 MEDIUM PATCH This Month

Unprivileged users can extract LUKS encryption headers from the udisks daemon due to missing authorization checks on a privileged D-Bus method, allowing attackers to read sensitive cryptographic metadata and potentially compromise encrypted storage confidentiality. The vulnerability affects systems running vulnerable versions of udisks and requires local access to exploit. No patch is currently available.

Authentication Bypass Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-2694 MEDIUM This Month

The Events Calendar plugin for WordPress through version 6.15.16 fails to properly validate user capabilities in REST API endpoints, allowing authenticated contributors and higher-privileged users to modify or delete events, organizers, and venues without proper authorization. This capability check bypass affects all installations with the vulnerable plugin version and enables authenticated attackers with lower-level access to cause data integrity issues and service disruption. No patch is currently available for this medium-severity vulnerability.

WordPress
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-27639 MEDIUM PATCH This Month

Stored XSS in Mercator prior to version 2026.02.22 allows authenticated users to execute arbitrary JavaScript in other users' browsers by injecting malicious payloads into entity fields like contact points. The vulnerability exploits improperly escaped Blade template directives, enabling attackers to compromise administrator accounts and perform actions with their privileges. A patch is available in version 2026.02.22.

XSS Mercator
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-27578 MEDIUM PATCH This Month

n8n is an open source workflow automation platform. [CVSS 5.4 MEDIUM]

XSS N8n
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-26271 MEDIUM PATCH This Month

FreeRDP versions prior to 3.23.0 are vulnerable to a buffer overread in icon data processing that allows denial of service when clients receive crafted RDP Window Icon data from a server or network attacker. An unauthenticated remote attacker can exploit this vulnerability to crash the FreeRDP client by sending malicious icon structures during the RDP connection. A patch is available in version 3.23.0 and later.

Buffer Overflow Freerdp Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-1725 MEDIUM This Month

Gitlab versions up to 18.9.0 is affected by allocation of resources without limits or throttling (CVSS 5.3).

Gitlab Denial Of Service
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-3193 LOW POC Monitor

A vulnerability was detected in Chia Blockchain 2.1.0. Impacted is an unknown function of the file /send_transaction. [CVSS 3.1 LOW]

CSRF Blockchain
NVD GitHub VulDB
CVSS 4.0
1.3
EPSS
0.0%
CVE-2026-2878 MEDIUM This Month

Telerik Ui For Asp.Net Ajax versions up to 2026.1.225 contains a vulnerability that allows attackers to collisions and file content tampering (CVSS 5.3).

Information Disclosure Telerik Ui For Asp.Net Ajax
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-5781 MEDIUM This Month

Configuration Manager versions up to 11.0.5-00 is affected by insertion of sensitive information into log file (CVSS 5.2).

Information Disclosure Ops Center Api Configuration Manager Device Manager Configuration Manager
NVD
CVSS 3.1
5.2
EPSS
0.0%
CVE-2026-3194 LOW POC Monitor

Chia Blockchain 2.1.0's RPC Server Master Passphrase Handler lacks proper authentication in the send_transaction and get_private_key functions, allowing authenticated local attackers to bypass security controls with public exploit code available. An attacker with local access and existing privileges could manipulate these functions to gain unauthorized access to sensitive blockchain operations, though exploitation requires high complexity and the vendor considers this a user responsibility issue. A patch is not currently available.

Authentication Bypass Blockchain
NVD GitHub VulDB
CVSS 4.0
1.1
EPSS
0.0%
CVE-2026-2479 MEDIUM This Month

Authenticated WordPress users with Author-level or higher privileges can exploit a Server-Side Request Forgery vulnerability in the Responsive Lightbox & Gallery plugin (versions up to 2.7.1) due to improper hostname validation in the image upload function. This allows attackers to send arbitrary web requests from the vulnerable server to internal services, potentially exposing or modifying sensitive information within the network. The vulnerability affects all versions up to 2.7.1 with no patch currently available.

WordPress SSRF
NVD
CVSS 3.1
5.0
EPSS
0.0%
CVE-2026-3221 MEDIUM This Month

Devolutions Server 2025.3.14 and earlier stores sensitive user account information in plaintext within the database, enabling attackers with database access to extract this data without authentication. This vulnerability affects deployments where database security is compromised or where privileged users have malicious intent. No patch is currently available.

Information Disclosure Devolutions Server
NVD
CVSS 3.1
4.9
EPSS
0.0%
CVE-2026-26717 MEDIUM PATCH This Month

OpenFUN Richie LMS's course synchronization API uses non-constant-time comparison for HMAC signature validation, allowing remote attackers to forge valid signatures through timing analysis and bypass authentication controls. This vulnerability affects the sync_course_run_from_request function and requires no user interaction, though successful exploitation demands careful timing measurements. No patch is currently available for this medium-severity issue.

Authentication Bypass
NVD GitHub
CVSS 3.1
4.8
EPSS
0.1%
CVE-2026-20091 MEDIUM This Month

web-based management interface of Cisco FXOS Software and Cisco UCS Manager Software is affected by cross-site scripting (xss) (CVSS 4.8).

Cisco XSS
NVD
CVSS 3.1
4.8
EPSS
0.0%
CVE-2025-0976 MEDIUM This Month

Configuration Manager versions up to 11.0.4-00 is affected by insertion of sensitive information into log file (CVSS 4.7).

Information Disclosure Configuration Manager Ops Center Api Configuration Manager
NVD
CVSS 3.1
4.7
EPSS
0.0%
CVE-2026-3202 MEDIUM PATCH This Month

NTS-KE protocol dissector crash in Wireshark 4.6.0 to 4.6.3 allows denial of service [CVSS 4.7 MEDIUM]

Denial Of Service Wireshark Red Hat Suse
NVD
CVSS 3.1
4.7
EPSS
0.0%
CVE-2025-11563 MEDIUM PATCH This Month

URLs containing percent-encoded slashes (`/` or `\`) can trick wcurl into saving the output file outside of the current directory without the user explicitly asking for it. This flaw only affects the wcurl command line tool. [CVSS 4.6 MEDIUM]

Path Traversal Wcurl Red Hat Suse
NVD
CVSS 3.1
4.6
EPSS
0.0%
CVE-2026-25135 MEDIUM PATCH This Month

OpenEMR versions prior to 8.0.0 expose complete contact details for all users, organizations, and patients to authenticated attackers with specific FHIR export and location read permissions. The vulnerability requires administrator-enabled OAuth2 confidential client access, limiting exploitation to high-trust server-to-server integrations with established relationships. This information disclosure affects OpenEMR deployments since 2023 and can be mitigated by upgrading to version 8.0.0 or later.

Information Disclosure Openemr
NVD GitHub
CVSS 3.1
4.5
EPSS
0.1%
CVE-2026-20037 MEDIUM This Month

Cisco UCS Manager NX-OS CLI improperly grants excessive privileges to read-only users, allowing authenticated local attackers to modify files and execute privileged actions on affected systems. An attacker with read-only credentials can exploit this privilege escalation to create, overwrite files, or perform limited administrative operations. No patch is currently available.

Cisco
NVD
CVSS 3.1
4.4
EPSS
0.0%
Prev Page 4 of 5 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy