Skip to main content
CVE-2026-26128 HIGH PATCH This Week

Windows SMB Server's authentication mechanism can be bypassed by local authenticated users to gain elevated privileges on affected systems. This high-severity vulnerability (CVSS 7.8) impacts confidentiality, integrity, and availability, though no patch is currently available. Organizations should implement compensating controls and monitor for exploitation attempts targeting this authentication weakness.

Microsoft Authentication Bypass
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-26117 HIGH PATCH This Week

Privilege escalation in Microsoft Azure Connected Machine Agent on Windows allows local authenticated users to bypass authentication mechanisms and gain elevated system privileges. An attacker with existing local access can exploit alternate authentication paths to escalate their permissions without user interaction. No patch is currently available for this vulnerability affecting Arc Enabled Servers.

Authentication Bypass Microsoft Arc Enabled Servers Azure Connected Machine Agent Windows
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-24290 HIGH PATCH This Week

Windows Projected File System in Windows 11 and Server 2022 contains improper access control that enables authenticated local users to escalate privileges to system level. An attacker with valid credentials can exploit this vulnerability to gain elevated permissions without user interaction. Currently, no patch is available to address this issue.

Microsoft Authentication Bypass Windows 11 24h2 Windows Server 2022 23h2 Windows 11 26h1 +9
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-27278 HIGH This Week

Arbitrary code execution in Adobe Acrobat and Acrobat Reader versions 24.001.30307 and earlier stems from a use-after-free memory vulnerability triggered when users open specially crafted files. An attacker can achieve code execution with the privileges of the current user, though exploitation requires victim interaction. No patch is currently available for affected versions.

Adobe Use After Free Acrobat Reader Dc Acrobat Acrobat Dc
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-27220 HIGH This Week

Arbitrary code execution in Adobe Acrobat Reader and Acrobat (versions 24.001.30307 and earlier) via a use-after-free vulnerability requires victims to open a malicious file. Local attackers can exploit this to execute code with the privileges of the current user. No patch is currently available.

Adobe Use After Free Acrobat Reader Dc Acrobat Acrobat Dc
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-27277 HIGH This Week

Arbitrary code execution in Substance 3D Stager 3.1.7 and earlier through a use-after-free memory vulnerability that triggers when users open specially crafted malicious files. An attacker can exploit this to execute code with the privileges of the affected user, though no patch is currently available to remediate the issue.

Use After Free Substance 3d Stager
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-27276 HIGH This Week

Arbitrary code execution in Substance 3D Stager 3.1.7 and earlier stems from a use-after-free vulnerability that executes with the privileges of the current user. An attacker can exploit this by crafting a malicious file that, when opened by a victim, triggers memory corruption and code execution. No patch is currently available for this high-severity vulnerability.

Use After Free Substance 3d Stager
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-3483 HIGH This Week

Privilege escalation in Ivanti DSM versions before 2026.1.1 stems from an exposed dangerous method that allows authenticated local users to gain elevated system privileges. An attacker with local access could exploit this vulnerability to obtain high-level permissions, compromising system integrity and confidentiality. No patch is currently available for this issue.

Ivanti
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-27272 HIGH This Week

Arbitrary code execution in Adobe Illustrator 29.8.4, 30.1 and earlier through an out-of-bounds write vulnerability affecting local users who open malicious files. An attacker can exploit this to execute code with the privileges of the targeted user, requiring only that the victim interact with a crafted document. No patch is currently available for this high-severity vulnerability.

Adobe Illustrator
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-27271 HIGH This Week

Heap buffer overflow in Adobe Illustrator 29.8.4 and 30.1 allows arbitrary code execution under the current user's privileges when opening a malicious file. The vulnerability requires user interaction but carries no patch availability, leaving affected systems at risk. An attacker can achieve code execution by crafting and distributing a malicious document that triggers the memory corruption flaw.

Adobe Buffer Overflow Heap Overflow Illustrator
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-27267 HIGH This Week

Arbitrary code execution in Adobe Illustrator 29.8.4 and 30.1 through a stack-based buffer overflow when processing malicious files. Local exploitation requires user interaction to open a crafted document, executing code with the privileges of the current user. No patch is currently available for affected versions.

Adobe Buffer Overflow Stack Overflow Illustrator
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-21362 HIGH This Week

Arbitrary code execution in Adobe Illustrator versions 29.8.4 and 30.1 and earlier results from an out-of-bounds write flaw that executes with user privileges. An attacker can achieve code execution by crafting a malicious file that triggers the vulnerability when opened by a victim. No patch is currently available for this high-severity issue.

Adobe Illustrator
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-27280 HIGH This Week

Arbitrary code execution in DNG SDK 1.7.1 2471 and earlier via an out-of-bounds write vulnerability that executes with user privileges when a victim opens a malicious file. The vulnerability requires user interaction but no special privileges, making it exploitable through social engineering with crafted documents. No patch is currently available for affected DNG Software Development Kit users.

Buffer Overflow RCE Dng Software Development Kit
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-27279 HIGH This Week

Arbitrary code execution in Substance 3D Stager 3.1.7 and earlier through an out-of-bounds write vulnerability triggered when users open malicious files. An attacker can execute code with the privileges of the affected user, requiring only social engineering to deliver the malicious file. No patch is currently available for this high-severity vulnerability.

Buffer Overflow RCE Substance 3d Stager
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-27275 HIGH This Week

Arbitrary code execution in Substance 3D Stager 3.1.7 and earlier through an out-of-bounds write vulnerability triggered by opening a malicious file. An attacker can achieve code execution with user privileges by crafting a weaponized file and socially engineering a victim into opening it. No patch is currently available for this high-severity vulnerability.

Buffer Overflow RCE Substance 3d Stager
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-27274 HIGH This Week

Arbitrary code execution in Adobe Substance 3D Stager 3.1.7 and earlier through an out-of-bounds write vulnerability that executes with user privileges when a victim opens a crafted file. The vulnerability requires user interaction but no special permissions, making it a practical attack vector for local exploitation. No patch is currently available.

Buffer Overflow RCE Substance 3d Stager
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-27273 HIGH This Week

Arbitrary code execution in Substance 3D Stager 3.1.7 and earlier through an out-of-bounds write vulnerability triggered by opening a malicious file. Users running affected versions face code execution at their privilege level with no available patch. This requires social engineering to trick users into opening a crafted file.

Buffer Overflow RCE Substance 3d Stager
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-27269 HIGH This Week

Code execution in Adobe Premiere Pro 25.5 and earlier via out-of-bounds read when processing malicious media files. An attacker can achieve arbitrary code execution within the user's security context by crafting a specially formatted file that triggers a memory read past allocated buffer boundaries. Exploitation requires the victim to open the malicious file, and no patch is currently available.

Buffer Overflow Information Disclosure Premiere Pro
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-23239 HIGH PATCH This Week

In the Linux kernel, the following vulnerability has been resolved: espintcp: Fix race condition in espintcp_close() This issue was discovered during a code audit.

Linux Information Disclosure Race Condition
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-0124 HIGH This Week

Local privilege escalation in Android results from an out-of-bounds write vulnerability caused by insufficient bounds validation. A local attacker with limited privileges can exploit this flaw without user interaction to gain elevated system permissions. No patch is currently available.

Privilege Escalation Android Google
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-31796 HIGH This Week

iccDEV provides a set of libraries and tools for working with ICC color management profiles. versions up to 2.3.1.5 is affected by heap-based buffer overflow (CVSS 7.8).

Buffer Overflow Heap Overflow Iccdev
NVD GitHub VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-30987 HIGH This Week

iccDEV provides a set of libraries and tools for working with ICC color management profiles. versions up to 2.3.1.5 is affected by classic buffer overflow (CVSS 7.8).

Buffer Overflow Iccdev
NVD GitHub VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-30985 HIGH This Week

iccDEV provides a set of libraries and tools for working with ICC color management profiles. versions up to 2.3.1.5 is affected by classic buffer overflow (CVSS 7.8).

Buffer Overflow Iccdev
NVD GitHub VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-30983 HIGH This Week

iccDEV provides a set of libraries and tools for working with ICC color management profiles. versions up to 2.3.1.5 is affected by classic buffer overflow (CVSS 7.8).

Buffer Overflow Iccdev
NVD GitHub VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-30979 HIGH This Week

iccDEV provides a set of libraries and tools for working with ICC color management profiles. versions up to 2.3.1.5 is affected by classic buffer overflow (CVSS 7.8).

Buffer Overflow Iccdev
NVD GitHub VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-24018 HIGH This Week

following vulnerability in Fortinet FortiClientLinux 7.4.0 versions up to 7.4.4 contains a vulnerability that allows attackers to a local and unprivileged user to escalate their privileges to root (CVSS 7.8).

Fortinet Privilege Escalation Forticlient
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-30978 HIGH This Week

iccDEV provides a set of libraries and tools for working with ICC color management profiles. versions up to 2.3.1.5 is affected by use after free (CVSS 7.8).

Use After Free Denial Of Service Memory Corruption Iccdev
NVD GitHub VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-31795 HIGH This Week

iccDEV provides a set of libraries and tools for working with ICC color management profiles. versions up to 2.3.1.5 is affected by classic buffer overflow (CVSS 7.8).

Buffer Overflow Iccdev
NVD GitHub VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-31792 HIGH This Week

iccDEV provides a set of libraries and tools for working with ICC color management profiles. versions up to 2.3.1.5 is affected by null pointer dereference (CVSS 7.8).

Null Pointer Dereference Denial Of Service Iccdev
NVD GitHub VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-26130 HIGH PATCH This Week

Uncontrolled resource allocation in ASP.NET Core enables unauthenticated remote attackers to exhaust system resources and cause denial of service without requiring user interaction. The vulnerability affects .NET applications exposed to network access, allowing attackers to trigger unbounded resource consumption from any network location. A patch is available to address this issue.

Denial Of Service Asp Net Core
NVD VulDB
CVSS 3.1
7.5
EPSS
1.3%
CVE-2026-27689 HIGH This Week

Denial of service in a remote-enabled function module allows authenticated attackers to exhaust system resources by submitting requests with oversized loop parameters, rendering the affected system unavailable. The vulnerability requires valid user credentials and network access but no user interaction, making it exploitable by any authenticated user on the network. No patch is currently available to address this high-severity flaw.

Denial Of Service
NVD VulDB
CVSS 3.1
7.7
EPSS
0.1%
CVE-2026-30953 HIGH This Week

Server-side request forgery in LinkAce allows authenticated users to make arbitrary HTTP requests to internal network addresses and cloud metadata endpoints by providing malicious URLs during link creation, bypassing validation controls that exist elsewhere in the application. An attacker with valid credentials can exploit this to access Docker service hostnames, internal services, and sensitive metadata endpoints. No patch is currently available for this vulnerability affecting PHP-based LinkAce deployments.

PHP Docker SSRF Linkace
NVD GitHub VulDB
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-31801 HIGH PATCH This Week

Zot registry versions 1.3.0 through 2.1.14 have an authorization bypass in the manifest upload endpoint that allows authenticated users with only create permissions to overwrite the latest tag when it already exists. An attacker with limited write privileges can leverage this flaw to replace the latest image version, potentially distributing malicious container images to downstream consumers. The vulnerability is fixed in version 2.1.15.

Authentication Bypass Zot Suse
NVD GitHub VulDB
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-30929 HIGH PATCH This Week

High severity vulnerability in ImageMagick. MagnifyImage uses a fixed-size stack buffer. When using a specific image it is possible to overflow this buffer and corrupt the stack.

Buffer Overflow Stack Overflow Imagemagick Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-30919 HIGH This Week

facileManager is a modular suite of web apps built with the sysadmin in mind. versions up to 6.0.4 is affected by cross-site scripting (xss) (CVSS 7.6).

XSS Facilemanager
NVD GitHub VulDB
CVSS 3.1
7.6
EPSS
0.0%
CVE-2026-30918 HIGH This Week

FacileManager versions prior to 6.0.4 contain a reflected cross-site scripting vulnerability in the fmDNS module's log_search_query parameter that allows authenticated attackers to inject malicious JavaScript through crafted URLs. An attacker with login credentials can exploit this to execute arbitrary scripts in users' browsers, potentially compromising sensitive administrative data or session tokens. No patch is currently available for affected deployments.

XSS Facilemanager
NVD GitHub VulDB
CVSS 3.1
7.6
EPSS
0.0%
CVE-2026-2339 HIGH This Week

TUBITAK BILGEM Software Technologies Research Institute Liderahenk is affected by missing authentication for critical function (CVSS 7.5).

Command Injection Authentication Bypass
NVD VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-0109 HIGH This Week

Android versions up to - is affected by improper check for unusual or exceptional conditions (CVSS 7.5).

Denial Of Service Android Google
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-26121 HIGH PATCH This Week

Azure IoT Explorer is vulnerable to server-side request forgery that enables unauthenticated network-based attackers to perform spoofing attacks and access sensitive information. The vulnerability requires no user interaction and can be exploited remotely with low attack complexity, affecting the confidentiality of exposed data. No patch is currently available.

SSRF Microsoft Azure Iot Explorer
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-26144 HIGH PATCH This Week

Information disclosure in Microsoft 365 Apps Excel allows unauthenticated remote attackers to extract sensitive data through stored cross-site scripting attacks in generated web content. The vulnerability requires no user interaction and affects all Excel users who process untrusted documents. No patch is currently available, leaving users dependent on mitigation strategies until Microsoft releases a fix.

Microsoft XSS 365 Apps
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-23674 HIGH PATCH This Week

Windows MapUrlToZone security bypass in Windows 11 24H2, Windows 10 21H2, and Windows Server 2016/2025 allows unauthenticated remote attackers to circumvent zone-based security restrictions through improper path equivalence resolution. An attacker can exploit this network-accessible vulnerability without user interaction to bypass intended access controls. No patch is currently available for this high-severity vulnerability.

Microsoft Authentication Bypass Windows 11 24h2 Windows 10 21h2 Windows Server 2025 +12
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-30939 HIGH PATCH This Week

Unauthenticated attackers can crash Parse Server instances by invoking Cloud Function endpoints with prototype property names, triggering infinite recursion and process termination. Additionally, attackers can bypass validation checks using prototype pollution techniques to elicit HTTP 200 responses for non-existent functions. All Parse Server versions prior to 8.6.13 and 9.5.1-alpha.2 are affected when the Cloud Function endpoint is exposed.

Node.js Denial Of Service Parse Server
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-23664 HIGH PATCH This Week

Azure IoT Explorer fails to properly restrict communication to intended endpoints, enabling unauthenticated attackers to intercept and disclose sensitive information over the network. The vulnerability requires no user interaction and can be exploited remotely with a CVSS score of 7.5. A patch is available for affected Azure IoT products.

Azure IoT Azure Iot Explorer
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-30952 HIGH PATCH This Week

liquidjs is a Shopify / GitHub Pages compatible template engine in pure JavaScript. versions up to 10.25.0 is affected by path traversal.

Path Traversal Liquidjs
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-25181 HIGH PATCH This Week

Information disclosure in Windows GDI+ affects Windows 11 (24h2, 25h2) and Windows Server 2012/2016, allowing unauthenticated attackers to read sensitive data remotely through an out-of-bounds memory access vulnerability. The flaw requires no user interaction and can be exploited over the network to compromise confidentiality without modifying system data or availability. No patch is currently available for this high-severity vulnerability.

Information Disclosure Buffer Overflow Microsoft Windows 11 24h2 Windows Server 2012 +13
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-3585 HIGH This Week

The Events Calendar (WordPress plugin) versions up to 6.15.17 is affected by path traversal (CVSS 7.5).

WordPress Path Traversal
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-30933 HIGH PATCH GHSA This Week

FileBrowser versions prior to 1.3.1-beta and 1.2.2-stable leak authentication tokens through the /public/api/share/info endpoint, allowing unauthenticated attackers to bypass password protections on shared files. The vulnerability stems from an incomplete fix to CVE-2026-27611 and enables token disclosure that could facilitate unauthorized file access. No patch is currently available for affected installations.

Information Disclosure Filebrowser Suse
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-26801 HIGH PATCH This Week

pdfmake versions 0.3.0-beta.2 through 0.3.5 contain a server-side request forgery vulnerability in the URLResolver component that allows unauthenticated remote attackers to access sensitive information through crafted URL requests. Affected applications using vulnerable versions without proper URL access controls are at risk of information disclosure. No patch is currently available, though version 0.3.6 introduces URL access policy controls to mitigate the risk.

SSRF Pdfmake
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-28691 HIGH PATCH This Week

High severity vulnerability in ImageMagick. An uninitialized pointer dereference vulnerability exists in the JBIG decoder due to a missing check.

Information Disclosure Imagemagick
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-30972 HIGH PATCH This Week

Parse Server versions prior to 9.5.2-alpha.10 and 8.6.23 allow remote attackers to bypass rate limiting protections by submitting multiple requests within a single batch request, since batch processing routes requests internally and circumvents Express middleware controls. Deployments relying on built-in rate limiting are vulnerable to abuse and denial of service attacks. A patch is available in the specified versions.

Node.js Parse Server
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
Prev Page 3 of 4 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy