Skip to main content
CVE-2026-23748 MEDIUM This Month

Golioth Firmware SDK version 0.10.0 prior to 0.22.0, fixed in commit d7f55b38, contain an out-of-bounds read in LightDB State string parsing. When processing a string payload, a payload_size value less than 2 can cause a size_t underflow when computing the number of bytes to copy (nbytes). The subsequent memcpy() reads past the end of the network buffer, which can crash the device. The condition is reachable from on_payload, and golioth_payload_is_null() does not block payload_size==1. A mali...

Denial Of Service Buffer Overflow Integer Overflow
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.0%
CVE-2026-2506 MEDIUM This Month

Stored cross-site scripting in the EM Cost Calculator WordPress plugin up to version 2.3.1 allows unauthenticated attackers to inject malicious scripts through the customer name field, which execute when administrators access the customer list. An attacker can exploit this to steal admin credentials or perform unauthorized actions within the WordPress environment. No patch is currently available for this vulnerability.

WordPress XSS
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-3264 LOW POC Monitor

Unauthenticated attackers can manipulate the Administrative Interface in Free CRM to achieve code execution following a redirect attack. The vulnerability affects Free CRM up to commit b83c40a and requires only network access and low privileges, with public exploit code already available. No patch is currently available, and the vendor has not responded to disclosure attempts.

Information Disclosure Free Crm
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2026-3262 LOW POC Monitor

Asp.Net-Core-Inventory-Order-Management-System versions up to 9.20250118. contains a security vulnerability (CVSS 6.3).

Information Disclosure Asp Net Core Inventory Order Management System
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2026-3265 LOW POC Monitor

Improper authorization in Free CRM's Security API endpoint allows authenticated remote attackers to bypass access controls and gain unauthorized access to sensitive data or functionality. The vulnerability affects an unknown component within /api/Security/ and has public exploit code available, though no patch is currently available from the vendor. Free CRM's rolling release model prevents specific version tracking, and the vendor has not responded to disclosure attempts.

Information Disclosure Free Crm
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-3268 LOW POC Monitor

Improper access controls in PSI Probe up to version 5.3.0 allow authenticated remote attackers to manipulate session attributes through the RemoveSessAttributeController, enabling unauthorized modifications to application state. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early notification.

Java Information Disclosure
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-2680 MEDIUM This Month

A3factura's sales delivery notes endpoint is vulnerable to reflected XSS through the customerVATNumber parameter, enabling attackers to execute arbitrary JavaScript in users' browsers via malicious links. The vulnerability requires user interaction and affects the confidentiality and integrity of victim sessions, with no patch currently available. The attack has low complexity and can impact multiple users if the vulnerable parameter is exploited in phishing or watering hole scenarios.

XSS A3factura
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-2679 MEDIUM This Month

A3factura's sales invoice endpoint is vulnerable to reflected XSS through the customerName parameter, enabling attackers to execute arbitrary JavaScript in users' browsers via a crafted link. This requires user interaction to trigger but affects all A3factura users on the vulnerable platform. No patch is currently available.

XSS A3factura
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-2678 MEDIUM This Month

Reflected XSS in the A3factura customer management interface allows unauthenticated attackers to inject malicious scripts through the name parameter, potentially enabling session hijacking or credential theft when victims click a crafted link. The vulnerability requires user interaction and affects the web application at wolterskluwer.es, with no patch currently available.

XSS A3factura
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-2677 MEDIUM This Month

A3factura's representatives management endpoint contains a reflected XSS vulnerability in the 'name' parameter that enables attackers to inject and execute arbitrary JavaScript in users' browsers through a crafted URL. An attacker can exploit this via social engineering to steal session tokens, manipulate account data, or perform unauthorized actions on behalf of the victim. Currently no patch is available for this medium-severity vulnerability affecting the Wolters Kluwer A3factura platform.

XSS A3factura
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-27901 MEDIUM PATCH This Month

Svelte versions prior to 5.53.5 fail to properly escape text bindings on contenteditable elements, allowing attackers to inject malicious HTML and execute arbitrary scripts when the application renders untrusted data as initial binding values during server-side rendering. This affects applications that use `bind:innerText` or `bind:textContent` with user-controlled input. A patch is available in version 5.53.5.

XSS Svelte Red Hat
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-27154 MEDIUM This Month

Stored cross-site scripting in Discourse allows attackers to inject malicious HTML through user full names when specific display settings are enabled, which executes in the browsers of users viewing or editing affected posts. The vulnerability requires the `display_name_on_posts` setting to be true and `prioritize_username_in_ux` to be false, potentially affecting installations with these configurations. No patch is currently available, and users should disable the vulnerable display settings or upgrade to patched versions 2025.12.2, 2026.1.1, or 2026.2.0.

XSS Discourse
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-28280 MEDIUM PATCH This Month

Stored XSS in osctrl-admin prior to version 0.5.0 allows low-privileged users with query permissions to inject malicious JavaScript into the on-demand query list, affecting all users who view the page. An attacker can exploit this vulnerability to steal CSRF tokens and impersonate other users, potentially compromising the entire platform if an administrator is compromised. A patch is available in version 0.5.0.

XSS CSRF Osctrl Suse
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-22722 MEDIUM This Month

Null pointer dereference in Windows allows authenticated local users to cause a denial of service condition with potential system instability. An attacker with valid user credentials can trigger this memory safety issue to crash affected processes or degrade system availability. No patch is currently available for this vulnerability.

Windows Null Pointer Dereference
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-28269 MEDIUM This Month

Kiteworks versions prior to 9.2.0 suffer from a command injection vulnerability that permits authenticated users to redirect command output to arbitrary file locations, potentially enabling overwriting of critical system files and privilege escalation. The vulnerability requires high privileges and manual user interaction to exploit, resulting in a medium severity rating with limited real-world exploitation likelihood (EPSS 0.1%). No patch is currently available for affected installations.

Command Injection Kiteworks
NVD GitHub
CVSS 3.1
5.9
EPSS
0.1%
CVE-2026-22715 MEDIUM This Month

VMWare Workstation and Fusion contain a logic flaw in the management of network packets. Known attack vectors: A malicious actor with administrative privileges on a Guest VM may be able to interrupt or intercept network connections of other Guest VM's. [CVSS 5.9 MEDIUM]

VMware
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-28230 MEDIUM PATCH This Month

SteVe is an open-source EV charging station management system. [CVSS 6.3 MEDIUM]

Authentication Bypass Steve
NVD GitHub
CVSS 4.0
5.7
EPSS
0.0%
CVE-2026-26932 MEDIUM This Month

Packetbeat's PostgreSQL protocol parser improperly validates array indices, allowing authenticated attackers on the same network to crash the monitoring service by sending malicious packets. An attacker exploiting this denial-of-service vulnerability can terminate the Packetbeat process, disrupting monitoring capabilities on systems with PostgreSQL protocol monitoring enabled. No patch is currently available.

Golang PostgreSQL Denial Of Service Packetbeat
NVD
CVSS 3.1
5.7
EPSS
0.0%
CVE-2026-23999 MEDIUM PATCH This Month

Fleet's device lock and wipe PIN generation relies on predictable timestamps without additional entropy, allowing attackers with physical access to a locked device and knowledge of the approximate lock time to brute-force the 6-digit PIN within a limited search window. This vulnerability affects Fleet versions prior to 4.80.1 and requires local access and timing knowledge to exploit. No patch is currently available.

Authentication Bypass Fleet Suse
NVD GitHub
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-27948 MEDIUM PATCH This Month

Reflected XSS in Copyparty before version 1.20.9 allows unauthenticated attackers to inject malicious scripts through the setck URL parameter, potentially enabling session hijacking or credential theft from affected users. The vulnerability requires user interaction to click a crafted link but can be exploited remotely without authentication. A patch is available in version 1.20.9 and later.

XSS Copyparty
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-27902 MEDIUM PATCH This Month

Improper output encoding in Svelte versions prior to 5.53.5 allows attackers to inject malicious HTML and execute arbitrary JavaScript in user browsers through unescaped error messages returned by the transformError function. An attacker who can control error content can exploit this XSS vulnerability to compromise application security and user data. A patch is available in version 5.53.5 and later.

XSS Svelte Red Hat
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-26207 MEDIUM This Month

The discourse-policy plugin in Discourse prior to versions 2025.12.2, 2026.1.1, and 2026.2.0 fails to verify user permissions when processing policy actions, allowing authenticated users to accept or reject policies on posts they cannot access in private categories or private messages. Attackers can exploit this authorization bypass to manipulate policies on restricted content and enumerate post IDs with policies through error message differences. The vulnerability requires authentication but affects the confidentiality and integrity of policy-protected discussions.

Information Disclosure Discourse
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-64999 MEDIUM This Month

Improper neutralization of input in Checkmk versions 2.4.0 before 2.4.0p22, and 2.3.0 before 2.3.0p43 allows an attacker that can manipulate a host's check output to inject malicious JavaScript into the Synthetic Monitoring HTML logs, which can then be accessed via a crafted phishing link. [CVSS 5.4 MEDIUM]

XSS Checkmk
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-28218 MEDIUM This Month

The Data Explorer plugin in Discourse prior to versions 2025.12.2, 2026.1.1, and 2026.2.0 fails to properly enforce access controls, allowing any authenticated user to execute arbitrary SQL queries against unprotected queries, including system-level queries. This affects all installations with the Data Explorer plugin enabled and permits authenticated attackers to access or modify sensitive data without proper authorization. No patch is currently available, though administrators can mitigate the issue by explicitly setting group permissions on queries or disabling the plugin.

Authentication Bypass Discourse
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-56605 MEDIUM This Month

A reflected Cross-Site Scripting (XSS) vulnerability exists in the register.php backend script of PuneethReddyHC Event Management System 1.0. [CVSS 5.4 MEDIUM]

PHP XSS
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-1695 MEDIUM This Month

Cross-site scripting (XSS) in PcVue's OAuth error page (versions 12.0.0-16.3.3) allows remote attackers to inject malicious scripts by tricking users into authenticating with a crafted client ID, potentially compromising the WebVue, WebScheduler, TouchVue, and SnapVue components. An attacker can exploit this to steal session tokens or perform actions on behalf of affected users. No patch is currently available.

XSS Pcvue
NVD
CVSS 4.0
5.3
EPSS
0.3%
CVE-2026-1698 MEDIUM This Month

PcVue versions 15.0.0 through 16.3.3 are vulnerable to HTTP Host header injection in the WebClient and WebScheduler authentication endpoints, allowing unauthenticated remote attackers to manipulate server behavior and potentially conduct phishing or cache poisoning attacks. The vulnerability affects the /Authentication/ExternalLogin, /Authentication/AuthorizationCodeCallback, and /Authentication/Logout endpoints, with the ability to inject malicious payloads that could lead to information disclosure or data modification. Currently no patch is available for this medium-severity issue.

Code Injection Pcvue
NVD
CVSS 4.0
5.3
EPSS
0.3%
CVE-2026-1693 MEDIUM This Month

PcVue versions 12.0.0 through 16.3.3 use the deprecated OAuth Resource Owner Password Credentials flow in their web services, enabling remote attackers to steal user credentials without authentication or user interaction. The vulnerability affects WebVue, WebScheduler, TouchVue, and Snapvue components and carries a high severity rating with no patch currently available.

Information Disclosure Pcvue
NVD
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-24004 MEDIUM PATCH This Month

Fleet's Android MDM Pub/Sub endpoint fails to authenticate requests prior to version 4.80.1, allowing unauthenticated attackers to remotely trigger device unenrollment and remove Android devices from management. The vulnerability has limited impact, affecting only device management continuity without providing access to Fleet itself or device data. Organizations running vulnerable versions should upgrade immediately or disable Android MDM until patching is possible.

Android Fleet Suse
NVD GitHub
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-1692 MEDIUM This Month

PcVue versions 12.0.0 through 16.3.3 lack origin validation on WebSocket connections in the GraphicalData service, enabling cross-site WebSocket hijacking attacks against authenticated users. An attacker can trick a logged-in user into visiting a malicious site to compromise the confidentiality and integrity of their PcVue session. No patch is currently available for this medium-severity vulnerability.

Information Disclosure Pcvue
NVD
CVSS 4.0
5.3
EPSS
0.1%
CVE-2026-28132 MEDIUM This Month

The WooCommerce Photo Reviews plugin for WordPress versions up to 1.4.4 fails to properly sanitize user input in HTML contexts, enabling attackers to inject malicious scripts that execute in victims' browsers. This stored cross-site scripting vulnerability allows unauthenticated attackers to deface content or steal sensitive information from site visitors. No patch is currently available for this vulnerability.

WordPress XSS
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-27021 MEDIUM This Month

The Discourse poll plugin voters endpoint fails to validate post visibility permissions, enabling unauthenticated attackers to enumerate poll voter details across any post in affected instances. This information disclosure affects Discourse versions prior to 2025.12.2, 2026.1.1, and 2026.2.0, with no workaround available until patching. No patch is currently available for earlier versions.

Authentication Bypass Discourse
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-2356 MEDIUM This Month

Unauthenticated attackers can delete arbitrary user accounts on WordPress sites running the User Registration & Membership plugin through version 5.1.2 due to insufficient validation of the member_id parameter in the register_member function. This IDOR vulnerability specifically targets newly registered accounts marked with the urm_user_just_created meta flag. No patch is currently available.

WordPress
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-27884 MEDIUM This Month

NetExec's spider_plus module prior to version 1.5.1 fails to sanitize path traversal characters in SMB share filenames, allowing remote attackers to write or overwrite arbitrary files on Linux systems when the DOWNLOAD feature is enabled. The vulnerability requires user interaction to trigger the malicious SMB share crawl and currently has no available patch. Organizations using NetExec should disable the DOWNLOAD=true option as a temporary mitigation.

Linux Path Traversal
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-1697 MEDIUM This Month

PcVue versions 12.0.0 through 16.3.3 lack Secure and SameSite cookie attributes in the GraphicalData web services and WebClient application, enabling attackers to intercept session cookies over unencrypted connections and perform cross-site request forgery attacks. This vulnerability affects organizations using the affected PcVue versions and could allow unauthorized actions on behalf of authenticated users. No patch is currently available for this medium-severity issue.

Information Disclosure Pcvue
NVD
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-27900 MEDIUM PATCH This Month

The Terraform Provider for Linode prior to version 3.9.0 exposes sensitive credentials including passwords and API tokens in debug logs when debug logging is explicitly enabled. Authenticated attackers with access to these logs through CI/CD pipelines, log aggregation systems, or shared debug output can extract exposed secrets. This vulnerability requires an authenticated user and debug logging activation, making it exploitable primarily in environments where logging is intentionally enabled for troubleshooting.

Information Disclosure Linode Provider Suse
NVD GitHub
CVSS 3.1
5.0
EPSS
0.0%
CVE-2026-26936 MEDIUM This Month

Kibana's AI Inference Anonymization Engine contains a ReDoS (Regular Expression Denial of Service) vulnerability that allows authenticated high-privilege users to crash the service through maliciously crafted input. An attacker with administrative credentials can trigger exponential regex backtracking to render the system unavailable, though no patch is currently available.

Denial Of Service AI / ML Kibana
NVD
CVSS 3.1
4.9
EPSS
0.1%
CVE-2026-22728 MEDIUM PATCH This Month

Bitnami Sealed Secrets improperly validates user-supplied annotations during secret rotation, allowing authenticated attackers to escalate secret scope from namespace-wide or strict constraints to cluster-wide. An attacker can inject a malicious annotation into the rotation request to obtain a rotated secret accessible across any namespace, potentially enabling lateral movement and unauthorized access to sensitive credentials throughout the cluster.

Authentication Bypass Suse
NVD GitHub
CVSS 3.1
4.9
EPSS
0.1%
CVE-2026-27162 MEDIUM This Month

Discourse's posts_nearby function fails to properly filter whispered posts based on user permissions, allowing authenticated users with high privileges to view confidential whispers intended only for specific recipients. The vulnerability stems from inadequate post-type filtering that bypasses guardian-based access controls. No patch is currently available for affected versions prior to 2025.12.2, 2026.1.1, and 2026.2.0.

Information Disclosure Discourse
NVD GitHub
CVSS 3.1
4.9
EPSS
0.0%
CVE-2026-27974 MEDIUM PATCH This Month

Audiobookshelf Mobile App versions up to 0.12.0 is affected by cross-site scripting (xss) (CVSS 4.8).

XSS Audiobookshelf Mobile App
NVD GitHub
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-2489 MEDIUM This Month

The TP2WP Importer plugin for WordPress contains a stored cross-site scripting vulnerability in the attachment importer settings that allows authenticated administrators to inject malicious scripts through the 'Watched domains' textarea due to inadequate input sanitization and output escaping. When other users access the affected settings page, the injected scripts execute in their browsers, potentially allowing administrators to perform unauthorized actions or steal sensitive data. The vulnerability affects all versions up to and including 1.1 with no patch currently available.

WordPress XSS
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-2498 MEDIUM This Month

Stored XSS in WP Social Meta plugin through 1.0.1 allows authenticated administrators to inject malicious scripts into WordPress admin settings that execute for all users viewing affected pages, impacting multi-site installations and configurations with disabled unfiltered_html. The vulnerability requires high administrative privileges and complex exploitation conditions, making practical attacks unlikely despite network accessibility.

WordPress XSS
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-2499 MEDIUM This Month

Stored XSS in the WordPress Custom Logo plugin through version 2.2 allows authenticated administrators to inject malicious scripts into admin settings that execute for other users. This affects multi-site WordPress installations and single-site setups where unfiltered_html is disabled, requiring high-privilege attacker access but enabling persistent script injection across affected pages.

WordPress Golang XSS
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-28219 MEDIUM This Month

Discourse versions prior to 2025.12.2, 2026.1.1, and 2026.2.0 contain an authorization bypass that allows authenticated users to escalate ordinary topics to site-wide notices or banners by manipulating request parameters, circumventing administrative controls. This vulnerability affects any Discourse instance where regular users should not have the ability to create global announcements. No patch is currently available, and administrators should review recent banner and notice changes for unauthorized modifications until updating.

Code Injection Discourse
NVD GitHub
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-28296 MEDIUM PATCH This Month

FTP command injection in GVfs backend allows remote attackers to execute arbitrary FTP commands by embedding CRLF sequences in crafted file paths, potentially leading to unauthorized access or code execution. The vulnerability requires user interaction and affects systems utilizing the FTP GVfs backend for file operations. A patch is available to remediate this input validation weakness.

RCE Red Hat Suse
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-26973 MEDIUM This Month

Insecure Direct Object References in Discourse ReviewableNotesController allow category moderation group members to create or delete notes on any reviewable in the system regardless of moderation scope when category group moderation is enabled. This authorization bypass affects Discourse versions prior to 2025.12.2, 2026.1.1, and 2026.2.0, enabling users to manipulate moderation records outside their assigned categories. No patch is currently available.

Authentication Bypass Discourse
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-28295 MEDIUM PATCH This Month

GVfs FTP backend clients blindly trust server-provided IP addresses and ports during passive mode connections, enabling malicious FTP servers to conduct network reconnaissance and probe for open ports from the client's network perspective. The vulnerability requires user interaction but poses a confidentiality risk to network topology information. A patch is available to address this trust validation issue.

SSRF Red Hat Suse
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-27457 MEDIUM PATCH This Month

Weblate versions prior to 5.16.1 fail to properly restrict API access to addon data, allowing authenticated users to enumerate and access all addons across every project and component in the system. An attacker with valid credentials can query the REST API endpoints to retrieve sensitive addon information that should be scoped to their assigned permissions. This information disclosure vulnerability is fixed in version 5.16.1.

Information Disclosure Weblate Suse
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-27968 MEDIUM PATCH This Month

Packistry versions prior to 0.13.0 fail to validate token expiration in the RepositoryAwareController::authorize() function, allowing attackers with expired deploy tokens to maintain unauthorized access to repository endpoints and package metadata. An authenticated attacker can leverage an expired token with valid abilities to interact with Composer APIs and potentially download or access sensitive package information. This vulnerability affects self-hosted Packistry deployments and has been patched in version 0.13.0.

PHP Packistry
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-27840 MEDIUM PATCH This Month

Zitadel versions 2.31.0 through 3.4.6 and 4.10.x accept truncated opaque OIDC access tokens as valid when shortened to 80 characters, allowing attackers to bypass token validation and gain unauthorized access to protected resources. This affects deployments using the v2 token format where the symmetric encryption scheme fails to properly validate token length, enabling token forgery or reuse attacks.

Information Disclosure Zitadel Suse
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
Prev Page 3 of 4 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy