Skip to main content
CVE-2026-32304 CRITICAL POC PATCH Act Now

create_function() sandbox bypass via unsanitized args passed to Function constructor. PoC available.

Node.js RCE PHP Code Injection
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-15060 CRITICAL Act Now

Command injection RCE in claude-hovercraft tool. EPSS 1.3%.

Command Injection RCE AI / ML Claude Hovercraft
NVD
CVSS 3.0
9.8
EPSS
1.3%
CVE-2026-26954 CRITICAL PATCH Act Now

SandboxJS sandbox escape before 0.8.34 via Function access through arrays. CVSS 10.0.

RCE Code Injection Sandboxjs
NVD GitHub VulDB
CVSS 3.1
10.0
EPSS
0.0%
CVE-2026-32306 CRITICAL PATCH Act Now

SQL injection in OneUptime telemetry API before 10.0.23.

RCE SQLi Oneuptime
NVD GitHub VulDB
CVSS 3.1
9.9
EPSS
0.2%
CVE-2026-32621 CRITICAL PATCH Act Now

Prototype pollution in Apollo Federation before multiple versions.

Information Disclosure Prototype Pollution
NVD GitHub
CVSS 3.1
9.9
EPSS
0.0%
CVE-2026-3891 CRITICAL Act Now

Arbitrary file upload in Pix for WooCommerce WordPress plugin.

File Upload RCE WordPress
NVD VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-25823 CRITICAL Act Now

Stack overflow in HMS Networks Ewon Flexy/Cosy+ firmware.

RCE Buffer Overflow Denial Of Service Stack Overflow
NVD VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-32746 CRITICAL POC PATCH Act Now

OOB write in GNU inetutils telnetd through 2.7 via LINEMODE SLC handler.

Buffer Overflow Inetutils
NVD VulDB GitHub Exploit-DB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-32626 CRITICAL Act Now

XSS in AnythingLLM 1.11.1 and earlier.

XSS RCE AI / ML Anything Llm
NVD GitHub
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-31806 CRITICAL PATCH Act Now

Heap buffer overflow in FreeRDP's NSCodec surface-bits handler (versions prior to 3.24.0) lets a malicious or compromised RDP server corrupt heap memory on connecting clients. The gdi_surface_bits() path passes server-supplied bmp.width and bmp.height into nsc_process_message() without validating them against the actual desktop dimensions, and because the attacker also controls the decoded pixel data, the out-of-bounds write can overwrite adjacent heap allocations with attacker-chosen bytes - a potential path to remote code execution. EPSS is low (0.04%, 13th percentile) and there is no public exploit identified at time of analysis.

Buffer Overflow Heap Overflow Freerdp
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.0%
CVE-2026-32301 CRITICAL POC PATCH Act Now

SSRF in Centrifugo real-time messaging before 6.7.0.

SSRF Centrifugo Suse
NVD GitHub VulDB
CVSS 3.1
9.3
EPSS
0.0%
CVE-2026-31886 CRITICAL PATCH Act Now

Path traversal via dagRunId in DAG execution endpoints.

Python Authentication Bypass Denial Of Service Path Traversal Docker +1
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-32367 CRITICAL Act Now

RCE via code injection in Modal Dialog WordPress plugin.

Code Injection RCE Modal Dialog
NVD
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-25818 CRITICAL Act Now

Weak encryption in HMS Networks Ewon Flexy/Cosy+ firmware.

Information Disclosure
NVD VulDB
CVSS 3.1
9.1
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy