Skip to main content
CVE-2026-27969 HIGH PATCH This Week

Path traversal in Vitess backup manifest handling allows authenticated attackers with access to backup storage to write arbitrary files to any location during restore operations, potentially achieving remote code execution on production MySQL deployments. An attacker can manipulate backup manifests to extract files outside intended directories, gaining unauthorized access to sensitive data and the ability to execute arbitrary commands in the production environment. Patches are available for versions 23.0.3 and 22.0.4.

MySQL Path Traversal Vitess Suse
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-27963 MEDIUM POC PATCH This Month

Stored XSS in Audiobookshelf prior to version 2.32.0 enables privileged users to inject malicious code into library metadata that executes in other users' browsers, potentially compromising sessions and enabling data theft. Public exploit code exists for this vulnerability. A patch is available in version 2.32.0 and later.

XSS Audiobookshelf
NVD GitHub
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-26938 HIGH This Week

Kibana versions up to 9.3.0 contains a vulnerability that allows attackers to read arbitrary files from the Kibana server filesystem, and perform Server-Side (CVSS 8.6).

SSRF Code Injection Kibana
NVD
CVSS 3.1
8.6
EPSS
0.1%
CVE-2026-3071 HIGH This Week

Arbitrary code execution in Flair's LanguageModel class (versions 0.4.1 and later) allows local attackers to execute arbitrary commands by crafting malicious ML model files that exploit unsafe deserialization. Affected users loading untrusted models from external sources face complete system compromise with no patch currently available. This vulnerability impacts all AI/ML applications using Flair's model loading functionality.

Deserialization AI / ML
NVD
CVSS 3.1
8.4
EPSS
0.1%
CVE-2026-27839 MEDIUM POC PATCH This Month

Wger versions up to 2.4 allow authenticated users to access other users' private nutrition plans through insecure direct object references in the nutritional_values endpoints, exposing sensitive dietary data including caloric intake and macronutrient breakdowns. The vulnerability stems from bypassing user-scoped querysets via direct primary key lookups, and public exploit code is available.

Authentication Bypass Wger
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-27835 MEDIUM POC PATCH This Month

Wger versions up to 2.4 expose all users' repetition configuration data to any authenticated attacker due to missing authorization checks in the RepetitionsConfigViewSet and MaxRepetitionsConfigViewSet endpoints. A registered user can enumerate the complete workout structures of all other users on the platform. Public exploit code exists for this vulnerability, and a patch is available.

Authentication Bypass Wger
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-71057 HIGH This Week

Improper session management in D-Link Wireless N 300 ADSL2+ Modem Router DSL-124 ME_1.00 allows attackers to execute a session hijacking attack via spoofing the IP address of an authenticated user. [CVSS 8.2 HIGH]

D-Link Authentication Bypass
NVD GitHub
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-1779 HIGH This Week

Unauthenticated attackers can bypass authentication in the WordPress User Registration & Membership plugin (versions up to 5.1.2) due to flawed logic in the user registration function, allowing them to gain unauthorized access to newly created accounts. The vulnerability requires specific conditions but poses a high risk due to the network-accessible nature of the attack and the lack of authentication requirements. No patch is currently available for affected installations.

WordPress Authentication Bypass
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-25191 HIGH This Week

Arbitrary code execution in FinalCode Client installer (Digital Arts Inc.) results from unsafe DLL loading that allows an attacker to place a malicious library in the same directory as the installer and execute it with elevated privileges when a user runs the installation. This local attack requires user interaction to place the malicious file and execute the installer, but poses significant risk as there is currently no available patch.

Privilege Escalation RCE
NVD
CVSS 3.0
7.8
EPSS
0.0%
CVE-2026-23703 HIGH This Week

FinalCode Client installer by Digital Arts Inc. improperly configures file permissions, enabling local non-administrative users to execute arbitrary code with SYSTEM-level privileges. This privilege escalation affects all users of the affected installer versions and allows attackers to achieve complete system compromise. No patch is currently available for this vulnerability.

Privilege Escalation RCE
NVD
CVSS 3.0
7.8
EPSS
0.0%
CVE-2026-28211 HIGH This Week

Arbitrary code execution in NVDA Dev & Test Toolbox versions 2.0-8.0 through unsafe evaluation of Python expressions embedded in log files. An attacker can trick users into opening a malicious log file and reading it with the add-on's log reader commands, causing arbitrary code execution under the user's privileges without requiring elevated permissions or user interaction beyond opening the file.

Python
NVD GitHub
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-27938 HIGH This Week

Arbitrary command execution in WPGraphQL's GitHub Actions workflow allows attackers with pull request creation privileges to inject shell commands through unvalidated pull request body content, potentially compromising the build environment and repository integrity. The vulnerability affects WPGraphQL versions prior to 2.9.1 and requires low privileges and user interaction to exploit. No patch is currently available for affected deployments.

WordPress Github Command Injection
NVD GitHub
CVSS 3.1
7.7
EPSS
0.1%
CVE-2026-27970 HIGH PATCH This Week

Cross-site scripting in Angular's internationalization (i18n) pipeline allows attacker-controlled JavaScript to execute in the application origin when a poisoned translation file is merged into an app. The flaw affects Angular versions before 21.2.0, 21.1.16, 20.3.17, and 19.2.19, where HTML inside ICU (International Components for Unicode) messages from translated content was not sanitized before rendering. Exploitation is not open to arbitrary users - it requires first compromising a translation file (xliff, xtb, etc.), so this is effectively a supply-chain/third-party-translation risk; EPSS is very low (0.04%, 13th percentile) and there is no public exploit identified at time of analysis.

Angular XSS
NVD GitHub HeroDevs
CVSS 4.0
7.6
EPSS
0.0%
CVE-2025-14343 HIGH This Week

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Dokuzsoft Technology Ltd. E-Commerce Product allows Reflected XSS.This issue affects E-Commerce Product: through 10122025. [CVSS 7.6 HIGH]

XSS
NVD VulDB
CVSS 3.1
7.6
EPSS
0.0%
CVE-2026-28136 HIGH This Week

The WP SMS plugin for WordPress through version 6.9.12 contains an SQL injection vulnerability that allows high-privileged authenticated users to manipulate database queries and extract sensitive information. An attacker with administrative credentials could exploit this to read arbitrary data from the WordPress database, potentially compromising user information and site configuration. No patch is currently available for this vulnerability.

WordPress SQLi
NVD
CVSS 3.1
7.6
EPSS
0.0%
CVE-2026-22205 HIGH This Week

Spip versions up to 4.4.10 contains a vulnerability that allows attackers to access protected information (CVSS 7.5).

PHP Authentication Bypass Spip
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-28276 HIGH This Week

Unauthenticated access to uploaded files in Initiative project management platform prior to version 0.32.2 allows remote attackers to retrieve sensitive documents by directly accessing the unprotected /uploads/ directory. The vulnerability stems from missing authentication and authorization controls on file serving, enabling disclosure of confidential project data without requiring any credentials. Initiative versions 0.32.2 and later contain patches to restrict access to uploaded documents.

Authentication Bypass Information Disclosure Initiative
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-27633 HIGH PATCH This Week

TinyWeb versions prior to 2.02 are vulnerable to denial of service through memory exhaustion when unauthenticated attackers send HTTP POST requests with extremely large Content-Length headers, causing the server to allocate unbounded memory and crash. The vulnerability affects all organizations running vulnerable TinyWeb instances, and patch version 2.02 addresses it by implementing a 10MB maximum entity body size limit.

Nginx Denial Of Service Tinyweb
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-27630 HIGH PATCH This Week

TinyWeb versions prior to 2.02 lack connection limits and request timeouts, enabling unauthenticated remote attackers to trigger denial of service through Slowloris attacks by maintaining numerous concurrent connections and transmitting data at minimal rates. The vulnerability affects all systems running vulnerable TinyWeb instances, with attackers capable of exhausting server resources and rendering services unavailable. A patch is available that implements connection limits and idle timeouts to mitigate the attack vector.

Nginx Denial Of Service Tinyweb
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-27818 HIGH PATCH This Week

Improper input validation in TerriaJS-Server versions before 4.0.3 allows unauthenticated remote attackers to bypass domain allowlist restrictions and proxy requests to arbitrary domains. This vulnerability affects Node.js deployments of TerriaJS and could enable attackers to access restricted resources or perform server-side request forgery attacks. A patch is available in version 4.0.3 and later.

Node.js Terriajs Server
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-27141 HIGH PATCH This Week

Due to missing nil check, sending 0x0a-0x0f HTTP/2 frames will cause a running server to panic [CVSS 7.5 HIGH]

Denial Of Service Red Hat Suse
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-27449 HIGH PATCH This Week

Umbraco Engage versions prior to 16.2.1 and 17.1.1 expose unauthenticated API endpoints that lack access control, allowing remote attackers to retrieve sensitive data by directly querying endpoints with arbitrary identifier parameters. An attacker can enumerate records at scale without authentication or valid session credentials, potentially exposing confidential business intelligence information. No patch is currently available for affected installations.

Industrial
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-27831 HIGH This Week

Heap buffer over-read vulnerability in rldns DNS server version 1.3 allows remote attackers to trigger denial of service without authentication or user interaction. The flaw enables reading beyond allocated memory boundaries, causing the service to crash. Version 1.4 addresses this issue, though no patch is currently available for affected 1.3 deployments.

DNS Heap Overflow Denial Of Service
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-27942 HIGH PATCH This Week

Stack overflow denial of service in fast-xml-parser versions prior to 5.3.8 occurs when the XML builder is used with the preserveOrder option enabled, causing the application to crash. An attacker can trigger this vulnerability remotely by sending specially crafted XML input, resulting in service unavailability for applications using the affected library. A patch is available in version 5.3.8 and later.

Stack Overflow Denial Of Service Fast Xml Parser Red Hat
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-27888 HIGH PATCH This Week

Denial of service in pypdf prior to version 6.7.3 allows remote attackers to exhaust system memory by crafting malicious PDF files that exploit FlateDecode-compressed streams accessed through the xfa property. The vulnerability requires no authentication or user interaction and affects any application processing untrusted PDF documents with the vulnerable library. Upgrade to pypdf 6.7.3 or later to remediate.

Python Pypdf Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-26265 HIGH This Week

Discourse versions prior to 2025.12.2, 2026.1.1, and 2026.2.0 contain an insecure direct object reference (IDOR) in the directory items endpoint that allows unauthenticated attackers to retrieve private user field values for all directory users. The vulnerability stems from missing authorization checks on the user_field_ids parameter, enabling bulk exfiltration of sensitive user data that should be restricted by visibility settings. No patch is currently available for affected deployments.

Authentication Bypass Information Disclosure Discourse
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-26078 HIGH This Week

Discourse instances with an unconfigured patreon_webhook_secret allow remote attackers to forge valid webhook signatures using an empty HMAC-MD5 key, enabling arbitrary creation, modification, or deletion of Patreon pledge data and unauthorized patron synchronization. The vulnerability affects Discourse versions prior to 2025.12.2, 2026.1.1, and 2026.2.0, and currently lacks an available patch. Administrators must explicitly configure the patreon_webhook_secret setting or upgrade to patched versions to mitigate this integrity attack.

Authentication Bypass Discourse
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-28279 HIGH PATCH This Week

Remote code execution in osctrl prior to version 0.5.0 allows authenticated administrators to inject arbitrary OS commands through the hostname parameter during environment configuration, which are then executed on all endpoints enrolling via the compromised environment. The injected commands execute with root/SYSTEM privileges before osquery installation, providing complete system compromise with minimal audit trails. A patch is available in version 0.5.0 and later.

RCE Command Injection Osctrl Suse
NVD GitHub
CVSS 3.1
7.3
EPSS
0.1%
CVE-2026-28138 HIGH This Week

Stylemix uListing versions 2.2.0 and earlier contain an unsafe deserialization vulnerability that enables object injection attacks, allowing authenticated attackers with high privileges to execute arbitrary code on affected systems. With no available patch, this vulnerability presents a significant risk to organizations running vulnerable versions of the plugin. The network-accessible nature of the flaw (CVSS 7.2) means exploitation requires only valid credentials to trigger the attack.

Deserialization
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-23750 HIGH This Week

Heap-based buffer overflow in Golioth Pouch 0.1.0 (prior to commit 1b2219a1) lets an adjacent, unauthenticated BLE client corrupt device memory through the GATT server-certificate characteristic. The server_cert_write() handler sizes a heap buffer once on the first fragment but appends later fragments with memcpy() and no bounds check, so an oversized fragmented write overflows the allocation, crashing the device and potentially corrupting adjacent heap data. EPSS is negligible (0.01%, 3rd percentile) and there is no public exploit identified at time of analysis, but the flaw is remotely reachable within BLE range without credentials.

Buffer Overflow Heap Overflow
NVD GitHub VulDB
CVSS 4.0
7.2
EPSS
0.0%
CVE-2026-25741 HIGH This Week

Zulip's payment method update API endpoint in the upgrade flow lacks proper authorization checks, allowing any organization member to modify the default payment method by completing a Stripe Checkout session. This vulnerability affected Zulip Cloud users and has been patched; self-hosted deployments are not impacted and require no action.

Authentication Bypass
NVD GitHub
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-27838 LOW POC PATCH Monitor

wger is a free, open-source workout and fitness manager. Five routine detail action endpoints check a cache before calling `self.get_object()`. [CVSS 3.1 LOW]

Authentication Bypass Wger
NVD GitHub
CVSS 3.1
3.1
EPSS
0.0%
CVE-2026-27896 HIGH PATCH This Week

s standard encoding/json.Unmarshal for JSON-RPC and MCP protocol message parsing in versions up to 1.3.1. contains a security vulnerability.

Information Disclosure Mcp Go Sdk
NVD GitHub VulDB
CVSS 4.0
7.0
EPSS
0.1%
CVE-2026-23939 MEDIUM This Month

Path traversal in hexpm's Local Storage backend allows unauthenticated attackers to read sensitive files through relative path manipulation in the file storage routines. Only self-hosted hexpm deployments using Local Storage are affected; the managed hex.pm service is not vulnerable. An attacker can access arbitrary files accessible to the hexpm process without authentication or user interaction.

Path Traversal Hexpm
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.1%
CVE-2026-26935 MEDIUM This Month

Kibana's Content Connectors search endpoint fails to properly validate user input, allowing authenticated attackers to trigger a denial of service condition through crafted request data. This medium-severity vulnerability affects systems where users have login credentials and can be exploited without user interaction.

Denial Of Service Kibana
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-26077 MEDIUM This Month

Unauthenticated attackers can submit forged webhook payloads to multiple email provider integrations in Discourse versions prior to 2025.12.2, 2026.1.1, and 2026.2.0 when authentication tokens are not configured, allowing them to artificially inflate user bounce scores and disable legitimate user accounts. The vulnerability affects webhook endpoints for SendGrid, Mailjet, Mandrill, Postmark, and SparkPost, with Mailpace having no token validation whatsoever. Administrators should immediately configure webhook authentication tokens for all email provider integrations as a workaround until patching is available.

Authentication Bypass Discourse
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-26934 MEDIUM This Month

Kibana contains a vulnerability that allows attackers to an authenticated attacker with view-only privileges to cause a Denial of Service (CVSS 6.5).

Denial Of Service Kibana
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-26937 MEDIUM This Month

Kibana's Timelion component is vulnerable to denial of service through uncontrolled resource consumption when processing malicious input data, affecting authenticated users with network access to the application. An attacker with valid credentials can manipulate input to exhaust system resources and render the service unavailable. No patch is currently available for this vulnerability.

Denial Of Service Kibana
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-27465 MEDIUM PATCH This Month

Fleet versions up to 4.80.1 contains a vulnerability that allows attackers to unauthorized access to Google Calendar resources associated with the service acc (CVSS 6.5).

Privilege Escalation Fleet Suse
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-27945 MEDIUM PATCH This Month

Server-Side Request Forgery in Zitadel's Action V2 webhook feature allows unauthenticated attackers to probe internal network services and gather information about internal infrastructure by crafting malicious webhook target URLs pointing to localhost or private IP addresses. The vulnerability affects Zitadel versions 4.0.0 through 4.11.0, with schema validation providing limited mitigation. No patch is currently available.

SSRF Zitadel Suse
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-25963 MEDIUM PATCH This Month

Fleet device management software versions before 4.80.1 contain an authorization bypass in the certificate template deletion API that allows team administrators to delete certificate templates belonging to other teams. The vulnerability stems from insufficient validation of template ownership during batch deletion operations, enabling cross-team resource destruction that could disrupt certificate-dependent functions like device enrollment and VPN access. A patch is not yet available as of this CVE publication.

Privilege Escalation Fleet Suse
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-28131 MEDIUM This Month

WPVibes Elementor Addon Elements addon-elements-for-elementor-page-builder contains a security vulnerability (CVSS 6.5).

Information Disclosure
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-28083 MEDIUM This Month

Stored cross-site scripting in UX-themes Flatsome version 3.20.1 and earlier enables authenticated attackers to inject malicious scripts that execute in other users' browsers, potentially compromising session data or performing unauthorized actions. The vulnerability requires user interaction to trigger the stored payload, and no patch is currently available.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-27946 MEDIUM PATCH GHSA This Month

Zitadel versions prior to 4.11.1 and 3.4.7 permit authenticated users to bypass email and phone verification procedures through the self-management feature, allowing them to mark contact information as verified without completing actual validation. This integrity bypass enables account compromise scenarios where attackers with valid credentials can impersonate other users or escalate privileges by falsifying verified contact details. No patch is currently available for affected deployments, though implementing action rules (v2) can mitigate the risk.

Authentication Bypass Zitadel Suse
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-27149 MEDIUM This Month

SQL injection in Discourse's private message tag filtering allows authenticated users to bypass tag restrictions and read unauthorized private message metadata. Affected versions prior to 2025.12.2, 2026.1.1, and 2026.2.0 expose sensitive conversation information to users who should not have access. No patch workaround exists for unpatched installations.

SQLi Discourse
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-27954 MEDIUM This Month

Live Helper Chat is an open-source application that enables live support websites. [CVSS 6.5 MEDIUM]

PHP Privilege Escalation Live Helper Chat
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-27735 MEDIUM PATCH This Month

Model Context Protocol Servers is a collection of reference implementations for the model context protocol (MCP). In mcp-server-git versions prior to 2026.1.14, the git_add tool did not validate that file paths provided in the files argument were within the repository boundaries.

Path Traversal Model Context Protocol Servers
NVD GitHub
CVSS 4.0
6.4
EPSS
0.1%
CVE-2026-2029 MEDIUM This Month

Livemesh Addons for Beaver Builder (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-26227 MEDIUM This Month

VideoLAN VLC for Android prior to version 3.7.0 contains an authentication bypass in the Remote Access Server feature due to missing or insufficient rate limiting on one-time password (OTP) verification. The Remote Access Server uses a 4-digit OTP and does not enforce effective throttling or lockout within the OTP validity window, allowing an attacker with network reachability to the server to repeatedly attempt OTP verification until a valid user_session cookie is issued. Successful exploita...

Authentication Bypass Google
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.1%
CVE-2026-23747 MEDIUM This Month

Golioth Firmware SDK version 0.10.0 prior to 0.22.0, fixed in commit 48f521b, contain a stack-based buffer overflow in Payload Utils. The golioth_payload_as_int() and golioth_payload_as_float() helpers copy network-supplied payload data into fixed-size stack buffers using memcpy() with a length derived from payload_size. The only length checks are guarded by assert(); in release builds, the asserts are compiled out and memcpy() may copy an unbounded payload_size. Payloads larger than 12 bytes...

Buffer Overflow Stack Overflow Denial Of Service
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.1%
Prev Page 2 of 4 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy