Skip to main content
CVE-2025-15473 MEDIUM This Month

The Timetics WordPress plugin before 1.0.52 does not have authorization in a REST endpoint, allowing unauthenticated users to arbitrarily change a booking's payment status and post status for the "timetics-booking" custom post type. [CVSS 4.3 MEDIUM]

WordPress Authentication Bypass
NVD WPScan VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-4040 LOW PATCH Monitor

A vulnerability was identified in OpenClaw versions up to 2026.2.17. is affected by information exposure (CVSS 3.3).

Information Disclosure Openclaw
NVD GitHub VulDB
CVSS 3.1
3.3
EPSS
0.0%
CVE-2026-2366 LOW Monitor

A flaw was found in Keycloak. An authorization bypass vulnerability in the Keycloak Admin API allows any authenticated user, even those without administrative privileges, to enumerate the organization memberships of other users. This information disclosure occurs if the attacker knows the victim's unique identifier (UUID) and the Organizations feature is enabled.

Information Disclosure Authentication Bypass
NVD VulDB
CVSS 3.1
3.1
EPSS
0.0%
CVE-2026-4045 LOW Monitor

A flaw has been found in projectsend up to r1945. This impacts an unknown function of the file includes/Classes/Auth.php. [CVSS 3.7 LOW]

PHP Information Disclosure
NVD VulDB
CVSS 4.0
2.9
EPSS
0.0%
CVE-2026-3965 LOW PATCH Monitor

Medium severity vulnerability in See description. A security vulnerability has been detected in whyour qinglong up to 2.20.1. Affected is an unknown function of the file back/loaders/express.ts of the component API Interface. The manipulation of the argument command leads to protection mechanism failure. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 2.20.2 is able to address...

Information Disclosure
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2026-3992 LOW Monitor

CodeGenieApp's serverless-express library (versions up to 4.17.1) contains an injection vulnerability in its Users Endpoint that allows attackers to manipulate filter arguments and execute unauthorized commands remotely. This affects applications using the vulnerable versions of this library. An attacker could exploit this to inject malicious code, potentially gaining unauthorized access to user data or taking control of affected systems.

Code Injection
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-3968 LOW Monitor

AutohomeCorp's frostmourne application (version 1.0 and earlier) allows attackers to inject malicious code through the EXPRESSION parameter in the ExpressionRule.java component, which uses Oracle's Nashorn JavaScript engine without proper input validation. This vulnerability affects users of frostmourne and can be exploited remotely by unauthenticated attackers to execute arbitrary code on affected systems. The vendor has not responded to disclosure attempts, leaving users vulnerable to potential system compromise.

Java Information Disclosure Oracle
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-3967 LOW Monitor

Unsafe deserialization in Alfresco Activiti up to versions 7.19 and 8.8.0 allows authenticated remote attackers to achieve arbitrary code execution through the Process Variable Serialization System component. An attacker with valid credentials can manipulate serialized objects during deserialization to execute malicious code on the affected system. Public exploit code is available and no patch has been released by the vendor.

Java Deserialization
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-3966 LOW Monitor

Server-side request forgery in wvp-GB28181-pro up to version 2.7.4-20260107 allows authenticated attackers to manipulate the MediaServer.streamIp parameter in the IP Address Handler component, enabling arbitrary network requests from the affected server. Public exploit code exists for this vulnerability, and the vendor has not provided a patch or response to the disclosure.

Java SSRF
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-3993 LOW Monitor

Reflected cross-site scripting (XSS) in itsourcecode Payroll Management System 1.0 exists in the /manage_employee_deductions.php file via unsanitized ID parameters, allowing remote attackers to inject malicious scripts that execute in users' browsers. Public exploit code is available and the vulnerability remains unpatched. Successful exploitation requires user interaction but can lead to session hijacking, credential theft, or unauthorized payroll data manipulation.

PHP XSS
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-3982 LOW Monitor

Cross-site scripting (XSS) in the /view_result.php endpoint of PHP-based University Management System 1.0 allows unauthenticated remote attackers to inject malicious scripts through the vr parameter. Public exploit code exists for this vulnerability, which requires user interaction to execute. The vulnerability has no available patch and affects the integrity of affected applications.

PHP XSS
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-3990 LOW Monitor

Stored cross-site scripting in CesiumJS up to version 1.137.0 allows unauthenticated remote attackers to inject malicious scripts through the parameter 'c' in Apps/Sandcastle/standalone.html, with public exploit code already available. While the vendor classifies this as demo code outside the core library product, the vulnerability affects users running vulnerable versions of the application. No patch is currently available.

XSS
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-4044 LOW Monitor

A vulnerability was detected in projectsend up to r1945. This affects the function realpath of the file /import-orphans.php of the component Delete Handler. [CVSS 3.8 LOW]

PHP Path Traversal
NVD VulDB
CVSS 4.0
2.0
EPSS
0.1%
CVE-2025-13462 LOW PATCH Monitor

The "tarfile" module would still apply normalization of AREGTYPE (\x00) blocks to DIRTYPE, even while processing a multi-block member such as GNUTYPE_LONGNAME or GNUTYPE_LONGLINK. This could result in a crafted tar archive being misinterpreted by the tarfile module compared to other implementations.

Information Disclosure Python
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-3984 LOW Monitor

A weakness has been identified in Campcodes Division Regional Athletic Meet Game Result Matrix System 2.1. This vulnerability affects unknown code of the file save_up_athlete.php. [CVSS 3.5 LOW]

PHP XSS
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-3983 LOW Monitor

A security flaw has been discovered in Campcodes Division Regional Athletic Meet Game Result Matrix System 2.1. This affects an unknown part of the file save-games.php. [CVSS 3.5 LOW]

PHP XSS
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-4010 LOW Monitor

A vulnerability was found in ThakeeNathees pocketlang up to cc73ca61b113d48ee130d837a7a8b145e41de5ce. The affected element is the function pkByteBufferAddString. [CVSS 3.3 LOW]

Buffer Overflow
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-4016 LOW Monitor

Out-of-bounds write in GPAC 26.03-DEV's SVG parser allows local attackers with user privileges to corrupt memory and potentially execute code through a malicious SVG file. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires local system access but no user interaction beyond opening a crafted SVG document.

Buffer Overflow
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-4015 LOW Monitor

Stack-based buffer overflow in GPAC 26.03-DEV's TeXML file parser (txtin_process_texml function) allows local attackers with user privileges to corrupt memory and potentially execute arbitrary code. Public exploit code exists for this vulnerability, making it an immediate concern for systems processing untrusted TeXML files. No patch is currently available, requiring users to implement alternative mitigations or restrict access to the affected parser.

Buffer Overflow
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-4009 LOW Monitor

A vulnerability has been found in jarikomppa soloud up to 20200207. Impacted is the function drwav_read_pcm_frames_s16__msadpcm in the library src/audiosource/wav/dr_wav.h of the component WAV File Parser. The manipulation leads to out-of-bounds read. The attack needs to be performed locally. The exploit has been disclosed to the public and may be used. Upgrading to version 20200207 is recommen...

Buffer Overflow
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-3994 LOW Monitor

Heap-based buffer overflow in mold linker versions up to 2.40.4 allows local attackers with user privileges to corrupt memory and potentially execute code through the X86_64 object file initialization function. Public exploit code is available for this vulnerability. The maintainer has not yet released a patch despite early notification.

Buffer Overflow
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-3979 LOW Monitor

Use-after-free vulnerability in quickjs-ng through version 0.12.1 allows local attackers to corrupt memory and potentially execute arbitrary code via the js_iterator_concat_return function in quickjs.c. Public exploit code exists for this vulnerability. A local account is required to trigger the flaw, which affects confidentiality, integrity, and availability of the affected system.

Buffer Overflow Denial Of Service
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-4012 LOW Monitor

A vulnerability was determined in rxi fe up to ed4cda96bd582cbb08520964ba627efb40f3dd91. The impacted element is the function read_ of the file src/fe.c. [CVSS 3.3 LOW]

Buffer Overflow
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-32236 LOW PATCH Monitor

### Impact A Server-Side Request Forgery (SSRF) vulnerability exists in `@backstage/plugin-auth-backend` when `auth.experimentalClientIdMetadataDocuments.enabled` is set to `true`. The CIMD metadata fetch validates the initial `client_id` hostname against private IP ranges but does not apply the same validation after HTTP redirects. The practical impact is limited. The attacker cannot read the response body from the internal request, cannot control request headers or method, and the feature must be explicitly enabled via an experimental flag that is off by default. Deployments that restrict `allowedClientIdPatterns` to specific trusted domains are not affected. ### Patches Patched in `@backstage/plugin-auth-backend` version `0.27.1`. The fix disables HTTP redirect following when fetching CIMD metadata documents. ### Workarounds Disable the experimental CIMD feature by removing or setting `auth.experimentalClientIdMetadataDocuments.enabled` to `false` in your app-config. This is the default configuration. Alternatively, restrict `allowedClientIdPatterns` to specific trusted domains rather than using the default wildcard pattern. ### References - [IETF Client ID Metadata Document draft](https://datatracker.ietf.org/doc/draft-ietf-oauth-client-id-metadata-document/) - [MCP Authorization Specification - Client ID Metadata Documents](https://modelcontextprotocol.io/specification/2025-11-25/basic/authorization#client-id-metadata-documents)

SSRF Backstage
NVD GitHub
CVSS 4.0
1.7
EPSS
0.0%
CVE-2026-28384 This Week

unprivileged user to execute commands as the LXD daemon on the LXD server via API calls to the image and backup endpoints. This issue affected LXD from 4.12 versions up to 6.6 is affected by os command injection.

Command Injection
NVD GitHub VulDB
EPSS
0.1%
CVE-2026-32232 PATCH Monitor

### Summary Workspace boundary enforcement currently has three related bypass risks. This issue tracks fixing all three in one pull request. ### Details #### R1 - Dangling Symlink Component Bypass - What happens: Path validation can miss dangling symlink components during traversal checks. - Why it matters: A symlink that is unresolved at validation time can later resolve to an external location. - Impact: Read and write operations may escape workspace boundaries. - Affected area: src/security/path.rs (check_symlink_escape). #### R2 - TOCTOU Between Validation and Use - What happens: The path is validated first, then used later for filesystem operations. - Why it matters: A concurrent filesystem change can swap path components after validation but before open/write. - Impact: Race-based workspace escape is possible. - Affected area: Filesystem and file-consuming tools that call validate_path_in_workspace before I/O. #### R3 - Hardlink Alias Bypass - What happens: A file inside workspace can be a hardlink to an inode outside the intended workspace trust boundary. - Why it matters: Prefix and symlink checks can pass while data access still mutates or reads external content. - Impact: Policy bypass for read/write operations. - Affected area: Any tool that reads or writes via validated paths. #### Risk Matrix | ID | Risk | Severity | Likelihood | Impact | |---|---|---|---|---| | R1 | Dangling symlink component bypass | High | Medium | Workspace boundary escape for read/write | | R2 | Validate/use TOCTOU race | High | Medium | Race-based boundary escape during file I/O | | R3 | Hardlink alias bypass | Medium | Low-Medium | External inode read/write through in-workspace path | ### PoC #### R1 - Dangling symlink component bypass 1. Create a symlink inside workspace pointing to a missing target. 2. Validate a path traversing that symlink. 3. Create the target directory outside workspace after validation. 4. Perform file operation and observe potential boundary escape if not fail-closed. #### R2 - TOCTOU between validation and use 1. Validate a candidate in-workspace path. 2. Before open/write, replace an intermediate component with a link to external location. 3. Continue with the file operation. 4. Observe boundary escape if operation trusts only stale validation result. #### R3 - Hardlink alias bypass 1. Place a hardlink inside workspace that points to an external inode. 2. Validate the in-workspace hardlink path. 3. Read or write through this path. 4. Observe external inode access through a path that appears in-scope. ### Impacts Unauthorized cross path boundary ## Credit [@zpbrent](https://github.com/zpbrent) ### Patch [f50c17e11ae3e2d40c96730abac41974ef2ee2a8](https://github.com/qhkm/zeptoclaw/commit/f50c17e11ae3e2d40c96730abac41974ef2ee2a8)

Path Traversal Race Condition
NVD GitHub
EPSS
0.1%
CVE-2026-2513 This Week

This vulnerability allows attackers to trick administrators into performing unintended actions within Flowmon ADS by clicking malicious links while logged in. It affects Progress Flowmon ADS versions before 12.5.5 and 13.0.3. An attacker could exploit an administrator's authenticated session to make unauthorized changes to the system without the administrator's knowledge or consent.

XSS
NVD VulDB
EPSS
0.0%
CVE-2026-31873 NONE PATCH Awaiting Data

The `link.href` check in `makeTagSafe` (safe.ts, line 68-71) uses `String.includes()`, which is case-sensitive: ```typescript if (key === 'href') { if (val.includes('javascript:') || val.includes('data:')) { return } next[key] = val } ``` Browsers treat URI schemes case-insensitively. `DATA:text/css,...` is the same as `data:text/css,...` to the browser, but `'DATA:...'.includes('data:')` returns `false`. ### PoC ```javascript useHeadSafe({ link: [{ rel: 'stylesheet', href: 'DATA:text/css,body{display:none}' }] }) ``` SSR output: ```html <link rel="stylesheet" href="DATA:text/css,body{display:none}"> ``` The browser loads this as a CSS stylesheet. An attacker can inject arbitrary CSS for UI redressing or data exfiltration via CSS attribute selectors with background-image callbacks. Any case variation works: `DATA:`, `Data:`, `dAtA:`, `JAVASCRIPT:`, etc. ## Suggested fix ```typescript if (key === 'href') { const lower = val.toLowerCase() if (lower.includes('javascript:') || lower.includes('data:')) { return } next[key] = val } ```

XSS Unhead
NVD GitHub
EPSS
0.0%
CVE-2026-2514 This Week

In Progress Flowmon ADS versions prior to 12.5.5 and 13.0.3, a vulnerability exists whereby an adversary with access to Flowmon monitoring ports may craft malicious network data that, when processed by Flowmon ADS and viewed by an authenticated user, could result in unintended actions being executed in the user's browser context.

XSS
NVD VulDB
EPSS
0.0%
CVE-2025-15037 Monitor

An Incorrect Permission Assignment vulnerability exists in the ASUS Business System Control Interface driver.

Linux RCE Information Disclosure
NVD VulDB
EPSS
0.0%
CVE-2025-15038 This Week

An Out-of-Bounds Read vulnerability exists in the ASUS Business System Control Interface driver. This vulnerability can be triggered by an unprivileged local user sending a specially crafted IOCTL  request, potentially leading to a disclosure of kernel information or a system crash.

Linux
NVD VulDB
EPSS
0.0%
CVE-2026-1878 Monitor

An Insufficient Integrity Verification vulnerability in the ASUS ROG peripheral driver installation process allows privilege escalation to SYSTEM. The vulnerability is due to improper access control on the installation directory, which enables the exploitation of a race condition where the legitimate installer is substituted with an unexpected payload immediately after download, resulting in arbitrary code execution. Refer to the "Security Update for ASUS ROG peripheral driver" section on the...

Privilege Escalation
NVD VulDB
EPSS
0.0%
Prev Page 4 of 4

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy