Skip to main content
CVE-2026-4043 HIGH This Week

Stack-based buffer overflow in Tenda i12 version 1.0.0.6(2204) allows remote authenticated attackers to achieve complete system compromise through improper input validation in the wifiSSIDget function. Public exploit code exists for this vulnerability, and no patch is currently available. An attacker with network access and valid credentials can trigger the overflow via the index parameter to execute arbitrary code with elevated privileges.

Buffer Overflow Tenda
NVD GitHub VulDB
CVSS 4.0
7.4
EPSS
0.0%
CVE-2026-4042 HIGH This Week

Remote code execution in Tenda i12 firmware version 1.0.0.6(2204) via stack-based buffer overflow in the WifiMacFilterGet function allows authenticated attackers to achieve full system compromise. Public exploit code exists for this vulnerability, increasing risk of active exploitation. No patch is currently available.

Buffer Overflow Tenda
NVD GitHub VulDB
CVSS 4.0
7.4
EPSS
0.0%
CVE-2026-4041 HIGH This Week

Stack-based buffer overflow in Tenda i12 1.0.0.6(2204) allows remote attackers with user privileges to achieve complete system compromise through malicious input to the cmdinput parameter in /goform/exeCommand. Public exploit code exists for this vulnerability, and no patch is currently available to remediate the issue.

Buffer Overflow Tenda
NVD GitHub VulDB
CVSS 4.0
7.4
EPSS
0.0%
CVE-2026-4007 HIGH This Week

Stack-based buffer overflow in Tenda W3 1.0.0.3(2204) allows authenticated remote attackers to achieve code execution by manipulating the index parameter in POST requests to /goform/wifiSSIDget. Public exploit code exists for this vulnerability, and no patch is currently available.

Buffer Overflow Tenda
NVD GitHub VulDB
CVSS 4.0
7.4
EPSS
0.0%
CVE-2026-3975 HIGH This Week

Stack-based buffer overflow in Tenda W3 1.0.0.3(2204) allows authenticated remote attackers to achieve full system compromise through manipulation of the wl_radio parameter in the WifiMacFilterGet POST handler. Public exploit code exists for this vulnerability, increasing the risk of active exploitation. No patch is currently available.

Buffer Overflow Tenda
NVD GitHub VulDB
CVSS 4.0
7.4
EPSS
0.0%
CVE-2026-3974 HIGH This Week

Stack-based buffer overflow in Tenda W3 1.0.0.3(2204) HTTP handler allows authenticated remote attackers to execute arbitrary code by sending a crafted request to the /goform/exeCommand endpoint with an oversized cmdinput parameter. Public exploit code exists for this vulnerability, and no patch is currently available.

Buffer Overflow Tenda
NVD GitHub VulDB
CVSS 4.0
7.4
EPSS
0.0%
CVE-2026-3970 HIGH This Week

Stack-based buffer overflow in Tenda i3 1.0.0.6(2204) allows remote authenticated attackers to achieve complete system compromise through manipulation of the index parameter in the wifiSSIDget function. Public exploit code exists for this vulnerability, and no patch is currently available.

Buffer Overflow Tenda
NVD GitHub VulDB
CVSS 4.0
7.4
EPSS
0.0%
CVE-2025-13913 MEDIUM CISA This Month

Inductive Automation Ignition Software is vulnerable to an unauthenticated API endpoint exposure that may allow an attacker to remotely change the "forgot password" recovery email address. [CVSS 6.3 MEDIUM]

Deserialization Ignition
NVD GitHub VulDB
CVSS 4.0
5.4
EPSS
0.0%
CVE-2026-3972 HIGH This Week

Stack-based buffer overflow in Tenda W3 firmware 1.0.0.3(2204) HTTP handler allows adjacent network attackers to achieve remote code execution without authentication. The vulnerability resides in the formSetCfm function's handling of the funcpara1 parameter at /goform/setcfm. Public exploit code is available on GitHub, though EPSS probability remains low at 0.03% (7th percentile), indicating limited real-world exploitation activity. CISA KEV does not list this vulnerability, suggesting no confirmed widespread or targeted exploitation campaigns.

Buffer Overflow Tenda
NVD GitHub VulDB
CVSS 4.0
7.4
EPSS
0.0%
CVE-2026-3497 MEDIUM PATCH This Month

Vulnerability in the OpenSSH GSSAPI delta included in various Linux distributions. This vulnerability affects the GSSAPI patches added by various Linux distributions and does not affect the OpenSSH upstream project itself.

SSH Information Disclosure Microsoft Ubuntu Linux Openssh +2
NVD VulDB
CVSS 4.0
6.9
EPSS
0.1%
CVE-2026-28254 MEDIUM This Month

A Missing Authorization vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge could allow an unauthenticated attacker to access sensitive information through unprotected APIs.

Authentication Bypass Tracer Sc Firmware Tracer Concierge
NVD VulDB
CVSS 4.0
6.9
EPSS
0.1%
CVE-2026-28256 MEDIUM This Month

A Use of Hard-coded, Security-relevant Constants vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge could allow an attacker to disclose sensitive information and take over accounts.

Information Disclosure Tracer Sc Firmware Tracer Concierge
NVD VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-2808 MEDIUM PATCH This Month

Medium severity vulnerability in HashiCorp Consul. HashiCorp Consul and Consul Enterprise 1.18.20 up to 1.21.10 and 1.22.4 are vulnerable to arbitrary file read when configured with Kubernetes authentication. This vulnerability, CVE-2026-2808, is fixed in Consul 1.18.21, 1.21.11 and 1.22.5.

Kubernetes Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
6.8
EPSS
0.1%
CVE-2026-32259 MEDIUM PATCH This Month

ImageMagick is free and open-source software used for editing and manipulating digital images. versions up to 7.1.2-16 is affected by stack-based buffer overflow (CVSS 6.7).

Stack Overflow Buffer Overflow Imagemagick Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
6.7
EPSS
0.0%
CVE-2026-32269 MEDIUM PATCH This Month

Parse Server's OAuth2 authentication adapter fails to properly validate app IDs when appidField and appIds are configured, allowing attackers to bypass authentication restrictions or cause login failures depending on the introspection endpoint's response handling. Deployments using this specific OAuth2 configuration are vulnerable to authentication bypass if the endpoint accepts malformed requests. A patch is available in versions 9.6.0-alpha.13 and 8.6.39.

Information Disclosure Node.js Parse Server
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-32320 MEDIUM PATCH This Month

Medium severity vulnerability in Ella Networks Core. Ella Core panics when processing a PathSwitchRequest containing UE Security Capabilities with zero-length NR encryption or integrity protection algorithm bitstrings, resulting in a denial of service.

Denial Of Service Information Disclosure Buffer Overflow Suse
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-66955 MEDIUM This Month

CVE-2025-66955 is a security vulnerability (CVSS 6.5) that allows remote authenticated users. Remediation should follow standard vulnerability management procedures.

Information Disclosure Path Traversal Live
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-32240 MEDIUM PATCH This Month

n Proto is a data interchange format and capability-based RPC system. versions up to 1.4.0 contains a vulnerability that allows attackers to HTTP request/response smuggling.

Information Disclosure Capnproto Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-32239 MEDIUM PATCH This Month

n Proto is a data interchange format and capability-based RPC system. versions up to 1.4.0 is affected by integer overflow or wraparound.

Information Disclosure Integer Overflow Capnproto Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-1525 MEDIUM PATCH This Month

Undici fails to normalize HTTP header names when processing arrays, allowing duplicate Content-Length headers with case-variant names (e.g., "Content-Length" and "content-length") to be sent in malformed requests. Applications using undici's low-level APIs with user-controlled header inputs are vulnerable to request rejection by strict HTTP parsers or potential HTTP request smuggling attacks if intermediaries and backend servers interpret conflicting header values inconsistently. No patch is currently available.

Denial Of Service Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-32251 MEDIUM This Month

Tolgee is an open-source localization platform. versions up to 3.166.3 is affected by improper restriction of xml external entity reference.

XXE Google Android
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-31841 MEDIUM PATCH This Month

Medium severity vulnerability in See description. Hyperterse allows users to specify database queries for tools to execute under the hood. As of [v2.0.0](https://github.com/hyperterse/hyperterse/releases/tag/v2.0.0), there are only two tools exposed - `search` and `execute`.

Information Disclosure AI / ML
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-61154 MEDIUM This Month

Heap buffer overflow vulnerability in LibreDWG versions v0.13.3.7571 up to v0.13.3.7835 allows a crafted DWG file to cause a Denial of Service (DoS) via the function decompress_R2004_section at decode.c.

Buffer Overflow Denial Of Service Heap Overflow Libredwg
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-24125 MEDIUM PATCH This Month

Medium severity vulnerability in TinaCMS. ### Description

Path Traversal Tinacms Graphql
NVD GitHub VulDB
CVSS 3.1
6.3
EPSS
0.1%
CVE-2026-4039 MEDIUM PATCH This Month

Code injection in OpenClaw 2026.2.19 and earlier through the Skill Env Handler's applySkillConfigenvOverrides function allows authenticated remote attackers to execute arbitrary code with low integrity and confidentiality impact. An authenticated user can manipulate environment configuration settings to inject malicious code that executes in the context of the application. Mitigation requires upgrading to version 2026.2.21-beta.1 or later, as no official patch is currently available for production releases.

Code Injection Openclaw
NVD GitHub VulDB
CVSS 3.1
6.3
EPSS
0.1%
CVE-2026-0809 MEDIUM This Month

Use of a custom token encoding algorithm in Streamsoft Prestiż software allows the value of the KSeF (Krajowy System e-Faktur) token to be guessed after analyzing how tokens with know values are encoded. This issue was fixed in version 20.0.380.92.

Information Disclosure
NVD VulDB
CVSS 4.0
6.3
EPSS
0.0%
CVE-2026-2987 MEDIUM This Month

Unauthenticated attackers can inject malicious scripts into WordPress sites running the Simple Ajax Chat plugin (versions up to 20260217) through improper sanitization of the 'c' parameter, allowing arbitrary JavaScript execution in victim browsers. The vulnerability affects any user viewing an injected page and requires no user interaction beyond normal site access. No patch is currently available for this stored XSS vulnerability.

WordPress XSS
NVD VulDB
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-31860 MEDIUM PATCH This Month

## Summary `useHeadSafe()` can be bypassed to inject arbitrary HTML attributes, including event handlers, into SSR-rendered `<head>` tags. This is the composable that Nuxt docs recommend for safely handling user-generated content. ## Details **XSS via `data-*` attribute name injection** The `acceptDataAttrs` function (safe.ts, line 16-20) allows any property key starting with `data-` through to the final HTML. It only checks the prefix, not whether the key contains spaces or other characters that break HTML attribute parsing. ```typescript function acceptDataAttrs(value: Record<string, string>) { return Object.fromEntries( Object.entries(value || {}).filter(([key]) => key === 'id' || key.startsWith('data-')), ) } ``` This result gets merged into every tag's props at line 114: ```typescript tag.props = { ...acceptDataAttrs(prev), ...next } ``` Then `propsToString` (propsToString.ts, line 26) interpolates property keys directly into the HTML string with no sanitization: ```typescript attrs += value === true ? ` ${key}` : ` ${key}="${encodeAttribute(value)}"` ``` A space in the key breaks out of the attribute name. Everything after the space becomes separate HTML attributes. ### PoC The most practical vector uses a `link` tag. `<link rel="stylesheet">` fires `onload` once the stylesheet loads, giving reliable script execution: ```javascript useHeadSafe({ link: [{ rel: 'stylesheet', href: '/valid-stylesheet.css', 'data-x onload=alert(document.domain) y': 'z' }] }) ``` SSR output: ```html <link data-x onload=alert(document.domain) y="z" rel="stylesheet" href="/valid-stylesheet.css"> ``` The browser parses `onload=alert(document.domain)` as its own attribute. Once the stylesheet loads, the handler fires. The same injection works on any tag type since `acceptDataAttrs` is applied to all of them at line 114. Here's the same thing on a `meta` tag (the injected attributes render, though `onclick` doesn't fire on non-interactive `<meta>` elements): ```javascript useHeadSafe({ meta: [{ name: 'description', content: 'legitimate content', 'data-x onclick=alert(document.domain) y': 'z' }] }) ``` ### Realistic scenario A Nuxt app accepts SEO metadata from a CMS or user profile. The developer uses `useHeadSafe()` as the docs recommend. An attacker puts a `data-*` key with spaces and an event handler into their input. The payload renders into the HTML on every page load. ## Suggested fix For vulnerability 1, validate that attribute names only contain characters legal in HTML attributes: ```typescript const SAFE_ATTR_RE = /^[a-zA-Z][a-zA-Z0-9\-]*$/ function acceptDataAttrs(value: Record<string, string>) { return Object.fromEntries( Object.entries(value || {}).filter( ([key]) => (key === 'id' || key.startsWith('data-')) && SAFE_ATTR_RE.test(key) ), ) } ```

XSS Unhead
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-2581 MEDIUM PATCH This Month

Node.js Undici's response deduplication feature accumulates response bodies in memory instead of streaming them, allowing remote attackers to trigger denial of service through large or concurrent responses from untrusted endpoints. Applications using the deduplicate() interceptor are vulnerable to out-of-memory crashes when processing large or chunked responses. No patch is currently available.

Node.js Denial Of Service Undici Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-32235 MEDIUM PATCH This Month

Medium severity vulnerability in See description. #

Open Redirect Red Hat
NVD GitHub
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-3099 MEDIUM PATCH This Month

Libsoup's digest authentication mechanism fails to validate nonce reuse and enforce proper nonce-count incrementation, enabling attackers to replay captured authentication headers to bypass access controls. A remote attacker can exploit this to impersonate legitimate users and access protected resources without valid credentials. No patch is currently available.

Authentication Bypass Red Hat Suse
NVD VulDB
CVSS 3.1
5.8
EPSS
0.1%
CVE-2023-1289 MEDIUM POC PATCH This Month

Medium severity vulnerability in ImageMagick. # Specially crafted SVG file make segmentation fault and generate trash files in "/tmp", possible to leverage DoS.

Denial Of Service PHP Debian Docker Red Hat +1
NVD GitHub
CVSS 3.1
5.5
EPSS
0.1%
CVE-2026-4014 MEDIUM This Month

SQL injection in the registration module of itsourcecode Cafe Reservation System 1.0 allows unauthenticated remote attackers to manipulate the Username parameter and execute arbitrary SQL queries. Public exploit code exists for this vulnerability, which provides attackers with potential access to sensitive data and database manipulation capabilities. No patch is currently available.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-3981 MEDIUM This Month

SQL injection in itsourcecode Online Doctor Appointment System 1.0 allows unauthenticated remote attackers to manipulate the ID parameter in /admin/doctor_action.php, potentially gaining unauthorized access to sensitive data and modifying database records. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-3980 MEDIUM This Month

SQL injection in the Online Doctor Appointment System 1.0 admin panel allows unauthenticated remote attackers to manipulate the patient_id parameter and execute arbitrary database queries. The vulnerability affects the /admin/patient_action.php file and enables attackers to compromise data confidentiality, integrity, and availability. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-3969 MEDIUM This Month

FeMiner WMS versions up to 1.0 contain a SQL injection vulnerability in the department addition module that allows unauthenticated remote attackers to manipulate the Name parameter and execute arbitrary database queries. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires no user interaction and can compromise the confidentiality, integrity, and availability of the underlying database.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-32139 MEDIUM This Month

Stored XSS in Dataease 2.10.19 and earlier allows authenticated users to upload malicious SVG files that bypass backend validation by lacking proper sanitization of event handlers and script-capable attributes. An attacker can exploit this vulnerability to execute arbitrary JavaScript in victims' browsers when they access the uploaded static resource, achieving persistent code execution. The vulnerability was patched in version 2.10.20.

XSS Dataease
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-3977 MEDIUM This Month

ProjectSend up to revision 1945 contains an authorization bypass in its AJAX endpoints that allows authenticated attackers to manipulate functionality without proper access controls. An attacker with valid credentials can exploit this vulnerability to gain unauthorized access to sensitive operations across the application. No patch is currently available, though a fix has been identified in commit 35dfd6f08f7d517709c77ee73e57367141107e6b.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-4013 MEDIUM This Month

Improper authorization in SourceCodester Web-based Pharmacy Product Management System 1.0's add_admin.php allows authenticated remote attackers to gain unauthorized access or modify system data with low complexity. The vulnerability affects confidentiality, integrity, and availability of the affected application. No patch is currently available.

PHP Information Disclosure
NVD VulDB
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-32142 MEDIUM This Month

Shopware is an open commerce platform. /api/_info/config route exposes information about licenses. [CVSS 5.3 MEDIUM]

Information Disclosure
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-32100 MEDIUM This Month

The Shopware /api/_info/config endpoint publicly discloses information about active security patches without authentication, allowing remote attackers to enumerate implemented security fixes and potentially identify applicable exploits for unpatched instances. This information disclosure affects Shopware versions prior to 2.0.16, 3.0.12, and 4.0.7, where no patch is currently available for earlier releases.

Information Disclosure
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-32249 MEDIUM PATCH This Month

command line text editor. From 9.1.0011 to versions up to 9.2.0137 is affected by null pointer dereference (CVSS 5.3).

Null Pointer Dereference Denial Of Service Vim Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-2376 MEDIUM This Month

Authenticated users in mirror-registry can exploit open redirect functionality to access internal or restricted systems by supplying malicious URLs that the application blindly follows without destination validation. This allows attackers with valid credentials to bypass access controls and reach systems they should not have permission to interact with. No patch is currently available for this medium-severity vulnerability.

Open Redirect
NVD GitHub VulDB
CVSS 3.1
4.9
EPSS
0.0%
CVE-2026-31890 MEDIUM This Month

Silent event loss in Inspektor Gadget prior to 0.50.1 allows local attackers to cause denial of service by filling the 256KB ring-buffer, which triggers undetected data drops without alerting users or administrators. When the buffer becomes full, gadgets silently discard events and fail to report the loss count, potentially hiding critical system events from Kubernetes cluster and Linux host monitoring. A local attacker with limited privileges can exploit this to obscure malicious activity or system anomalies by saturating the instrumentation buffer.

Linux Kubernetes Denial Of Service Suse
NVD GitHub VulDB
CVSS 4.0
4.8
EPSS
0.0%
CVE-2026-1527 MEDIUM PATCH This Month

CRLF injection in undici's HTTP upgrade handling allows authenticated attackers to inject arbitrary headers and perform request smuggling attacks against backend services like Redis and Elasticsearch when user input is passed unsanitized to the upgrade option. The vulnerability stems from insufficient validation of the upgrade parameter before writing to the socket, enabling attackers to terminate HTTP requests prematurely and route malicious data to non-HTTP protocols. This requires prior authentication and user interaction, with no patch currently available.

Code Injection Redis Elastic Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
4.6
EPSS
0.0%
CVE-2026-32237 MEDIUM PATCH This Month

### Impact Authenticated users with permission to execute scaffolder dry-runs can gain access to server-configured environment secrets through the dry-run API response. Secrets are properly redacted in log output but not in all parts of the response payload. Deployments that have configured `scaffolder.defaultEnvironment.secrets` are affected. ### Patches This is patched in `@backstage/plugin-scaffolder-backend` version 3.1.5 ### Workarounds Remove or empty the `scaffolder.defaultEnvironment.secrets` configuration from `app-config.yaml`. Alternatively, restrict access to the scaffolder dry-run functionality via the permissions framework. ### References - [Backstage Scaffolder Backend documentation](https://backstage.io/docs/features/software-templates/)

Information Disclosure Backstage Plugin Scaffolder Backend
NVD GitHub
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-3234 MEDIUM This Month

mod_proxy_cluster's decodeenc() function is vulnerable to CRLF injection, enabling unauthenticated attackers with network access to the MCMP protocol port to manipulate cluster configuration and corrupt INFO endpoint responses. This input validation bypass affects systems relying on mod_proxy_cluster for load balancing and cluster management. No patch is currently available for this medium-severity vulnerability.

Authentication Bypass Red Hat
NVD VulDB
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-2687 MEDIUM This Month

The Reading progressbar WordPress plugin fails to properly clean user inputs in its settings, allowing administrators to inject malicious code that gets stored and executed when other users view the site. This affects WordPress installations using this plugin before version 1.3.1, particularly multisite setups. An admin-level attacker could execute arbitrary JavaScript in visitors' browsers to steal data or compromise accounts.

WordPress XSS
NVD WPScan VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-3226 MEDIUM This Month

LearnPress WordPress LMS Plugin versions up to 4.3.2.8 allow authenticated subscribers and above to trigger unauthorized email notifications due to missing capability validation in the SendEmailAjax class, enabling attackers to flood admins and users with emails or conduct social engineering attacks. The vulnerability exploits a valid wp_rest nonce that is publicly exposed in frontend JavaScript, combined with insufficient permission checks in the AJAX dispatcher, allowing low-privileged users to impersonate administrative communications. No patch is currently available for this medium-severity issue.

WordPress Authentication Bypass
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-1182 MEDIUM This Month

An authenticated user could view confidential issue titles in public GitLab projects that they shouldn't have access to due to a flaw in access controls. This affects GitLab CE/EE versions 8.14 through 18.9.1, impacting any organization using these versions. An attacker with a GitLab account could exploit this to read sensitive information hidden in issue titles, potentially exposing confidential project details.

Authentication Bypass Gitlab
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
Prev Page 3 of 4 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy