204 CVEs tracked today. 19 Critical, 82 High, 61 Medium, 9 Low.
-
CVE-2026-33211
CRITICAL
CVSS 9.6
The Tekton Pipelines git resolver contains a path traversal vulnerability allowing authenticated tenants to read arbitrary files from the resolver pod's filesystem via the pathInRepo parameter. Affected products include github.com/tektoncd/pipeline versions 1.0.0 through 1.10.0 across multiple release branches. The vulnerability enables credential exfiltration and privilege escalation from namespace-scoped access to cluster-wide secret reading capabilities. A proof-of-concept was provided by the vulnerability reporter Oleh Konko.
Path Traversal
Privilege Escalation
Kubernetes
-
CVE-2026-33186
CRITICAL
CVSS 9.1
An authorization bypass vulnerability in gRPC-Go allows attackers to circumvent path-based access control by sending HTTP/2 requests with malformed :path pseudo-headers that omit the mandatory leading slash (e.g., 'Service/Method' instead of '/Service/Method'). This affects gRPC-Go servers using path-based authorization interceptors like google.golang.org/grpc/authz with deny rules for canonical paths but fallback allow rules. The vulnerability has a CVSS score of 9.1 (Critical) with network-based exploitation requiring no privileges or user interaction, enabling attackers to access restricted services and potentially exfiltrate or modify sensitive data.
Canonical
Nginx
Google
Authentication Bypass
-
CVE-2026-33067
CRITICAL
CVSS 9.0
SiYuan's Bazaar marketplace fails to sanitize package metadata (displayName, description) before rendering in the Electron desktop application, allowing stored XSS that escalates to arbitrary remote code execution. Any SiYuan user (versions ≤3.5.9) who browses the Bazaar will automatically execute attacker-controlled code with full OS-level privileges when a malicious package card renders; no installation or user interaction is required. A functional proof-of-concept exists demonstrating command execution via img onerror handlers, and this vulnerability is actively tracked in GitHub's advisory database (GHSA-mvpm-v6q4-m2pf), making it a critical supply-chain risk to the SiYuan user community.
Command Injection
Apple
Microsoft
XSS
RCE
-
CVE-2026-33066
CRITICAL
CVSS 9.0
SiYuan's Bazaar (community package marketplace) fails to sanitize HTML in package README files during rendering, allowing stored XSS that escalates to remote code execution due to unsafe Electron configuration. An attacker can submit a malicious package with embedded JavaScript in the README that executes with full Node.js access when any user views the package details in the Bazaar. This affects SiYuan versions 3.5.9 and earlier across Windows, macOS, and Linux, with a CVSS score of 9.6 and multiple real-world exploitation vectors including data theft, reverse shells, and persistent backdoors.
Apple
Microsoft
XSS
RCE
Information Disclosure
-
CVE-2026-33057
CRITICAL
CVSS 9.8
An unauthenticated remote code execution vulnerability exists in the mesop Python package's debugging Flask server endpoint (/exec-py) that accepts and executes arbitrary base64-encoded Python code without any authentication or validation. The vulnerability affects the mesop pip package, with a publicly disclosed proof-of-concept demonstrating trivial exploitation requiring only a single HTTP POST request. With a CVSS score of 9.8 (Critical) and detailed PoC availability, this represents an immediately exploitable vulnerability for any exposed instance.
Command Injection
Python
RCE
Code Injection
-
CVE-2026-33054
CRITICAL
CVSS 10.0
A path traversal vulnerability (CVSS 10.0). Critical severity with potential for significant impact on affected systems.
Microsoft
Path Traversal
Denial Of Service
Python
Windows
-
CVE-2026-32731
CRITICAL
CVSS 9.9
Path traversal in ApostropheCMS import-export module allows authenticated users with content modification permissions to write files outside the intended export directory via malicious archive entries containing directory traversal sequences. An attacker with editor-level access can exploit this vulnerability to overwrite arbitrary files on the system; the vulnerability is rated CVSS 9.9 (Critical). No patch is currently available for this vulnerability affecting Node.js environments.
Path Traversal
Node.js
CSRF
Denial Of Service
Google
-
CVE-2026-32703
CRITICAL
CVSS 9.0
OpenProject's Repositories module contains a stored cross-site scripting (XSS) vulnerability that occurs when displaying filenames from repository changesets. Attackers with repository push access can inject malicious HTML code via specially crafted filenames, which executes when project members view affected changesets. This affects OpenProject versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1, with a CVSS score of 9.1 indicating critical severity.
XSS
Openproject
-
CVE-2026-32698
CRITICAL
CVSS 9.1
OpenProject, a web-based project management platform, contains a critical SQL injection vulnerability in versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1. When custom fields are used in Cost Reports, insufficient input sanitization allows attackers with administrator privileges to execute arbitrary SQL commands. This vulnerability can be chained with a path traversal issue in the Repositories module to achieve remote code execution by injecting malicious Ruby code into the application. No current KEV listing or public POC is documented in available sources.
SQLi
Openproject
-
CVE-2026-30884
CRITICAL
CVSS 9.6
Cross-course privilege escalation in Moodle Mod Customcert allows authenticated teachers with certificate management rights in any course to read and modify certificate data across the entire Moodle installation due to missing context validation in the editelement callback and save_element web service. An attacker with mod/customcert:manage permissions in a single course can exploit this to disclose sensitive certificate information from other courses or tamper with their certificate elements. Versions 4.4.9 and 5.0.3 patch the vulnerability, but no patch is currently available for affected versions.
Information Disclosure
Authentication Bypass
Moodle Mod Customcert
Moodle
-
CVE-2026-30703
CRITICAL
CVSS 9.8
Unauthenticated remote code execution in WiFi Extender WDR201A (HW V2.1, FW LFMZX28040922V1.02) via command injection in the adm.cgi sysCMD parameter allows attackers to achieve complete system compromise without authentication or user interaction. The vulnerability stems from insufficient input validation on the web management interface and currently lacks a vendor patch.
Command Injection
-
CVE-2026-30702
CRITICAL
CVSS 9.8
The web management interface of the WiFi Extender WDR201A (hardware version 2.1, firmware LFMZX28040922V1.02) has a broken authentication mechanism that allows attackers to bypass login controls through forced browsing of restricted endpoints without valid session validation. An attacker can directly access administrative functions and sensitive configuration pages by circumventing the authentication layer entirely. A proof-of-concept and detailed technical analysis have been published by security researchers, indicating this is a practical, demonstrable vulnerability affecting consumer-grade networking equipment with no official CVSS scoring yet assigned.
Authentication Bypass
-
CVE-2026-30701
CRITICAL
CVSS 9.1
The WiFi Extender WDR201A (hardware version 2.1, firmware LFMZX28040922V1.02) contains hardcoded credential disclosure vulnerabilities in its web administration interface through server-side include (SSI) directives embedded in critical pages such as login.shtml and settings.shtml. These directives dynamically retrieve and expose the web administration password from non-volatile memory during runtime, allowing unauthenticated attackers to obtain administrative credentials and gain full control of the device. A proof-of-concept and detailed technical analysis have been publicly disclosed by security researchers, indicating active awareness and potential exploitation in the wild.
Authentication Bypass
-
CVE-2026-29859
CRITICAL
CVSS 9.8
aaPanel v7.57.0 contains an arbitrary file upload vulnerability that allows unauthenticated or low-privileged attackers to upload malicious files and achieve remote code execution on affected systems. The vulnerability exists in the file upload functionality of the web-based server management panel, enabling attackers to bypass file type validation and execute arbitrary code with the privileges of the aaPanel process. While no CVSS score or EPSS probability is available in current sources, the Remote Code Execution impact combined with file upload attack vectors suggests critical severity; exploitation feasibility is indicated by the existence of public vulnerability research repositories.
XSS
RCE
File Upload
-
CVE-2026-25873
CRITICAL
CVSS 9.8
OmniGen2-RL reward server component contains an unauthenticated remote code execution vulnerability allowing attackers to execute arbitrary commands through malicious HTTP POST requests exploiting insecure pickle deserialization. The vulnerability affects Beijing Academy of Artificial Intelligence (BAAI)'s OmniGen2-RL software with a critical CVSS score of 9.8. A public proof-of-concept exploit is available and a patch has been released by the vendor, making this an immediate priority for organizations running exposed instances.
RCE
Deserialization
Omnigen2 Rl
-
CVE-2026-25449
CRITICAL
CVSS 9.8
A critical PHP object injection vulnerability exists in the Shinetheme Traveler WordPress theme due to insecure deserialization of untrusted data. This affects all versions prior to 3.2.8.1 and allows unauthenticated remote attackers to execute arbitrary code, compromise data confidentiality and integrity, and cause denial of service. The vulnerability has been publicly disclosed through Patchstack's database, though no active exploitation (KEV listing) or EPSS score data is currently available.
Deserialization
Traveler
-
CVE-2025-67830
CRITICAL
CVSS 9.8
A SQL injection vulnerability exists in the beanFeed.cfc component of Mura CMS before version 10.1.14, specifically in the getQuery function's sortby parameter. An attacker can inject arbitrary SQL commands through the sortby parameter to extract, modify, or delete database contents. The vulnerability affects Mura CMS installations running versions prior to 10.1.14.
SQLi
-
CVE-2025-67829
CRITICAL
CVSS 9.8
A SQL injection vulnerability exists in the beanFeed.cfc component of Mura CMS, specifically in the getQuery function's sortDirection parameter, affecting versions prior to 10.1.14. An attacker can inject arbitrary SQL commands through the sortDirection parameter to read, modify, or delete database contents without requiring authentication. The vulnerability is classified as SQL injection (SQLi) and patches are available in version 10.1.14 and later.
SQLi
-
CVE-2025-15031
CRITICAL
CVSS 9.1
MLflow, a popular open-source machine learning lifecycle platform, contains a path traversal vulnerability in its pyfunc extraction process that allows arbitrary file writes. The vulnerability stems from unsafe use of tarfile.extractall without proper path validation, enabling attackers to craft malicious tar.gz files with directory traversal sequences or absolute paths to write files outside the intended extraction directory. This poses critical risk in multi-tenant environments and can lead to remote code execution, with a CVSS score of 8.1 and confirmed exploit details available via Huntr.
RCE
Path Traversal
Redhat
Mlflow
AI / ML
-
CVE-2026-33226
HIGH
CVSS 8.7
Budibase, a low-code platform distributed as a Docker/Kubernetes application, contains a Server-Side Request Forgery (SSRF) vulnerability in its REST datasource query preview endpoint. Authenticated admin users can force the server to make HTTP requests to arbitrary URLs including cloud metadata services, internal networks, and Kubernetes APIs. A detailed proof-of-concept exists demonstrating theft of GCP OAuth2 tokens with cloud-platform scope, CouchDB credential extraction, and internal service enumeration. The CVSS score of 8.7 reflects high confidentiality and integrity impact with changed scope, requiring high privileges but low attack complexity.
Microsoft
Redis
Google
SSRF
Docker
-
CVE-2026-33204
HIGH
CVSS 7.5
The SimpleJWT PHP library version 1.1.0 contains an algorithmic complexity denial-of-service vulnerability in its PBES2 password-based encryption implementation. An unauthenticated attacker can send a crafted JWE token with an extremely large p2c (PBKDF2 iteration count) parameter in the header, forcing the server to perform hundreds of billions of iterations during key derivation and causing CPU exhaustion. A working proof-of-concept exploit is publicly available demonstrating how a single malicious request can block PHP workers until execution timeouts are reached.
PHP
Denial Of Service
-
CVE-2026-33203
HIGH
CVSS 7.5
The SiYuan kernel, a Go-based note-taking application, contains an authentication bypass vulnerability in its WebSocket server that allows unauthenticated attackers to crash the kernel process through malformed JSON messages. SiYuan kernel versions exposed via Docker or network-accessible deployments are affected, with the issue stemming from unsafe type assertions on attacker-controlled input after bypassing authentication via a specific query parameter pattern. A proof-of-concept demonstrating the attack exists in the GitHub advisory, and while CVSS rates this as 7.5 High severity for availability impact, real-world exploitation risk depends heavily on network exposure beyond localhost.
Authentication Bypass
Docker
Denial Of Service
-
CVE-2026-33191
HIGH
CVSS 8.6
Null byte injection in the UDM's Nudm_SubscriberDataManagement API allows unauthenticated remote attackers to crash the service by embedding URL-encoded %00 characters in the supi parameter, triggering unhandled parsing errors and denial of service. The vulnerability stems from improper input validation that permits control characters to reach Go's URL parser, which rejects them with a 500 error instead of sanitizing the input upstream. A patch is available.
Denial Of Service
-
CVE-2026-33180
HIGH
CVSS 7.5
A header leakage vulnerability exists in the internal HTTP client of HAPI FHIR Core library that causes sensitive headers (such as authentication tokens) to be forwarded to third-party hosts when following HTTP redirects. Multiple HAPI FHIR packages including org.hl7.fhir.utilities, org.hl7.fhir.convertors, and various FHIR version implementations (DSTU2, DSTU3, R4, R4B, R5) are affected in versions prior to 6.8.3. With a CVSS score of 9.8 (Critical), this vulnerability allows network-based attackers to capture sensitive credentials without authentication or user interaction, though no EPSS score, KEV listing, or public POC is currently documented.
Information Disclosure
-
CVE-2026-33172
HIGH
CVSS 8.7
A stored cross-site scripting (XSS) vulnerability in Statamic CMS allows authenticated users with asset upload permissions to bypass SVG sanitization during asset reuploads, enabling injection of malicious JavaScript that executes when other users view the compromised asset. The vulnerability affects Statamic CMS versions prior to 5.73.14 and 6.7.0, with patches available in those releases. The CVSS score of 8.7 (High) reflects the changed scope and high confidentiality/integrity impact, though exploitation requires low-privileged authenticated access and user interaction.
XSS
-
CVE-2026-33166
HIGH
CVSS 8.6
Path traversal in Allure report generator for Jenkins allows unauthenticated attackers to read arbitrary files from the host system by crafting malicious test result files with specially crafted attachment paths. The vulnerability stems from insufficient path validation when processing attachments during report generation, enabling sensitive files to be included in generated reports. A patch is not currently available.
Jenkins
Path Traversal
Information Disclosure
Java
-
CVE-2026-33163
HIGH
CVSS 8.2
Parse Server's LiveQuery component leaks protected fields and OAuth authentication data to unauthorized subscribers when an afterLiveQueryEvent trigger is registered for a class. The vulnerability affects Parse Server installations using LiveQuery with afterEvent triggers, allowing any user with basic subscription permissions to access sensitive personal information and third-party OAuth tokens belonging to other users. Patches are available from the vendor with workarounds documented.
Information Disclosure
-
CVE-2026-33155
HIGH
Memory exhaustion in Python's pickle deserialization allows attackers to crash applications by supplying a small malicious payload that forces allocation of gigabytes of memory through unrestricted constructor arguments in whitelisted classes. Applications using `_RestrictedUnpickler` to load untrusted pickle data are vulnerable to denial of service attacks. A patch is available.
Python
Denial Of Service
Deserialization
-
CVE-2026-33154
HIGH
CVSS 7.5
Dynaconf, a Python configuration management library, contains a Server-Side Template Injection (SSTI) vulnerability in its @jinja resolver that allows arbitrary command execution when attackers can control configuration sources such as environment variables, .env files, or CI/CD secrets. The vulnerability affects pip package dynaconf and includes a public proof-of-concept demonstrating command execution via Jinja2 template evaluation without sandboxing. The @format resolver additionally enables object graph traversal to expose sensitive runtime data including API keys and credentials.
RCE
Code Injection
Python
-
CVE-2026-33151
HIGH
A specially crafted Socket.IO packet can cause the server to allocate unbounded memory by waiting for and buffering a large number of binary attachments, leading to denial of service through memory exhaustion. The vulnerability affects socket.io-parser versions across multiple major releases (v2.x, v3.x, and v4.x) used by Socket.IO server and client implementations. No EPSS score or KEV listing is available, but patches have been released by the vendor.
Node.js
Denial Of Service
Memory Corruption
-
CVE-2026-33143
HIGH
CVSS 7.5
The OneUptime monitoring platform (specifically version 10.0.23 and likely earlier versions) contains an authentication bypass vulnerability in its WhatsApp webhook handler that fails to verify the X-Hub-Signature-256 HMAC signature required by Meta/WhatsApp. Any unauthenticated remote attacker can send forged webhook payloads to manipulate notification delivery status records, suppress critical alerts, and corrupt audit trails. A working proof-of-concept exploit has been published demonstrating successful injection of arbitrary webhook events via simple HTTP POST requests with no authentication required.
Docker
Authentication Bypass
-
CVE-2026-33142
HIGH
CVSS 8.1
SQL injection in PostgreSQL StatementGenerator allows authenticated attackers to execute arbitrary SQL commands through unsanitized object keys in sort, select, and groupBy parameters on analytics endpoints. The vulnerability exists because column name validation was incompletely applied during a previous fix, leaving three query construction methods vulnerable to direct identifier injection. An attacker with valid credentials can exploit this to access or manipulate database contents without requiring user interaction.
PostgreSQL
SQLi
-
CVE-2026-33139
HIGH
CVSS 7.8
PySpector versions 0.1.6 and earlier contain a security validation bypass in the plugin system that allows arbitrary code execution. The validate_plugin_code() function fails to detect dangerous API calls when invoked indirectly via getattr(), allowing malicious plugins to execute system commands. A public proof-of-concept exploit exists demonstrating the bypass, and while exploitation requires user interaction (installing and trusting a malicious plugin), successful exploitation grants full system access including filesystem manipulation, credential theft, and persistence mechanisms.
Information Disclosure
RCE
-
CVE-2026-33131
HIGH
CVSS 7.4
A Host header manipulation vulnerability in the h3 Node.js web framework allows attackers to bypass authentication middleware by polluting the event.url object. The vulnerability affects h3 npm package and allows unauthorized access to protected routes by crafting malicious Host headers that trigger internal URL reconstruction logic. A working proof-of-concept exploit is publicly available demonstrating the authentication bypass.
Authentication Bypass
-
CVE-2026-33128
HIGH
CVSS 7.5
The h3 JavaScript framework for Node.js contains a Server-Sent Events (SSE) injection vulnerability in its createEventStream function due to missing newline sanitization. Applications using h3's SSE functionality (pkg:npm/h3) are vulnerable to attackers who can control any part of SSE message fields (id, event, data, or comments), allowing injection of arbitrary events to all connected clients. A proof-of-concept exploit exists demonstrating event injection, cross-user content manipulation, and denial-of-service attacks.
Code Injection
-
CVE-2026-33125
HIGH
CVSS 7.1
Frigate video surveillance software contains an authentication bypass vulnerability allowing users with viewer role privileges to delete administrator and other user accounts via an unrestricted API endpoint. The vulnerability affects the Frigate Python package (pkg:pip/frigate) and has been confirmed with a proof-of-concept demonstration successfully deleting the admin user on the demo.frigate.video instance. This leads to denial of service and compromises data integrity by allowing unauthorized account deletions.
Authentication Bypass
Denial Of Service
-
CVE-2026-33080
HIGH
CVSS 7.3
A stored cross-site scripting (XSS) vulnerability exists in Filament Table's Range and Values summarizers, which render database values without HTML escaping. Affected products include filament_tables (Composer package), where an attacker with low privileges can inject malicious HTML or JavaScript into database columns used by these summarizers, executing arbitrary scripts when other users view the table. No KEV listing or EPSS data is available, but proof-of-concept details are documented in GitHub advisory GHSA-vv3x-j2x5-36jc.
XSS
-
CVE-2026-33064
HIGH
CVSS 7.5
A NULL pointer dereference vulnerability in free5GC v4.0.1's UDM (Unified Data Management) service allows remote attackers to crash the service via a crafted POST request to the /sdm-subscriptions endpoint containing path traversal sequences and a large JSON payload. The DataChangeNotificationProcedure function in notifier.go fails to validate pointers before dereferencing, causing complete service disruption requiring manual restart. All deployments of free5GC v4.0.1 utilizing UDM HTTP callback functionality are affected, and a patch is available via PR free5gc/udm#78.
Denial Of Service
Null Pointer Dereference
Path Traversal
-
CVE-2026-33063
HIGH
CVSS 8.7
The free5GC AUSF authentication service is vulnerable to denial of service through an improper null check in the GetSupiFromSuciSupiMap function, which crashes when processing crafted UE authentication requests that trigger unsafe interface conversion. Remote attackers can exploit this vulnerability to completely disable the AUSF service by sending a specially crafted authentication request containing a nil SuciSupiMap value. A patch is available for affected free5GC v4.0.1 deployments.
Denial Of Service
Null Pointer Dereference
-
CVE-2026-33062
HIGH
CVSS 8.7
NRF discovery service denial of service in free5GC v4.0.1 allows remote attackers to crash the service by sending HTTP GET requests with malformed group-id-list parameters that trigger unvalidated array access. The EncodeGroupId function fails to check split data length before accessing specific indices, causing an index out of range panic. A patch is available to address this input validation flaw affecting all deployments using the vulnerable NRF service.
Denial Of Service
Authentication Bypass
-
CVE-2026-33053
HIGH
CVSS 8.8
An Insecure Direct Object Reference (IDOR) vulnerability exists in the Langflow API key deletion endpoint that allows any authenticated user to delete API keys belonging to other users. The delete_api_key_route() function in langflow versions prior to 1.7.2 fails to verify ownership of API keys before deletion, enabling attackers to enumerate and delete arbitrary API keys by manipulating the api_key_id UUID parameter. A patch is available from the vendor as of version 1.7.2, addressing this authentication bypass that could lead to account takeover and denial of service.
Authentication Bypass
Denial Of Service
-
CVE-2026-33040
HIGH
CVSS 7.5
The Rust libp2p Gossipsub implementation contains an integer overflow vulnerability that allows remote unauthenticated attackers to crash affected nodes by sending a single crafted PRUNE control message with an extremely large backoff value (e.g., u64::MAX). The vulnerability affects the libp2p-gossipsub Rust crate and enables trivial denial of service against any application exposing a Gossipsub listener. This vulnerability was discovered through responsible disclosure to the Ethereum Foundation bug bounty program by @revofusion, and while no active exploitation (KEV) status is indicated, the attack complexity is extremely low and a detailed proof-of-concept attack scenario has been publicly disclosed in the advisory.
Denial Of Service
Integer Overflow
-
CVE-2026-33002
HIGH
CVSS 7.5
Jenkins versions 2.442 through 2.554 and LTS 2.426.3 through 2.541.2 contain an origin validation bypass vulnerability in the CLI WebSocket endpoint that allows attackers to conduct DNS rebinding attacks. The vulnerability stems from improper use of Host and X-Forwarded-Host headers to compute expected request origins, enabling attackers to bypass authentication controls and potentially execute arbitrary commands through the CLI WebSocket interface. While no CVSS score, EPSS data, or active exploitation in the wild (KEV) status has been publicly disclosed, the vulnerability affects a critical Jenkins component and was responsibly disclosed by the Jenkins security team.
Jenkins
Authentication Bypass
-
CVE-2026-33001
HIGH
CVSS 8.8
Jenkins versions 2.554 and earlier (LTS 2.541.2 and earlier) contain a path traversal vulnerability in their handling of tar and tar.gz archive extraction that fails to safely process symbolic links, allowing attackers to write files to arbitrary filesystem locations. Attackers with Item/Configure permission or control over Jenkins agent processes can exploit this to deploy malicious scripts and plugins on the Jenkins controller, achieving code execution with the privileges of the Jenkins process. The vulnerability is particularly concerning because it affects the core Jenkins application and enables privilege escalation through plugin installation mechanisms.
Information Disclosure
Jenkins
-
CVE-2026-32937
HIGH
CVSS 7.1
Out-of-bounds slice access in the Free5GC CHF nchf-convergedcharging service allows authenticated attackers to trigger server-side panics via malformed PUT requests to the recharge endpoint, causing denial of service and log flooding. An attacker with valid authentication credentials can repeatedly exploit this vulnerability to degrade recharge functionality and disrupt service availability. A patch is available to remediate this high-severity vulnerability.
Buffer Overflow
-
CVE-2026-32875
HIGH
CVSS 7.5
The ujson Python library prior to version 5.12.0 contains an integer overflow/underflow vulnerability in the dumps() function that can crash the Python interpreter (segmentation fault) or cause an infinite loop, leading to denial of service. The vulnerability affects applications that allow untrusted users to control the indent parameter when serializing JSON, or that use large negative indent values with nested data structures. A proof-of-concept demonstrating both the segfault and infinite loop conditions is provided in the vulnerability disclosure, though there is no evidence of active exploitation (not in KEV).
Integer Overflow
Python
Denial Of Service
-
CVE-2026-32874
HIGH
CVSS 7.5
ujson versions 5.4.0 through 5.11.0 contain a memory leak in JSON parsing of large integers outside the range [-2^63, 2^64 - 1], allowing remote denial of service attacks against services processing untrusted JSON input. An attacker can craft malicious JSON payloads with oversized integers to exhaust memory and crash vulnerable applications. A patch is available.
Python
Denial Of Service
-
CVE-2026-32811
HIGH
CVSS 8.2
Heimdall, an authorization decision API for Envoy proxy, contains a path traversal bypass vulnerability when used in gRPC decision API mode. Attackers can bypass non-wildcard path expression rules by appending query parameters to URLs, which causes incorrect URL encoding that prevents rule matching. A proof-of-concept is publicly available demonstrating the bypass, though exploitation requires heimdall to be configured with an insecure 'allow all' default rule (which is blocked by secure defaults since v0.16.0 unless explicitly disabled).
Docker
Authentication Bypass
-
CVE-2026-32763
HIGH
CVSS 8.2
Kysely through version 0.28.11 contains a SQL injection vulnerability in JSON path compilation affecting MySQL and SQLite dialects. The visitJSONPathLeg() function appends user-controlled values from .key() and .at() methods directly into single-quoted JSON path string literals without escaping single quotes, enabling attackers to break out of the string context and inject arbitrary SQL. A working proof-of-concept demonstrates UNION-based data exfiltration from SQLite databases. The vulnerability has CVSS score 8.2 and patches are available from the vendor.
SQLi
PostgreSQL
-
CVE-2026-32730
HIGH
CVSS 8.1
A MongoDB query logic error in ApostropheCMS versions 3.0.0 through 4.27.1 allows complete bypass of multi-factor authentication (MFA/TOTP) protections. An attacker with knowledge of a victim's password can use an incomplete bearer token (returned after password verification but before MFA completion) to gain fully authenticated API access without providing TOTP codes. A proof-of-concept demonstration is included in the vulnerability report, and while no public KEV listing exists, the technical details and working POC make this immediately exploitable.
Authentication Bypass
-
CVE-2026-32693
HIGH
CVSS 8.8
An authorization bypass vulnerability in Canonical's Juju versions 3.0.0 through 3.6.18 allows authenticated users with grantee privileges to incorrectly update secret content beyond their intended permissions, potentially accessing or modifying other secrets. The vulnerability (CWE-863: Incorrect Authorization) has a CVSS score of 8.8, indicating high severity with network-based exploitation requiring low attack complexity and low privileges. The flaw is particularly dangerous because even when exploitation attempts are logged as errors, the unauthorized secret updates still persist and become visible to both owners and grantees.
Authentication Bypass
Debian
Juju
-
CVE-2026-32692
HIGH
CVSS 7.6
An authorization bypass vulnerability exists in the Vault secrets back-end implementation of Canonical's Juju orchestration tool, allowing authenticated unit agents to perform unauthorized updates to secret revisions beyond their intended scope. Juju versions 3.1.6 through 3.6.18 are affected, and attackers with sufficient information can poison any existing secret revision within the Vault secret back-end scope. With a CVSS score of 7.6 (High severity) featuring network attack vector, low complexity, and high integrity impact, this represents a significant security concern for Juju deployments using Vault as their secrets back-end, though no active exploitation (KEV) status or EPSS score was provided in available data.
Hashicorp
Authentication Bypass
Debian
Juju
-
CVE-2026-32321
HIGH
CVSS 8.8
An authenticated time-based blind SQL injection vulnerability exists in the ClipBucket v5 open source video sharing platform, affecting versions prior to 5.5.3 #80. The vulnerability resides in the actions/ajax.php endpoint where the userid parameter lacks proper input sanitization, allowing authenticated attackers to execute arbitrary SQL queries. This can lead to full database disclosure and potential administrative account takeover with a CVSS score of 8.8.
SQLi
PHP
Clipbucket V5
-
CVE-2026-32255
HIGH
CVSS 8.6
Kan, an open-source project management tool, contains a Server-Side Request Forgery (SSRF) vulnerability in its unauthenticated /api/download/attatchment endpoint in versions 0.5.4 and below. Attackers can exploit this to make arbitrary HTTP requests from the server to internal services, cloud metadata endpoints (such as AWS EC2 metadata at 169.254.169.254), or private network resources without any authentication. With a CVSS score of 8.6 (High) reflecting network-based attack vector, low complexity, and no privileges required, this poses significant risk for confidentiality breaches in affected deployments.
Nginx
SSRF
Kan
-
CVE-2026-31971
HIGH
CVSS 7.1
HTSlib, a widely-used bioinformatics library for reading and writing sequence alignment formats, contains a critical buffer overflow vulnerability in its CRAM format decoder. The vulnerability exists in the `cram_byte_array_len_decode()` function which fails to validate that unpacked data matches the output buffer size, affecting HTSlib versions prior to 1.23.1, 1.22.2, and 1.21.1. An attacker can craft a malicious CRAM file that, when opened by a user, triggers either a heap or stack overflow with attacker-controlled bytes, potentially leading to arbitrary code execution, program crash, or memory corruption.
Buffer Overflow
Stack Overflow
Heap Overflow
Denial Of Service
RCE
-
CVE-2026-31970
HIGH
CVSS 7.1
HTSlib versions prior to 1.23.1, 1.22.2, and 1.21.1 contain a heap buffer overflow vulnerability in the GZI index loading function `bgzf_index_load_hfile()`. An integer overflow during buffer allocation allows attackers to craft malicious `.gzi` files that trigger heap memory corruption, potentially leading to denial of service, data corruption, or remote code execution when a user opens the compromised file. No evidence of active exploitation in the wild has been reported, but the vulnerability is demonstrable and patch availability is confirmed.
Buffer Overflow
Heap Overflow
Integer Overflow
Denial Of Service
RCE
-
CVE-2026-31969
HIGH
CVSS 7.1
HTSlib versions prior to 1.21.1, 1.22.2, and 1.23.1 contain an out-by-one error in the CRAM decoder's `cram_byte_array_stop_decode_char()` function that allows a single attacker-controlled byte to be written beyond the end of a heap allocation. This heap buffer overflow (CWE-122) affects bioinformatics applications using HTSlib to process CRAM-formatted DNA sequence alignment files, and could enable arbitrary code execution if exploited. No public exploit code or KEV status is currently documented, but patch availability exists for multiple stable release branches.
Buffer Overflow
Heap Overflow
Denial Of Service
RCE
Debian
-
CVE-2026-31968
HIGH
CVSS 8.8
HTSlib contains a buffer overflow vulnerability in its CRAM format decoder affecting the VARINT and CONST encoding handlers, where incomplete context validation allows writes of up to eight bytes beyond heap allocation boundaries or into stack-allocated single-byte variables. This vulnerability affects HTSlib versions prior to 1.23.1, 1.22.2, and 1.21.1, and impacts any application using the library to process CRAM-formatted bioinformatics data files. An attacker can craft a malicious CRAM file to trigger heap or stack overflow conditions, potentially leading to denial of service, memory corruption, or arbitrary code execution when processed by a vulnerable application.
Buffer Overflow
Stack Overflow
Heap Overflow
Denial Of Service
RCE
-
CVE-2026-31963
HIGH
CVSS 8.8
HTSlib contains a heap buffer overflow vulnerability in its CRAM decoder caused by an out-by-one error when validating feature boundaries. When a user opens a maliciously crafted CRAM file, an attacker can write one controlled byte beyond the end of a heap buffer, potentially causing application crashes, data corruption, or arbitrary code execution. Versions 1.23.1, 1.22.2, and 1.21.1 include fixes, and patches are available via the official GitHub repository.
Buffer Overflow
Heap Overflow
Denial Of Service
RCE
Debian
-
CVE-2026-31962
HIGH
CVSS 8.8
HTSlib versions prior to 1.23.1, 1.22.2, and 1.21.1 contain a heap buffer overflow vulnerability in the cram_decode_seq() function when processing CRAM-formatted bioinformatics files with omitted sequence and quality data. An attacker can craft a malicious CRAM file that triggers an out-of-bounds read followed by an attacker-controlled single-byte write to heap memory, potentially enabling arbitrary code execution, data corruption, or denial of service when a user opens the file. No public exploit proof-of-concept has been identified, but the vulnerability is confirmed and patched by the HTSlib project.
Buffer Overflow
Heap Overflow
Denial Of Service
RCE
Information Disclosure
-
CVE-2026-29056
HIGH
CVSS 8.8
Kanboard project management software contains a privilege escalation vulnerability in its user invite registration endpoint that allows invited users to inject the 'role=app-admin' parameter during account creation, granting themselves administrator privileges. This affects all Kanboard versions prior to 1.2.51. The vulnerability has documented proof-of-concept exploitation capability (CVSS E:P indicates PoC exists) and carries a CVSS 4.0 score of 7.0 with high integrity impact to both the vulnerable system and subsequent components.
Code Injection
Ubuntu
Debian
Kanboard
-
CVE-2026-28674
HIGH
CVSS 7.2
xiaoheiFS, a self-hosted financial and operational system for cloud service businesses, contains a critical authenticated remote code execution vulnerability in versions up to 0.3.15. An attacker who knows the hardcoded password 'qweasd123456' can upload arbitrary executable files through the AdminPaymentPluginUpload endpoint, which are then automatically executed by a background watcher service every 5 seconds. While EPSS data is not provided, the combination of hardcoded credentials (CWE-434, Authentication Bypass tag) and automatic execution significantly elevates real-world risk despite requiring high privileges (PR:H) in the CVSS vector.
File Upload
-
CVE-2026-28673
HIGH
CVSS 7.2
xiaoheiFS versions up to and including 0.3.15 contain a critical remote code execution vulnerability in the plugin upload mechanism. Administrators can upload plugin ZIP files containing arbitrary binaries which the server executes without validation based on the manifest.json 'binaries' field. This allows authenticated administrators with high privileges to achieve full system compromise by uploading malicious plugin packages.
RCE
Command Injection
-
CVE-2026-27894
HIGH
CVSS 8.8
LDAP Account Manager (LAM), a web-based interface for managing LDAP directory entries, contains a local file inclusion vulnerability in its PDF export functionality that allows authenticated users to include and execute arbitrary PHP files. When chained with GHSA-88hf-2cjm-m9g8, this vulnerability enables complete remote code execution on the affected server. The vulnerability affects all versions prior to 9.5 and requires low-privilege authentication (CVSS 8.8, PR:L); tracking across 7 Ubuntu and 4 Debian releases indicates significant deployment in enterprise LDAP environments.
PHP
Lfi
RCE
-
CVE-2026-27811
HIGH
CVSS 8.8
Roxy-WI versions prior to 8.2.6.3 contain a command injection vulnerability in the configuration comparison endpoint that allows authenticated users to execute arbitrary system commands on the host server. The flaw stems from unsanitized user input being directly embedded into template strings executed by the application. An attacker with valid credentials can exploit this to achieve full system compromise with high impact on confidentiality, integrity, and availability.
Command Injection
Apache
Nginx
-
CVE-2026-27135
HIGH
CVSS 7.5
nghttp2 before version 1.68.1 fails to properly validate internal state when session termination APIs are invoked, allowing an attacker to send a malformed frame that triggers an assertion failure and crashes the application. This denial of service vulnerability affects applications using the nghttp2 HTTP/2 library and can be triggered remotely without authentication or user interaction. No patch is currently available to remediate this issue.
Denial Of Service
Redhat
Suse
-
CVE-2026-26740
HIGH
CVSS 8.2
Giflib 5.2.2 contains a buffer overflow in the EGifGCBToExtension function that fails to validate allocated memory when processing Graphic Control Extension blocks, enabling remote attackers to trigger denial of service conditions. Public exploit code exists for this vulnerability, though no patch is currently available. The flaw affects any application using the vulnerable giflib version to process GIF files from untrusted sources.
Buffer Overflow
Denial Of Service
Memory Corruption
Redhat
Suse
-
CVE-2026-24063
HIGH
CVSS 8.2
Arturia Software Center on macOS installs plugin uninstall scripts with world-writable permissions (777) in root-owned directories, allowing local attackers to modify these scripts and achieve privilege escalation when the Privileged Helper executes them during plugin removal. This vulnerability affects any macOS user with the Arturia Software Center installed and requires local access and user interaction to exploit. No patch is currently available.
Privilege Escalation
Apple
Software Center
macOS
-
CVE-2026-24062
HIGH
CVSS 7.8
The Arturia Software Center on macOS contains insufficient code signature validation in its Privileged Helper component, allowing unauthenticated clients to connect and execute privileged actions without proper authorization. This vulnerability affects all versions of Arturia Software Center and enables local privilege escalation attacks where an unprivileged user can escalate to root or system-level privileges. While no CVSS score or EPSS data is publicly available, the authentication bypass nature and privilege escalation impact classify this as a high-severity issue; no KEV listing or public proof-of-concept has been confirmed at this time.
Privilege Escalation
Apple
Authentication Bypass
Software Center
macOS
-
CVE-2026-23270
HIGH
CVSS 7.8
This vulnerability is a use-after-free (UaF) condition in the Linux kernel's traffic control (tc) subsystem, specifically in the act_ct (connection tracking) action module. The vulnerability affects all Linux kernel versions where act_ct can be attached to qdiscs other than clsact/ingress, allowing a packet held by the defragmentation engine to be freed while the defrag engine still references it, potentially leading to information disclosure or denial of service. The issue is resolved by restricting act_ct binding to only clsact/ingress qdiscs and shared blocks, eliminating the dangerous egress path usage patterns.
Linux
Information Disclosure
Redhat
Suse
-
CVE-2026-23269
HIGH
CVSS 7.1
A slab out-of-bounds read vulnerability exists in the Linux kernel's AppArmor security module where untrusted DFA (Deterministic Finite Automaton) start states are used as array indexes without bounds validation during policy unpacking. An attacker with the ability to load a malicious AppArmor policy can trigger an out-of-bounds memory read, potentially leading to information disclosure or denial of service. The vulnerability affects all Linux kernel versions with the vulnerable AppArmor code path and has been patched across multiple stable kernel branches.
Linux
Buffer Overflow
Redhat
Suse
-
CVE-2026-23268
HIGH
CVSS 7.8
This vulnerability in the Linux kernel's AppArmor security module allows an unprivileged local user to perform privileged policy management operations through a confused deputy attack. An attacker can load, replace, and remove AppArmor security profiles by passing an opened file descriptor to a privileged process and manipulating it into writing to the AppArmor policy management interface, bypassing normal access controls. This enables complete circumvention of AppArmor confinement, denial of service attacks, bypass of unprivileged user namespace restrictions, and potential kernel exploitation for local privilege escalation. The vulnerability is not currently listed in the CISA KEV catalog and no CVSS score or EPSS data is available, but the technical severity is high given the policy management implications and the involvement of privilege escalation vectors.
Privilege Escalation
Linux
Redhat
Suse
-
CVE-2026-23253
HIGH
CVSS 7.8
This vulnerability in the Linux kernel's DVB core media subsystem causes improper reinitialization of a shared ringbuffer waitqueue when the DVR device is reopened, orphaning existing io_uring poll and epoll waitqueue entries with stale pointers. Affected Linux kernels of all versions prior to the patched commits are vulnerable, potentially leading to information disclosure or kernel instability when multiple readers interact with the DVR device simultaneously. While no CVSS score or EPSS probability has been assigned and no active exploitation in the wild is documented, the vulnerability has been patched in stable kernel releases, indicating developer recognition of its severity.
Linux
Information Disclosure
Redhat
Suse
-
CVE-2026-23248
HIGH
CVSS 7.8
A race condition in the Linux kernel's perf_mmap() function creates a use-after-free vulnerability when concurrent threads attempt to access a ring buffer during failed memory mapping operations. The vulnerability affects Linux kernel versions across 6.18.17, 6.19.7, and 7.0-rc2, allowing a local attacker with standard user privileges to trigger refcount saturation warnings and potential kernel crashes via denial of service. This issue was discovered by Syzkaller fuzzing and has patches available across multiple stable kernel branches.
Linux
Information Disclosure
Redhat
Suse
-
CVE-2026-23246
HIGH
CVSS 8.8
A stack out-of-bounds write vulnerability exists in the Linux kernel's mac80211 WiFi subsystem in the ieee80211_ml_reconfiguration function, where the link_id parameter extracted from the ML Reconfiguration element is not properly bounds-checked before being used as an array index. The vulnerability affects Linux kernel versions across multiple release branches (6.5 through 7.0-rc2), allowing an attacker with network proximity to craft a malicious WiFi frame to trigger a buffer overflow and potentially cause denial of service or code execution. While no CVSS score or EPSS data is currently published, the vulnerability has been assigned EUVD-2026-12809 and patches are available across stable kernel branches.
Linux
Buffer Overflow
Redhat
Suse
-
CVE-2026-23245
HIGH
CVSS 7.8
A race condition vulnerability exists in the Linux kernel's net/sched act_gate module where the hrtimer callback or dump path can access schedule list parameters while they are being replaced, leading to potential use-after-free or memory corruption. The vulnerability affects Linux kernel versions across multiple release branches including 5.8 and later stable releases up to 6.19.8, with the fix implemented through RCU-protected parameter snapshots. This is a kernel-level race condition that could allow local attackers with network scheduler configuration privileges to cause denial of service or potentially achieve code execution through memory corruption.
Linux
Information Disclosure
Redhat
Suse
-
CVE-2026-23243
HIGH
CVSS 7.8
A negative integer underflow vulnerability exists in the Linux kernel's RDMA/umad subsystem where the ib_umad_write function fails to validate user-controlled data_len calculations, allowing a mismatch between user MAD header size and RMPP header length to produce negative values. This negative data_len can propagate to ib_create_send_mad() and trigger an out-of-bounds memset in alloc_send_rmpp_list(), causing kernel memory corruption and denial of service. The vulnerability affects Linux kernel versions from 2.6.24 through multiple stable branches (5.10, 5.15, 6.1, 6.6, 6.12, 6.18, 6.19) and requires local access to RDMA user-mode interface to exploit, with patches available across multiple stable kernel versions as referenced in the git commits.
Linux
Buffer Overflow
Redhat
Suse
-
CVE-2026-23242
HIGH
CVSS 7.5
A null pointer dereference vulnerability exists in the Linux kernel's RDMA/siw (Software iWARP) module in the TCP receive data path handler. When siw_get_hdr() returns an error before initializing the receive FPDU context, the error handling code attempts to dereference qp->rx_fpdu without null checking, potentially causing a kernel panic and denial of service. The vulnerability affects multiple Linux kernel versions across stable branches (5.10, 5.15, 6.1, 6.6, 6.12, and others) and has been patched across numerous kernel releases.
Linux
Denial Of Service
Redhat
Suse
-
CVE-2026-22730
HIGH
CVSS 8.8
A critical SQL injection vulnerability in Spring AI's MariaDBFilterExpressionConverter component allows authenticated attackers to bypass metadata-based access controls and execute arbitrary SQL commands due to missing input sanitization. VMware Spring AI versions 1.0.x prior to 1.0.4 and 1.1.x prior to 1.1.3 are affected. With a CVSS score of 8.8, this vulnerability enables attackers with low-level privileges to compromise confidentiality, integrity, and availability of the database system through network-based attacks with low complexity.
Java
SQLi
-
CVE-2026-22729
HIGH
CVSS 8.6
Spring AI's AbstractFilterExpressionConverter fails to properly escape user-controlled input in JSONPath queries, allowing authenticated attackers to inject arbitrary expressions and bypass access controls in vector store implementations. This impacts applications relying on the converter for multi-tenant isolation, role-based access, or metadata-based document filtering, enabling attackers to access unauthorized documents. No patch is currently available.
Java
Authentication Bypass
-
CVE-2026-22323
HIGH
CVSS 7.1
A CSRF vulnerability in the Link Aggregation configuration interface (CVSS 7.1) exploitable by an unauthenticated remote attacker. High-severity vulnerability requiring prompt remediation.
CSRF
Fl Switch 2406 2sfx
Fl Switch 2108
Fl Switch 2206 2fx Sm St
Fl Switch 2708 Pn
-
CVE-2026-22322
HIGH
CVSS 7.1
A cross-site scripting vulnerability (CVSS 7.1) exploitable by an unauthenticated remote attacker. High-severity vulnerability requiring prompt remediation.
XSS
Fl Switch 2416
Fl Switch 2506 2sfp Pn
Fl Switch 2216 Pn
Fl Switch 2408
-
CVE-2026-22317
HIGH
CVSS 7.2
Arbitrary command execution with root privileges affects multiple Fl Switch and Fl Nat devices through improper handling of HTTP POST requests in the Root CA certificate transfer workflow. An authenticated high-privileged attacker can exploit this command injection flaw to execute arbitrary commands on the underlying Linux operating system. No patch is currently available for the affected product versions.
Command Injection
Fl Switch 2316 Pn
Fl Switch 2005
Fl Switch Tsn 2316
Fl Switch 2206 2fx Sm
-
CVE-2026-22179
HIGH
CVSS 7.5
OpenClaw versions prior to 2026.2.22 contain an allowlist bypass vulnerability in the macOS node-host system.run function that permits remote attackers with high privileges to execute arbitrary commands by exploiting improper parsing of command substitution tokens. Attackers can craft malicious shell payloads using command substitution syntax within double-quoted strings to circumvent security allowlists and achieve code execution. A patch is available from the vendor, and the vulnerability has been documented by VulnCheck with public advisory and GitHub security advisory references.
Command Injection
Apple
macOS
-
CVE-2026-22175
HIGH
CVSS 7.1
OpenClaw contains an execution approval bypass vulnerability in allowlist mode that allows authenticated attackers to circumvent allow-always grants through unrecognized multiplexer shell wrappers like busybox and toybox. Attackers with low-level privileges can invoke arbitrary payloads under these multiplexer wrappers to satisfy stored allowlist rules while executing unintended commands. This affects all OpenClaw versions prior to 2026.2.23, with a patch now available from the vendor.
Authentication Bypass
Openclaw
-
CVE-2026-22171
HIGH
CVSS 8.2
OpenClaw contains a path traversal vulnerability in the Feishu media download functionality where untrusted media key values are directly interpolated into temporary file paths without sanitization. OpenClaw versions prior to 2026.2.19 are affected, allowing remote unauthenticated attackers to write arbitrary files within the process permissions by using directory traversal sequences in media keys. No public evidence of active exploitation (KEV) or public proof-of-concept exists at this time, though the high CVSS score of 8.2 reflects the network-accessible attack vector and lack of authentication requirements.
Path Traversal
Openclaw
-
CVE-2026-22169
HIGH
CVSS 7.1
OpenClaw versions before 2026.2.22 allow local attackers with high privileges to execute arbitrary commands through a safeBins allowlist bypass in the compress-program option, enabling unauthorized external program execution despite security constraints. The vulnerability exploits improper validation of the sort tool configuration to circumvent intended access controls. A patch is available to remediate this command injection flaw.
Command Injection
-
CVE-2026-4396
HIGH
CVSS 8.1
Devolutions Hub Reporting Service versions 2025.3.1.1 and earlier contain improper certificate validation that disables TLS certificate verification, enabling network attackers to intercept and manipulate encrypted communications. An unauthenticated attacker on the network can conduct man-in-the-middle (MITM) attacks to eavesdrop on sensitive data exchanges or inject malicious content. While no CVSS score or EPSS probability is currently available, the vulnerability's classification under CWE-295 (Improper Certificate Validation) indicates a cryptographic bypass with potentially severe information disclosure implications.
Information Disclosure
-
CVE-2026-3278
HIGH
CVSS 7.4
OpenText ZENworks Service Desk contains an improper input neutralization vulnerability (CWE-79 Cross-Site Scripting) that allows attackers to inject and execute arbitrary JavaScript in the context of a user's browser session. Affected versions are 25.2 and 25.3. Successful exploitation enables unauthorized actions on behalf of the user, including session hijacking, credential theft, or lateral movement within the service desk application.
XSS
Zenworks Service Desk
-
CVE-2026-3090
HIGH
CVSS 7.2
A stored cross-site scripting (XSS) vulnerability exists in the Post SMTP WordPress plugin through version 3.8.0, allowing unauthenticated attackers to inject malicious scripts via the 'event_type' parameter. The vulnerability requires the Post SMTP Pro plugin with its Reporting and Tracking extension to be enabled for exploitation. With a CVSS score of 7.2 and unauthenticated network-based exploitation possible, this represents a moderate-to-high severity risk for WordPress sites using both the free and Pro versions of Post SMTP together.
WordPress
XSS
-
CVE-2026-2992
HIGH
CVSS 8.2
The KiviCare clinic management plugin for WordPress contains a critical privilege escalation vulnerability allowing unauthenticated attackers to create new clinics and administrative users through an unprotected REST API endpoint. All versions up to and including 4.1.2 are affected. With a CVSS score of 8.2 and network-based exploitation requiring no authentication, this represents a significant risk to healthcare data confidentiality and system integrity, though no active exploitation (KEV) or public proof-of-concept has been documented at this time.
WordPress
Privilege Escalation
Authentication Bypass
-
CVE-2026-2991
HIGH
CVSS 7.3
The KiviCare Clinic & Patient Management System (EHR) plugin for WordPress contains a critical authentication bypass vulnerability allowing unauthenticated attackers to log in as any patient by simply providing their email address and an arbitrary access token value. All versions up to and including 4.1.2 are affected, exposing sensitive medical records, appointments, prescriptions, and billing information (PII/PHI). The CVSS score of 9.8 reflects the severity of unauthenticated remote exploitation with high impact to confidentiality, integrity, and availability.
WordPress
Authentication Bypass
-
CVE-2026-2603
HIGH
CVSS 8.1
Keycloak contains an authentication bypass vulnerability in its SAML broker functionality that allows remote attackers with low-level privileges to complete IdP-initiated broker logins even when the SAML Identity Provider has been administratively disabled. Red Hat Build of Keycloak versions 26.2 and 26.4 are affected, with patches available in versions 26.2-16, 26.2.14-1, 26.4-12, and 26.4.10-1. The CVSS score of 8.1 reflects high confidentiality and integrity impact, though no evidence of active exploitation (KEV) or public proof-of-concept has been reported at this time.
Authentication Bypass
Debian
Red Hat Build Of Keycloak 26.4.10
Red Hat Build Of Keycloak 26.2.14
Red Hat Build Of Keycloak 26.4
-
CVE-2026-2092
HIGH
CVSS 7.7
Keycloak's SAML broker endpoint contains a validation flaw that allows attackers with a valid signed SAML assertion to inject encrypted assertions for arbitrary principals when the overall SAML response is unsigned. This leads to authentication bypass and unauthorized access to protected resources. Red Hat build of Keycloak versions 26.2 and 26.4 are affected, with patches available in versions 26.2-16, 26.2.14-1, 26.4-12, and 26.4.10-1. No evidence of active exploitation (not in CISA KEV) has been reported.
Information Disclosure
Authentication Bypass
Debian
Red Hat Build Of Keycloak 26.4.10
Red Hat Build Of Keycloak 26.4
-
CVE-2026-1463
HIGH
CVSS 8.8
The NextGEN Gallery plugin for WordPress contains a Local File Inclusion vulnerability in the 'template' parameter of gallery shortcodes, affecting all versions up to and including 4.0.3. Authenticated attackers with Author-level privileges or higher can include and execute arbitrary PHP files on the server, potentially leading to remote code execution, data theft, or complete site compromise. This is a confirmed vulnerability reported by Wordfence with a high CVSS score of 8.8, though no active exploitation (KEV) status has been reported at this time.
WordPress
PHP
Lfi
RCE
Information Disclosure
-
CVE-2025-55046
HIGH
CVSS 8.1
MuraCMS versions through 10.1.10 contain a Cross-Site Request Forgery (CSRF) vulnerability in the cTrash.empty function that lacks proper token validation, allowing attackers to permanently delete all content in the trash system. An authenticated administrator visiting a malicious webpage can be tricked into permanently destroying all deleted content without their knowledge or consent, resulting in catastrophic, irreversible data loss. While no CVSS score or EPSS data is currently available, the vulnerability's attack vector is network-based with low complexity, affecting any authenticated administrator, and the technical impact of complete data destruction in the trash system constitutes a critical business continuity threat.
CSRF
-
CVE-2025-55045
HIGH
CVSS 7.1
A Cross-Site Request Forgery (CSRF) vulnerability exists in MuraCMS through version 10.1.10 affecting the cUsers.updateAddress function, which lacks proper CSRF token validation. Attackers can exploit this by crafting malicious webpages that, when visited by an authenticated administrator, automatically submit hidden forms to add, modify, or delete user address records without the administrator's knowledge or consent. Successful exploitation enables unauthorized manipulation of user address data, potentially redirecting sensitive communications to attacker-controlled addresses, compromising user privacy, and disrupting legitimate business operations through injection of malicious contact information.
CSRF
-
CVE-2025-55044
HIGH
CVSS 8.8
A Cross-Site Request Forgery (CSRF) vulnerability exists in the cTrash.restore function of MuraCMS through version 10.1.10, which lacks CSRF token validation. An authenticated administrator can be tricked into restoring deleted content to arbitrary locations within the CMS by visiting a malicious webpage, enabling attackers to resurrect malicious or sensitive content, manipulate website structure, or restore intentionally-removed materials. No CVSS score, EPSS data, or known exploits-in-the-wild confirmation are available at this time, though the vulnerability is documented as requiring user interaction (an admin must visit a crafted page) and authenticated session context.
CSRF
-
CVE-2025-55041
HIGH
CVSS 8.0
MuraCMS through version 10.1.10 contains a Cross-Site Request Forgery (CSRF) vulnerability in the user management Add To Group functionality that allows attackers to escalate privileges by adding authenticated users to arbitrary groups without proper authorization validation. An authenticated administrator visiting a malicious webpage can be tricked into adding any user to the Admin group or other privileged groups, though escalation to the Super Admin (s2) group is blocked. This vulnerability enables both horizontal privilege escalation across different user groups and vertical privilege escalation to administrative roles, posing a significant risk to multi-user MuraCMS installations where administrator accounts are targeted.
Privilege Escalation
CSRF
-
CVE-2025-55040
HIGH
CVSS 8.8
MuraCMS versions through 10.1.10 contain a Cross-Site Request Forgery (CSRF) vulnerability in the cForm.importform function that lacks proper token validation, allowing attackers to deceive authenticated administrators into uploading and installing malicious form definitions. An attacker can craft a malicious webpage that, when visited by an authenticated MuraCMS administrator, automatically generates and submits a forged file upload request containing a ZIP archive with attacker-controlled form definitions. Successful exploitation results in the installation of data-harvesting forms on the target website that can steal sensitive user information collected through legitimate-appearing web forms. No active exploitation in the wild has been documented (KEV status unknown), and no formal CVSS score has been assigned, though the vulnerability requires user interaction (administrator must visit the malicious page) which moderates the overall risk profile.
CSRF
File Upload
-
CVE-2025-41258
HIGH
CVSS 8.0
A critical authentication bypass vulnerability exists in LibreChat version 0.8.1-rc2 where the same JWT secret is reused for both user session management and the RAG (Retrieval-Augmented Generation) API authentication. This design flaw allows authenticated users to compromise service-level authentication of the RAG API by leveraging their session tokens to access or manipulate the RAG service beyond intended privileges. No active exploitation (KEV) has been reported, but a detailed security advisory with technical analysis is publicly available from SBA Research.
Authentication Bypass
-
CVE-2026-33265
MEDIUM
CVSS 6.3
LibreChat 0.8.1-rc2 improperly issues JWT tokens to authenticated users for both the LibreChat API and RAG API without adequate scope separation or validation, enabling token reuse across API boundaries. An authenticated attacker with local access can exploit this misconfiguration to access or manipulate resources in the RAG API using credentials intended only for the main LibreChat API. This authentication bypass affects all deployments of LibreChat 0.8.1-rc2, with a proof-of-concept available via the SBA Research advisory (EUVD-2026-12813), though no active KEV exploitation has been reported at this time.
Information Disclosure
-
CVE-2026-33230
MEDIUM
CVSS 6.1
A reflected cross-site scripting (XSS) vulnerability exists in NLTK's WordNet Browser application (nltk.app.wordnet_app) in the lookup_... route, where attacker-controlled word parameters are reflected into HTML responses without proper escaping. This vulnerability affects users running the local WordNet Browser server and allows attackers to inject and execute arbitrary JavaScript in the browser context of the affected application. A proof-of-concept exploit has been publicly demonstrated, and a vendor patch is available.
XSS
Docker
Python
-
CVE-2026-33209
MEDIUM
CVSS 6.1
A reflected cross-site scripting (XSS) vulnerability exists in the `return_to` query parameter of the Avo Ruby gem (pkg:rubygems/avo), allowing attackers to inject arbitrary JavaScript that executes when users click dynamically generated navigation buttons. The vulnerability affects both authenticated and unauthenticated deployments, with unauthenticated setups being directly exploitable via crafted links. The CWE-79 classification confirms this as a classic reflected XSS issue without a published CVSS score or EPSS metric currently available.
XSS
-
CVE-2026-33194
MEDIUM
CVSS 6.8
Docker's IsSensitivePath() function uses an incomplete denylist that fails to restrict access to sensitive directories including /opt, /usr, /home, /mnt, and /media, allowing authenticated users with high privileges to read arbitrary files outside the intended workspace through the globalCopyFiles and importStdMd endpoints. An attacker with administrative credentials could exploit this path traversal vulnerability to access sensitive configuration files and data from other users or mounted volumes. No patch is currently available for this medium-severity issue.
Path Traversal
Docker
-
CVE-2026-33192
MEDIUM
CVSS 5.3
UDM incorrectly converts client-side errors to server-side errors and mistranslates PATCH requests to PUT when forwarding to UDR, exposing internal error handling behavior that prevents clients from distinguishing between legitimate client errors and actual server failures. An unauthenticated remote attacker can exploit this by sending PATCH requests with malformed parameters to leak information about the service's internal architecture and error handling mechanisms. A patch is available to address this HTTP method translation and improper error handling issue.
Information Disclosure
-
CVE-2026-33177
MEDIUM
CVSS 4.3
A low-privileged authorization bypass vulnerability in Statamic CMS allows Control Panel users to create taxonomy terms without proper authorization by submitting crafted requests to the field action processing endpoint with attacker-controlled field definitions. This vulnerability affects Statamic CMS versions prior to 5.73.14 and 6.7.0, enabling unauthorized data modification with a CVSS score of 4.3 and low attack complexity. No active exploitation or public proof-of-concept has been confirmed, but patches are readily available from the vendor.
Authentication Bypass
-
CVE-2026-33171
MEDIUM
CVSS 4.3
Authenticated Control Panel users can read arbitrary JSON, YAML, and CSV files from the server by manipulating the filename parameter in the fieldtype endpoint, resulting in unauthorized information disclosure. The vulnerability requires valid authentication credentials and affects versions prior to 5.73.14 and 6.7.0. No patch is currently available for affected deployments.
Path Traversal
-
CVE-2026-33140
MEDIUM
CVSS 6.1
PySpector versions 0.1.6 and earlier contain a stored Cross-Site Scripting (XSS) vulnerability in the HTML report generator that fails to sanitize JavaScript payloads embedded within scanned Python code. When a victim scans a malicious Python file crafted by an attacker and opens the resulting HTML report in a browser, the embedded JavaScript executes in the local file context, potentially enabling DOM manipulation, page redirects, and theft of locally accessible data. A proof-of-concept demonstrating the vulnerability has been publicly disclosed.
Python
XSS
-
CVE-2026-33132
MEDIUM
CVSS 5.3
Zitadel's OAuth2/OIDC implementation contains an authentication bypass vulnerability (CWE-863: Improper Authorization) that allows unauthenticated attackers to circumvent organization enforcement controls during login. Affected versions 3.0.0-3.4.8 and 4.0.0-4.12.2 fail to validate organization membership scopes in device authorization flows and all Login V2/OIDC API V2 endpoints, enabling attackers to authenticate with users from unauthorized organizations. While the CVSS score of 5.3 indicates low-to-moderate severity with confidentiality impact only, the attack requires no privileges or user interaction and operates over the network, making it a practical concern for multi-tenant deployments.
Authentication Bypass
-
CVE-2026-33129
MEDIUM
CVSS 5.9
A timing side-channel vulnerability exists in the h3 npm package's `requireBasicAuth` function, where unsafe string comparison using the `!==` operator allows attackers to deduce valid passwords character-by-character by measuring server response times. This affects all versions of h3 that implement this vulnerable authentication mechanism, and while a proof-of-concept exists demonstrating feasibility in local/co-located network environments, the attack requires statistical analysis over multiple requests and is significantly hampered by network jitter in internet-scale scenarios. The CVSS score of 5.9 reflects high confidentiality impact but high attack complexity, placing this in moderate-priority territory despite the linear password recovery capability.
Authentication Bypass
-
CVE-2026-33123
MEDIUM
CVSS 6.5
A Denial of Service vulnerability exists in pypdf (Python PDF library) where an attacker can craft a malicious PDF file that causes excessive runtime and memory consumption by exploiting improper handling of array-based streams with large numbers of entries. All versions of pypdf prior to 6.9.1 are affected. An attacker can remotely trigger resource exhaustion on any system processing untrusted PDF files with this library, potentially causing application crashes or service unavailability.
Denial Of Service
-
CVE-2026-33081
MEDIUM
CVSS 5.8
PinchTab contains a Server-Side Request Forgery (SSRF) vulnerability in its /download endpoint that allows unauthenticated attackers to bypass URL validation and cause the embedded Chromium browser to make requests to internal network services. The vulnerability affects PinchTab versions 0.7.x and 0.8.x when the security.allowDownload setting is enabled (disabled by default), and exploits a validation gap where only the initial user-supplied URL is checked while subsequent browser-initiated requests (redirects, JavaScript navigations, resource fetches) bypass this protection entirely. Although the attacker cannot receive response bodies from internal services (blind SSRF), they can trigger state-changing endpoints on localhost or private network addresses reachable from the PinchTab host, with a proof-of-concept publicly available demonstrating counter increments on internal services.
Google
Python
SSRF
Chrome
-
CVE-2026-33065
MEDIUM
CVSS 5.3
This is an improper error handling vulnerability in free5GC's UDM (Unified Data Management) component that incorrectly converts valid 400 Bad Request responses from downstream UDR (Unified Data Repository) services into 500 Internal Server Error responses when processing DELETE requests with empty `supi` path parameters. An attacker or misconfigured client can exploit this by sending malformed DELETE requests to the sdm-subscriptions endpoint, causing the UDM to leak internal error handling behavior and making it difficult for legitimate clients to distinguish between client-side errors and actual server failures. This vulnerability affects free5GC v4.0.1 and is classified as an information disclosure issue (CWE-209), though no CVSS score or KEV status has been assigned and no public exploit code is currently known.
Information Disclosure
-
CVE-2026-33060
MEDIUM
CVSS 5.3
The @aborruso/ckan-mcp-server MCP server contains a Server-Side Request Forgery (SSRF) vulnerability in its ckan_package_search, sparql_query, and ckan_datastore_search_sql tools, which accept an arbitrary base_url parameter without validation, allowing attackers to scan internal networks, exfiltrate cloud metadata credentials (including IAM tokens from 169.254.169.254), and potentially execute injection attacks. The vulnerability affects the npm package @aborruso/ckan-mcp-server (pkg:npm/@aborruso/ckan-mcp-server) and requires prompt injection to exploit, making attack complexity high; a proof-of-concept exists demonstrating 9 unthrottled HTTP requests to a canary endpoint, and a patch is available from the vendor.
Docker
SSRF
-
CVE-2026-33058
MEDIUM
CVSS 6.5
An authenticated SQL injection vulnerability exists in Kanboard project management software prior to version 1.2.51. Authenticated attackers with permission to add users to a project can exploit this vulnerability to dump the entire Kanboard database, potentially exposing sensitive project data, user credentials, and application secrets. The vulnerability is confirmed under active tracking by Debian (2 releases) and Ubuntu (medium priority), with a GitHub Security Advisory published.
SQLi
Ubuntu
Debian
Kanboard
-
CVE-2026-33051
MEDIUM
CVSS 5.4
This vulnerability is a stored cross-site scripting (XSS) flaw in Craft CMS's element editor revision/draft context menu that renders user-supplied fullName data as raw HTML without proper sanitization. A low-privileged control panel user (such as an Author) can inject malicious JavaScript into their profile's fullName field, which executes when an administrator views the revision context menu. If weaponized with a carefully crafted payload while an administrator is authenticated, an attacker can escalate their account privileges to administrator level. A patch is available in Craft CMS version 5.9.11.
XSS
-
CVE-2026-33004
MEDIUM
CVSS 4.3
The Jenkins LoadNinja Plugin version 2.1 and earlier fails to mask LoadNinja API keys displayed on the job configuration form, allowing attackers with access to the Jenkins web interface to observe and capture sensitive credentials. This information disclosure vulnerability affects Jenkins administrators and users with job configuration visibility, enabling credential theft that could lead to unauthorized access to LoadNinja services and associated testing infrastructure. No CVSS score, EPSS data, or active exploitation status (KEV listing) is currently available in public sources.
Jenkins
Information Disclosure
-
CVE-2026-33003
MEDIUM
CVSS 4.3
The Jenkins LoadNinja Plugin versions 2.1 and earlier store LoadNinja API keys in plaintext within job configuration files (config.xml) on the Jenkins controller, allowing unauthorized disclosure of sensitive credentials. Users with Item/Extended Read permission on Jenkins jobs or direct file system access to the controller can extract these API keys, potentially leading to account compromise and unauthorized access to LoadNinja services. This is a straightforward credential exposure vulnerability with no complexity barriers to exploitation once access is gained.
Jenkins
Information Disclosure
-
CVE-2026-32761
MEDIUM
CVSS 6.5
FileBrowser contains an authorization bypass vulnerability where users with share privileges but without download privileges can still expose and retrieve file content via public share links, enabling unauthorized data exfiltration to unauthenticated users. The vulnerability affects FileBrowser (CPE: pkg:go/https:__github.com_filebrowser_filebrowser) and has been confirmed with a working proof-of-concept demonstrating that restricted users can create shares and access files publicly despite download restrictions. With a CVSS score of 6.5 and an attack vector requiring only low privileges and no user interaction, this represents a significant access control bypass in environments relying on download restrictions for data loss prevention.
Authentication Bypass
-
CVE-2026-32736
MEDIUM
CVSS 4.3
An Insecure Direct Object Reference (IDOR) vulnerability in the Hytale Modding Wiki prior to version 1.0.0 allows any authenticated user to access and view mod authors' personal information, including full names and email addresses, by navigating directly to mod pages using their slugs. The vulnerability requires only low-privilege authentication (account creation) and no user interaction, making it trivially exploitable. While the CVSS score is moderate at 4.3, the exposure of personally identifiable information (PII) represents a direct privacy harm to affected mod authors.
Authentication Bypass
Wiki
-
CVE-2026-32694
MEDIUM
CVSS 6.6
A predictable secret identifier (XID) vulnerability in Juju versions 3.0.0 through 3.6.18 allows a malicious grantee to enumerate and predict previously granted secrets owned by the same administrator, enabling unauthorized access to resources intended for other applications. An attacker with high privileges and control over at least one deployed application can exploit this to obtain credentials or configuration data from past secret grants, resulting in information disclosure and potential privilege escalation. While the CVSS score is moderate at 6.6 and exploitation requires specific configuration and high privileges, the fundamental weakness in secret ownership verification represents a significant trust boundary violation in Juju's secret management architecture.
Information Disclosure
Debian
Juju
-
CVE-2026-32691
MEDIUM
CVSS 5.3
Juju 3.0.0 through 3.6.18 contains a race condition in secrets management that allows authenticated unit agents to intercept and claim ownership of newly created secrets due to a timing window between secret ID generation and revision creation. An attacker with valid unit agent credentials can exploit this to read the initial content of secrets intended for other units. The vulnerability requires local authentication and manual interaction but results in high-impact confidentiality disclosure with no available patch.
Information Disclosure
Debian
Juju
-
CVE-2026-32565
MEDIUM
CVSS 5.3
Contextual Related Posts versions before 4.2.2 contain an authorization bypass vulnerability that allows unauthenticated attackers to access sensitive information by exploiting improperly configured access controls. The vulnerability affects the plugin's ability to enforce proper permission checks, potentially exposing confidential data to unauthorized users. No patch is currently available for this issue.
Authentication Bypass
Contextual Related Posts
-
CVE-2026-31973
MEDIUM
CVSS 6.9
SAMtools versions 1.17 and later contain a null pointer dereference vulnerability in the cram-size command due to missing error handling for the cram_decode_compression_header() function. When this function fails and returns an error, the code does not properly validate the return value before dereferencing the pointer, allowing an attacker to crash the application by providing a malformed CRAM file. This is a denial-of-service vulnerability with no active exploitation reported in the wild, though patches are available in versions 1.23.1, 1.22.2, and 1.21.1.
Denial Of Service
Samtools
-
CVE-2026-31972
MEDIUM
CVSS 6.9
The SAMtools mpileup command contains a use-after-free vulnerability in reference data management that can leak sensitive program state information or trigger application crashes when processing aligned DNA sequences. The vulnerability affects versions prior to 1.2 and requires no authentication or user interaction to exploit, though a patch is not yet available. An attacker could leverage this to obtain information disclosure or cause denial of service against systems processing bioinformatics data with vulnerable SAMtools versions.
Use After Free
Information Disclosure
Denial Of Service
Samtools
-
CVE-2026-31967
MEDIUM
CVSS 6.9
HTSlib versions prior to 1.23.1, 1.22.2, and 1.21.1 contain an out-of-bounds read vulnerability in the CRAM file parser where the mate reference ID field is not validated during decoding. An attacker can craft a malicious CRAM file that, when processed by affected applications (particularly those converting CRAM to SAM format), triggers out-of-bounds array access that may leak sensitive information about program state or cause a denial of service through memory access violations. No public exploit has been reported, but no workaround exists, making patching essential.
Denial Of Service
Debian
Htslib
-
CVE-2026-31966
MEDIUM
CVSS 6.9
HTSlib versions prior to 1.21.1, 1.22.2, and 1.23.1 contain a buffer over-read vulnerability in the CRAM decoder's cram_decode_seq() function that fails to properly validate feature data offsets. An attacker can craft malicious CRAM files to read arbitrary data from memory adjacent to reference sequence buffers, leading to information disclosure of program state or denial of service through memory access violations. No active exploitation has been documented, but patches are available from the vendor.
Buffer Overflow
Information Disclosure
Denial Of Service
Debian
Htslib
-
CVE-2026-31965
MEDIUM
CVSS 6.9
HTSlib contains an out-of-bounds read vulnerability in the cram_decode_slice() function that fails to validate the reference ID field early enough during CRAM file parsing, allowing two separate out-of-bounds reads before error detection. The vulnerability affects HTSlib versions prior to 1.23.1, 1.22.2, and 1.21.1, and can result in information disclosure through leaked memory values or application crashes when processing malicious or corrupted CRAM bioinformatics files. While the function reports an error after the reads occur, the window for exploitation exists and the practical impact depends on memory layout and application context.
Buffer Overflow
Information Disclosure
Denial Of Service
Debian
Htslib
-
CVE-2026-31964
MEDIUM
CVSS 6.9
HTSlib, a bioinformatics library for reading and writing sequence alignment formats, contains a null pointer dereference vulnerability in its CRAM format decoder affecting versions before 1.23.1, 1.22.2, and 1.21.1. The vulnerability exists in the CONST, XPACK, and XRLE encodings which fail to properly handle CRAM records with omitted sequence or quality data, causing attempts to write to NULL pointers when these records are decoded. An attacker can exploit this by providing a malformed CRAM file to any application using vulnerable HTSlib versions, resulting in denial of service through application crash, with no known active exploitation or public proof-of-concept at this time.
Denial Of Service
Debian
Htslib
-
CVE-2026-27545
MEDIUM
CVSS 6.1
OpenClaw versions prior to 2026.2.26 contain a Time-of-Check-Time-of-Use (TOCTOU) approval bypass vulnerability in the system.run execution function that allows local attackers with low privileges to execute arbitrary commands from unintended filesystem locations. An attacker can exploit a race condition by modifying parent symlinks in the current working directory after command approval but before execution, redirecting execution while maintaining the appearance of a safe working directory. A patch is available from the vendor, and this vulnerability has been documented by both VulnCheck and the OpenClaw security advisory (GHSA-f7ww-2725-qvw2).
Authentication Bypass
Openclaw
-
CVE-2026-27523
MEDIUM
CVSS 6.1
OpenClaw versions prior to 2026.2.24 contain a sandbox bind validation bypass vulnerability that allows local attackers with low privileges to circumvent allowed-root and blocked-path security checks through symlinked parent directories combined with non-existent leaf paths. An attacker can craft bind source paths that appear to reside within permitted sandbox roots but resolve outside sandbox boundaries once missing path components are created, effectively weakening the sandbox's bind-source isolation enforcement. A patch is available from the vendor, and exploitation requires local access with standard user privileges, making this a practical threat in multi-tenant or shared-system environments.
Path Traversal
Openclaw
-
CVE-2026-27522
MEDIUM
CVSS 6.5
OpenClaw versions prior to 2026.2.24 contain a local media root bypass vulnerability that allows authenticated attackers to read arbitrary files from the host system through the sendAttachment and setGroupIcon message actions when sandboxRoot configuration is unset. An attacker with valid credentials can exploit path traversal to hydrate media from absolute file paths, gaining unauthorized access to sensitive files accessible by the OpenClaw runtime user. A patch is available from the vendor, and this vulnerability has been tracked in the ENISA EUVD database (EUVD-2026-12732) with confirmed GitHub security advisory and commit-level patch information.
Path Traversal
Openclaw
-
CVE-2026-26948
MEDIUM
CVSS 4.9
Dell Integrated Dell Remote Access Controller (iDRAC) versions 9, 14G (prior to 7.00.00.174), 15G, and 16G (prior to 7.10.90.00) contain an exposure of sensitive system information vulnerability caused by uncleared debug information in memory or logs. A remote attacker with high privileges can exploit this to disclose confidential system details without modifying or disrupting service availability. While the CVSS score is moderate at 4.9 due to high privilege requirements, the confidentiality impact is rated high, making this relevant for organizations where insider threats or compromised administrator accounts are a concern.
Dell
Information Disclosure
Integrated Dell Remote Access Controller
-
CVE-2026-26945
MEDIUM
CVSS 5.3
A Process Control vulnerability (CWE-114) exists in Dell Integrated Dell Remote Access Controller (iDRAC) across multiple generations that allows a high-privileged attacker with adjacent network access to achieve code execution. Affected versions include iDRAC 9 (14G prior to 7.00.00.181, 15G and 16G prior to 7.20.10.50) and iDRAC 10 (17G prior to 1.20.25.00). While the CVSS score of 5.3 is moderate, the integrity impact is rated high and remote code execution capability presents significant risk to out-of-band management infrastructure.
Dell
RCE
Integrated Dell Remote Access Controller
-
CVE-2026-26004
MEDIUM
CVSS 6.5
An Insecure Direct Object Reference (IDOR) vulnerability exists in Sentry versions prior to 26.1.0 within the GroupEventJsonView endpoint, allowing attackers to access event data across different organizations without proper authorization checks. This information disclosure vulnerability enables cross-organization data leakage where an authenticated attacker with access to one organization can enumerate and retrieve sensitive error tracking and performance monitoring data belonging to other organizations. The vulnerability has been patched in version 26.1.0, and a proof-of-concept is available via the referenced GitHub Security Lab advisory.
Authentication Bypass
-
CVE-2026-25745
MEDIUM
CVSS 6.5
OpenEMR versions up to 8.0.0 contain an authorization bypass vulnerability in the message/note update endpoints that allows authenticated users with notes permissions to modify any patient's messages without proper access control verification. An attacker can exploit this by supplying arbitrary message IDs in PUT or POST requests, enabling unauthorized modification of other patients' medical records. This is a moderate-risk issue (CVSS 6.5) with integrity impact on sensitive healthcare data, though exploitation requires existing authentication and notes permissions.
Authentication Bypass
-
CVE-2026-22321
MEDIUM
CVSS 5.3
A buffer overflow vulnerability rated CVSS 5.3; no further technical detail is given for this entry. Remediation should follow standard vulnerability management procedures.
Buffer Overflow
Stack Overflow
Fl Switch 2708 Pn
Fl Switch Tsn 2316
Fl Switch 2206c 2fx
-
CVE-2026-22320
MEDIUM
CVSS 6.5
A buffer overflow vulnerability rated CVSS 6.5; no further technical detail is given for this entry. Remediation should follow standard vulnerability management procedures.
Buffer Overflow
Denial Of Service
Stack Overflow
Fl Switch 2512 2gc 2sfp
Fl Switch 2206 2sfx Pn
-
CVE-2026-22319
MEDIUM
CVSS 4.9
A stack-based buffer overflow in the file installation workflow of the affected FL Switch networking devices can be triggered by high-privileged attackers through oversized POST parameters, resulting in denial of service. An authenticated attacker with elevated privileges can crash the affected service by exploiting this memory corruption vulnerability. No patch is currently available for the impacted products.
Buffer Overflow
Stack Overflow
Fl Switch 2516
Fl Switch 2207 Fx Sm
Fl Switch 2314 2sfp
-
CVE-2026-22318
MEDIUM
CVSS 4.9
A buffer overflow vulnerability rated CVSS 4.9 that is exploitable by a high-privileged attacker; no further technical detail is given for this entry. Remediation should follow standard vulnerability management procedures.
Buffer Overflow
Stack Overflow
Fl Switch 2708
Fl Switch 2105
Fl Switch 2216 Pn
-
CVE-2026-22316
MEDIUM
CVSS 6.5
A buffer overflow vulnerability rated CVSS 6.5; no further technical detail is given for this entry. Remediation should follow standard vulnerability management procedures.
Buffer Overflow
Stack Overflow
Fl Switch 2207 Fx Sm
Fl Switch 2208 Pn
Fl Switch 2206 2fx St
-
CVE-2026-22217
MEDIUM
CVSS 5.8
OpenClaw versions prior to 2026.2.23 contain an arbitrary code execution vulnerability in shell-env that allows local attackers with low privileges to execute attacker-controlled binaries by manipulating the $SHELL environment variable through trusted-prefix fallback logic. An attacker who can write to directories like /opt/homebrew/bin can trick OpenClaw into executing malicious binaries in its process context, potentially escalating privileges or compromising system integrity. A patch is available from the vendor, and this vulnerability has been documented by VulnCheck and tracked under EUVD-2026-12730.
RCE
-
CVE-2026-22181
MEDIUM
CVSS 6.1
OpenClaw versions prior to 2026.3.2 contain a DNS pinning bypass vulnerability that allows authenticated attackers to circumvent SSRF (Server-Side Request Forgery) protections by exploiting environment proxy variable configuration. When HTTP_PROXY, HTTPS_PROXY, or ALL_PROXY environment variables are present, attackers can route malicious URLs through proxy mechanisms instead of pinned-destination routing, enabling access to internal resources that should be protected. The vulnerability requires low privilege (PR:L) and non-interactive attack (UI:N) with medium attack complexity (AC:H), resulting in high confidentiality impact (C:H) and lesser integrity and availability impact. A patch is available from the vendor.
SSRF
-
CVE-2026-22180
MEDIUM
CVSS 5.3
OpenClaw prior to version 2026.3.2 allows local users with standard privileges to write files outside designated directories through insufficient path validation in the browser output handler. An attacker can exploit this path-confinement bypass to place malicious files in arbitrary filesystem locations, potentially leading to privilege escalation or system compromise.
Canonical
Authentication Bypass
-
CVE-2026-22178
MEDIUM
CVSS 6.5
OpenClaw versions before 2026.2.19 are vulnerable to regex injection and denial of service through unescaped Feishu mention metadata in the stripBotMention function. An unauthenticated network attacker can craft malicious mention metadata containing nested-quantifier patterns or regex metacharacters to trigger catastrophic backtracking, block message processing, or remove unintended content before model processing, with a CVSS score of 6.5 indicating medium severity with integrity and availability impact. A patch is available from the vendor via GitHub commits, and proof-of-concept details are available through VulnCheck advisory references.
Denial Of Service
Openclaw
-
CVE-2026-22177
MEDIUM
CVSS 6.9
OpenClaw versions prior to 2026.2.21 contain an environment variable injection vulnerability that allows authenticated local attackers to execute arbitrary code at startup time by injecting dangerous process-control variables (such as NODE_OPTIONS or LD_*) through the configuration env.vars mechanism. An attacker with local privileges can manipulate the gateway service's runtime environment to achieve code execution in the service context, potentially compromising the entire OpenClaw deployment. A patch is available from the vendor, and this vulnerability has been documented by VulnCheck with supporting references to the GitHub security advisory and corresponding commit fix.
RCE
-
CVE-2026-22174
MEDIUM
CVSS 5.9
OpenClaw Gateway versions prior to 2026.2.22 leak authentication tokens through Chrome DevTools Protocol (CDP) probe traffic on loopback interfaces, allowing local attackers to intercept the x-OpenClaw-relay-token header and reuse it for unauthorized Gateway access. An attacker with local network access or control of a loopback port can capture reachability probes to the /json/version endpoint and escalate privileges by replaying the stolen token as bearer authentication. A vendor patch is available, and this vulnerability has been documented by VulnCheck with references to the official GitHub security advisory and patch commit.
Authentication Bypass
Google
Chrome
-
CVE-2026-22170
MEDIUM
CVSS 6.3
OpenClaw versions prior to 2026.2.22 contain an access control bypass vulnerability in the optional BlueBubbles plugin where empty allowFrom configuration causes the allowlist validation logic to fail, enabling remote attackers to send direct messages to BlueBubbles accounts without proper authorization. The vulnerability stems from improper handling of misconfigured sender authorization checks, allowing attackers to circumvent dmPolicy pairing and allowlist restrictions. Patches are available from the vendor, and this is classified as an authentication bypass issue with a CVSS score of 4.8 indicating moderate severity.
Authentication Bypass
-
CVE-2026-22168
MEDIUM
CVSS 6.5
OpenClaw versions prior to 2026.2.21 contain an approval-integrity mismatch vulnerability in the system.run function that allows authenticated operators to execute arbitrary commands on Windows systems by appending malicious arguments after cmd.exe /c while the approval audit log records only the benign command text. An authenticated attacker with operator privileges can exploit this to achieve local command execution on trusted Windows nodes with mismatched or incomplete audit trails, enabling information disclosure and lateral movement while evading detection.
Information Disclosure
Microsoft
Openclaw
Windows
-
CVE-2026-4366
MEDIUM
CVSS 5.8
A remote code execution flaw rated CVSS 5.8 that is exploitable by an attacker; the affected product is not named in this entry. Remediation should follow standard vulnerability management procedures.
Information Disclosure
SSRF
-
CVE-2026-4268
MEDIUM
CVSS 6.4
WP Go Maps (formerly WP Google Maps) plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in the 'wpgmza_custom_js' parameter due to insufficient input sanitization and output escaping. Authenticated attackers with Subscriber-level privileges or higher can inject arbitrary JavaScript code that executes in the browsers of users visiting affected pages, potentially leading to session hijacking, credential theft, or malware distribution. The vulnerability affects all versions up to and including 10.0.05, with a CVSS score of 6.4 indicating moderate severity but significant practical impact due to low attack complexity and the ability to affect site-wide functionality.
WordPress
XSS
Google
-
CVE-2026-3512
MEDIUM
CVSS 6.1
The Writeprint Stylometry WordPress plugin (versions up to 0.1) contains a Reflected Cross-Site Scripting (XSS) vulnerability in the bjl_wprintstylo_comments_nav() function that fails to properly sanitize and escape the 'p' GET parameter before outputting it in HTML href attributes. An attacker can craft a malicious link containing arbitrary JavaScript code and trick users into clicking it, resulting in session hijacking, credential theft, or malware distribution. The vulnerability requires user interaction (clicking a link) but has a network attack vector with low complexity and no privilege requirements, making it a practical threat in WordPress ecosystems.
WordPress
XSS
Writeprint Stylometry
-
CVE-2026-2575
MEDIUM
CVSS 5.3
Unauthenticated remote attackers can exhaust memory in Red Hat Build of Keycloak 26.4 and 26.4.10 by sending highly compressed SAML requests that bypass decompression size limits, triggering denial of service. The vulnerability affects SAML Redirect Binding implementations that fail to enforce resource constraints during DEFLATE decompression, allowing attackers to crash the application with OutOfMemoryError conditions. No patch is currently available.
Denial Of Service
Debian
Red Hat Build Of Keycloak 26.4
Red Hat Build Of Keycloak 26.4.10
Redhat
-
CVE-2026-2559
MEDIUM
CVSS 5.3
The Post SMTP WordPress plugin for versions up to 3.8.0 contains an authorization bypass vulnerability in the Office 365 OAuth redirect handler that allows authenticated subscribers and above to overwrite sensitive SMTP configuration without proper capability checks or nonce validation. An attacker with subscriber-level access can craft a malicious URL to inject attacker-controlled Azure app credentials into the site's Microsoft 365 configuration, potentially causing administrators to unknowingly connect to the attacker's account during Pro wizard setup. This vulnerability has a CVSS score of 5.3 and is classified as CWE-862 (Missing Authorization), with active evidence of the vulnerable code path present in the plugin repository.
WordPress
Microsoft
Authentication Bypass
-
CVE-2026-2512
MEDIUM
CVSS 6.4
The Code Embed plugin for WordPress (versions up to 2.5.1) contains a stored cross-site scripting vulnerability that allows authenticated attackers with Contributor-level access or higher to inject arbitrary JavaScript into pages through custom field meta values. The vulnerability exists because the plugin's sanitization function only runs during post saves, while WordPress AJAX endpoints can add meta fields without triggering sanitization, and the plugin then outputs these unsanitized values directly without HTML escaping. An attacker can inject malicious scripts that execute whenever any user visits an affected page, potentially leading to session hijacking, credential theft, or malware distribution.
WordPress
XSS
Code Embed
-
CVE-2026-1926
MEDIUM
CVSS 5.3
The Subscriptions for WooCommerce plugin contains a critical authentication bypass vulnerability in the subscription cancellation function that allows unauthenticated attackers to cancel any active WooCommerce subscription. The vulnerability affects all versions up to and including 1.9.2 of the plugin (CPE: cpe:2.3:a:wpswings:subscriptions_for_woocommerce:*:*:*:*:*:*:*:*) and stems from a missing capability check combined with improper nonce validation. An attacker can exploit this with a simple GET request, requiring no special privileges or user interaction, resulting in unauthorized modification of subscription data with a CVSS score of 5.3 and confirmed active exploitation potential.
WordPress
Authentication Bypass
Subscriptions For Woocommerce
-
CVE-2026-1780
MEDIUM
CVSS 6.1
A Reflected Cross-Site Scripting (XSS) vulnerability exists in the [CR]Paid Link Manager WordPress plugin through version 0.5, caused by insufficient input sanitization and output escaping in the URL path parameter. Unauthenticated attackers can craft malicious URLs containing arbitrary JavaScript that executes in the browsers of users who click the link, potentially leading to session hijacking, credential theft, or malware distribution. The vulnerability has a moderate CVSS score of 6.1 and requires user interaction (UI:R), but the network-accessible attack vector (AV:N) and lack of privilege requirements make it a practical threat for WordPress sites using this plugin.
WordPress
XSS
-
CVE-2026-1217
MEDIUM
CVSS 5.4
The Yoast Duplicate Post WordPress plugin through version 4.5 contains a missing capability check vulnerability in the clone_bulk_action_handler() and republish_request() functions, allowing authenticated attackers with Contributor-level access to duplicate restricted posts (private, draft, trashed) and Author-level attackers to overwrite published posts via the Rewrite & Republish feature. The vulnerability carries a CVSS score of 5.4 (medium severity) with ENISA EUVD tracking (EUVD-2026-12800), and Wordfence has documented specific vulnerable code paths in the plugin's bulk handler and post republisher modules.
WordPress
Authentication Bypass
Yoast Duplicate Post
-
CVE-2025-55043
MEDIUM
CVSS 6.5
MuraCMS through version 10.1.10 contains a Cross-Site Request Forgery (CSRF) vulnerability in the bundle creation functionality (csettings.cfc createBundle method) that allows unauthenticated attackers to force administrators into unknowingly creating and exporting site bundles containing complete sensitive data to publicly accessible web directories. Affected administrators have no indication that the attack occurred, enabling complete data exfiltration including user accounts, password hashes, form submissions, email lists, plugins, and site content. While no CVSS score or EPSS probability is available and KEV status is unknown, the vulnerability's silent nature combined with its ability to compromise all site data without authentication represents a critical confidentiality and integrity risk.
Information Disclosure
CSRF
-
CVE-2025-15363
MEDIUM
CVSS 5.9
The Get Use APIs WordPress plugin before version 2.0.10 contains a Cross-Site Scripting (XSS) vulnerability that arises from unsanitized execution of imported JSON data. This vulnerability allows attackers with contributor-level privileges (a low-level WordPress role) to inject and execute malicious scripts under certain server configurations, potentially compromising site integrity and user data. A public proof-of-concept exploit is available via WPScan, and the vulnerability has been documented in multiple intelligence sources (WPScan, VulDB, and EUVD-2025-208813), indicating active awareness in the security community.
WordPress
XSS
Get Use Apis
PHP
-
CVE-2025-12518
MEDIUM
CVSS 5.3
The beefree.io SDK contains a Stored Cross-Site Scripting (XSS) vulnerability in the Social Media icon URL parameter within its email builder functionality, allowing attackers to inject arbitrary HTML and JavaScript code that persists in email templates and executes when preview pages are visited. The vulnerability affects beefree.io SDK versions prior to 3.47.0 across all platforms. While the impact is partially mitigated by beefree's Content Security Policy, attackers can still achieve limited script execution and social engineering attacks, making this a moderate-risk vulnerability that requires immediate patching.
XSS
Befree Sdk
-
CVE-2026-33221
LOW
The Nhost storage service's file upload handler trusts the client-provided Content-Type header without performing server-side MIME type detection, allowing attackers to upload files with spoofed MIME types that bypass bucket-level MIME restrictions. This affects the Go module github.com/nhost/nhost and could cause downstream systems (browsers, CDNs, applications) to mishandle files based on false type metadata. While the CVSS vector indicates low immediate severity due to requiring user interaction and lacking direct confidentiality or availability impact, the metadata corruption poses integrity risks for systems relying on accurate file type information.
File Upload
Information Disclosure
-
CVE-2026-32735
LOW
CVSS 2.3
A security vulnerability in version 5.1.1 and (CVSS 2.3) that allows users. Remediation should follow standard vulnerability management procedures.
Java
RCE
File Upload
-
CVE-2026-30704
None
The WiFi Extender WDR201A (hardware version 2.1, firmware LFMZX28040922V1.02) contains an unprotected UART interface exposed through accessible PCB pads, allowing information disclosure through direct hardware access. An attacker with physical access to the device can connect to the UART pins to read sensitive data, firmware contents, or configuration information without authentication. No CVSS score, EPSS metric, or KEV status is currently available, but a proof-of-concept and detailed security research have been published, confirming the vulnerability's practical exploitability.
TP-Link
IoT
Information Disclosure
-
CVE-2026-30695
None
A Cross-Site Scripting (XSS) vulnerability exists in the web-based configuration interface of Zucchetti Axess physical access control devices across multiple product lines (XA4, X3/X3BIO, X4, X7, and XIO/i-door/i-door+). The vulnerability stems from improper sanitization of the dirBrowse parameter in the /file_manager.cgi endpoint, allowing attackers to inject malicious scripts that execute in the context of authenticated administrators. A public proof-of-concept has been disclosed on GitHub (https://github.com/iremnurylmz/CVE-2026-30695). Given the lack of CVSS/EPSS scoring data and KEV status confirmation, the true exploitation likelihood remains uncertain, but the presence of a POC elevates practical risk.
XSS
-
CVE-2026-30345
None
A zip slip vulnerability exists in CTFd v3.8.1-18-gdb5a18c4's Admin import functionality, allowing attackers to write arbitrary files outside intended directories by supplying a crafted import file. This path traversal vulnerability affects the CTFd Capture-The-Flag platform and can lead to information disclosure and potential remote code execution depending on file placement. A proof-of-concept exploit has been published on GitHub (syphonetic/CVE-2026-30345), and patch information is available in the CTFd v3.8.2 release blog post.
Information Disclosure
-
CVE-2026-30048
None
A stored cross-site scripting (XSS) vulnerability exists in NotChatbot WebChat widget versions through 1.4.4, where user-supplied input in chat messages is not properly sanitized before being stored and rendered in the chat history. This allows attackers to inject arbitrary JavaScript code that executes whenever the chat history is reloaded, affecting all independent implementations of the widget. A proof-of-concept has been publicly disclosed on GitHub (https://github.com/0xN4no/CVE-2026-30048) and a detailed technical writeup is available via Gist (https://gist.github.com/0xN4no/0601f398942a29259d217ea650f694fe), indicating active demonstration of exploitability.
XSS
-
CVE-2026-29858
None
aaPanel v7.57.0 contains a path validation vulnerability that allows local file inclusion (LFI) attacks, enabling attackers to read sensitive files and disclose confidential information. The vulnerability affects the aaPanel control panel application and requires local or proximal access to exploit. While no CVSS score or EPSS data is currently available, the presence of public references and vulnerability research repositories suggests active researcher interest and potential proof-of-concept availability.
Information Disclosure
-
CVE-2026-29856
None
A Regular Expression Denial of Service (ReDoS) vulnerability exists in aaPanel v7.57.0's VirtualHost configuration handling and parser component, allowing attackers to trigger catastrophic backtracking in regex pattern matching through specially crafted input. This vulnerability affects the aaPanel web server control panel management system, enabling unauthenticated or authenticated attackers to exhaust server resources and cause service unavailability. The vulnerability has been documented in public repositories including the mbiesiad vulnerability research project, indicating proof-of-concept or technical details may be available.
Denial Of Service
-
CVE-2026-27524
LOW
CVSS 2.3
OpenClaw versions prior to 2026.2.21 are vulnerable to prototype pollution attacks via the /debug set endpoint, allowing authenticated attackers to inject reserved prototype keys (__proto__, constructor, prototype) and manipulate object prototypes to bypass command gate restrictions. The vulnerability requires authenticated access and has relatively low real-world exploitability due to high attack complexity, but presents a meaningful integrity risk for authorized users who may not be aware of this attack vector. A patch is available from the vendor.
Authentication Bypass
Prototype Pollution
-
CVE-2026-23267
None
This vulnerability is a race condition in the Linux kernel's F2FS file system that causes flag inconsistency between concurrent atomic commit and checkpoint write operations. The issue affects all Linux kernel versions with F2FS support (cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*), allowing information disclosure through incorrect inode state recovery after sudden power-off (SPO) scenarios. An attacker with local file system access during atomic write operations could trigger the race condition, leading to potential data inconsistency and information leakage when the system recovers.
Linux
Race Condition
Denial Of Service
Debian
Linux Kernel
-
CVE-2026-23266
None
A divide-by-zero vulnerability exists in the Linux kernel's rivafb framebuffer driver in the nv3_arb() function, which can be triggered by unprivileged userspace applications via the FBIOPUT_VSCREENINFO ioctl call on /dev/fb* devices. An attacker can crash the kernel by crafting a malicious or misconfigured PCI device that exposes a bogus PRAMDAC MCLK PLL configuration, causing the state->mclk_khz divisor to become zero. This is a Denial of Service vulnerability affecting the Linux kernel across multiple stable versions, with patches available in the kernel git repository.
Denial Of Service
Linux
Debian
Linux Kernel
-
CVE-2026-23265
None
The Linux kernel's f2fs (Flash-Friendly File System) implementation fails to validate node footer integrity during asynchronous read and write I/O operations, allowing corrupted node page data to trigger a kernel BUG and cause denial of service. This affects all Linux kernel versions using f2fs, particularly those processing untrusted or fuzzed filesystem images. An attacker with the ability to craft a malicious f2fs filesystem image can trigger a kernel panic when the corrupted node page is written back, resulting in system unavailability.
Linux
Denial Of Service
Debian
Linux Kernel
-
CVE-2026-23264
None
A logic error in the Linux kernel's AMD GPU driver causes system crashes when two AMD GPUs are present and only one supports ASPM (Active State Power Management). The vulnerability stems from a commit that was erroneously reapplied after being removed in a prior refactoring, leading to incorrect ASPM state evaluation across multiple devices. Systems running affected Linux kernel versions with heterogeneous AMD GPU configurations (mixed ASPM support) will experience denial of service through kernel crashes.
Linux
Denial Of Service
Debian
Linux Kernel
-
CVE-2026-23263
None
This vulnerability is a memory leak in the Linux kernel's io_uring subsystem, specifically within the zero-copy receive (zcrx) implementation where a page array fails to be deallocated during scatter-gather initialization failures. The vulnerability affects all Linux kernel versions with the vulnerable io_uring/zcrx code path, allowing local attackers with the ability to trigger failed scatter-gather operations to exhaust kernel memory and cause denial of service. No active exploitation has been reported, but this is a kernel memory management issue with straightforward local triggering conditions.
Linux
Denial Of Service
Memory Corruption
Debian
Linux Kernel
-
CVE-2026-23262
None
A memory corruption vulnerability exists in the Linux kernel's Google Virtual Ethernet (gve) driver where dynamic queue count changes cause misalignment between the driver's stats region and the NIC's offset calculations. When queue counts increase, the NIC can write past the allocated stats region boundary causing heap corruption; when decreased, stats data becomes misaligned. This affects Linux kernel versions across multiple stable branches (as evidenced by patches in 5.10, 5.15, 6.1, 6.6, 6.7, 6.8, and 6.9 series). The vulnerability is not currently listed as actively exploited in KEV, but represents a critical reliability and security issue for systems using Google Cloud Platform infrastructure with the affected gve driver.
Linux
Memory Corruption
Denial Of Service
Debian
Linux Kernel
-
CVE-2026-23261
None
This vulnerability is a resource leak in the Linux kernel's NVMe/FC (NVMe over Fibre Channel) driver where the admin tag set and associated block I/O queue resources fail to be released if controller initialization encounters errors after the admin queue is allocated. The affected product is the Linux kernel across all versions that include the vulnerable nvme-fc code path. An attacker or malicious process could trigger repeated failed NVMe/FC controller initialization attempts to exhaust kernel memory through cumulative tag set leaks, potentially leading to denial of service. This is not actively exploited in the wild (not listed in CISA KEV), but patches are available across multiple kernel branches.
Linux
Denial Of Service
Memory Corruption
Debian
Linux Kernel
-
CVE-2026-23260
None
A memory leak vulnerability exists in the Linux kernel's regmap maple tree caching implementation where allocated memory is not freed when the mas_store_gfp() function fails during a write operation. This affects all Linux kernel versions containing the vulnerable regcache_maple_write() function, potentially allowing local attackers to exhaust kernel memory through repeated cache write failures. While no CVSS score or EPSS data is currently available, the vulnerability has been assigned CVE-2026-23260 and multiple stable kernel patches are available, indicating this is a recognized and actively addressed issue.
Linux
Denial Of Service
Memory Corruption
Debian
Linux Kernel
-
CVE-2026-23259
None
A memory management vulnerability exists in the Linux kernel's io_uring subsystem where allocated iovec buffers may fail to be properly freed when a read/write request cannot be recycled back to the rw_cache. This affects all Linux kernel versions with the vulnerable io_uring/rw code path, potentially allowing local attackers to trigger memory leaks that degrade system performance or enable denial of service conditions. The vulnerability has been patched in the Linux kernel stable trees as evidenced by the provided commit references.
Linux
Denial Of Service
Memory Corruption
Debian
Linux Kernel
-
CVE-2026-23258
None
A memory leak vulnerability exists in the Linux kernel's Liquidio network driver within the setup_nic_devices() function where the netdev pointer is not initialized in the oct->props[i].netdev structure before calling queue setup functions. If netif_set_real_num_rx_queues() or netif_set_real_num_tx_queues() fail, the allocated netdev memory is not freed because the cleanup function liquidio_destroy_nic_device() cannot locate it via the NULL pointer. This affects all Linux kernel versions with the Liquidio driver and allows for memory exhaustion through repeated device initialization failures.
Linux
Denial Of Service
Memory Corruption
Debian
Linux Kernel
-
CVE-2026-23257
None
A memory leak vulnerability exists in the Linux kernel's liquidio network driver within the setup_nic_devices() function, where an off-by-one error in the cleanup loop causes failure to deallocate the last successfully allocated device during error handling. The vulnerability affects Linux kernel versions across multiple stable branches (as evidenced by patches in 4.9, 4.14, 4.19, 5.4, 5.10, 5.15, and 5.16 stable trees per the kernel.org references). While this is a local denial-of-service vector through memory exhaustion rather than a direct code execution path, it could be leveraged by unprivileged users to degrade system stability over time.
Linux
Memory Corruption
Debian
Linux Kernel
-
CVE-2026-23256
None
This vulnerability is an off-by-one error in the Linux kernel's liquidio driver that causes a memory leak during virtual function (VF) setup failure cleanup. The vulnerability affects the Linux kernel across all versions where the liquidio net driver is compiled, as identified through the affected CPE (cpe:2.3:a:linux:linux). While this is a memory leak rather than a direct code execution vulnerability, it can be exploited to exhaust kernel memory resources, leading to denial of service.
Linux
Memory Corruption
Debian
Linux Kernel
-
CVE-2026-23255
None
A race condition vulnerability exists in the Linux kernel's /proc/net/ptype implementation where concurrent readers and writers violate RCU (Read-Copy-Update) synchronization rules, allowing information disclosure through unsafe access to device pointers. The vulnerability affects all Linux kernel versions with the vulnerable ptype_seq_show() and ptype_seq_next() functions. An attacker with local access can trigger RCU stalls, kernel panics, or read uninitialized kernel memory by racing concurrent packet type structure modifications against /proc/net/ptype reads, potentially leaking sensitive kernel data or causing denial of service.
Linux
Race Condition
Denial Of Service
Debian
Linux Kernel
-
CVE-2026-23254
None
A vulnerability in the Linux kernel's Generic Receive Offload (GRO) implementation for UDP traffic causes incorrect network offset calculations when processing encapsulated packets. The flaw affects all Linux kernel versions where the GRO subsystem handles UDP encapsulation, as specified in the CPE cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*. When hardware NICs, the tun driver, or veth setups inject packets with the encapsulation flag set, the udp4_gro_complete() function incorrectly computes the outer UDP header pseudo checksum using the inner network offset, leading to checksum validation failures that can disrupt packet processing and potentially cause denial of service or packet drops. No active exploitation has been reported in the wild, and no public proof-of-concept code is known to exist, though the vulnerability is triggered through normal network operations involving UDP-encapsulated traffic.
Linux
Denial Of Service
Debian
Linux Kernel
-
CVE-2026-23252
None
A memory allocation failure vulnerability exists in the Linux kernel's XFS filesystem checking code where the xchk_xfile_*_descr macros call kasprintf with formatted strings that can exceed safe allocation limits, leading to potential denial of service or information disclosure. This affects Linux kernel versions 6.6 through 6.14 and later releases including 6.18.16, 6.19.6, and 7.0-rc1; the vulnerability was found through syzbot fuzzing by researcher Jiaming Zhang. While no active exploitation has been confirmed, the issue represents a path to failure in a core filesystem validation component that could be triggered by malicious or malformed filesystem structures.
Linux
Denial Of Service
Debian
Linux Kernel
-
CVE-2026-23251
None
This vulnerability in the Linux kernel's XFS filesystem code involves improper pointer validation in xfarray and xfblob destructor functions, where the destructors can be called with invalid (dangling) pointers if the pointer is not properly nulled after deallocation. The vulnerability affects Linux kernel versions 6.9 through 6.10 and later patch versions, potentially allowing information disclosure or system instability. While no CVSS score or exploitation data is publicly available, the fix was backported across multiple kernel versions (6.12.75, 6.18.16, 6.19.6, 7.0-rc1) indicating recognition of the issue's significance across the kernel maintenance community.
Linux
Use After Free
Debian
Linux Kernel
-
CVE-2026-23250
None
A null pointer dereference vulnerability exists in the XFS filesystem checker (xchk_scrub_create_subord) in the Linux kernel, where the function returns a mangled ENOMEM error instead of NULL, and callers fail to properly validate the return value. This affects Linux kernel versions 6.2 through 6.10 and later stable branches, potentially allowing a local attacker with filesystem access to trigger a denial of service condition through unhandled memory allocation failures during XFS filesystem integrity checks.
Linux
Denial Of Service
Debian
Linux Kernel
-
CVE-2026-23249
None
A null pointer dereference vulnerability exists in the Linux kernel's XFS filesystem repair code when revalidating B-tree structures during fsck operations. The vulnerability affects Linux kernel versions across multiple release branches (6.8, 6.12.75, 6.18.16, 6.19.6, and 7.0-rc1) when the xfs_scrub utility attempts to repair both the free space B-tree (bnobt) and count B-tree (cntbt) simultaneously. An authenticated attacker with fsck/scrub privileges can trigger a kernel crash (denial of service) by injecting corruption markers via XFS_IOC_ERROR_INJECTION ioctl, causing the kernel to crash when the second B-tree revalidation is attempted after the first one fails and nullifies a required cursor.
Linux
Denial Of Service
Null Pointer Dereference
Debian
Linux Kernel
-
CVE-2026-23247
None
This vulnerability is an information disclosure issue in the Linux kernel's TCP implementation where the timestamp offset calculation was insufficiently randomized, allowing off-path attackers to leak TCP source ports via a SYN cookie side-channel attack. All Linux kernel versions from 4.11 onwards are affected, with confirmed vulnerable versions including Linux 6.18.17, 6.19.7, and 7.0-rc3. An attacker can exploit this to infer source port numbers used in TCP connections without being on the network path, which can facilitate further network-level attacks such as connection hijacking or targeted DoS.
Linux
Information Disclosure
Debian
Linux Kernel
-
CVE-2026-23244
None
A memory allocation vulnerability exists in the Linux kernel's NVMe Persistent Reservation implementation where the nvme_pr_read_keys() function fails to properly handle large num_keys values passed from userspace, resulting in excessive memory allocation attempts up to 4MB that trigger page allocator warnings and potential denial of service. This affects Linux kernel versions across multiple stable branches (6.5, 6.12.77, 6.18.17, 6.19.7, and 7.0-rc3) and requires local access with ioctl privileges to trigger. The vulnerability is addressed through replacement of kzalloc() with kvzalloc() to support larger allocations via vmalloc fallback, and patches are available across multiple kernel stable branches.
Linux
Denial Of Service
Memory Corruption
Debian
Linux Kernel
-
CVE-2026-4407
LOW
CVSS 2.1
An out-of-bounds array write vulnerability exists in Xpdf versions 4.06 and earlier, stemming from improper validation of the 'N' field in ICCBased color spaces within PDF documents. This buffer overflow vulnerability affects all versions of Xpdf up to and including 4.06, potentially allowing attackers to achieve arbitrary code execution or denial of service by crafting malicious PDF files with specially crafted color space definitions. No CVSS score or EPSS data is currently available, and active exploitation status is not confirmed in public sources.
Buffer Overflow
Denial Of Service
-
CVE-2026-4356
LOW
CVSS 2.4
A Cross-Site Scripting (XSS) vulnerability exists in itsourcecode University Management System version 1.0, specifically in the /add_result.php file where the 'vr' parameter is not properly sanitized. An authenticated attacker with high privileges can inject malicious scripts that execute in the context of other users' browsers, potentially leading to session hijacking, credential theft, or unauthorized actions within the application. A public proof-of-concept exploit is available on GitHub, and while the CVSS score is low (2.4), the vulnerability is actively documented in security databases and poses a real risk in educational environments.
XSS
PHP
-
CVE-2026-4355
LOW
CVSS 3.5
A stored or reflected cross-site scripting (XSS) vulnerability exists in Portabilis i-Educar 2.11 through improper input validation on the Name parameter in the /intranet/educar_servidor_curso_lst.php endpoint. An authenticated attacker can inject malicious JavaScript that executes in the context of other users' browsers, potentially enabling session hijacking, credential theft, or malware distribution. A public proof-of-concept exploit is available, and the vendor has not responded to early disclosure attempts, indicating no patch is currently available.
XSS
PHP
-
CVE-2026-4354
LOW
CVSS 3.5
A reflected cross-site scripting (XSS) vulnerability exists in TRENDnet TEW-824DRU wireless router firmware versions 1.010B01 and 1.04B01, affecting the apply_sec.cgi web interface component. An authenticated attacker can inject malicious JavaScript through the Language parameter in the sub_420A78 function, which is then executed in the context of another user's browser session. The vulnerability is publicly exploitable (working proof-of-concept available on GitHub), has a low CVSS score (3.5) due to authentication requirements and user interaction, but represents a real security concern for router administration interfaces where multiple users may access the web UI.
XSS
-
CVE-2026-3479
LOW
CVSS 2.1
The pkgutil.get_data() function in CPython fails to properly validate the resource argument, enabling path traversal attacks that allow unauthorized information disclosure. This vulnerability affects CPython across multiple versions and could permit attackers to read arbitrary files from the system where Python code is executing. A patch is available from the Python Software Foundation, and the vulnerability has been documented with proof-of-concept references in the official CPython repository.
Path Traversal
-
CVE-2025-71270
None
This vulnerability is a missing exception fixup handler in the LoongArch architecture's BPF JIT compiler that fails to properly recover from memory access exceptions (ADEM) triggered by BPF_PROBE_MEM* instructions. The Linux kernel on LoongArch systems (CPE: cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*) is affected, potentially allowing information disclosure or denial of service when BPF programs attempt to safely probe memory locations. This is not actively exploited (no KEV status), but patches are available across multiple stable kernel branches.
Linux
Memory Corruption
Privilege Escalation
Debian
Linux Kernel
-
CVE-2025-71269
None
A resource management vulnerability exists in the Linux kernel's Btrfs filesystem implementation where qgroup data reservations are incorrectly freed when an inline extent creation fails due to -ENOSPC (no space available). This causes the kernel to prematurely release qgroup quota accounting for data that will actually be used when the operation falls back to the normal copy-on-write path, potentially leading to qgroup quota inconsistencies and information disclosure about quota state. All Linux distributions using Btrfs with qgroup quota tracking enabled are affected. While no CVSS score or EPSS risk score has been assigned, the vulnerability has stable patches available in the Linux kernel repository.
Linux
Memory Corruption
Debian
Linux Kernel
-
CVE-2025-71268
None
A resource leak vulnerability exists in the Linux kernel's btrfs filesystem implementation where reserved qgroup data fails to be freed in error paths during inline extent insertion operations. This affects all Linux versions with vulnerable btrfs code, and allows local attackers with filesystem write access to exhaust kernel memory resources through repeated failed inline extent insertions, potentially causing denial of service. No active exploitation in the wild has been reported, but kernel memory exhaustion vulnerabilities are routinely targeted by local privilege escalation chains.
Linux
Denial Of Service
Debian
Linux Kernel
-
CVE-2025-71267
None
A denial-of-service vulnerability exists in the Linux kernel's ntfs3 file system driver where a malformed NTFS image with a zero-sized ATTR_LIST attribute triggers an infinite loop during file system mount operations. The vulnerability affects Linux kernel versions across multiple stable branches (5.15, 6.1, 6.6, 6.12, 6.18, 6.19, and 7.0-rc1) and can cause the kernel to hang indefinitely, preventing normal system operation. An attacker can exploit this by providing a crafted NTFS image file that triggers the loop when mounted, requiring no special privileges and resulting in complete denial of service for affected systems.
Linux
Denial Of Service
Debian
Linux Kernel
-
CVE-2025-71266
None
An infinite loop vulnerability exists in the Linux kernel's ntfs3 filesystem implementation that allows attackers to trigger a denial-of-service condition through malformed NTFS directory entries. A crafted dentry with the HAS_SUB_NODE flag and manipulated VCN pointer can cause the indx_find() function to repeatedly allocate 4 KB memory blocks without proper loop detection, leading to memory exhaustion and kernel out-of-memory crashes. The vulnerability affects multiple stable Linux kernel versions across 5.15, 6.1, 6.6, 6.12, 6.18, and 6.19 series, and patches have been released for all affected branches.
Linux
Denial Of Service
Memory Corruption
Debian
Linux Kernel
-
CVE-2025-71265
None
An infinite loop vulnerability exists in the Linux kernel's NTFS3 file system implementation within the attr_load_runs_range() function, triggered by inconsistent metadata where an attribute header claims to be empty (evcn=-1) while directory entries reference it as containing actual data. This vulnerability affects Linux kernel versions across multiple stable branches (5.15, 6.1, 6.6, 6.12, 6.18, 6.19, and 7.0-rc1) and can be exploited by an attacker mounting a malformed NTFS image to cause a Denial-of-Service condition by inducing infinite CPU consumption in kernel space.
Linux
Denial Of Service
Debian
Linux Kernel
-
CVE-2025-58112
None
This vulnerability enables arbitrary SQL command execution in Microsoft Dynamics 365 Customer Engagement (on-premises) version 1612 through malicious Report Definition Language (RDL) files uploaded to SQL Server Reporting Services. An attacker with the 'Add Reporting Services Reports' privilege can upload a crafted RDL file containing raw SQL queries; if the file is already loaded and executable by the user, this privilege is not required. Upon report generation, arbitrary SQL commands execute in the underlying database, potentially allowing data exfiltration, linked server access, or operating system command execution depending on SQL Server service account permissions. A proof-of-concept has been documented in public repositories, indicating active research and potential exploitation risk.
Information Disclosure
Microsoft
-
CVE-2025-31703
LOW
CVSS 2.4
This vulnerability in Dahua NVR/XVR devices allows unauthenticated privilege escalation through the serial port console by bypassing shell authentication mechanisms. Affected devices include Dahua NVR2-4KS3, XVR4232AN-I/T, and XVR1B16H-I/T models with build dates prior to March 3, 2026. An attacker with physical access to the device can gain a restricted shell and escalate privileges to access sensitive system functions; the CVSS 2.4 score reflects the physical-access requirement and the absence of an availability impact.
Dahua
Privilege Escalation
Authentication Bypass