Skip to main content
CVE-2026-29022 MEDIUM POC PATCH This Month

Heap buffer overflow in dr_libs 0.14.4 and earlier allows attackers to corrupt memory by supplying maliciously crafted WAV files to any application using drwav_init_*_with_metadata() functions. The vulnerability exploits inconsistent validation of sample loop counts between processing passes, enabling 36 bytes of attacker-controlled data to overflow heap allocations. Public exploit code exists for this vulnerability.

Buffer Overflow Heap Overflow Dr Libs
NVD GitHub VulDB
CVSS 4.0
6.8
EPSS
0.0%
CVE-2026-3484 MEDIUM POC PATCH This Month

Command injection in PhialsBasement nmap-mcp-server allows authenticated remote attackers to execute arbitrary system commands through the Nmap CLI Command Handler component due to improper input sanitization in child_process.exec. Public exploit code exists for this vulnerability, and affected users should apply the available patch to remediate the risk.

Command Injection Mcp Nmap Server
NVD GitHub VulDB
CVSS 3.1
6.3
EPSS
0.4%
CVE-2026-24415 MEDIUM POC PATCH This Month

Reflected cross-site scripting in OpenSTAManager v2.9.8 and earlier allows unauthenticated attackers to inject malicious scripts through unsanitized GET parameters in invoice/order/contract modification interfaces. Public exploit code exists for this vulnerability, affecting all users of the software. An attacker can steal session tokens, perform unauthorized actions, or compromise user browsers when victims interact with crafted malicious links.

XSS Openstamanager
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-64736 MEDIUM POC This Month

An out-of-bounds read vulnerability exists in the ABF parsing functionality of The Biosig Project libbiosig 3.9.2 and Master Branch (5462afb0). A specially crafted .abf file can lead to an information leak. [CVSS 6.1 MEDIUM]

Buffer Overflow Information Disclosure Libbiosig
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-21866 MEDIUM POC PATCH This Month

Dify versions prior to 1.11.2 contain a stored cross-site scripting vulnerability in Mermaid diagram rendering due to insecure default security configurations, allowing authenticated attackers with user interaction to inject and execute malicious scripts with cross-site impact. Public exploit code exists for this vulnerability, affecting users and developers of the Dify LLM application development platform. A patch is available in version 1.11.2 and later.

XSS AI / ML Dify
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-3351 MEDIUM POC PATCH This Month

Canonical LXD 6.6 on Linux contains an authorization bypass in the GET /1.0/certificates API endpoint that allows authenticated users with restricted privileges to enumerate all certificate fingerprints trusted by the server. Public exploit code exists for this vulnerability. While this enables information disclosure with limited impact, it could facilitate further attacks by revealing trust relationships on the system.

Linux Lxd Suse
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-14604 MEDIUM This Month

IBM Storage Scale IBM S through rage Scale 5.2.3.0 - 5.2.3.5, and IBM S through rage Scale 6.0.0.0 - 6.0.0.1 could allow a local user to unintentionally trigger additional permissions for resources in a way that allows that resource to be executed by unintended actors. [CVSS 6.6 MEDIUM]

IBM Storage Scale
NVD
CVSS 3.1
6.6
EPSS
0.0%
CVE-2026-2606 MEDIUM This Month

Improper input validation in IBM webMethods API Gateway and API Management allows authenticated attackers to read arbitrary files on the server by supplying a file:// URI to the /createapi endpoint instead of the expected https:// schema. Affected versions include webMethods API Gateway 10.11 through 11.1_Fix7 and webMethods API Management on-premises installations. No patch is currently available for this medium-severity vulnerability.

IBM Webmethods Api Gateway
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2024-55025 MEDIUM This Month

Incorrect access control in the VNC component of Weintek cMT-3072XH2 easyweb v2.1.53, OS v20231011 allows unauthorized attackers to access the HMI system. [CVSS 6.5 MEDIUM]

Authentication Bypass Easyweb Cmt 3072xh2 Firmware
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-13616 MEDIUM This Month

IBM DataStage on Cloud Pak for Data 5.1.2 through 5.3.0 returns sensitive information in an HTTP response that could be used in further attacks against the system. [CVSS 6.5 MEDIUM]

IBM Datastage On Cloud Pak For Data
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-1487 MEDIUM This Month

Calendar Booking Plugin for Appointments and Event versions up to 5.2.7 is affected by sql injection (CVSS 6.5).

WordPress SQLi
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-13688 MEDIUM This Month

IBM DataStage on Cloud Pak for Data 5.1.2 through 5.3.0 could allow an authenticated user to execute arbitrary commands with normal user privileges on the system due to improper validation of user supplied input through the wrapped command component. [CVSS 6.3 MEDIUM]

IBM Datastage On Cloud Pak For Data
NVD
CVSS 3.1
6.3
EPSS
0.0%
CVE-2025-13687 MEDIUM This Month

IBM DataStage on Cloud Pak for Data 5.1.2 through 5.3.0 could allow an authenticated user to execute arbitrary commands with normal user privileges on the system due to improper validation of user supplied input through the user-defined function component. [CVSS 6.3 MEDIUM]

IBM Datastage On Cloud Pak For Data
NVD
CVSS 3.1
6.3
EPSS
0.0%
CVE-2025-13686 MEDIUM This Month

IBM DataStage on Cloud Pak for Data 5.1.2 through 5.3.0 could allow an authenticated user to execute arbitrary commands with normal user privileges on the system due to improper validation of user supplied input through the job subroutine component. [CVSS 6.3 MEDIUM]

IBM Datastage On Cloud Pak For Data
NVD
CVSS 3.1
6.3
EPSS
0.0%
CVE-2025-36364 MEDIUM This Month

IBM DevOps Plan 3.0.0 through 3.0.5 allows web page cache to be stored locally which can be read by another user on the system. [CVSS 6.2 MEDIUM]

IBM Devops Plan
NVD
CVSS 3.1
6.2
EPSS
0.0%
CVE-2026-3343 MEDIUM This Month

Fireware OS Web UI contains a reflected XSS vulnerability that allows attackers to execute arbitrary JavaScript in authenticated administrators' browsers through crafted links, affecting versions 12.7-12.11.7 and 2025.1-2026.1.1. An attacker can leverage this to perform administrative actions or steal session credentials from targeted management users who click malicious links. No patch is currently available.

XSS Fireware
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-15599 MEDIUM PATCH This Month

DOMPurify 3.1.3 through 3.2.6 and 2.5.3 through 2.5.8 contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting missing textarea rawtext element validation in the SAFE_FOR_XML regex. [CVSS 6.1 MEDIUM]

XSS Dompurify Red Hat
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-36363 MEDIUM This Month

Devops Plan versions up to 3.0.5 is affected by improper restriction of excessive authentication attempts (CVSS 5.9).

IBM Devops Plan
NVD
CVSS 3.1
5.9
EPSS
0.1%
CVE-2025-14456 MEDIUM This Month

Mq Appliance versions up to 9.4.4.0 is affected by use of a broken or risky cryptographic algorithm (CVSS 5.9).

IBM Mq Appliance
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2025-13490 MEDIUM This Month

IBM App Connect Operator versions CD 11.3.0 through 11.6.0 and 12.1.0 through 12.20.0, LTS versions 12.0.0 through 12.0.20, and IBM App Connect Enterprise Certified Containers Operands versions CD 12.0.11.2‑r1 through 12.0.12.5‑r1 and 13.0.1.0‑r1 through 13.0.6.1‑r1, and LTS versions 12.0.12‑r1 through 12.0.12‑r20, contain a vulnerability in which the IBM App Connect Enterprise Certified Container transmits data in clear text, potentially allowing an attacker to intercept and obtain sensitive...

IBM App Connect Enterprise Certified Containers Operands App Connect Operator
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2025-47147 MEDIUM This Month

s mobile device to extract the session token and exploit access for a limited duration. This issue affects Command Centre Mobile Client versions up to 9.40.123. is affected by cleartext storage of sensitive information (CVSS 5.7).

Android
NVD
CVSS 3.1
5.7
EPSS
0.0%
CVE-2026-20801 MEDIUM This Month

in a component used in the Gallagher Hanwha VMS and Gallagher NxWitness VMS integrations allows unprivileged users with local network access to view live video streams. This issue affects all versions of Gallagher NxWitness VMS integration versions up to 9.10.017 is affected by cleartext transmission of sensitive information (CVSS 5.6).

Information Disclosure
NVD
CVSS 3.1
5.6
EPSS
0.0%
CVE-2025-62816 MEDIUM This Month

An issue was discovered in Samsung Mobile Processor Exynos 1280, 2200, 1380, 1480, 2400, 1580, and 2500. Unvalidated VS4L_VERTEXIOC_BOOTUP input leads to a denial of service. [CVSS 5.5 MEDIUM]

Samsung Denial Of Service Exynos 1580 Firmware Exynos 1380 Firmware Exynos 1280 Firmware +4
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-62815 MEDIUM This Month

An issue was discovered in Samsung Mobile Processor Exynos 1380, 1480, 2400, 1580, and 2500. A NULL pointer dereference of npu_proto_drv.ast.thread_ref in set_cpu_affinity() causes a denial of service. [CVSS 5.5 MEDIUM]

Samsung Null Pointer Dereference Denial Of Service Exynos 1580 Firmware Exynos 2500 Firmware +3
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-13734 MEDIUM This Month

Engineering Requirements Management Doors Next versions up to 7.1 is affected by missing authorization (CVSS 5.4).

IBM Engineering Requirements Management Doors Next
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-59060 MEDIUM PATCH This Month

Hostname verification bypass issue in Apache Ranger NiFiRegistryClient/NiFiClient is reported in Apache Ranger versions <= 2.7.0. Users are recommended to upgrade to version 2.8.0, which fixes this issue. [CVSS 5.3 MEDIUM]

Apache Ranger
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-1336 MEDIUM This Month

AI ChatBot with ChatGPT and Content Generator by AYS (WordPress plugin) is affected by missing authorization (CVSS 5.3).

WordPress Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-0540 MEDIUM PATCH This Month

DOMPurify versions 2.5.3-2.5.8 and 3.1.3-3.3.1 fail to sanitize attribute values within certain rawtext HTML elements (noscript, xmp, noembed, noframes, iframe), allowing attackers to inject malicious scripts that execute when sanitized content is rendered in these contexts. An attacker can exploit this by embedding JavaScript payloads in HTML attributes, bypassing DOMPurify's sanitization to achieve cross-site scripting. A patch is available in commit 729097f.

XSS Red Hat Suse
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.0%
CVE-2024-55023 MEDIUM This Month

Weintek cMT-3072XH2 easyweb v2.1.53, OS v20231011 was discovered to contain a hardcoded encryption key which could allow attackers to access sensitive information. [CVSS 5.3 MEDIUM]

Authentication Bypass Cmt 3072xh2 Firmware Easyweb
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-3494 MEDIUM PATCH This Month

MariaDB Server through version 11.8.5 fails to audit SQL statements when the server audit plugin is enabled and queries are prefixed with SQL comments (-- or #), allowing authenticated database users to execute DDL, DML, or DCL commands without logging. This bypass affects Relational Database Service, Aurora MySQL, and MariaDB deployments relying on audit logging for compliance and security monitoring. An attacker with database credentials could perform unauthorized administrative or data manipulation operations while evading audit trails.

Information Disclosure Relational Database Service Aurora Mysql MariaDB
NVD GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2025-14480 MEDIUM This Month

Aspera Faspio Gateway versions up to 1.3.6 is affected by use of a broken or risky cryptographic algorithm (CVSS 5.1).

IBM Aspera Faspio Gateway
NVD
CVSS 3.1
5.1
EPSS
0.0%
CVE-2026-27600 MEDIUM This Month

Homebox prior to 0.24.0-rc.1 allows authenticated users to trigger HTTP POST requests to arbitrary destinations through the notifier feature without host or port validation, enabling attackers to enumerate internal services by observing application behavior differences based on network responses. The vulnerability affects all users with authentication access to the notifier functionality and carries a medium risk due to its reliance on behavioral side-channels rather than direct information disclosure.

SSRF Homebox
NVD GitHub
CVSS 3.1
5.0
EPSS
0.0%
CVE-2026-1713 MEDIUM This Month

Improper use of cryptographic functions in IBM MQ versions 9.1 through 9.4 allows local attackers with user privileges to modify message integrity through user interaction. The vulnerability affects multiple LTS and CD releases across the supported product line, with no patch currently available. An attacker could manipulate messages in transit to alter their content without detection.

IBM Mq
NVD
CVSS 3.1
5.0
EPSS
0.0%
CVE-2026-3344 MEDIUM This Month

WatchGuard Fireware OS contains a filesystem integrity bypass vulnerability in versions 12.0-12.11.7, 12.5.9-12.5.16, and 2025.1-2026.1.1 that allows authenticated attackers with high privileges to deploy malicious firmware updates and establish limited persistence on affected appliances. An attacker could circumvent security checks designed to validate firmware authenticity, though currently no patch is available.

Authentication Bypass Fireware
NVD
CVSS 3.1
4.9
EPSS
0.0%
CVE-2025-14923 MEDIUM This Month

Websphere Application Server versions up to 26.0.0.2 is affected by use of hard-coded cryptographic key (CVSS 4.7).

IBM Websphere Application Server
NVD VulDB
CVSS 3.1
4.7
EPSS
0.0%
CVE-2026-26272 MEDIUM PATCH This Month

Stored XSS in Homebox prior to 0.24.0-rc.1 allows authenticated users to upload malicious HTML or SVG files containing executable JavaScript that runs in the application's security context when accessed by other users. An attacker with valid credentials can exploit improper file type validation in the attachment upload feature to execute arbitrary scripts against victims viewing the malicious files. The vulnerability has been patched in version 0.24.0-rc.1.

XSS Homebox
NVD GitHub
CVSS 3.1
4.6
EPSS
0.0%
CVE-2026-25590 MEDIUM This Month

GLPI Inventory Plugin versions prior to 1.6.6 contain a reflected cross-site scripting vulnerability in task jobs that allows authenticated attackers with high privileges to execute malicious scripts in users' browsers. An attacker can exploit this by crafting a malicious link to inject arbitrary HTML or JavaScript when a user clicks it, potentially leading to session hijacking or credential theft. No patch is currently available for affected installations.

XSS Glpi Inventory
NVD GitHub
CVSS 3.1
4.5
EPSS
0.0%
CVE-2026-1265 MEDIUM This Month

Infosphere Information Server versions up to 11.7.1.6 is affected by insertion of sensitive information into log file (CVSS 4.3).

IBM Infosphere Information Server
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2021-35483 MEDIUM This Month

Impact versions up to 19.11.2.10-20210118042150283 is affected by cross-site scripting (xss) (CVSS 4.1).

XSS Impact
NVD
CVSS 3.1
4.1
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy