Skip to main content
CVE-2026-27695 MEDIUM PATCH This Month

Zae-Limiter versions up to 0.10.1 is affected by allocation of resources without limits or throttling (CVSS 4.3).

Denial Of Service Zae Limiter
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-14742 MEDIUM This Month

WP Recipe Maker (WordPress plugin) is affected by authorization bypass through user-controlled key (CVSS 4.3).

WordPress PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-2301 MEDIUM This Month

Protected post metadata injection in Post Duplicator plugin for WordPress allows authenticated contributors and higher-privileged users to arbitrarily set sensitive meta keys like _wp_page_template on duplicated posts by bypassing WordPress's standard metadata protection mechanisms. The vulnerability exists in versions up to 3.0.8 due to direct database insertion instead of using WordPress's protected metadata validation function. Attackers can exploit this through the customMetaData parameter in the REST API endpoint to manipulate post properties and potentially compromise site functionality.

WordPress PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-2410 MEDIUM This Month

The Disable Admin Notices - Hide Dashboard Notifications WordPress plugin up to version 1.4.2 lacks proper CSRF protection in its `showPageContent()` function, allowing unauthenticated attackers to inject arbitrary URLs into the blocked redirects list by tricking site administrators into clicking a malicious link. This could enable an attacker to redirect site traffic or manipulate administrator settings without explicit authorization. No patch is currently available for this medium-severity vulnerability.

WordPress CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-14103 MEDIUM This Month

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.7 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1 that could have allowed an unauthorized user with Developer-role permissions to set pipeline variables for manually triggered jobs under certain conditions. [CVSS 4.3 MEDIUM]

Gitlab
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-1747 MEDIUM This Month

Unauthorized modification of protected Conan packages in GitLab EE allows Developer-role users to bypass package protection controls under specific conditions. Affected versions include 17.11 through 18.7.4, 18.8.0 through 18.8.4, and 18.9.0 before 18.9.1. An attacker with Developer privileges could alter protected package contents despite insufficient permissions to do so.

Gitlab
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-28194 MEDIUM This Month

Teamcity versions up to 2025.11.3 is affected by url redirection to untrusted site (open redirect) (CVSS 4.3).

React Open Redirect Teamcity
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-28195 MEDIUM This Month

Insufficient authorization checks in JetBrains TeamCity before version 2025.11.3 permit project developers to modify build configuration parameters without proper access controls. An authenticated attacker with developer privileges could inject malicious parameters into build configurations, potentially altering build behavior or exposing sensitive information. No patch is currently available for this vulnerability.

Authentication Bypass Teamcity
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-27795 MEDIUM PATCH This Month

LangChain's RecursiveUrlLoader in @langchain/community versions prior to 1.1.18 fails to validate redirect targets, allowing authenticated attackers to bypass SSRF protections by redirecting from whitelisted URLs to internal or metadata endpoints. An attacker with user credentials can exploit this to access sensitive internal resources or cloud metadata services through automatic redirect following. Affected applications should upgrade to version 1.1.18, which disables automatic redirects and re-validates each redirect destination.

SSRF Langchain Community
NVD GitHub
CVSS 3.1
4.1
EPSS
0.0%
CVE-2026-24005 NONE POC PATCH Awaiting Data

Kruise provides automated management of large-scale applications on Kubernetes. Prior to versions 1.8.3 and 1.7.5, PodProbeMarker allows defining custom probes with TCPSocket or HTTPGet handlers.

Kubernetes SSRF
NVD GitHub
EPSS
0.0%
CVE-2025-67860 LOW PATCH Monitor

A vulnerability has been identified in the NeuVector scanner where the scanner process accepts registry and controller credentials as command-line arguments, potentially exposing sensitive credentials to local users. [CVSS 3.8 LOW]

Authentication Bypass
NVD GitHub
CVSS 3.1
3.8
EPSS
0.0%
CVE-2026-3189 LOW Monitor

A weakness has been identified in feiyuchuixue sz-boot-parent up to 1.3.2-beta. This vulnerability affects unknown code of the file /api/admin/common/files/download. Executing a manipulation of the argument url can lead to server-side request forgery. The attack can be executed remotely. Attacks of this nature are highly complex. It is stated that the exploitability is difficult. Upgrading to v...

SSRF
NVD GitHub VulDB
CVSS 3.1
3.1
EPSS
0.0%
CVE-2026-21725 LOW Monitor

A time-of-create-to-time-of-use (TOCTOU) vulnerability lets recently deleted-then-recreated data sources be re-deleted without permission to do so. [CVSS 2.6 LOW]

Grafana Information Disclosure
NVD
CVSS 3.1
2.6
EPSS
0.0%
CVE-2026-28196 LOW Monitor

In JetBrains TeamCity before 2025.11.3 disabling versioned settings left a credentials config on disk [CVSS 2.3 LOW]

Information Disclosure Teamcity
NVD
CVSS 3.1
2.3
EPSS
0.0%
CVE-2026-3209 LOW Monitor

Improper access control in the Role Handler component of fosrl Pangolin up to version 1.15.4-s.3 allows authenticated remote attackers to bypass role and API key verification checks. Public exploit code exists for this vulnerability, enabling attackers with valid credentials to gain unauthorized access to protected functionality. Users should upgrade to version 1.15.4-s.4 or later to remediate this issue.

Information Disclosure
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2026-3188 LOW Monitor

Path traversal in feiyuchuixue sz-boot-parent versions up to 1.3.2-beta allows authenticated remote attackers to read arbitrary files by manipulating the templateName parameter in the /api/admin/common/download/templates endpoint. Public exploit code exists for this vulnerability. Users should upgrade to version 1.3.3-beta or later, which implements proper path validation checks.

Path Traversal
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2026-0542 Monitor

ServiceNow has addressed a remote code execution vulnerability that was identified in the ServiceNow AI platform. This vulnerability could enable an unauthenticated user, in certain circumstances, to execute code within the ServiceNow Sandbox.

RCE
NVD
EPSS
0.3%
CVE-2026-27701 This Week

LiveCode is an open-source, client-side code playground. Prior to commit e151c64c2bd80d2d53ac1333f1df9429fe6a1a11, LiveCode's `i18n-update-pull` GitHub Actions workflow is vulnerable to JavaScript injection.

Github
NVD GitHub
EPSS
0.1%
CVE-2026-27739 PATCH This Week

The Angular SSR is a server-rise rendering tool for Angular applications. Versions prior to 21.2.0-rc.1, 21.1.5, 20.3.17, and 19.2.21 have a Server-Side Request Forgery (SSRF) vulnerability in the Angular SSR request handling pipeline. The vulnerability exists because Angular’s internal URL reconstruction logic directly trusts and consumes user-controlled HTTP headers specifically the Host and `X-Forwarded-*` family to determine the application's base origin without any validation of the dest...

Angular SSRF
NVD GitHub HeroDevs
EPSS
0.1%
CVE-2026-27738 PATCH Monitor

The Angular SSR is a server-rise rendering tool for Angular applications. An Open Redirect vulnerability exists in the internal URL processing logic in versions on the 19.x branch prior to 19.2.21, the 20.x branch prior to 20.3.17, and the 21.x branch prior to 21.1.5 and 21.2.0-rc.1. The logic normalizes URL segments by stripping leading slashes; however, it only removes a single leading slash. When an Angular SSR application is deployed behind a proxy that passes the `X-Forwarded-Prefix` hea...

Angular Open Redirect
NVD GitHub
EPSS
0.1%
CVE-2026-3206 Monitor

Improper Resource Shutdown or Release vulnerability in KrakenD, SLU KrakenD-CE (CircuitBreaker modules), KrakenD, SLU KrakenD-EE (CircuitBreaker modules). This issue affects KrakenD-CE: before 2.13.1; KrakenD-EE: before 2.12.5.

Denial Of Service
NVD
EPSS
0.0%
CVE-2026-25701 Monitor

An Insecure Temporary File vulnerability in openSUSE sdbootutil allows local users to pre-create a directory to achieve various effects like: * gain access to possible private information found in /var/lib/pcrlock.d * manipulate the data backed up in /tmp/pcrlock.d.bak, therefore violating the integrity of the data should it be restored.

Information Disclosure
NVD
EPSS
0.0%
Prev Page 5 of 5

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy