Skip to main content
CVE-2025-71260 HIGH POC This Week

BMC FootPrints ITSM contains a critical deserialization vulnerability in ASP.NET VIEWSTATE handling that allows authenticated attackers to execute arbitrary code remotely. Versions 20.20.02 through 20.24.01.001 are affected, and attackers with valid credentials can fully compromise the application by injecting malicious serialized objects. Security researchers from watchTowr have published detailed analysis of this vulnerability, significantly increasing exploitation risk.

Deserialization RCE Footprints Itsm
NVD VulDB
CVSS 4.0
8.7
EPSS
0.4%
CVE-2026-33354 HIGH PATCH This Week

Authenticated file read vulnerability in PHP and Docker deployments allows users to exfiltrate arbitrary files from the server by exploiting insufficient path validation in the video upload endpoint, which copies attacker-specified local files to publicly accessible storage. An authenticated attacker can leverage this to read sensitive files from broad server directories including application roots, cache, and temporary locations. No patch is currently available, and the vulnerability carries a 10% exploit prediction score.

PHP RCE Docker
NVD GitHub VulDB
CVSS 3.1
7.6
EPSS
10.0%
CVE-2026-32622 HIGH PATCH This Week

Remote code execution in SQLBot 1.5.0 and below allows authenticated users to inject malicious prompts through unsanitized terminology uploads, enabling attackers to manipulate the LLM into generating arbitrary PostgreSQL commands executed with database privileges. The vulnerability stems from missing permission checks on the Excel upload API combined with inadequate semantic isolation when injecting user-controlled data into the system prompt. An attacker can exploit this to achieve code execution on the database or application server running as the postgres user.

Authentication Bypass RCE PostgreSQL
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.6%
CVE-2026-33228 HIGH PATCH This Week

Prototype pollution in the flatted npm library (versions <= 3.4.1) lets an attacker who controls input to the parse() function leak a live reference to Array.prototype into the returned object, so any later write to that property poisons the global prototype chain. The flaw stems from parse() using attacker-supplied JSON string values such as "__proto__" as raw array index keys without numeric validation. Publicly available exploit code exists (a three-line proof of concept in the GitHub Security Advisory), though EPSS is only 0.01% (2nd percentile) and it is not in CISA KEV.

RCE Denial Of Service Prototype Pollution
NVD GitHub VulDB
CVSS 4.0
8.9
EPSS
0.0%
CVE-2026-33068 HIGH POC PATCH This Week

Claude Code, an AI coding assistant, contains an authentication bypass vulnerability where malicious repositories can silently skip the workspace trust confirmation dialog by setting permissions.defaultMode to bypassPermissions in a committed .claude/settings.json file. This affects users of the @anthropic-ai/claude-code npm package who open untrusted repositories. An attacker can place users into a permissive execution mode without explicit consent, enabling tool execution without the user seeing trust prompts, though no evidence of active exploitation or public proof-of-concept is currently available.

Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-32013 HIGH PATCH This Week

A symlink traversal vulnerability in OpenClaw allows authenticated attackers to read and write arbitrary files on the host system through the agents.files.get and agents.files.set methods. The vulnerability affects OpenClaw versions prior to 2026.2.25 and can lead to remote code execution through strategic file overwrites. With a high CVSS score of 8.8 and an RCE tag, this represents a critical security risk for organizations using affected versions.

RCE Openclaw
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-33310 HIGH PATCH This Week

Unauthenticated remote code execution in catalog parsing allows attackers to execute arbitrary commands on the host system by embedding shell() syntax in malicious catalog YAML files accessed by users. The vulnerability exploits automatic expansion of parameter default values during catalog source loading without proper sanitization. No patch is currently available, and exploitation requires only user interaction to load a compromised catalog.

Command Injection Suse
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-25445 HIGH This Week

WishList Member X, a WordPress membership plugin, contains a deserialization of untrusted data vulnerability that allows authenticated attackers with low-level privileges to perform PHP object injection attacks. This affects all versions up to and including 3.29.0. The vulnerability has a CVSS score of 8.8, indicating high severity with potential for complete compromise of confidentiality, integrity, and availability. There is no indication of active exploitation in KEV data, but the vulnerability has been publicly disclosed by Patchstack.

Deserialization
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-4342 HIGH PATCH This Week

A configuration injection vulnerability in Kubernetes ingress-nginx controller allows authenticated attackers to inject arbitrary nginx configuration through specially crafted Ingress annotations, leading to remote code execution with controller privileges and exposure of all cluster Secrets. The vulnerability has a high CVSS score of 8.8 and affects the ingress-nginx controller's annotation parsing mechanism. No active exploitation (not in KEV) or public POC has been reported, though the attack requires only low privileges and network access.

RCE Nginx
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-29099 HIGH This Week

SQL injection in SuiteCRM versions prior to 7.15.1 and 8.9.3 allows authenticated users to execute arbitrary SQL queries through improper input validation in the EmailUIAjax module's retrieve() function. An attacker with valid credentials can exploit this vulnerability to read, modify, or delete sensitive database records without restrictions. The vulnerability requires authentication but has no patch currently available.

PHP SQLi
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-30711 HIGH This Week

Authenticated attackers can execute arbitrary SQL queries in Devome GRR v4.5.0 through injection vulnerabilities in the referer and user-agent parameters within include/session.inc.php, enabling full database compromise including data exfiltration, modification, and potential remote code execution. The vulnerability carries a CVSS score of 8.8 (High) with low attack complexity requiring only low-level privileges and no user interaction. EPSS probability of exploitation is extremely low at 0.01% (2nd percentile), and no public exploit identified at time of analysis beyond technical disclosure and audit documentation.

PHP SQLi
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-27934 HIGH PATCH This Week

Unauthorized information disclosure in Discourse discussion platform versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 allows unauthenticated attackers to view restricted post titles and excerpts through inadequate permission validation on user action API endpoints. The vulnerability affects all deployments running vulnerable versions, with no available workarounds until patching to the fixed releases.

Information Disclosure Discourse
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-33346 HIGH PATCH This Week

A stored cross-site scripting vulnerability in OpenEMR's patient portal payment flow allows authenticated patient users to inject malicious JavaScript that executes when staff members review payment submissions. The vulnerability affects OpenEMR versions prior to 8.0.0.2 and enables attackers to compromise staff accounts, potentially accessing sensitive medical records and administrative functions. No evidence of active exploitation exists, and no KEV listing or public POC has been identified.

PHP XSS
NVD GitHub VulDB
CVSS 3.1
8.7
EPSS
0.0%
CVE-2026-33344 HIGH PATCH This Week

Path traversal in Apple and Kubernetes DAG management APIs allows authenticated attackers to access arbitrary files outside the intended directory by injecting URL-encoded forward slashes into file name parameters on GET, DELETE, RENAME, and EXECUTE endpoints. The vulnerability affects systems where a previous patch (CVE-2026-27598) only secured the CREATE endpoint while leaving other API functions unprotected. An attacker with valid credentials can read, modify, or execute unintended DAG files on the affected system.

Path Traversal Apple Kubernetes macOS Suse
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
3.0%
CVE-2026-23659 HIGH PATCH This Week

A sensitive information exposure vulnerability exists in Microsoft Azure Data Factory that allows unauthorized remote attackers to access and disclose confidential data over the network without authentication. The vulnerability has a high CVSS score of 8.6 due to its network-based attack vector requiring no privileges or user interaction, with scope change indicating potential impact beyond the vulnerable component. No active exploitation has been reported and no proof-of-concept is currently available.

Information Disclosure Microsoft
NVD VulDB
CVSS 3.1
8.6
EPSS
0.1%
CVE-2026-26139 HIGH PATCH This Week

Microsoft Purview is vulnerable to server-side request forgery (SSRF) that enables unauthenticated remote attackers to escalate privileges across network boundaries. This network-accessible vulnerability requires no user interaction and impacts the confidentiality of affected systems. No patch is currently available.

SSRF Microsoft
NVD VulDB
CVSS 3.1
8.6
EPSS
0.1%
CVE-2026-26138 HIGH PATCH This Week

Microsoft Purview contains a server-side request forgery vulnerability that allows unauthenticated remote attackers to escalate privileges across network boundaries. An attacker can exploit this flaw without user interaction to gain unauthorized access to sensitive resources and functionality. No patch is currently available.

SSRF Microsoft
NVD VulDB
CVSS 3.1
8.6
EPSS
0.1%
CVE-2026-23658 HIGH PATCH This Week

This vulnerability involves insufficiently protected credentials in Azure DevOps that allows an unauthorized attacker to elevate privileges over a network. The vulnerability affects Azure DevOps versions up to and presents a high-risk authentication bypass issue that could allow attackers to gain unauthorized access with elevated privileges. With a CVSS score of 8.6 and no exploitation complexity barriers, this represents a critical security risk for organizations using affected Azure DevOps instances.

Microsoft Authentication Bypass
NVD VulDB
CVSS 3.1
8.6
EPSS
0.1%
CVE-2026-3511 HIGH PATCH This Week

An XML External Entity (XXE) vulnerability in the XMLUtils.java component of Slovensko.Digital Autogram allows remote unauthenticated attackers to conduct Server-Side Request Forgery (SSRF) attacks and read local files from the filesystem. The vulnerability affects Autogram software and can be exploited when a victim visits a specially crafted website that sends malicious XML to the application's local HTTP server /sign endpoint. A blog post detailing exploitation research is publicly available, increasing the likelihood of exploitation attempts.

XXE Java Authentication Bypass SSRF Autogram
NVD GitHub VulDB
CVSS 3.1
8.6
EPSS
0.0%
CVE-2026-32721 HIGH This Week

A stored cross-site scripting (XSS) vulnerability exists in the OpenWrt LuCI web interface where malicious JavaScript code embedded in Wi-Fi network names (SSIDs) can execute when users open the wireless scan modal. The vulnerability affects OpenWrt versions newer than 23.05/22.03 up to 24.10.5 and 25.12.0, allowing attackers within wireless range to compromise users who scan for available networks. No active exploitation has been reported (not in KEV), and with an EPSS score not provided, the real-world exploitation risk appears limited despite the high CVSS score of 8.6.

XSS Luci Openwrt
NVD GitHub VulDB
CVSS 3.1
8.6
EPSS
0.0%
CVE-2026-3549 HIGH PATCH This Week

Integer underflow in TLS 1.3 ECH (Encrypted Client Hello) extension parsing within wolfSSL allows remote attackers to trigger heap buffer overflow conditions with availability impact through specially crafted network packets. While ECH is disabled by default in wolfSSL and the specification remains unstable, exploitation requires no authentication and succeeds under specific timing conditions. No patch is currently available for this vulnerability.

Buffer Overflow Heap Overflow Wolfssl
NVD GitHub VulDB
CVSS 4.0
8.3
EPSS
0.0%
CVE-2026-31998 HIGH PATCH This Week

Synology OpenClaw versions 2026.2.22 and 2026.2.23 contain an authorization bypass in the synology-chat channel plugin where misconfigured allowlist policies with empty user IDs fail open, allowing authenticated Synology senders to dispatch unauthorized agents and execute downstream tool actions. The vulnerability requires network access and low-complexity exploitation, with a patch currently available.

Synology Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
8.3
EPSS
0.0%
CVE-2026-33210 HIGH PATCH This Week

A format string injection vulnerability exists in the Ruby JSON gem that can lead to denial of service attacks or information disclosure when parsing user-supplied documents with the non-default 'allow_duplicate_key: false' parsing option enabled. The vulnerability affects users of the pkg:rubygems/json package who have explicitly opted into using this specific parsing configuration. There is no evidence of active exploitation (not listed in CISA KEV), and no EPSS score is currently available for risk quantification.

Denial Of Service Information Disclosure
NVD GitHub VulDB
CVSS 4.0
8.3
EPSS
0.0%
CVE-2026-22731 HIGH PATCH GHSA This Week

Spring Boot Actuator endpoints can be bypassed for authentication when application endpoints are configured under Health Group paths in versions 4.0 before 4.0.3, 3.5 before 3.5.11, and 3.4 before 3.4.15. An unauthenticated attacker can exploit this path-based misconfiguration to gain unauthorized access to protected resources with high confidence in authentication bypass and partial information disclosure. No patch is currently available.

Authentication Bypass Java
NVD VulDB HeroDevs
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-32030 HIGH PATCH This Week

OpenClaw versions before 2026.2.19 allow remote file disclosure when iMessage remote attachment fetching is enabled, as the stageSandboxMedia function fails to properly validate attachment paths and accepts arbitrary absolute paths. An attacker with the ability to manipulate attachment metadata can read files accessible to the OpenClaw process on the configured remote host via SCP. No patch is currently available for this vulnerability.

Path Traversal Openclaw
NVD GitHub VulDB
CVSS 4.0
8.2
EPSS
0.0%
CVE-2026-27093 HIGH PATCH This Week

A PHP remote/local file inclusion vulnerability exists in the Ovatheme Tripgo WordPress theme due to improper control of filename parameters in include/require statements. Versions prior to 1.5.6 are affected, allowing unauthenticated remote attackers to potentially include arbitrary files and execute malicious code. This vulnerability has a CVSS score of 8.1 (High) with network attack vector but high attack complexity, and has been reported by Patchstack as exploitable for local file inclusion and information disclosure.

PHP Information Disclosure LFI
NVD VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-25471 HIGH This Week

The Admin Safety Guard WordPress plugin versions through 1.2.6 contains an authentication bypass vulnerability that allows attackers to exploit password recovery mechanisms through alternate paths or channels. Attackers can remotely compromise administrator accounts without authentication, leading to complete site takeover. The vulnerability has a CVSS score of 8.1 (High) with high attack complexity, though no EPSS data or KEV listing indicates limited observed exploitation to date.

Authentication Bypass Admin Safety Guard
NVD VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-33236 HIGH PATCH This Week

NLTK downloader contains a path traversal vulnerability that allows remote attackers to write arbitrary files to any location on the filesystem when a user downloads packages from a malicious server. Attackers controlling a remote XML index server can inject path traversal sequences (../) into package metadata to overwrite critical system files including /etc/passwd or SSH authorized_keys. A working proof-of-concept exploit exists demonstrating arbitrary file creation at /tmp/test_file.zip via malicious server and client script.

Python Path Traversal
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-33301 HIGH PATCH This Week

A remote code execution vulnerability in OpenEMR (CVSS 8.1). High severity vulnerability requiring prompt remediation.

Information Disclosure Openemr
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-27096 HIGH This Week

The ColorFolio Freelance Designer WordPress Theme versions up to 1.3 contains a deserialization of untrusted data vulnerability that allows attackers to perform PHP Object Injection. This enables remote unauthenticated attackers to execute arbitrary code or manipulate application logic, though exploitation requires high attack complexity. There is no evidence of active exploitation (not in CISA KEV), and EPSS score data is not provided, but the vulnerability has been publicly disclosed by Patchstack.

Deserialization WordPress
NVD VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-33293 HIGH This Week

Arbitrary file deletion in PHP CloneSite plugin allows authenticated attackers to bypass path validation and remove critical files via path traversal in the deleteDump parameter, causing denial of service or facilitating privilege escalation attacks. An attacker with valid clone credentials can leverage unvalidated input passed directly to unlink() to delete arbitrary files including configuration.php and other security-critical application files. No patch is currently available for this vulnerability.

PHP Denial Of Service Path Traversal
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-33302 HIGH PATCH This Week

A remote code execution vulnerability in OpenEMR (CVSS 8.1). High severity vulnerability requiring prompt remediation.

Authentication Bypass Openemr
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-29096 HIGH This Week

A second-order SQL injection vulnerability exists in the Reports module of SuiteCRM, allowing authenticated users with reporting privileges to execute arbitrary SQL queries when viewing reports. The vulnerability affects SuiteCRM versions before 7.15.1 and 8.9.3, enabling attackers to extract sensitive database contents including password hashes, API tokens, and configuration values, with potential for remote code execution on MySQL installations with FILE privileges. While no public exploits or active exploitation have been reported, the vulnerability has a high CVSS score of 8.1 due to the potential for both data theft and system compromise.

SQLi Suitecrm
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-32014 HIGH PATCH This Week

A metadata spoofing vulnerability in OpenClaw allows attackers with paired node identities on the trusted network to bypass platform-based node command policies by manipulating unsigned reconnect platform and deviceFamily fields. This authentication bypass vulnerability affects OpenClaw versions prior to 2026.2.26 and enables unauthorized access to restricted commands with high impact on confidentiality, integrity, and availability (CVSS 8.0). No active exploitation has been reported in KEV and EPSS data is not available, but the vulnerability has been publicly disclosed with patches available.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 3.1
8.0
EPSS
0.0%
CVE-2026-30874 HIGH This Week

OpenWrt versions prior to 24.10.6 allow local attackers with limited privileges to inject a malicious PATH environment variable into hotplug scripts due to improper filtering in the hotplug_call function, enabling execution of arbitrary binaries with elevated privileges. The vulnerability stems from a strcmp/strncmp logic error that fails to properly exclude the PATH variable when executing scripts in /etc/hotplug.d, resulting in local privilege escalation. No patch is currently available.

Privilege Escalation Openwrt
NVD GitHub VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-22558 HIGH This Week

UniFi Network Application allows authenticated attackers to escalate privileges via NoSQL injection with high confidentiality impact. The vulnerability enables network-accessible attackers holding low-privilege credentials to exploit database queries and access sensitive information belonging to higher-privileged users or contexts. With an EPSS score of 0.03% (7th percentile) and no public exploit identified at time of analysis, real-world exploitation probability is currently assessed as low despite the 7.7 CVSS severity rating.

Ubiquiti Nosql Injection Privilege Escalation
NVD VulDB
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-33321 HIGH PATCH This Week

OpenEMR versions prior to 8.0.0.2 allow authenticated users with the Notes role to trigger an out-of-band Server-Side Request Forgery (SSRF) vulnerability through unescaped HTML parsing in Eye Exam form PDF generation, enabling attackers to forge requests to arbitrary internal or external resources from the affected server. This vulnerability requires valid user credentials but no user interaction, and can lead to information disclosure or further internal network compromise. No patch is currently available for affected deployments.

SSRF Openemr
NVD GitHub VulDB
CVSS 3.1
7.6
EPSS
0.0%
CVE-2024-42210 HIGH This Week

A Stored cross-site scripting (XSS) vulnerability affects HCL Unica Marketing Operations v12.1.8 and lower. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable. No vendor patch available.

XSS Unica Marketing Operations Plan
NVD VulDB GitHub
CVSS 3.1
7.6
EPSS
0.0%
CVE-2026-4424 HIGH PATCH This Week

Heap memory disclosure in libarchive allows remote unauthenticated attackers to read sensitive heap data by submitting a malformed RAR archive. The flaw affects Red Hat Enterprise Linux 6-10 and OpenShift Container Platform 4, with vendor patches available per multiple RHSA advisories (RHSA-2026:8492 through RHSA-2026:8908). Despite the HIGH CVSS score of 7.5 and network-exploitable vector requiring no authentication, the EPSS score of 0.14% (35th percentile) indicates low observed exploitation probability. No public exploit code identified at time of analysis, and not listed in CISA KEV, suggesting this remains a patch-and-monitor priority rather than emergency response.

Information Disclosure Buffer Overflow Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 +3
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-28461 HIGH PATCH This Week

OpenClaw contains an unbounded memory growth vulnerability in its Zalo webhook endpoint that allows unauthenticated remote attackers to exhaust system memory through query string manipulation. OpenClaw versions prior to 2026.3.1 are affected. Attackers can send repeated HTTP requests with varying query parameters to trigger in-memory key accumulation, leading to memory pressure, process instability, or complete denial of service through out-of-memory conditions.

Denial Of Service Openclaw
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-3658 HIGH This Week

Unauthenticated attackers can exploit SQL injection in the Simply Schedule Appointments Booking Plugin for WordPress (versions up to 1.6.10.0) through the 'fields' parameter to extract sensitive database information including usernames, email addresses, and password hashes. The vulnerability stems from insufficient input escaping and improper SQL query preparation, allowing attackers to inject arbitrary SQL commands without authentication. No patch is currently available.

WordPress SQLi
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-4427 HIGH PATCH GHSA This Week

PostgreSQL client applications using the pgproto3 Go library (github.com/jackc/pgproto3/v2) can be crashed remotely by malicious or compromised PostgreSQL servers sending specially crafted DataRow messages with negative field lengths, triggering slice bounds panics that result in denial of service. The vulnerability requires no authentication and has low attack complexity (CVSS:3.1/AV:N/AC:L/PR:N/UI:N), though the EPSS score of 0.07% (20th percentile) suggests minimal observed exploitation activity. Multiple detailed technical advisories exist including analysis from Security Infinity, and the issue is tracked in GitHub issue #2507 for the pgx project.

PostgreSQL Denial Of Service Buffer Overflow Suse
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-32025 HIGH PATCH This Week

A WebSocket authentication bypass vulnerability in OpenClaw gateway software allows attackers to circumvent origin validation and rate limiting protections when deployed on localhost/loopback interfaces. The flaw enables malicious websites to conduct brute-force attacks against the gateway's authentication mechanism through a victim's browser, potentially gaining full administrative control over the OpenClaw control plane. With a 7.5 CVSS score and requiring only user interaction to exploit, this represents a significant risk for organizations running OpenClaw in loopback configurations.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-25667 HIGH This Week

A security vulnerability in Microsoft .NET 8.0 (CVSS 7.5) that allows a remote attacker. High severity vulnerability requiring prompt remediation.

Microsoft Denial Of Service
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-33231 HIGH PATCH GHSA This Week

The NLTK (Natural Language Toolkit) WordNet Browser HTTP server contains an unauthenticated shutdown vulnerability that allows any remote attacker to terminate the service with a single GET request to the '/SHUTDOWN THE SERVER' endpoint. This affects users running nltk.app.wordnet_app in its default mode, where the server binds to all network interfaces without authentication. A proof-of-concept exploit is publicly available demonstrating the denial-of-service attack, though EPSS and KEV data are not yet available for this recent CVE.

CSRF Denial Of Service Docker Python Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-25443 HIGH This Week

Dotstore Fraud Prevention For Woocommerce versions through 2.3.3 contain an authorization bypass vulnerability that allows unauthenticated attackers to manipulate access control settings and cause denial of service. The missing authorization checks enable remote exploitation without user interaction, affecting WordPress installations using this plugin. No patch is currently available for this vulnerability.

WordPress Authentication Bypass
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-32011 HIGH PATCH This Week

OpenClaw webhook handlers for BlueBubbles and Google Chat prior to version 2026.3.2 fail to validate authentication before parsing request bodies, allowing unauthenticated remote attackers to trigger denial of service by sending maliciously crafted or oversized payloads. Successful exploitation exhausts parser resources and degrades service availability, with no patch currently available. The vulnerability affects all Google products using the vulnerable OpenClaw versions.

Denial Of Service Google
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-32815 HIGH PATCH This Week

SiYuan knowledge management system versions 3.6.0 and below allow unauthenticated WebSocket connections to the /ws endpoint via specific URL parameters, enabling attackers to bypass authentication and receive real-time server push events. An attacker can exploit this by connecting from a malicious website to monitor a victim's local SiYuan instance and exfiltrate sensitive metadata including document titles, notebook names, file paths, and user activity without the victim's knowledge. No patch is currently available for this high-severity information disclosure vulnerability.

Authentication Bypass Suse
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-29097 HIGH This Week

The RSS Feed Dashlet in SuiteCRM versions before 7.15.1 and 8.9.3 is vulnerable to a server-side request forgery (SSRF) attack that can be exploited to trigger denial of service conditions. An unauthenticated remote attacker can leverage this vulnerability to disrupt service availability without requiring user interaction. No patch is currently available for this high-severity vulnerability affecting enterprise CRM deployments.

Denial Of Service SSRF Suitecrm
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-3547 HIGH PATCH This Week

Denial of service in Nginx via out-of-bounds read during ALPN protocol parsing when ALPN support is enabled, allowing unauthenticated remote attackers to crash the process by sending a crafted ALPN list. This vulnerability affects Nginx and other third-party applications that have compiled wolfSSL 5.8.4 or earlier with ALPN enabled. A patch is available to address this incomplete validation flaw.

Buffer Overflow Denial Of Service Nginx Information Disclosure
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
Page 1 of 2 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy