Skip to main content
CVE-2026-23662 HIGH PATCH This Week

Azure IoT Explorer fails to enforce authentication on a critical function, enabling unauthenticated network attackers to remotely access and exfiltrate sensitive information. This high-severity vulnerability (CVSS 7.5) affects Azure IoT deployments and requires immediate patching to prevent unauthorized disclosure of IoT configuration and operational data. A patch is available.

Azure IoT Azure Iot Explorer
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-28431 HIGH This Week

Misskey is an open source, federated social media platform.

Authentication Bypass Misskey
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-23661 HIGH PATCH This Week

Sensitive data transmission over cleartext in Azure IoT Explorer enables network-based attackers to intercept and disclose confidential information without authentication. This vulnerability affects Azure IoT deployments and could expose device credentials, configuration details, or other sensitive metadata to passive network observers. A patch is available to remediate the cleartext transmission issue.

Azure IoT Azure Iot Explorer
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-30941 HIGH PATCH This Week

NoSQL injection in Parse Server's password reset and email verification endpoints allows unauthenticated attackers to extract authentication tokens by injecting MongoDB query operators through the unvalidated token parameter. Affected deployments running MongoDB with these features enabled are vulnerable to email verification bypass and password reset token theft. The vulnerability is fixed in versions 8.6.14 and 9.5.2-alpha.1.

Node.js MongoDB SQLi Parse Server
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-30951 HIGH PATCH This Week

SQL injection in Sequelize prior to version 6.37.8 allows unauthenticated attackers to execute arbitrary SQL queries and extract sensitive data by manipulating JSON object keys in WHERE clause operations. The vulnerability stems from improper sanitization of cast type parameters in the _traverseJSON() function, which directly interpolates user-controlled input into CAST SQL statements. Node.js applications using affected Sequelize versions are at risk of complete database compromise.

Node.js SQLi Sequelize
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-31830 HIGH PATCH This Week

Sigstore-ruby versions before 0.2.3 fail to properly validate artifact digests when verifying DSSE bundles with in-toto attestations, causing the library to incorrectly return successful verification even when the artifact does not match the attested subject. This allows attackers to bypass cryptographic verification controls and accept mismatched or tampered artifacts as valid. Organizations using sigstore-ruby for supply chain verification should upgrade to version 0.2.3 immediately, though no patch is currently available for other affected projects.

Information Disclosure Sigstore
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-28432 HIGH This Week

federated social media platform. All Misskey server versions up to 2026.3.1 is affected by improper verification of cryptographic signature.

Authentication Bypass Misskey
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-56421 HIGH PATCH This Week

SQL Injection vulnerability in LimeSurvey before v.6.15.4+250710 allows a remote attacker to obtain sensitive information from the database. [CVSS 7.5 HIGH]

SQLi Limesurvey
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-30946 HIGH PATCH This Week

Parse-Server versions up to 9.5.2 is affected by allocation of resources without limits or throttling (CVSS 7.5).

Node.js Parse Server
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-30925 HIGH PATCH This Week

Parse Server's LiveQuery feature is vulnerable to denial of service through malicious regex patterns that trigger catastrophic backtracking, freezing the Node.js event loop and rendering the entire server unresponsive to all clients. Attackers only require the publicly available application ID and JavaScript key to exploit this vulnerability on any Parse Server with LiveQuery enabled. Updates to versions 9.5.0-alpha.14 or 8.6.11 and later address this issue.

Node.js Parse Server
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-30947 HIGH PATCH This Week

Parse Server versions prior to 9.5.2-alpha.3 and 8.6.16 fail to enforce class-level permissions on LiveQuery subscriptions, allowing unauthenticated attackers to subscribe to restricted data classes and receive real-time updates on all objects. This authorization bypass affects all deployments using LiveQuery with permission controls, exposing sensitive data to unauthorized subscribers. A patch is available in the mentioned versions.

Node.js Parse Server
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-25167 HIGH PATCH This Week

Privilege escalation in Microsoft's Brokering File System on Windows 11 (24h2 and 25h2) stems from a use-after-free vulnerability that allows local attackers to gain elevated system privileges. An attacker with local access can exploit memory corruption to execute arbitrary code with higher privileges, potentially compromising system integrity. No patch is currently available for this vulnerability.

Microsoft Use After Free Denial Of Service Memory Corruption Windows 11 24h2 +3
NVD VulDB
CVSS 3.1
7.4
EPSS
0.0%
CVE-2025-66413 HIGH This Week

Git for Windows versions prior to 2.53.0(2) leak NTLM credential hashes when users clone from malicious servers, enabling password cracking attacks. The vulnerability requires user interaction (cloning from attacker-controlled repository) but needs no authentication from the attacker. EPSS score of 0.03% suggests low probability of mass exploitation, and no evidence of active exploitation or public POC exists at time of analysis. However, the simplicity of the attack (social engineering a git clone operation) and the high confidentiality impact (user credential theft) make this a priority for Windows-based development environments.

Microsoft Information Disclosure
NVD GitHub VulDB
CVSS 3.1
7.4
EPSS
0.0%
CVE-2026-2713 HIGH This Week

IBM Trusteer Rapport 3.5.2309.290 contains an insecure DLL search path vulnerability that allows local attackers to execute arbitrary code by planting a malicious file in a compromised directory. The attack requires local system access but no user interaction or elevated privileges, making it exploitable by any local user. No patch is currently available for this high-severity vulnerability.

IBM RCE
NVD VulDB
CVSS 3.1
7.4
EPSS
0.0%
CVE-2026-0112 HIGH This Week

Local privilege escalation on Android devices occurs through a race condition in the VPU driver's instance opening function, allowing attackers to trigger a use-after-free condition without requiring special privileges or user interaction. An unprivileged local attacker can exploit this vulnerability to gain elevated system privileges. No patch is currently available for this vulnerability.

Use After Free Privilege Escalation Race Condition Android Google
NVD VulDB
CVSS 3.1
7.4
EPSS
0.0%
CVE-2026-30930 HIGH PATCH This Week

SQL injection in Glances TimescaleDB export module allows local attackers to execute arbitrary SQL commands against the monitoring database. The vulnerability stems from unsafe string concatenation when constructing queries with system monitoring data (process names, mount points, network interfaces, container names). Proof-of-concept exploit code exists (CVSS E:P). EPSS score of 0.02% (4th percentile) indicates very low observed exploitation activity. Vendor-released patch available in version 4.5.1.

SQLi Glances
NVD GitHub VulDB
CVSS 4.0
7.3
EPSS
0.0%
CVE-2026-2364 HIGH This Week

Privilege escalation in CODESYS Development System installer exploits a time-of-check-time-of-use (TOCTOU) race condition, allowing a low-privileged local attacker to gain elevated rights when a legitimate user initiates a system update or installation. An attacker with local access can manipulate files during the installation process window to execute arbitrary code with elevated privileges. No patch is currently available, and the vulnerability requires user interaction but poses significant risk to system integrity and confidentiality.

Race Condition
NVD VulDB
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-25836 HIGH This Week

Fortinet FortiSandbox Cloud 5.0.4 contains an OS command injection vulnerability that allows privileged super-admin users with CLI access to execute arbitrary code through malicious HTTP requests. The vulnerability requires high privileges and direct access but carries high impact including confidentiality, integrity, and availability compromise. No patch is currently available.

Fortinet Command Injection
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2025-66178 HIGH This Week

A improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.5, FortiWeb 7.4.0 through 7.4.11, FortiWeb 7.2.0 through 7.2.12, FortiWeb 7.0.0 through 7.0.12 may allow an authenticated attacked to execute arbitrary commands via a specialy crafted HTTP request. [CVSS 7.2 HIGH]

Fortinet Command Injection Fortiweb
NVD VulDB
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-2724 HIGH This Week

Unlimited Elements for Elementor (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 7.2).

WordPress XSS
NVD VulDB
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-1261 HIGH This Week

Stored XSS in MetForm Pro's Quiz feature allows unauthenticated attackers to inject malicious scripts through insufficient input sanitization in WordPress versions up to 3.9.6. When users access affected pages, the injected scripts execute in their browsers, potentially compromising session data or performing unauthorized actions. No patch is currently available.

WordPress XSS
NVD VulDB
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-22572 HIGH This Week

MFA bypass in Fortinet FortiManager and FortiAnalyzer 7.2.2-7.6.3 allows attackers with valid admin credentials to disable multifactor authentication through specially crafted repeated requests. This authentication bypass (CWE-288) affects multiple product lines including FortiManager Cloud, creating high risk for unauthorized administrative access. No patch is currently available, leaving affected systems vulnerable to MFA circumvention attacks.

Fortinet Authentication Bypass Fortimanager Fortianalyzer Fortimanager Cloud
NVD VulDB
CVSS 3.1
7.2
EPSS
0.1%
CVE-2025-68648 HIGH This Week

A use of externally-controlled format string vulnerability in Fortinet FortiAnalyzer 7.6.0 through 7.6.4, FortiAnalyzer 7.4.0 through 7.4.7, FortiAnalyzer 7.2 all versions, FortiAnalyzer 7.0 all versions, FortiAnalyzer Cloud 7.6.0 through 7.6.4, FortiAnalyzer Cloud 7.4.0 through 7.4.7, FortiAnalyzer Cloud 7.2 all versions, FortiAnalyzer Cloud 7.0 all versions, FortiManager 7.6.0 through 7.6.4, FortiManager 7.4.0 through 7.4.7, FortiManager 7.2 all versions, FortiManager 7.0 all versions, Fort...

Fortinet Privilege Escalation
NVD VulDB
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-31834 HIGH PATCH This Week

Privilege escalation in Umbraco CMS versions 15.3.1 through 16.5.0 and 17.x before 17.2.2 allows authenticated backoffice users with user management permissions to assign themselves elevated privileges by bypassing authorization checks on role assignments. An attacker with these permissions could gain administrative access to the CMS without proper privilege validation. No patch is currently available for affected installations.

Privilege Escalation Umbraco Cms
NVD GitHub VulDB
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-31827 HIGH This Week

Alienbin is an anonymous code and text sharing web service. In 1.0.0 and earlier, the /save endpoint in server.js drops and recreates the MongoDB TTL index on the entire post collection for every new paste submission.

Race Condition Information Disclosure
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-30945 HIGH PATCH This Week

StudioCMS prior to version 0.4.0 allows authenticated editors and above to revoke API tokens belonging to any user, including administrators and owners, due to insufficient authorization checks on the DELETE /studiocms_api/dashboard/api-tokens endpoint. An attacker with editor privileges can exploit this to disable critical integrations and automations by revoking tokens of higher-privileged accounts. No patch is currently available for affected versions.

Denial Of Service Authentication Bypass Studiocms
NVD GitHub VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-28281 HIGH This Week

InstantCMS is a free and open source content management system. versions up to 2.18.1 is affected by cross-site request forgery (csrf) (CVSS 7.1).

CSRF Instantcms
NVD GitHub VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-28494 HIGH PATCH This Week

High severity vulnerability in ImageMagick. A stack buffer overflow exists in ImageMagick's morphology kernel parsing functions. User-controlled kernel strings exceeding a buffer are copied into fixed-size stack buffers via memcpy without bounds checking, resulting in stack corruption.

Linux Buffer Overflow Imagemagick Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-30926 HIGH This Week

SiYuan Note prior to version 3.5.10 contains an insufficient authorization flaw in the /api/block/appendHeadingChildren endpoint that allows authenticated users with read-only (RoleReader) privileges to modify notebook content by appending blocks to documents. The vulnerability exists because the endpoint applies only basic authentication checks instead of enforcing stricter administrative or read-only restrictions. Affected users should upgrade to version 3.5.10 or later, as no workaround is currently available and exploitation requires only network access and valid read-only credentials.

Privilege Escalation Authentication Bypass Siyuan Suse
NVD GitHub
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-24285 HIGH PATCH This Week

Use after free in Windows Win32K allows an authorized attacker to elevate privileges locally. [CVSS 7.0 HIGH]

Use After Free Microsoft Denial Of Service Memory Corruption
NVD VulDB
CVSS 3.1
7.0
EPSS
0.1%
CVE-2026-25179 HIGH PATCH This Week

Windows Ancillary Function Driver for WinSock in Windows Server 2025, 2022, and Windows 10 1809 contains insufficient input validation that allows authenticated local users to escalate privileges. An attacker with local access and valid credentials can exploit this vulnerability to gain elevated system permissions, though no patch is currently available. This HIGH severity vulnerability affects multiple Windows Server and client versions with no active exploit mitigation path.

Information Disclosure Microsoft Windows Server 2025 Windows Server 2022 Windows Server 2022 23h2 +12
NVD VulDB
CVSS 3.1
7.0
EPSS
0.0%
CVE-2026-23668 HIGH PATCH This Week

Local privilege escalation in Microsoft Graphics Component on Windows Server 2016 and Windows 11 23h2 stems from improper synchronization of shared resources, enabling authenticated attackers to gain elevated privileges. The race condition vulnerability requires local access and specific timing conditions but carries high impact potential across confidentiality, integrity, and availability. No patch is currently available for this vulnerability.

Microsoft Industrial Race Condition Windows Server 2016 Windows 11 23h2 +8
NVD VulDB
CVSS 3.1
7.0
EPSS
0.0%
CVE-2026-25178 HIGH PATCH This Week

Windows Ancillary Function Driver for WinSock (AFD) in Windows 11 versions 24h2 and 26h1 contains a use-after-free vulnerability (CWE-416) that allows authenticated local attackers to escalate privileges through memory corruption. An attacker with local access could exploit this flaw to gain elevated system permissions, though no official patch is currently available.

Use After Free Microsoft Denial Of Service Memory Corruption Windows 11 26h1 +14
NVD VulDB
CVSS 3.1
7.0
EPSS
0.0%
CVE-2026-25171 HIGH PATCH This Week

Privilege escalation in Windows Authentication Methods (Windows 10 22H2, Windows 11 26H1) stems from a use-after-free memory vulnerability that allows authenticated local attackers to gain elevated system privileges. The flaw requires low user privileges and manual interaction but provides complete system compromise through code execution. No patch is currently available for this high-severity vulnerability.

Use After Free Microsoft Denial Of Service Memory Corruption Windows 10 22h2 +14
NVD VulDB
CVSS 3.1
7.0
EPSS
0.0%
CVE-2026-25170 HIGH PATCH This Week

Use after free in Windows Hyper-V allows an authorized attacker to elevate privileges locally. [CVSS 7.0 HIGH]

Use After Free Microsoft Denial Of Service Memory Corruption Windows 11 23h2 +7
NVD VulDB
CVSS 3.1
7.0
EPSS
0.0%
CVE-2026-23667 HIGH PATCH This Week

Use after free in Broadcast DVR allows an authorized attacker to elevate privileges locally. [CVSS 7.0 HIGH]

Use After Free Windows 10 1809 Windows 11 26h1 Windows 11 24h2 Windows 11 25h2 +4
NVD VulDB
CVSS 3.1
7.0
EPSS
0.0%
CVE-2026-24296 HIGH PATCH This Week

Privilege escalation in Windows Device Association Service (Windows 10 versions 1607, 1809, and 21H2) stems from improper synchronization of shared resources, enabling local authenticated users to gain elevated system privileges. The vulnerability requires high attack complexity and no user interaction, making it exploitable by insiders or compromised local accounts. No patch is currently available.

Race Condition Microsoft Information Disclosure Windows Server 2022 23h2 Windows Server 2019 +13
NVD VulDB
CVSS 3.1
7.0
EPSS
0.0%
CVE-2026-24295 HIGH PATCH This Week

Privilege escalation in Windows Device Association Service across Windows 10, 11, and Server 2022 stems from improper synchronization of shared resources, enabling local authenticated users to gain elevated system privileges. The vulnerability requires local access and specific timing conditions but poses high risk due to its impact on confidentiality, integrity, and availability. No patch is currently available.

Race Condition Microsoft Information Disclosure Windows Server 2022 23h2 Windows 11 24h2 +12
NVD VulDB
CVSS 3.1
7.0
EPSS
0.0%
CVE-2026-23671 HIGH PATCH This Week

Privilege escalation in the Windows Bluetooth RFCOM Protocol Driver across Windows 11 26h1, Windows Server 2025, and Windows 10 1809 stems from improper synchronization of concurrent access to shared resources. An authenticated local attacker can exploit this race condition to gain elevated privileges on affected systems. No patch is currently available for this vulnerability.

Race Condition Information Disclosure Microsoft Windows 11 26h1 Windows Server 2025 +12
NVD VulDB
CVSS 3.1
7.0
EPSS
0.0%
Prev Page 4 of 4

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy