Skip to main content
CVE-2026-28428 MEDIUM This Month

Talishar is a fan-made Flesh and Blood project. [CVSS 5.3 MEDIUM]

Authentication Bypass Talishar
NVD GitHub
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-30833 MEDIUM This Month

Unauthenticated NoSQL injection in Rocket.Chat's authentication service allows attackers to manipulate MongoDB queries by injecting operator expressions into username fields, potentially bypassing login controls and accessing unintended user accounts. The vulnerability affects versions prior to 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0, with no patch currently available for affected deployments.

Code Injection Rocket.Chat
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-29790 MEDIUM PATCH This Month

Path traversal in dbt-common's tarball extraction function allows attackers to write files outside the intended destination directory by exploiting improper path validation in the safe_extract() method. An attacker can craft a malicious tarball to place files in sibling directories, potentially compromising systems using affected versions of dbt-common in dbt-core and adapter implementations. No patch is currently available for this vulnerability.

Path Traversal Dbt Common
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-3419 MEDIUM PATCH This Month

Fastify improperly validates Content-Type headers by accepting RFC 9110-violating malformed values with trailing characters, allowing attackers to bypass content-type restrictions and route requests to unintended parsers. When regex-based content-type parsing is enabled, requests with invalid Content-Type headers such as "application/json garbage" are processed normally instead of being rejected, potentially enabling request misrouting and manipulation of parser behavior. No patch is currently available for this medium-severity vulnerability affecting Fastify applications.

Authentication Bypass Fastify Red Hat
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-28804 MEDIUM PATCH This Month

pypdf versions prior to 6.7.5 are vulnerable to denial-of-service attacks where specially crafted PDF files with ASCIIHexDecode filtered streams can cause excessive processing time and application hang. An unauthenticated attacker can exploit this by providing a malicious PDF that consumes significant computational resources when processed. A patch is available in version 6.7.5 and later.

Python Pypdf Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-28675 MEDIUM This Month

OpenShift versions prior to 1.6.3-alpha leak sensitive information through multiple vectors, including raw exception strings in API responses and authentication tokens exposed in UI rendering and token rotation endpoints. An unauthenticated remote attacker can obtain this information over the network to compromise user sessions or gain insight into application internals. No patch is currently available for affected deployments.

Information Disclosure Opensift
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-2752 MEDIUM This Month

The /api/ais-data endpoint in Navtor NavBox leaks sensitive information through unhandled exception error messages, allowing unauthenticated remote attackers to obtain verbose .NET stack traces containing internal class names, method calls, and library dependencies. This information disclosure (CWE-209) enables attackers to map the application's internal structure and identify potential attack vectors. No patch is currently available for this medium-severity vulnerability affecting .NET implementations.

Information Disclosure Navbox Firmware
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-2589 MEDIUM This Month

animation and page builder block versions up to 12.8.3 is affected by information exposure (CVSS 5.3).

WordPress Information Disclosure Google
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-30835 MEDIUM PATCH This Month

Parse Server versions prior to 8.6.7 and 9.5.0-alpha.6 expose sensitive database information through unfiltered error responses when processing malformed regex queries. An unauthenticated attacker can craft specially crafted query parameters to leak database internals including error messages, cluster details, and topology information. Patches are available for affected versions.

Node.js Parse Server
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-23925 MEDIUM PATCH This Month

An authenticated Zabbix user (User role) with template/host write permissions is able to create objects via the configuration.import API. This can lead to confidentiality loss by creating unauthorized hosts.

Authentication Bypass Zabbix Red Hat Suse
NVD VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-1468 MEDIUM This Month

QuickCMS is vulnerable to Cross-Site Request Forgery across multiple endpoints. An attacker can craft special website, which when visited by the victim, will automatically send a POST request with victim's privileges.

CSRF
NVD
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-29060 MEDIUM PATCH This Month

Privilege escalation in Gokapi prior to version 2.2.3 allows authenticated users to generate API keys with elevated permissions for file request management, despite lacking those privileges themselves. This affects deployments where no administrative users have access to the upload menu, enabling unauthorized users to create or modify file requests. No patch is currently available.

Authentication Bypass Gokapi Suse
NVD GitHub
CVSS 3.1
5.0
EPSS
0.0%
CVE-2025-69644 MEDIUM PATCH This Month

An issue was discovered in Binutils before 2.46. The objdump contains a denial-of-service vulnerability when processing a crafted binary with malformed debug information. [CVSS 5.0 MEDIUM]

Denial Of Service Binutils Red Hat Suse
NVD
CVSS 3.1
5.0
EPSS
0.0%
CVE-2026-28717 MEDIUM This Month

Improper directory permissions in Acronis Cyber Protect 17 for Windows (before build 41186) allow local authenticated users to escalate privileges through a user-interaction-dependent attack vector. An attacker with local access could modify files or settings to gain elevated system permissions. No patch is currently available for this vulnerability.

Windows Privilege Escalation Cyber Protect
NVD
CVSS 3.0
5.0
EPSS
0.0%
CVE-2026-27807 MEDIUM This Month

Markus versions up to 2.9.4 is affected by improper restriction of recursive entity references in dtds (CVSS 4.9).

XXE Denial Of Service Markus
NVD GitHub
CVSS 3.1
4.9
EPSS
0.0%
CVE-2026-29791 MEDIUM PATCH This Month

Agentgateway versions prior to 0.12.0 fail to sanitize input parameters (path, query, and header values) when converting MCP tool requests to OpenAPI calls, allowing authenticated users to inject malicious data that could lead to unauthorized information disclosure or data modification. An attacker with valid credentials could exploit this input validation weakness to manipulate API requests across agent frameworks. No patch is currently available for affected deployments.

Information Disclosure Agentgateway
NVD GitHub VulDB
CVSS 3.1
4.9
EPSS
0.0%
CVE-2026-30228 MEDIUM PATCH This Month

Parse Server versions before 8.6.5 and 9.5.0-alpha.3 allow the readOnlyMasterKey to perform write and delete operations on files, violating the intended read-only access restriction. An authenticated attacker with the readOnlyMasterKey can upload arbitrary files or delete existing files via the Files API on affected deployments. No patch is currently available for this medium-severity vulnerability that impacts organizations using Parse Server with exposed file endpoints.

Node.js Parse Server
NVD GitHub
CVSS 3.1
4.9
EPSS
0.0%
CVE-2026-28714 MEDIUM This Month

Acronis Cyber Protect 17 before build 41186 transmits sensitive cryptographic material unnecessarily, allowing adjacent network attackers to potentially intercept and obtain this sensitive data under specific conditions. The vulnerability requires user interaction and affects both Linux and Windows deployments. No patch is currently available.

Information Disclosure Cyber Protect Windows
NVD
CVSS 3.0
4.8
EPSS
0.0%
CVE-2026-28106 MEDIUM This Month

Kings Plugins B2BKing Premium before version 5.4.20 contains an open redirect vulnerability that allows attackers to craft malicious links redirecting users to untrusted external sites. This network-accessible vulnerability requires user interaction to exploit but can be leveraged for phishing attacks with no patch currently available. The vulnerability has a CVSS score of 4.7 and affects the confidentiality of user information through credential harvesting or social engineering.

Open Redirect
NVD
CVSS 3.1
4.7
EPSS
0.0%
CVE-2026-29084 MEDIUM PATCH This Month

Gokapi versions prior to 2.2.3 lack CSRF protection on the login endpoint, allowing authenticated attackers to perform unwanted actions on behalf of legitimate users through malicious cross-site requests. An attacker can exploit this by crafting a webpage that tricks a logged-in user into unknowingly submitting forged login credentials or session-modifying requests. The vulnerability requires user interaction and a prior login session but could lead to unauthorized account access or session hijacking on self-hosted Gokapi instances.

CSRF Gokapi Suse
NVD GitHub
CVSS 3.1
4.6
EPSS
0.0%
CVE-2025-30413 MEDIUM This Month

Credentials are not deleted from Acronis Agent after plan revocation. The following products are affected: Acronis Cyber Protect Cloud Agent (Linux, macOS, Windows) before build 40497, Acronis Cyber Protect 17 (Linux, macOS, Windows) before build 41186. [CVSS 4.4 MEDIUM]

Information Disclosure Cyber Protect Agent Windows macOS
NVD VulDB
CVSS 3.1
4.4
EPSS
0.0%
CVE-2025-11790 MEDIUM This Month

Credentials are not deleted from Acronis Agent after plan revocation. The following products are affected: Acronis Cyber Protect Cloud Agent (Linux, macOS, Windows) before build 41124. [CVSS 4.4 MEDIUM]

Information Disclosure Agent Windows macOS
NVD
CVSS 3.0
4.4
EPSS
0.0%
CVE-2026-28716 MEDIUM This Month

Improper authorization checks in Acronis Cyber Protect 17 (Linux, Windows) before build 41186 allow local authenticated users to access sensitive information and modify data. This medium-severity vulnerability requires local access and user privileges but poses no availability risk. No patch is currently available for this issue.

Linux Windows Information Disclosure Cyber Protect
NVD
CVSS 3.0
4.4
EPSS
0.0%
CVE-2026-29049 MEDIUM PATCH This Month

Melange versions 0.40.5 and earlier are vulnerable to disk exhaustion when the update-cache function downloads files from attacker-controlled URIs without enforcing size limits or timeouts. An attacker can craft a malicious melange configuration file to trigger unbounded disk writes on build systems, consuming all available storage and denying service to legitimate builds. No patch is currently available.

Denial Of Service Melange
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-59544 MEDIUM This Month

Chamilo is a learning management system. Prior to version 1.11.34, the functionality for the user to update the category does not implement authorization checks for the "category_id" parameter which allows users to update the category of any user by replacing the "category_id" parameter. [CVSS 4.3 MEDIUM]

Authentication Bypass Chamilo Lms
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-28723 MEDIUM This Month

Acronis Cyber Protect 17 (Linux, Windows) before build 41186 contains an improper access control vulnerability allowing authenticated users to delete reports they should not have permission to access. An attacker with valid credentials could exploit this to remove audit trails or other critical reports, potentially compromising compliance and forensic capabilities. No patch is currently available for this issue.

Authentication Bypass Cyber Protect Windows
NVD
CVSS 3.0
4.3
EPSS
0.0%
CVE-2026-28720 MEDIUM This Month

Acronis Cyber Protect 17 on Linux and Windows before build 41186 allows authenticated users to modify application settings due to inadequate authorization validation. An attacker with valid credentials could exploit this to alter configurations and potentially compromise system integrity or bypass security controls. No patch is currently available.

Authentication Bypass Cyber Protect Windows
NVD
CVSS 3.0
4.3
EPSS
0.0%
CVE-2026-28719 MEDIUM This Month

Acronis Cyber Protect 17 on Linux and Windows (before build 41186) fails to properly validate user permissions, allowing authenticated users to modify resources they should not have access to. The vulnerability requires valid credentials and does not enable remote code execution or denial of service, but could allow privilege escalation or unauthorized data manipulation within the application. No patch is currently available.

Authentication Bypass Cyber Protect Windows
NVD
CVSS 3.0
4.3
EPSS
0.0%
CVE-2026-28709 MEDIUM This Month

Acronis Cyber Protect 17 on Linux and Windows before build 41186 contains an authorization bypass that allows authenticated users to manipulate resources they should not have access to. The vulnerability requires valid credentials and network access but poses a moderate risk of unauthorized data modification within the affected environment.

Linux Windows Cyber Protect
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-28726 MEDIUM This Month

Improper access control in Acronis Cyber Protect 17 (Linux and Windows) prior to build 41186 allows authenticated users to view sensitive information they should not have access to. The vulnerability requires valid credentials and network access but does not enable data modification or system availability impacts. No patch is currently available for this medium-severity disclosure risk.

Information Disclosure Authentication Bypass Cyber Protect Windows
NVD
CVSS 3.0
4.3
EPSS
0.0%
CVE-2026-28724 MEDIUM This Month

Acronis Cyber Protect 17 prior to build 41186 contains insufficient access control validation that permits authenticated users to read sensitive data they should not have access to. The vulnerability affects both Linux and Windows deployments and requires valid credentials to exploit, limiting the attack surface to authenticated attackers. No patch is currently available.

Authentication Bypass Cyber Protect Windows
NVD
CVSS 3.0
4.3
EPSS
0.0%
CVE-2026-28080 MEDIUM This Month

Rank Math SEO PRO through version 3.0.95 contains an authorization bypass in its access control implementation that allows authenticated users to perform unauthorized modifications. An attacker with valid login credentials could exploit this misconfiguration to alter content or settings they should not have access to. No patch is currently available to address this vulnerability.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-1128 MEDIUM This Month

WP eCommerce WordPre versions up to 3.15.1 is affected by cross-site request forgery (csrf) (CVSS 4.3).

WordPress CSRF
NVD WPScan
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-29795 MEDIUM PATCH This Month

Stellar-xdr prior to version 25.0.1 fails to validate string length constraints in the StringM::from_str function, allowing oversized strings to bypass maximum length checks and create invalid StringM objects. Applications relying on this type's length invariant for serialization, validation, or security decisions could process malformed data that violates expected constraints. Local attackers or malicious input sources could exploit this to cause unexpected behavior in dependent code.

Denial Of Service Stellar Xdr
NVD GitHub VulDB
CVSS 3.1
4.0
EPSS
0.0%
Prev Page 2 of 2

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy