Skip to main content
CVE-2026-0489 MEDIUM This Month

DOM-based XSS in SAP Business One Job Service allows unauthenticated attackers to inject malicious code through unvalidated URL query parameters, compromising user sessions when victims interact with crafted links. Successful exploitation could leak sensitive data or modify application content, though availability is not affected. No patch is currently available.

SAP XSS
NVD VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-36173 MEDIUM This Month

Affected Product(s)Version(s)InfoSphere Data Architect9.2.1 [CVSS 6.1 MEDIUM]

XSS Infosphere Data Architect
NVD VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-70128 MEDIUM This Month

A Stored Cross-Site Scripting (XSS) vulnerability exists in the PluXml article comments feature for PluXml versions 5.8.22 and earlier. The application fails to properly sanitize or validate user-supplied input in the "link" field of a comment. [CVSS 6.1 MEDIUM]

PHP XSS
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-31797 MEDIUM This Month

iccDEV provides a set of libraries and tools for working with ICC color management profiles. versions up to 2.3.1.5 is affected by out-of-bounds read (CVSS 6.1).

Buffer Overflow Information Disclosure Iccdev
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-30984 MEDIUM This Month

iccDEV provides a set of libraries and tools for working with ICC color management profiles. versions up to 2.3.1.5 is affected by out-of-bounds read (CVSS 6.1).

Buffer Overflow Information Disclosure Iccdev
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-30982 MEDIUM This Month

iccDEV provides a set of libraries and tools for working with ICC color management profiles. versions up to 2.3.1.5 is affected by heap-based buffer overflow (CVSS 6.1).

Buffer Overflow Heap Overflow Iccdev
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-30981 MEDIUM This Month

iccDEV provides a set of libraries and tools for working with ICC color management profiles. versions up to 2.3.1.5 is affected by classic buffer overflow (CVSS 6.1).

Buffer Overflow Iccdev
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-22614 MEDIUM This Month

Eaton EasySoft project files use weak encryption vulnerable to brute force attacks, allowing local attackers with file access to extract sensitive information and modify project configurations. An authenticated user on the affected system can exploit this weakness to compromise confidentiality and integrity of stored data. No patch is currently available for this vulnerability.

Information Disclosure Easysoft
NVD VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-1776 MEDIUM This Month

Camaleon CMS versions 2.4.5.0 through 2.9.0, prior to commit f54a77e, contain a path traversal vulnerability in the AWS S3 uploader implementation that allows authenticated users to read arbitrary files from the web server’s filesystem.

Path Traversal Camaleon Cms
NVD GitHub VulDB
CVSS 4.0
6.0
EPSS
0.1%
CVE-2025-49784 MEDIUM This Month

An improper neutralization of special elements used in an sql command ('sql injection') vulnerability in Fortinet FortiAnalyzer 7.6.0 through 7.6.4, FortiAnalyzer 7.4.0 through 7.4.7, FortiAnalyzer 7.2 all versions, FortiAnalyzer 7.0 all versions, FortiAnalyzer 6.4 all versions, FortiAnalyzer-BigData 7.6.0, FortiAnalyzer-BigData 7.4.0 through 7.4.4, FortiAnalyzer-BigData 7.2 all versions, FortiAnalyzer-BigData 7.0 all versions, FortiAnalyzer-BigData 6.4 all versions, FortiAnalyzer-BigData 6.2 all versions may allow an authenticated attacker to execute unauthorized code or commands via specifically crafted requests. [CVSS 6.0 MEDIUM]

Fortinet SQLi Fortianalyzer Big Data Fortianalyzer
NVD VulDB
CVSS 3.1
6.0
EPSS
0.0%
CVE-2026-27686 MEDIUM This Month

SAP Business Warehouse Service API lacks proper authorization controls on RFC function modules, allowing authenticated attackers to modify configurations and disrupt request processing. An attacker with valid credentials could exploit this vulnerability to cause denial of service and alter system integrity without detection. No patch is currently available for this medium-severity vulnerability.

SAP Denial Of Service
NVD VulDB
CVSS 3.1
5.9
EPSS
0.0%
CVE-2025-13219 MEDIUM This Month

Aspera Orchestrator versions up to 4.1.2 contains a vulnerability that allows attackers to information disclosure if unauthorized parties have access to the URLs via serve (CVSS 5.9).

IBM Information Disclosure Aspera Orchestrator
NVD VulDB
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-23656 MEDIUM This Month

Windows App Installer fails to adequately authenticate package data, enabling network-based attackers to conduct spoofing attacks without user interaction. This vulnerability affects Windows and Windows App installations, potentially allowing threat actors to deceive users into installing malicious or tampered applications. While no patch is currently available, the low EPSS score suggests exploitation is unlikely in the near term.

Windows Windows App Microsoft
NVD VulDB
CVSS 3.1
5.9
EPSS
0.0%
CVE-2025-54659 MEDIUM This Month

An Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability [CWE-22] vulnerability in Fortinet FortiSOAR Agent Communication Bridge 1.1.0, FortiSOAR Agent Communication Bridge 1.0 all versions may allow an unauthenticated attacker to read files accessible to the fortisoar user on a system where the agent is deployed, via sending a crafted request to the agent port. [CVSS 5.8 MEDIUM]

Fortinet Path Traversal
NVD VulDB
CVSS 3.1
5.8
EPSS
0.1%
CVE-2026-27687 MEDIUM This Month

Insufficient authorization validation in SAP S/4HANA and ERP HCM Portugal modules allows high-privileged users to view confidential data from other companies. An authenticated attacker with elevated permissions could exploit this cross-tenant data exposure to access sensitive information without proper access controls. No patch is currently available for this medium-severity vulnerability.

SAP
NVD VulDB
CVSS 3.1
5.8
EPSS
0.0%
CVE-2026-3315 MEDIUM This Month

Incorrect Default Permissions, : Execution with Unnecessary Privileges, : Incorrect Permission Assignment for Critical Resource vulnerability in ASSA ABLOY Visionline on Windows allows Configuration/Environment Manipulation.This issue affects Visionline: from 1.0 before 1.33.

Microsoft Privilege Escalation
NVD VulDB
CVSS 4.0
5.8
EPSS
0.0%
CVE-2026-30883 MEDIUM PATCH This Month

ImageMagick is free and open-source software used for editing and manipulating digital images. versions up to 7.1.2-16 is affected by buffer overflow (CVSS 5.7).

Buffer Overflow Imagemagick Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
5.7
EPSS
0.0%
CVE-2026-24311 MEDIUM This Month

SAP Customer Checkout stores operational data with weak encryption that can be accessed and modified by authenticated users with high privileges through local interaction, potentially compromising confidentiality and integrity of application behavior. This vulnerability requires physical access and user interaction but carries no availability impact, affecting SAP industrial deployment environments where no patch is currently available.

SAP Industrial
NVD VulDB
CVSS 3.1
5.6
EPSS
0.0%
CVE-2026-25186 MEDIUM PATCH This Month

Unauthorized disclosure of sensitive information in Windows Accessibility Infrastructure (ATBroker.exe) affects Windows Server 2019, 2025, Windows 10 22h2, and Windows 11 25h2, allowing local authenticated attackers to read confidential data. The vulnerability requires user privileges and local access but poses no risk to system integrity or availability. No patch is currently available for this issue.

Information Disclosure Microsoft Windows Server 2019 Windows 10 22h2 Windows Server 2025 +12
NVD VulDB
CVSS 3.1
5.5
EPSS
0.1%
CVE-2026-25180 MEDIUM PATCH This Month

Microsoft Graphics Component contains an out-of-bounds read vulnerability affecting Windows 10 1607, Windows Server 2019, and 2022, enabling local attackers to read sensitive information from memory. The vulnerability requires user interaction and local access, posing a confidentiality risk without offering a currently available patch. Attack complexity is low, making it a practical concern for systems running affected Office and Windows versions.

Microsoft Information Disclosure Buffer Overflow
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-24282 MEDIUM PATCH This Month

Windows Push Message Routing Service contains an out-of-bounds read vulnerability that enables authenticated local users to access sensitive information on affected systems running Windows 10 and Windows 11. The vulnerability requires valid credentials to exploit and poses a confidentiality risk, though no patch is currently available. This affects multiple Windows versions including 21H2, 22H2, and 23H2 releases.

Buffer Overflow Information Disclosure Windows 10 21h2 Windows 10 1607 Windows 11 25h2 +6
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-26123 MEDIUM PATCH This Month

Microsoft Authenticator contains an information disclosure vulnerability that allows local attackers to access sensitive data without requiring elevated privileges or user interaction beyond standard operation. The vulnerability stems from improper categorization of security controls, enabling unauthorized disclosure of confidential information on affected systems. No patch is currently available for this issue.

Microsoft Information Disclosure Authenticator
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-27221 MEDIUM This Month

Improper certificate validation in Adobe Acrobat Reader DC versions 24.001.30307 and earlier allows local attackers to forge digital signatures by spoofing signer identity, bypassing security features that users rely on for document verification. This attack requires user interaction and affects multiple Adobe products including Acrobat DC. No patch is currently available.

Adobe Acrobat Dc Acrobat Reader Dc Acrobat
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-27270 MEDIUM This Month

Out-of-bounds memory read in Adobe Illustrator 29.8.4 and 30.1 and earlier enables attackers to disclose sensitive information from process memory by tricking users into opening malicious files. This local vulnerability requires user interaction but poses a high confidentiality risk with no available patch. Affected organizations should restrict file opening from untrusted sources until Adobe releases a fix.

Adobe Illustrator
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-27268 MEDIUM This Month

Out-of-bounds memory read in Adobe Illustrator 29.8.4, 30.1 and earlier enables local attackers to extract sensitive data from process memory by tricking users into opening crafted files. No patch is currently available for this vulnerability, which requires user interaction but poses a meaningful confidentiality risk to affected users.

Adobe Illustrator
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-27219 MEDIUM This Month

Out-of-bounds memory read in Substance 3D Painter 11.1.2 and earlier allows attackers to expose sensitive data from application memory. Exploitation requires a user to open a malicious file, making this a local attack vector dependent on social engineering. No patch is currently available for this vulnerability.

Buffer Overflow Information Disclosure Substance 3d Painter
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-27216 MEDIUM This Month

Out-of-bounds memory read in Substance 3D Painter 11.1.2 and earlier enables attackers to leak sensitive data from application memory when a user opens a specially crafted file. This local vulnerability requires user interaction but poses a meaningful confidentiality risk to designers and artists using affected versions. No patch is currently available.

Buffer Overflow Information Disclosure Substance 3d Painter
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-21365 MEDIUM This Month

Memory disclosure in Substance 3D Painter 11.1.2 and earlier allows attackers to read sensitive data from process memory through an out-of-bounds read vulnerability. Exploitation requires user interaction, as victims must open a specially crafted malicious file. No patch is currently available for this vulnerability.

Buffer Overflow Information Disclosure Substance 3d Painter
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-27281 MEDIUM This Month

DNG SDK versions 1.7.1 and earlier contain an integer overflow vulnerability that allows local attackers to crash affected applications through specially crafted files. Exploitation requires user interaction, as victims must open a malicious file to trigger the denial-of-service condition. No patch is currently available for this vulnerability.

Integer Overflow Denial Of Service Dng Software Development Kit
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-27218 MEDIUM This Month

Substance 3D Painter versions 11.1.2 and earlier contain a null pointer dereference that allows local attackers to crash the application by tricking users into opening malicious files. This denial-of-service vulnerability requires user interaction but requires no elevated privileges to exploit. No patch is currently available for this medium-severity issue.

Null Pointer Dereference Denial Of Service Substance 3d Painter
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-27217 MEDIUM This Month

Substance 3D Painter versions 11.1.2 and earlier contain a null pointer dereference that enables local denial-of-service attacks when users open specially crafted files. An attacker can crash the application to disrupt workflow, though exploitation requires user interaction and no patch is currently available. The vulnerability has a moderate CVSS score of 5.5 with zero percent estimated exploitation probability.

Null Pointer Dereference Denial Of Service Substance 3d Painter
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-27215 MEDIUM This Month

Substance 3D Painter versions 11.1.2 and earlier contain a null pointer dereference vulnerability that allows local attackers to crash the application by convincing users to open a malicious file. This denial-of-service impact disrupts application availability, though no patch is currently available. User interaction is required for exploitation, and the vulnerability affects local attack scenarios only.

Null Pointer Dereference Denial Of Service Substance 3d Painter
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-27214 MEDIUM This Month

Denial-of-service in Substance 3D Painter 11.1.2 and earlier stems from improper null pointer handling that crashes the application when processing malicious files. An attacker can trigger this crash by tricking a user into opening a specially crafted file, temporarily disrupting the victim's workflow. No patch is currently available to address this vulnerability.

Null Pointer Dereference Denial Of Service Substance 3d Painter
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-21364 MEDIUM This Month

Denial-of-service crashes in Adobe Substance 3D Painter versions 11.1.2 and earlier stem from a null pointer dereference vulnerability triggered when users open specially crafted files. An attacker can exploit this flaw to force application crashes and disrupt user workflows, though no patch is currently available. Exploitation requires social engineering to convince victims to open a malicious file.

Null Pointer Dereference Denial Of Service Substance 3d Painter
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-21363 MEDIUM This Month

Substance 3D Painter versions 11.1.2 and earlier contain a null pointer dereference vulnerability that allows local attackers to crash the application by tricking users into opening a malicious file. This denial-of-service condition disrupts workflow for affected users, though no patch is currently available. The vulnerability requires user interaction and does not enable code execution or data compromise.

Null Pointer Dereference Denial Of Service Substance 3d Painter
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-30986 MEDIUM This Month

iccDEV provides a set of libraries and tools for working with ICC color management profiles. versions up to 2.3.1.5 is affected by out-of-bounds read (CVSS 5.5).

Buffer Overflow Information Disclosure Iccdev
NVD GitHub VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-31826 MEDIUM PATCH This Month

pypdf is a free and open-source pure-python PDF library. versions up to 6.8.0 is affected by allocation of resources without limits or throttling.

Python Denial Of Service Pypdf Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-30936 MEDIUM PATCH This Month

Medium severity vulnerability in ImageMagick. A crafted image could cause an out of bounds heap write inside the WaveletDenoiseImage method. When processing a crafted image with the -wavelet-denoise operation an out of bounds write can occur.

Buffer Overflow Imagemagick Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-31794 MEDIUM This Month

iccDEV provides a set of libraries and tools for working with ICC color management profiles. versions up to 2.3.1.5 is affected by out-of-bounds read (CVSS 5.5).

Denial Of Service Buffer Overflow Information Disclosure Iccdev
NVD GitHub VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-31793 MEDIUM This Month

iccDEV provides a set of libraries and tools for working with ICC color management profiles. versions up to 2.3.1.5 is affected by out-of-bounds read (CVSS 5.5).

Denial Of Service Buffer Overflow Information Disclosure Iccdev
NVD GitHub VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-30980 MEDIUM This Month

iccDEV provides a set of libraries and tools for working with ICC color management profiles. versions up to 2.3.1.5 is affected by stack-based buffer overflow (CVSS 5.5).

Stack Overflow Buffer Overflow Iccdev
NVD GitHub VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-31802 MEDIUM PATCH This Month

node-tar is a full-featured Tar for Node.js.

Node.js Path Traversal Tar Red Hat
NVD GitHub VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-2266 MEDIUM This Month

DOM-based XSS in GitHub Enterprise Server prior to version 3.20 allows authenticated attackers to execute arbitrary JavaScript in other users' browsers by injecting malicious HTML through task list content in issues and pull requests. The vulnerability stems from improper input neutralization in the task list rendering logic, which fails to re-encode user-supplied content before display. An attacker with repository access could exploit this to steal session tokens or perform actions on behalf of other users.

Github XSS Enterprise Server
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-31832 MEDIUM PATCH This Month

Umbraco CMS versions 14.0.0 through 16.5.0 and 17.0.0-17.2.1 contain an authorization bypass in a backoffice API endpoint that allows authenticated editors to assign domain configurations to content nodes they lack permission to access. An attacker with valid credentials could exploit this to modify domain settings on restricted content, potentially affecting content visibility or routing. The vulnerability affects Umbraco deployments without patches 16.5.1 or 17.2.2 applied.

Authentication Bypass Umbraco Cms
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-36226 MEDIUM This Month

IBM Aspera Faspex 5 5.0.0 through 5.0.14.3 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. [CVSS 5.4 MEDIUM]

IBM XSS Aspera Faspex
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-13213 MEDIUM This Month

Aspera Orchestrator versions up to 4.1.2 contains a vulnerability that allows attackers to conduct various attacks against the vulnerable system, including cross-site scri (CVSS 5.4).

IBM XSS Aspera Orchestrator
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-36227 MEDIUM This Month

Aspera Faspex versions up to 5.0.14.3 contains a vulnerability that allows attackers to conduct various attacks against the vulnerable system, including cross-site scri (CVSS 5.4).

IBM XSS Aspera Faspex
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-30964 MEDIUM PATCH This Month

The webauthn-lib PHP library before version 5.2.4 incorrectly validates origin restrictions by comparing only hostname components, allowing attackers to bypass authentication policies that rely on scheme or port differentiation. This enables an attacker to authenticate from origins that should be blocked, such as using HTTP instead of HTTPS or non-standard ports. Applications using this library with strict origin policies are affected until they upgrade to the patched version.

PHP Information Disclosure
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-30948 MEDIUM PATCH This Month

Parse Server versions prior to 9.5.2-alpha.4 and 8.6.17 allow authenticated users to upload SVG files containing malicious JavaScript that executes in the server's origin context due to missing content security headers, enabling attackers to steal session tokens and compromise user accounts. All deployments with file upload enabled for authenticated users are vulnerable by default, as the file extension filter blocks HTML but not SVG files. A patch is available in the specified versions.

Node.js XSS Parse Server
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-30927 MEDIUM PATCH This Month

Unauthorized event participation manipulation in Admidio prior to 5.0.6 allows authenticated users to register or cancel participation for other users by manipulating the user_uuid parameter in event functions. Any user with event participation privileges can exploit this to modify another user's event enrollment status without authorization. The vulnerability requires authentication and affects confidentiality through unauthorized modifications.

PHP Authentication Bypass Admidio
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.0%
Prev Page 2 of 3 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy