Skip to main content
CVE-2025-55289 HIGH This Week

Chamilo is a learning management system. Prior to version 1.11.34, there is a stored XSS vulnerability in Chamilo LMS (Verison 1.11.32) allows an attacker to inject arbitrary JavaScript into the platform’s social network and internal messaging features. [CVSS 8.8 HIGH]

XSS Chamilo Lms
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-29089 HIGH This Week

Arbitrary code execution in TimescaleDB 2.23.0 through 2.25.1 allows local authenticated users to execute malicious functions by shadowing built-in PostgreSQL functions through user-writable schemas in the search_path setting during extension upgrades. An attacker with database access can create malicious functions in writable schemas that are invoked instead of legitimate PostgreSQL functions, resulting in code execution with database privileges. No patch is currently available for affected installations.

PostgreSQL RCE Timescaledb Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-20882 HIGH This Week

Unrestricted authentication requests in the WebSocket API enable attackers to launch denial-of-service attacks against charger telemetry systems or execute brute-force attacks to gain unauthorized access. The vulnerability affects systems relying on this API without rate-limiting controls, and no patch is currently available. An unauthenticated remote attacker can exploit this over the network with minimal complexity to disrupt service availability or compromise system access.

Authentication Bypass Mobiliti E Mobi Hu
NVD GitHub
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-27778 HIGH This Week

Denial-of-service and credential brute-forcing vulnerabilities in ePower.ie's WebSocket API allow remote unauthenticated attackers to disrupt electric vehicle charger operations or gain unauthorized system access. The API accepts unlimited authentication attempts without rate limiting (CWE-307), enabling attackers to suppress critical charger telemetry, mis-route charging station data, or systematically guess credentials. CISA ICS-CERT has published an advisory (ICSA-26-062-07) indicating industrial control system impact. EPSS score of 0.07% (21st percentile) suggests low automated exploitation probability, and no active exploitation or public POC is identified at time of analysis.

Authentication Bypass Epower Ie
NVD GitHub
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-24696 HIGH This Week

Remote denial-of-service and credential brute-force attacks against Everon's api.everon.io WebSocket interface allow unauthenticated attackers to disrupt electric vehicle charging infrastructure by overwhelming the authentication endpoint with unlimited login attempts, suppressing or mis-routing charger telemetry data, or compromising accounts through password guessing. EPSS score is low (0.06%, 20th percentile) indicating limited observed exploitation activity, though the network-accessible, zero-authentication attack vector poses clear operational risk to charging station operators relying on this API for fleet management.

Authentication Bypass Api Everon Io
NVD GitHub
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-29063 HIGH PATCH GHSA This Week

Immutable.js provides many Persistent Immutable data structures. versions up to 3.8.3 is affected by improperly controlled modification of object prototype attributes (prototype pollution).

Prototype Pollution Information Disclosure Immutable
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-29062 HIGH PATCH This Week

Uncontrolled-recursion denial of service in FasterXML jackson-core 3.0.0 through 3.0.x lets a remote attacker crash JSON-processing services by submitting a deeply nested JSON document. The UTF8DataInputJsonParser (DataInput sources) and ReaderBasedJsonParser fail to enforce the StreamReadConstraints maxNestingDepth limit (default 500), so excessive nesting drives a StackOverflowError. No public exploit identified at time of analysis and EPSS is low (0.06%), but the bug is trivially triggerable against any service that parses untrusted JSON with these parsers; fixed in 3.1.0.

Denial Of Service Jackson Core
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2025-15602 HIGH PATCH This Week

Snipe-IT versions prior to 8.3.7 contain sensitive user attributes related to account privileges that are insufficiently protected against mass assignment. An authenticated, low-privileged user can craft a malicious API request to modify restricted fields of another user account, including the Super Admin account. By changing the email address of the Super Admin and triggering a password reset,...

Information Disclosure Snipe It
NVD GitHub
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-28683 HIGH PATCH This Week

Stored XSS in Gokapi through malicious SVG file uploads enables authenticated attackers to execute arbitrary JavaScript in users' browsers via hotlinked files. An attacker with valid credentials can craft SVG payloads that persist in the application and compromise other users accessing the shared links. No patch is currently available for versions prior to 2.2.3.

XSS Gokapi Suse
NVD GitHub
CVSS 3.1
8.7
EPSS
0.0%
CVE-2026-28508 HIGH PATCH This Week

Idno prior to version 1.6.4 contains an authentication bypass in the URL unfurl API endpoint that allows unauthenticated attackers to trigger arbitrary outbound HTTP requests from the server. An attacker can exploit this to access internal network addresses and cloud metadata services, potentially exposing sensitive configuration and credentials. No patch is currently available for affected installations.

CSRF SSRF Known
NVD GitHub VulDB
CVSS 3.1
8.6
EPSS
0.2%
CVE-2026-30242 HIGH PATCH This Week

Plane is an an open-source project management tool. [CVSS 8.5 HIGH]

SSRF Plane
NVD GitHub
CVSS 3.1
8.5
EPSS
0.0%
CVE-2026-29075 HIGH PATCH This Week

Unsafe checkout of untrusted code in Mesa's benchmarks.yml GitHub Actions workflow prior to version 3.5.1 enables arbitrary code execution with elevated privileges on CI/CD runners. An attacker can exploit this by submitting malicious pull requests to execute commands in the privileged runner environment, potentially compromising the build pipeline and downstream users. A patch is available in commit c35b8cd.

Python AI / ML Mesa
NVD GitHub
CVSS 3.1
8.3
EPSS
0.1%
CVE-2026-29046 HIGH This Week

TinyWeb versions prior to 2.04 fail to properly sanitize control characters and encoded sequences (CR, LF, NUL) in HTTP request headers, allowing attackers to inject malicious values into CGI environment variables and bypass parser validation. This network-accessible vulnerability enables header injection attacks that could lead to data corruption or denial of service without requiring authentication. No patch is currently available for affected deployments.

Information Disclosure Tinyweb
NVD GitHub VulDB
CVSS 3.1
8.2
EPSS
0.2%
CVE-2026-30845 HIGH PATCH This Week

Wekan versions 8.31.0 through 8.33 expose webhook URLs and authentication tokens to all board members through unfiltered publication of integration data, allowing any user with board access—including read-only members and users on public boards—to retrieve sensitive credentials. Attackers can leverage these exposed tokens to make unauthorized requests to connected external services and trigger unintended actions. The vulnerability affects Wekan's board composite publication mechanism and has been patched in version 8.34.

Information Disclosure Wekan
NVD GitHub
CVSS 3.1
8.2
EPSS
0.1%
CVE-2026-28677 HIGH This Week

OpenSift versions prior to 1.6.3-alpha are vulnerable to server-side request forgery (SSRF) attacks through the URL ingest pipeline, which fails to properly validate credentialed URLs, non-standard ports, and cross-host redirects in non-localhost deployments. An unauthenticated remote attacker can exploit this to access internal resources and potentially exfiltrate sensitive data from the affected system. No patch is currently available for this vulnerability.

SSRF Opensift
NVD GitHub VulDB
CVSS 3.1
8.2
EPSS
0.1%
CVE-2026-30230 HIGH This Week

self-hostable file sharing platform that integrates with screenshot tools. versions up to 1.7.2 is affected by authorization bypass through user-controlled key.

Authentication Bypass Red Hat
NVD GitHub
CVSS 4.0
8.2
EPSS
0.1%
CVE-2026-30241 HIGH PATCH This Week

Mercurius versions prior to 16.8.0 fail to validate GraphQL subscription query depth limits over WebSocket connections, allowing remote attackers to bypass depth restrictions that are properly enforced for HTTP queries. An attacker can exploit this to submit arbitrarily nested subscription queries that cause denial of service through exponential data resolution on schemas with recursive types. A patch is available in version 16.8.0.

Denial Of Service Mercurius
NVD GitHub
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-29091 HIGH PATCH This Week

Remote code execution in Locutus prior to version 3.0.0 allows unauthenticated remote attackers to execute arbitrary JavaScript code through improper validation in the call_user_func_array function, which unsafely passes user-controlled callback parameters to eval(). Applications using the vulnerable versions of this JavaScript standard library implementation are at risk of complete compromise through network-based attacks. No patch is currently available for affected deployments.

RCE Code Injection Locutus
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-28681 HIGH PATCH This Week

Host header injection in Internet Routing Registry daemon (IRRd) 4.4.0-4.4.4 and 4.5.0 allows remote attackers to redirect password reset and account creation confirmation links to attacker-controlled domains, enabling account takeover of IRR database maintainer accounts. Successfully exploited accounts can modify routing policy objects (RPSL) in the IRR database. EPSS score of 0.06% (18th percentile) indicates low predicted exploitation probability. Vendor patches available in versions 4.4.5 and 4.5.1.

Open Redirect
NVD GitHub
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-29093 HIGH This Week

Memcached session storage exposure in AVideo prior to version 24.0 allows unauthenticated remote attackers to read, modify, or delete user sessions by accessing the publicly exposed memcached service on port 11211. An attacker with network access to this port can hijack admin accounts, impersonate users, or destroy all active sessions without any authentication. This affects the official Docker deployment configuration for PHP, Docker, and AVideo products.

PHP Docker Authentication Bypass Avideo
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-30844 HIGH PATCH This Week

Server-Side Request Forgery in Wekan 8.32-8.33 allows authenticated users to force the server to make arbitrary HTTP requests by supplying malicious attachment URLs during board imports from JSON data or Trello. An attacker could exploit this to access internal network services, cloud metadata endpoints, or expose sensitive credentials without any URL validation occurring on the server side.

SSRF Wekan
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2025-59541 HIGH This Week

Chamilo is a learning management system. Prior to version 1.11.34, a Cross-Site Request Forgery (CSRF) vulnerability allows an attacker to delete projects inside a course without the victim’s consent. [CVSS 8.1 HIGH]

CSRF Chamilo Lms
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-28727 HIGH This Week

Acronis Cyber Protect and Cloud Agent on macOS before specific builds contain an insecure Unix socket permissions vulnerability that allows local authenticated users to escalate privileges and gain complete system control. An attacker with local access can exploit this misconfiguration to read sensitive data, modify system files, and execute arbitrary commands with elevated rights. No patch is currently available for this HIGH severity vulnerability.

Privilege Escalation Apple
NVD
CVSS 3.0
7.8
EPSS
0.0%
CVE-2026-29178 HIGH PATCH This Week

Lemmy, a link aggregator and forum for the fediverse, is vulnerable to server-side request forgery via a dependency on activitypub_federation, a framework for ActivityPub federation in Rust. Prior to version 0.19.16, the GET /api/v4/image/{filename} endpoint is vulnerable to unauthenticated SSRF through parameter injection in the file_type query parameter. An attacker can inject arbitrary query parameters into the internal request to pict-rs, including the proxy parameter which causes pict-rs...

SSRF
NVD GitHub
CVSS 4.0
7.7
EPSS
0.1%
CVE-2026-28429 HIGH This Week

Remote unauthenticated attackers can read arbitrary files from Talishar (Flesh and Blood fan-made game) servers via path traversal in the ParseGamestate.php script's gameName parameter. The vulnerability affects all versions prior to commit 6be3871 and allows direct access to sensitive server files without authentication (CVSS 7.5, AV:N/PR:N). While EPSS exploitation probability is relatively low (0.47%, 64th percentile), the unauthenticated remote attack vector and confirmed patch availability make this a priority for exposed deployments. No active exploitation or public POC identified at time of analysis.

PHP Path Traversal
NVD GitHub
CVSS 3.1
7.5
EPSS
0.5%
CVE-2026-30846 HIGH PATCH This Week

Wekan versions 8.31.0 through 8.33 expose global webhook configurations including sensitive URLs and authentication tokens through an unauthenticated server-side publication, allowing any network-based attacker to retrieve webhook credentials without authentication. An attacker exploiting this vulnerability could hijack webhook integrations and gain unauthorized access to connected external services. The vulnerability has been patched in version 8.34.

Authentication Bypass Information Disclosure Wekan
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-29783 HIGH PATCH This Week

Arbitrary code execution in GitHub Copilot CLI versions <=0.0.422 allows attackers to bypass the agent's shell command safety classifier using bash parameter expansion operators (${var@P}, ${var=value}, ${!var}, and nested $(cmd)/<(cmd)). Attackers influencing agent inputs via prompt injection through repository files, MCP server responses, or user instructions can execute hidden commands disguised as read-only operations on the user's workstation. A detailed proof-of-concept is published in the GHSA advisory; EPSS is low (0.10%, 28th percentile) and the issue is not in CISA KEV, so no public exploit identified at time of analysis beyond the vendor-published PoC.

RCE Command Injection Copilot Command Line Interface
NVD GitHub VulDB
CVSS 4.0
7.5
EPSS
0.1%
CVE-2026-28718 HIGH This Week

Acronis Cyber Protect 17 on Linux and Windows versions prior to build 41186 is vulnerable to denial of service through improper input validation in authentication logging functions. An unauthenticated remote attacker can crash the application or render it unavailable without requiring user interaction. No patch is currently available for this vulnerability.

Linux Windows Denial Of Service Cyber Protect
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-2753 HIGH This Week

Navtor NavBox exposes an unauthenticated path traversal vulnerability in its HTTP service that allows remote attackers to read arbitrary files from the server by submitting requests with absolute filesystem paths. Successful exploitation enables unauthorized disclosure of sensitive configuration files and system information, limited only by the service process privileges. No patch is currently available.

Path Traversal Navbox Firmware
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-25679 HIGH PATCH This Week

Denial of service in Go's net/url package allows remote unauthenticated attackers to crash applications via malformed URLs with invalid host/authority components. The url.Parse function fails to properly validate authority sections, enabling resource exhaustion attacks against any Go application parsing untrusted URLs. EPSS score of 0.07% (22nd percentile) suggests low probability of widespread exploitation despite the network attack vector. Vendor patch available with multiple Red Hat security advisories issued.

Information Disclosure Go
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-70363 HIGH This Week

Incorrect access control in the REST API of Ibexa & Ciril GROUP eZ Platform / Ciril Platform 2.x allows unauthenticated attackers to access sensitive data via enumerating object IDs. [CVSS 7.5 HIGH]

Authentication Bypass Information Disclosure Ez Platform
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-2754 HIGH This Week

Navtor NavBox devices allow unauthenticated remote attackers to retrieve sensitive operational data including ECDIS information, device identifiers, and service logs by sending HTTP requests to the unprotected API on port 8080. An attacker with network access can obtain this configuration and system information without any credentials, potentially facilitating further attacks against maritime navigation systems. No patch is currently available for this vulnerability.

Authentication Bypass Navbox Firmware
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-29068 HIGH PATCH This Week

PJSIP versions prior to 2.17 are vulnerable to a stack buffer overflow in the RTP payload parsing mechanism when processing more frames than allocated buffers can accommodate, enabling remote denial of service attacks over the network without authentication. An attacker can trigger a crash by sending specially crafted RTP packets containing excessive frame data, causing the application to become unavailable.

Buffer Overflow Pjsip Red Hat
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-28799 HIGH PATCH This Week

PJSIP versions prior to 2.17 contain a heap use-after-free vulnerability in the event subscription framework that can be triggered through presence unsubscription requests, allowing remote attackers without authentication to cause denial of service. The vulnerability resides in the evsub.c component and is exploitable over the network with no user interaction required. A patch is available in version 2.17 and later.

Use After Free Pjsip Red Hat
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-29087 HIGH PATCH This Week

@hono/node-server versions prior to 1.19.10 contain an authorization bypass in static file serving due to inconsistent URL decoding between routing middleware and file resolution logic. An unauthenticated remote attacker can bypass route-based access controls by crafting requests with encoded slashes (%2F) to access protected static resources that should be restricted by middleware. Organizations running affected versions should upgrade immediately as no workaround is available.

Node.js Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-3589 HIGH This Week

WooCommerce plugin versions 5.4.0 through 10.5.2 fail to properly validate batch requests, enabling unauthenticated attackers to execute administrative actions through CSRF attacks, including creation of arbitrary admin accounts. The vulnerability affects all WordPress installations running vulnerable WooCommerce versions and requires user interaction to exploit. No patch is currently available.

WordPress CSRF
NVD WPScan
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-27137 HIGH PATCH This Week

X.509 certificate chain validation in Go 1.26.0 improperly enforces email address constraints when multiple constraints share local parts but differ in domain parts, causing all but the last constraint to be ignored. This CWE-295 (Improper Certificate Validation) flaw allows attackers to bypass intended certificate usage restrictions through specially crafted certificate chains, potentially enabling unauthorized access to services relying on Go's TLS implementation for email-based certificate validation. EPSS score of 0.03% (9th percentile) indicates low predicted exploitation likelihood, and no active exploitation or public exploit code has been identified at time of analysis.

Information Disclosure Go
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-30244 HIGH This Week

Unauthenticated attackers can enumerate workspace members and harvest sensitive information including email addresses, user roles, and internal identifiers from Plane prior to version 1.2.2 due to misconfigured Django REST Framework permissions. The vulnerability requires no authentication or user interaction and allows remote attackers to directly access protected endpoints over the network. No patch is currently available for affected Golang and Django deployments.

Golang Django Plane
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-69654 HIGH This Week

A crafted JavaScript input executed with the QuickJS release 2025-09-13, fixed in commit fcd33c1afa7b3028531f53cd1190a3877454f6b3 (2025-12-11),`qjs` interpreter using the `-m` option and a low memory limit can cause an out-of-memory condition followed by an assertion failure in JS_FreeRuntime (list_empty(&rt->gc_obj_list)) during runtime cleanup. [CVSS 7.5 HIGH]

Denial Of Service Quickjs
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-28722 HIGH This Week

Improper symbolic link handling in Acronis Cyber Protect 17 for Windows (before build 41186) enables local attackers with limited privileges to escalate to system-level access through a race condition. An authenticated user can exploit this vulnerability to gain full control over the affected system, including reading sensitive data and modifying system configurations. No patch is currently available for this high-severity flaw.

Windows Privilege Escalation Cyber Protect
NVD
CVSS 3.0
7.3
EPSS
0.0%
CVE-2026-28721 HIGH This Week

Acronis Cyber Protect 17 for Windows before build 41186 allows local attackers with standard user privileges to escalate to system-level access through improper handling of symbolic links. An authenticated attacker can exploit this vulnerability to gain full control over the affected system, including the ability to read, modify, or delete sensitive data and execute arbitrary code. No patch is currently available for this vulnerability.

Windows Privilege Escalation Cyber Protect
NVD
CVSS 3.0
7.3
EPSS
0.0%
CVE-2025-11792 HIGH This Week

Local privilege escalation due to DLL hijacking vulnerability. The following products are affected: Acronis Cyber Protect Cloud Agent (Windows) before build 41124. [CVSS 7.3 HIGH]

Privilege Escalation Agent Windows
NVD
CVSS 3.0
7.3
EPSS
0.0%
CVE-2026-28507 HIGH PATCH This Week

Unauthenticated attackers can achieve remote code execution in Idno social publishing platform versions before 1.6.4 by exploiting a chain of import file write and template path traversal vulnerabilities. An attacker with high privileges can leverage command injection to execute arbitrary code on affected systems. A patch is available in version 1.6.4 and should be applied immediately as this vulnerability carries a 7.2 CVSS score.

RCE Path Traversal Command Injection Known
NVD GitHub VulDB
CVSS 3.1
7.2
EPSS
0.5%
CVE-2026-29182 HIGH PATCH This Week

Parse Server's readOnlyMasterKey incorrectly permits write operations on Cloud Hooks and Cloud Jobs despite being documented to deny mutations, allowing authenticated attackers with knowledge of the key to create, modify, and delete hooks or trigger jobs for potential data exfiltration. This vulnerability affects all Parse Server deployments using the readOnlyMasterKey option and has been patched in versions 8.6.4 and 9.4.1-alpha.3.

Node.js Parse Server
NVD GitHub
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-30229 HIGH PATCH This Week

Improper authorization in Parse Server versions prior to 8.6.6 and 9.5.0-alpha.4 allows read-only master key holders to bypass access controls via the /loginAs endpoint and obtain valid session tokens for arbitrary users. An attacker with readOnlyMasterKey credentials can impersonate any user and gain full read and write access to their data. All Parse Server deployments utilizing readOnlyMasterKey functionality are affected, and no patch is currently available.

Node.js Parse Server
NVD GitHub
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-28713 HIGH This Week

Acronis Cyber Protect and Agent virtual appliances on VMware contain hardcoded default credentials for local privileged accounts, allowing attackers with network access and user interaction to gain high-level system access and potentially modify or disrupt backup operations. The vulnerability affects Cyber Protect Cloud Agent (VMware) before build 36943 and Cyber Protect 17 (VMware) before build 41186, with no patch currently available. An attacker exploiting this could achieve privilege escalation and lateral movement within virtualized environments.

Information Disclosure Cyber Protect Agent
NVD
CVSS 3.0
7.1
EPSS
0.0%
CVE-2025-11791 HIGH This Week

Sensitive information disclosure and manipulation due to insufficient authorization checks. The following products are affected: Acronis Cyber Protect 17 (Linux, macOS, Windows) before build 41186, Acronis Cyber Protect Cloud Agent (Linux, macOS, Windows) before build 41124. [CVSS 5.5 MEDIUM]

Information Disclosure Authentication Bypass Cyber Protect Agent Windows +1
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
Prev Page 2 of 2

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy