Skip to main content
CVE-2026-27459 HIGH PATCH This Week

Buffer overflow in pyOpenSSL's cookie generation callback allows attackers to corrupt memory and potentially achieve remote code execution by supplying oversized cookie values exceeding 256 bytes. The vulnerability affects applications using custom cookie callbacks with OpenSSL integration, where insufficient length validation permits writing beyond allocated buffer boundaries. A patch is available that implements proper cookie size validation.

OpenSSL Buffer Overflow
NVD GitHub VulDB
CVSS 4.0
7.2
EPSS
0.0%
CVE-2026-32264 HIGH PATCH This Week

Remote code execution in Craft CMS allows authenticated administrators with control panel access to execute arbitrary code by exploiting an incomplete patch that left the same vulnerable gadget chain pattern in multiple controllers. The vulnerability requires administrative privileges and the allowAdminChanges setting to be enabled, limiting exposure to trusted users with elevated access. Craft CMS versions before 4.17.5 and 5.9.11 are affected and should be patched immediately.

PHP Information Disclosure
NVD GitHub VulDB
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-32263 HIGH PATCH This Week

Unsafe deserialization of untrusted user input in PHP Craft CMS allows authenticated high-privilege users to inject arbitrary Yii2 behaviors and event handlers, enabling remote code execution through the EntryTypesController. An incomplete prior patch for a similar vulnerability left the same dangerous pattern in place, permitting attackers with administrative access to manipulate application configuration and achieve full system compromise. A patch is available to properly sanitize configuration inputs before processing.

Code Injection PHP
NVD GitHub VulDB
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-20999 HIGH This Week

Smart Switch versions prior to 3.7.69.15 contain a replay attack vulnerability in the authentication mechanism that allows remote attackers to bypass security controls and execute privileged functions without valid credentials. The vulnerability requires user interaction to trigger but poses a significant risk as no patch is currently available. Organizations using affected Smart Switch deployments should implement network-level controls to restrict access until an update is released.

Authentication Bypass Smart Switch
NVD VulDB
CVSS 4.0
7.1
EPSS
0.3%
CVE-2026-20998 HIGH This Week

Samsung Smart Switch versions prior to 3.7.69.15 contain an authentication bypass vulnerability that allows unauthenticated remote attackers to circumvent security controls. This vulnerability could enable attackers to gain unauthorized access to the application without valid credentials. No patch is currently available for this high-severity issue.

Authentication Bypass Smart Switch
NVD VulDB
CVSS 4.0
7.1
EPSS
0.3%
CVE-2026-20996 HIGH This Week

A cryptographic downgrade vulnerability in Samsung Smart Switch allows remote attackers to force the application to use weak authentication schemes during device-to-device transfers. The vulnerability affects Smart Switch versions prior to 3.7.69.15 and requires user interaction to exploit, potentially exposing sensitive data during the transfer process between Samsung devices. With a CVSS 4.0 score of 7.1 and no current evidence of active exploitation or public proof-of-concept code, this represents a moderate risk primarily to Samsung device users performing data migrations.

Information Disclosure Smart Switch
NVD VulDB
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-32769 HIGH PATCH GHSA This Week

CVE-2026-32769 is a security vulnerability. Remediation should follow standard vulnerability management procedures. Vendor patch is available.

Kubernetes Authentication Bypass Suse
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-25369 HIGH This Week

A reflected Cross-Site Scripting (XSS) vulnerability exists in the Flexmls® IDX WordPress plugin through version 3.15.9, allowing attackers to inject malicious scripts into web pages that execute in victims' browsers when they click specially crafted links. The vulnerability has a CVSS score of 7.1 and requires user interaction but can impact confidentiality, integrity, and availability across different origins due to its scope change characteristic. While not currently listed in CISA KEV or showing high EPSS scores, the vulnerability represents a moderate risk for WordPress sites using this real estate listing plugin.

XSS Flexmls Idx
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-3022 HIGH PATCH This Week

A non-relational SQL injection (NoSQLi) vulnerability exists in the Wakyma veterinary web application, specifically in the hospitalization summary generation endpoint at vets.wakyma.com. Authenticated users with low privileges can inject NoSQL commands into POST requests to exfiltrate customer reports containing sensitive veterinary and pet owner data. The vulnerability has a high CVSS score of 7.1 but requires authentication, limiting the attack surface to users with valid credentials.

SQLi Wakyma Application Web
NVD VulDB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-21005 HIGH This Week

A path traversal vulnerability in Smart Switch (CVSS 7.1) that allows adjacent attackers. High severity vulnerability requiring prompt remediation.

Path Traversal Smart Switch
NVD VulDB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-32608 HIGH PATCH This Week

Glances monitoring system allows local attackers with limited privileges to execute arbitrary commands by injecting shell metacharacters into process or container names, which bypass command sanitization in the action execution handler. The vulnerability affects the threshold alert system that dynamically executes administrator-configured shell commands populated with runtime monitoring data. An attacker controlling a process name or container name can manipulate command parsing to break out of intended command boundaries and inject malicious commands.

Privilege Escalation Nginx Python Command Injection Docker +1
NVD GitHub VulDB
CVSS 3.1
7.0
EPSS
0.0%
CVE-2026-21000 HIGH This Week

Galaxy Store versions prior to 4.6.03.8 contain an access control flaw that enables local attackers to create files with elevated Galaxy Store privileges. This vulnerability affects local users on affected devices and could allow privilege escalation or persistence mechanisms. No patch is currently available.

Path Traversal Galaxy Store
NVD
CVSS 4.0
7.0
EPSS
0.0%
CVE-2026-32611 HIGH PATCH This Week

SQL injection in Python's Glances DuckDB export module allows unauthenticated remote attackers to execute arbitrary SQL commands by injecting malicious data through unparameterized table and column name interpolation in DDL statements. While INSERT values use parameterized queries, identifier names are directly embedded via f-strings, enabling attackers over the network to manipulate database structure and access sensitive monitoring data. A patch is available.

Python SQLi Suse
NVD GitHub VulDB
CVSS 3.1
7.0
EPSS
0.0%
CVE-2026-32728 HIGH PATCH This Week

File upload validation bypass in applications using MIME parameter injection allows authenticated attackers to upload malicious files by appending parameters like `;charset=utf-8` to the Content-Type header, bypassing extension filters and default blocklists. This enables stored XSS attacks that can compromise session tokens, credentials, and sensitive browser data accessible to the application's domain. A patch is available that strips MIME parameters during validation and expands the default blocklist.

Information Disclosure XSS
NVD GitHub VulDB
EPSS
0.1%
Prev Page 2 of 2

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy